BleepingComputer.com: GoogleRedirect;Shutdowns;HighCPUUsage;IETrouble


GoogleRedirect;Shutdowns;HighCPUUsage;IETrouble GettingWorse;DoNotKnowWhatOrHowToRemove

#46 myrti
  • bleepin' _temp_
  • Group: Malware Response Instructor
  • Posts: 27,527
  • Joined: 25-January 08
  • Gender: Female
  • Location: At home

Posted 15 February 2012 - 03:40 PM

Hi,

What I meant was for you to run ComboFix once more (on my request) to remove the SecurityCheck infection, as these kinds of infections are normally automatically targeted by ComboFix.

As things are, I would suggest you run OTL once more so I can check for possible leftovers of the infection.

Regarding PowerPoint Viewer, normally Windows Update should offer you the updates to Office as an optional update. I would check in Windows Update if there are any pending updates. If not, you can always check if you can uninstall PowerPoint Viewer separately. Can you give me the exact message you get for PowerPoint Viewer? It should mention the update it's missing.

The problem with outdated programs is that if Secunia can check what version it has from within your browser, then any malicious program can do the same and then determine whether it will be able to use its exploits against it.

These are tips I usually give at the very end of a thread, with programs to improve security and to remove the tools we used. As we are almost there anyways, I'll just go ahead and post them now:

Please do the following to clean up your PC:
  • Delete the tools used during the disinfection:
    • Uninstall ComboFix.exe and all backups of the files it deleted:
      • Click START then RUN.
      • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTC from the following mirror and save it to your desktop:
      • Double click on the OTC icon.
      • Push the large "Cleanup" button.
      • Allow your system to reboot.
  • If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Let me know if you have any more questions.
Have a nice day
myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein
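Checking an OTL log for leftovers, as myrti describes above, is mostly pattern-reading. The following triage helper is an added example (not OTL, ComboFix, or anything posted in this thread): it parses the line formats that appear in the OTL log posted later in the thread and flags the entries a helper would look at by hand: orphaned CLSIDs, dangling autoruns, a running program with no company name, a Firefox manual proxy pointed at the loopback interface, and an add-on whose display name does not match the vendor of the DLL behind it. The sample log is constructed from entries in the posted log plus one placeholder process line; the category names and heuristics are the example's own, and a flag means "review this", not "this is malware".

```python
"""Triage helper for OTL log lines (added example, not part of this thread or of OTL).

Parses the line formats that appear in the OTL log posted in this thread and
flags entries a malware-response helper would review by hand. Category names
and heuristics are the example's own; a flag means "look at this", not "malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: real lines from the posted log plus one placeholder
# process line (no company name, temp-folder path) to exercise that check.
SAMPLE_LOG = r"""PRC - [2012/01/03 16:31:34 | 001,391,272 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2011/10/14 01:01:50 | 000,994,360 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2012/02/10 00:00:00 | 000,012,345 | ---- | M] () -- C:\Users\EXAMPLE\AppData\Local\Temp\constructed_sample.exe
IE - HKU\.DEFAULT\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 62121
FF - prefs.js..network.proxy.type: 1
O2 - BHO: (Foxit PDF Creator Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.2.0.13\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
"""

# PRC/SRV/DRV entry: "[stamp] (Company) [optional state] -- path"
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - \[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>.+)$"
)
# Firefox pref line: "FF - prefs.js..<name>: <value>"
FF_PREF_RE = re.compile(r"^FF - prefs\.js\.\.(?P<name>[\w.]+): (?P<value>.+)$")
# HijackThis-style BHO/toolbar: "O2 - BHO: (Name) - {CLSID} - path (Company)"
O23_RE = re.compile(r"^O[23] - [^:]*: \((?P<name>[^)]*)\) - \{(?P<clsid>[^}]+)\} - (?P<rest>.+)$")
# Autorun: "O4 - HKLM..\Run: [Name] path (Company)" or "[] File not found"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")


@dataclass
class Finding:
    line_no: int      # 0 = derived from several lines (the proxy check)
    category: str
    detail: str


def triage(log_text):
    """Return review candidates found in OTL log text, in log order."""
    findings = []
    prefs = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.rstrip()
        # Registry hook/BHO whose CLSID no longer resolves: leftover to clean up.
        if "No CLSID value found" in line:
            findings.append(Finding(n, "orphaned-clsid", line))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m["name"]] = m["value"].strip('"')
            continue
        m = O23_RE.match(line)
        if m:
            # Display name vs. the vendor/path of the DLL behind it: a toolbar
            # called "Foxit ..." that loads from Ask.com deserves a second look.
            word = re.match(r"[A-Za-z]+", m["name"])
            if word and word.group(0).lower() not in m["rest"].lower():
                findings.append(Finding(n, "name-vendor-mismatch",
                                        f'{m["name"]!r} loads {m["rest"]}'))
            continue
        m = O4_RE.match(line)
        if m:
            if m["target"].startswith("File not found"):
                findings.append(Finding(n, "dangling-autorun", line))
            continue
        m = ENTRY_RE.match(line)
        if m and not m["company"].strip():
            findings.append(Finding(n, "no-company-name", m["path"]))
    # Firefox manual proxy (network.proxy.type 1). A loopback proxy is also used
    # by some legitimate filtering software, so this is a review item only.
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http", "")
        port = prefs.get("network.proxy.http_port", "")
        cat = "loopback-proxy" if host in ("127.0.0.1", "localhost") else "manual-proxy"
        findings.append(Finding(0, cat, f"Firefox manual HTTP proxy {host}:{port}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2}  {f.category:<22} {f.detail}")
```

Run it against a full OTL.txt by reading the file into `triage()`; the Secunia, Norton and NVIDIA lines in the sample produce no findings, which is the point of the name/vendor and company-name heuristics.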

#47 Nil Desperandum
  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-December 07

Posted 15 February 2012 - 09:56 PM

I tried attaching these once, but they didn't post the first time. I'll try this again. Here are the OTL logs, as attachments.

Attached File(s)
  • OTL.Txt (98.11K)
  • Extras.Txt (37.16K)


#48 Nil Desperandum
  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-December 07

Posted 15 February 2012 - 10:26 PM

OK, I went to the little Windows symbol that I thought meant "start," but there was no "run" option, and putting "run" into the search box didn't help. So, I thought you meant to start Combofix, hit Start, hit Run, and so on. But it didn't work that way. Combofix tried to run. It said a few things--it beeped and said I had to disable my antivirus and then hit OK, and instead I hit the close "x," and it did the same thing again, and again I hit the close "x," and then a blue box labeled "Administrator" opened, and I closed it. It also said something about altering a couple of Secunia files (in each case saying "patched").

I hope I haven't done any irreparable harm! And how do I Start and Run?

#49 myrti
  • bleepin' _temp_
  • Group: Malware Response Instructor
  • Posts: 27,527
  • Joined: 25-January 08
  • Gender: Female
  • Location: At home

Posted 16 February 2012 - 05:34 AM

Hi,

If Run isn't showing in your start menu, you can press Windows-key+R to open the Run window. ComboFix shouldn't have touched the Secunia files. Do you remember what it said exactly? Is something not working now? (Don't uninstall ComboFix unless everything is working. ComboFix makes backups we can restore if something isn't working. Uninstalling ComboFix will delete those backups, however.)

regards myrti

#50 Nil Desperandum
  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-December 07

Posted 16 February 2012 - 02:38 PM

Everything seems to be working, except for last night when at 1:25 AM I suddenly lost my ability to use the Internet. Since it also affected my nephew's computer (in the same house), and since I have my Internet capability back now, I assume there was some problem with the system and not with my computer.

I haven't tried running Secunia again. Should I? Or should I just download it again, letting it replace the Secunia files I have if it asks to do so?

Incidentally, the OTL logs are from *before* I hit the ComboFix icon. Should I run OTL again and post its logs again?

I won't uninstall ComboFix until you say it's OK--which means that I won't perform the rest of those cleanup operations you gave until you say it's OK to uninstall ComboFix.

#51 myrti
  • bleepin' _temp_
  • Group: Malware Response Instructor
  • Posts: 27,527
  • Joined: 25-January 08
  • Gender: Female
  • Location: At home

Posted 16 February 2012 - 04:00 PM

Hi,

Did you run Secunia's Online Scanner, or did you install the program that keeps checking whether all your programs are up to date?
Just to be safe, please post new logs from OTL and we'll take a look.

#52 Nil Desperandum
  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-December 07

Posted 17 February 2012 - 02:18 AM

Since I now have a PSISetup icon on my desktop--a Secunia installer--and since Secunia PSI (2.0.0.2003) shows up on my install/uninstall list of programs under Control Panel's Programs and Features, I assume I have it installed.

I'll run OTL again and post the logs.

#53 Nil Desperandum
  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-December 07

Posted 17 February 2012 - 02:55 AM

I just ran OTL twice, but each time, it only generated an OTL.txt file--no Extras.txt file. (I thought perhaps the problem the first time was that my desktop already had an Extras.txt file on it, so I deleted it, along with the newly-generated OTL.txt file, and ran OTL again. But it still generated only the OTL.txt file.) Here it is:

OTL logfile created on: 2/17/2012 2:37:08 AM - Run 2
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\Keith\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 0.66 Gb Available Physical Memory | 34.13% Memory free
4.11 Gb Paging File | 2.30 Gb Available in Paging File | 56.01% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 103.38 Gb Total Space | 52.90 Gb Free Space | 51.17% Space Free | Partition Type: NTFS
Drive D: | 111.79 Gb Total Space | 73.15 Gb Free Space | 65.43% Space Free | Partition Type: NTFS
Drive E: | 7.35 Gb Total Space | 0.74 Gb Free Space | 10.00% Space Free | Partition Type: NTFS
Drive G: | 1.06 Gb Total Space | 1.02 Gb Free Space | 96.81% Space Free | Partition Type: NTFS

Computer Name: KEITH-PC | User Name: Keith | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/17 02:20:59 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Keith\Desktop\OTL.exe
PRC - [2012/01/12 01:31:06 | 000,307,312 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2012/01/03 16:31:34 | 001,391,272 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2011/10/14 01:01:50 | 000,994,360 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/10/14 01:01:48 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/10/14 01:01:46 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\5.2.0.13\ccsvchst.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/03 08:15:18 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/15 15:26:28 | 006,621,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\f91d98b8a230733f6887ba798efc3061\System.Data.ni.dll
MOD - [2012/02/15 15:26:13 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\d48e106e015d0f8cb2d5295015cee508\PresentationFramework.Aero.ni.dll
MOD - [2012/02/15 15:26:10 | 014,328,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\56df3488472318c59d0a08ed10a065d3\PresentationFramework.ni.dll
MOD - [2012/02/15 15:25:46 | 012,216,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\3951e0a359c004cd6ba268ff78ac62aa\PresentationCore.ni.dll
MOD - [2012/02/15 15:25:27 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\1e258a951222c818540b33880ca45f2e\WindowsBase.ni.dll
MOD - [2012/02/15 15:25:19 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c50133cb67d7c013fa31e1ffb942060b\System.ni.dll
MOD - [2011/10/13 16:10:33 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll
MOD - [2011/03/29 05:53:25 | 005,025,792 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
MOD - [2009/04/11 01:28:21 | 000,368,640 | ---- | M] () -- C:\Windows\System32\msjetoledb40.dll
MOD - [2009/04/10 21:04:15 | 000,113,664 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
MOD - [2009/03/29 23:42:20 | 002,048,000 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2009/03/29 23:42:19 | 000,303,104 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2009/03/29 23:42:19 | 000,261,632 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2009/03/29 23:42:18 | 000,970,752 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
MOD - [2009/03/29 23:42:18 | 000,626,688 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
MOD - [2009/03/29 23:42:18 | 000,372,736 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2009/03/29 23:42:18 | 000,258,048 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2009/03/29 23:42:17 | 002,933,760 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2009/03/29 23:42:17 | 000,425,984 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2009/02/27 01:20:40 | 000,098,304 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll
MOD - [2007/12/19 19:28:32 | 000,345,384 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLTinyDB.dll
MOD - [2007/12/19 19:28:20 | 000,251,288 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapEngine.dll
MOD - [2007/12/19 19:28:20 | 000,120,208 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSchMgr.dll
MOD - [2007/12/19 19:28:20 | 000,038,184 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvcps.dll
MOD - [2007/03/20 17:22:46 | 000,040,960 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
MOD - [2007/03/20 15:51:46 | 000,053,248 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
MOD - [2007/03/16 21:25:24 | 000,020,480 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
MOD - [2007/03/16 21:25:20 | 000,036,864 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
MOD - [2007/03/16 21:11:30 | 000,016,384 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
MOD - [2007/03/16 17:04:46 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/10/14 01:01:50 | 000,994,360 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/10/14 01:01:48 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe -- (N360)
SRV - [2011/03/29 14:41:46 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2008/12/01 10:59:52 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/01/09 16:55:34 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)


========== Driver Services (SafeList) ==========

DRV - [2012/02/04 11:29:13 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/04 11:29:13 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/01/07 12:52:59 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120216.018\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/01/07 12:52:59 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120216.018\NAVENG.SYS -- (NAVENG)
DRV - [2011/12/15 18:33:22 | 000,368,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120215.002\IDSvix86.sys -- (IDSVix86)
DRV - [2011/11/30 21:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120215.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/05/20 05:41:17 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/04/20 20:37:49 | 000,331,384 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\N360\0502000.00D\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2011/03/30 22:00:09 | 000,516,216 | R--- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\Drivers\N360\0502000.00D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 22:00:09 | 000,050,168 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0502000.00D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/14 21:31:23 | 000,744,568 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\N360\0502000.00D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/27 01:47:10 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\N360\0502000.00D\SYMDS.SYS -- (SymDS)
DRV - [2011/01/27 00:07:05 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0502000.00D\Ironx86.SYS -- (SymIRON)
DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\psi_mf.sys -- (PSI)
DRV - [2010/02/24 23:03:16 | 000,014,904 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2009/06/24 05:08:00 | 007,542,208 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/08/01 18:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/03/03 10:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/01/19 01:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/12/14 12:48:16 | 000,005,120 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rcmirror.sys -- (rcmirror)
DRV - [2007/07/10 05:27:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/04/11 21:30:52 | 000,160,768 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2007/02/24 09:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/02/16 18:50:32 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007/01/23 12:03:28 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/01/23 11:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/30 12:24:58 | 000,008,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\Windows\System32\drivers\eabfiltr.sys -- (eabfiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop


IE - HKU\.DEFAULT\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =

IE - HKU\S-1-5-21-3378128204-625118920-687764525-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.physorg.com/
IE - HKU\S-1-5-21-3378128204-625118920-687764525-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3378128204-625118920-687764525-1000\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\S-1-5-21-3378128204-625118920-687764525-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-3378128204-625118920-687764525-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:3.2
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:2011.7.4.3
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 62121
FF - prefs.js..network.proxy.type: 1


FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\IPSFFPlgn\ [2012/02/01 20:59:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\coFFPlgn_2011_7_5_2 [2012/02/15 15:24:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.26\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/13 18:21:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.26\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/13 18:21:40 | 000,000,000 | ---D | M]

[2008/10/13 15:05:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Keith\AppData\Roaming\Mozilla\Extensions
[2012/02/13 19:13:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Keith\AppData\Roaming\Mozilla\Firefox\Profiles\c0o4lvuw.default\extensions
[2010/11/28 13:40:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Keith\AppData\Roaming\Mozilla\Firefox\Profiles\c0o4lvuw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/28 13:40:29 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Keith\AppData\Roaming\Mozilla\Firefox\Profiles\c0o4lvuw.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/02/13 19:14:44 | 000,000,000 | ---D | M] (Foxit PDF Creator Toolbar) -- C:\Users\Keith\AppData\Roaming\Mozilla\Firefox\Profiles\c0o4lvuw.default\extensions\toolbar@ask.com
[2012/02/13 18:21:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/28 01:08:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\COFFPLGN_2011_7_4_3
[2012/02/01 20:59:41 | 000,000,000 | ---D | M] (Symantec Intrusion Prevention) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\IPSFFPLGN
[2009/03/31 21:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/01/29 03:41:05 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/01/29 03:41:05 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/01/29 03:41:05 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/01/29 03:41:05 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/01/25 15:43:24 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.2.0.13\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.2.0.13\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Foxit PDF Creator Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.2.0.13\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Foxit PDF Creator Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.2.0.13\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.2.0.13\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-3378128204-625118920-687764525-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.2.0.13\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-3378128204-625118920-687764525-1000..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-3378128204-625118920-687764525-1000..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-3378128204-625118920-687764525-1000..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3378128204-625118920-687764525-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3378128204-625118920-687764525-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-3378128204-625118920-687764525-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A8EA756D-3AEC-4D66-8CDA-8927513FBA48}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-18 Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-19 Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-20 Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Keith\Pictures\GothBrunetteAQuarter.jpg
O24 - Desktop BackupWallPaper: C:\Users\Keith\Pictures\GothBrunetteAQuarter.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/04 21:57:23 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - E:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- Reg Error: Key error. File not found
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/02/17 02:21:28 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Keith\Desktop\OTL.exe
[2012/02/15 22:21:31 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/15 14:59:16 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/02/15 14:59:15 | 001,798,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/02/15 14:59:14 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/02/15 14:59:14 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/02/15 14:59:13 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/02/15 14:59:09 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/02/14 23:43:16 | 002,044,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/02/14 17:04:59 | 000,000,000 | ---D | C] -- C:\Users\Keith\AppData\Roaming\yahoo!
[2012/02/13 19:13:59 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2012/02/13 18:56:50 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Product Assistant
[2012/02/13 18:51:45 | 000,000,000 | ---D | C] -- C:\Users\Keith\AppData\Roaming\HpUpdate
[2012/02/13 18:51:16 | 000,000,000 | ---D | C] -- C:\Windows\Hewlett-Packard
[2012/02/13 18:24:05 | 000,000,000 | ---D | C] -- C:\Windows\IrfanView
[2012/02/13 17:57:23 | 000,000,000 | ---D | C] -- C:\Users\Keith\AppData\Local\Secunia PSI
[2012/02/13 17:57:07 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2012/02/13 17:54:42 | 001,754,456 | ---- | C] (Secunia) -- C:\Users\Keith\Desktop\PSISetup.exe
[2012/02/13 13:32:07 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/13 13:29:14 | 002,061,360 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Keith\Desktop\RootkitRemovalTool.exe
[2012/02/10 21:43:33 | 000,000,000 | ---D | C] -- C:\Users\Keith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
[2012/02/07 19:26:20 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/01/31 02:47:12 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/01/30 12:30:35 | 000,000,000 | ---D | C] -- C:\Users\Keith\Desktop\PsTools
[2012/01/25 20:07:51 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/01/25 20:04:36 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/01/25 20:04:25 | 000,000,000 | ---D | C] -- C:\Users\Keith\AppData\Local\temp
[2012/01/25 16:32:12 | 000,000,000 | ---D | C] -- C:\Users\Keith\AppData\Roaming\Tific
[2012/01/25 14:53:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/25 14:53:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/01/25 14:53:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/25 01:19:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/25 00:33:43 | 004,388,468 | R--- | C] (Swearware) -- C:\Users\Keith\Desktop\ComboFix.exe
[2012/01/23 20:24:07 | 000,000,000 | ---D | C] -- C:\Users\Keith\AppData\Roaming\FixZeroAccess
[2012/01/23 20:15:38 | 001,766,312 | ---- | C] (Symantec Corporation) -- C:\Users\Keith\Desktop\FixZeroAccess.exe

========== Files - Modified Within 30 Days ==========

[2012/02/17 02:40:26 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{90F8D24F-DFD1-493E-A517-64983C63D184}.job
[2012/02/17 02:20:59 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Keith\Desktop\OTL.exe
[2012/02/17 02:04:56 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/17 02:04:32 | 000,003,168 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/17 02:04:32 | 000,003,168 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/17 02:04:32 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/17 02:04:22 | 000,048,447 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2012/02/17 02:04:20 | 000,048,447 | ---- | M] () -- C:\ProgramData\nvModes.001
[2012/02/17 02:03:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/16 14:23:38 | 000,002,696 | ---- | M] () -- C:\Users\Keith\Desktop\Microsoft Word .lnk
[2012/02/15 15:27:36 | 000,000,323 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2012/02/15 15:24:36 | 000,414,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/15 15:21:21 | 2079,137,792 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/15 14:59:55 | 002,521,544 | ---- | M] () -- C:\Windows\System32\drivers\N360\0502000.00D\Cat.DB
[2012/02/15 14:46:49 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/15 14:46:49 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/14 19:30:45 | 000,129,294 | ---- | M] () -- C:\Users\Keith\Documents\AprilO'Neil32AA.jpg
[2012/02/13 21:23:33 | 000,027,148 | ---- | M] () -- C:\Users\Keith\Desktop\bookmarks.htm
[2012/02/13 19:14:47 | 000,000,933 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader 5.0.lnk
[2012/02/13 18:21:46 | 000,001,682 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/02/13 18:21:46 | 000,001,580 | ---- | M] () -- C:\Mozilla Firefox.lnk
[2012/02/13 17:57:11 | 000,000,901 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/02/13 17:54:00 | 001,754,456 | ---- | M] (Secunia) -- C:\Users\Keith\Desktop\PSISetup.exe
[2012/02/13 17:36:42 | 004,388,468 | R--- | M] (Swearware) -- C:\Users\Keith\Desktop\ComboFix.exe
[2012/02/13 16:54:43 | 000,684,297 | ---- | M] () -- C:\Users\Keith\Desktop\unhide.exe
[2012/02/13 14:07:37 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/13 13:57:36 | 000,000,293 | ---- | M] () -- C:\Users\Keith\Desktop\iExplore - Shortcut.lnk
[2012/02/13 12:19:54 | 002,061,360 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Keith\Desktop\RootkitRemovalTool.exe
[2012/02/10 21:43:30 | 000,000,336 | ---- | M] () -- C:\ProgramData\hZMbALzPoP1D7D
[2012/02/07 19:26:20 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/01/31 03:04:50 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/01/31 02:58:34 | 000,004,163 | ---- | M] () -- C:\Users\Keith\Desktop\fixme.reg
[2012/01/29 02:51:16 | 001,683,473 | ---- | M] () -- C:\Users\Keith\Desktop\PsTools.zip
[2012/01/28 00:27:32 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\N360\0502000.00D\isolate.ini
[2012/01/25 15:43:24 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/01/23 20:15:39 | 001,766,312 | ---- | M] (Symantec Corporation) -- C:\Users\Keith\Desktop\FixZeroAccess.exe
[2012/01/23 18:43:00 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForKeith.job
[2012/01/23 18:42:58 | 000,000,134 | ---- | M] () -- C:\Windows\System32\responseBody.xml
[2012/01/23 18:42:57 | 000,004,057 | ---- | M] () -- C:\Windows\System32\requestBody.xml
[2012/01/23 18:42:57 | 000,000,543 | ---- | M] () -- C:\Windows\System32\request.gzip
[2012/01/23 00:13:58 | 000,001,205 | ---- | M] () -- C:\Users\Keith\Desktop\FixNCR.reg.reg
[2012/01/20 16:46:51 | 261,724,572 | ---- | M] () -- C:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2012/02/14 19:30:45 | 000,129,294 | ---- | C] () -- C:\Users\Keith\Documents\AprilO'Neil32AA.jpg
[2012/02/13 21:24:21 | 000,027,148 | ---- | C] () -- C:\Users\Keith\Desktop\bookmarks.htm
[2012/02/13 19:14:47 | 000,000,933 | ---- | C] () -- C:\Users\Public\Desktop\Foxit Reader 5.0.lnk
[2012/02/13 18:21:46 | 000,001,580 | ---- | C] () -- C:\Mozilla Firefox.lnk
[2012/02/13 18:21:45 | 000,001,682 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/02/13 17:57:10 | 000,000,901 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/02/13 17:57:10 | 000,000,864 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
[2012/02/13 16:55:20 | 000,684,297 | ---- | C] () -- C:\Users\Keith\Desktop\unhide.exe
[2012/02/13 16:46:02 | 2079,137,792 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/13 14:07:37 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/10 21:43:30 | 000,000,336 | ---- | C] () -- C:\ProgramData\hZMbALzPoP1D7D
[2012/01/31 02:58:34 | 000,004,163 | ---- | C] () -- C:\Users\Keith\Desktop\fixme.reg
[2012/01/30 12:30:18 | 001,683,473 | ---- | C] () -- C:\Users\Keith\Desktop\PsTools.zip
[2012/01/25 14:53:15 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/25 14:53:15 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/25 14:53:15 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/25 14:53:14 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/25 14:53:14 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/23 02:03:01 | 000,000,293 | ---- | C] () -- C:\Users\Keith\Desktop\iExplore - Shortcut.lnk
[2012/01/23 01:39:02 | 000,001,205 | ---- | C] () -- C:\Users\Keith\Desktop\FixNCR.reg.reg
[2011/12/29 12:11:14 | 000,000,000 | ---- | C] () -- C:\ProgramData\t53GEEQT.exe.b
[2011/12/25 11:51:43 | 000,000,000 | ---- | C] () -- C:\Windows\System32\RFTtW3.com.b
[2011/12/24 11:23:54 | 000,000,112 | ---- | C] () -- C:\ProgramData\M3kFJE2b.dat
[2011/05/12 14:09:37 | 000,001,940 | ---- | C] () -- C:\Users\Keith\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/05/05 11:47:13 | 000,005,976 | ---- | C] () -- C:\Users\Keith\AppData\Roaming\EC44.A5C
[2010/11/23 16:50:46 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/06/09 12:12:19 | 000,000,175 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2009/10/30 21:21:32 | 000,013,347 | ---- | C] () -- C:\Windows\FEN2DIAG.INI
[2009/08/31 19:49:54 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/31 19:49:53 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/31 09:22:02 | 000,135,123 | ---- | C] () -- C:\Windows\hpwins10.dat
[2009/07/31 09:08:05 | 000,135,150 | ---- | C] () -- C:\Windows\hpwins10.dat.temp
[2009/07/31 09:08:05 | 000,001,042 | ---- | C] () -- C:\Windows\hpwmdl10.dat.temp
[2009/02/17 13:36:06 | 000,048,447 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/02/17 13:36:02 | 000,048,447 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/12/19 21:54:02 | 000,417,792 | ---- | C] () -- C:\Windows\System32\fxdb.dll
[2008/12/19 21:52:51 | 001,213,440 | ---- | C] () -- C:\Windows\System32\opengl.dll
[2008/12/19 21:52:51 | 000,154,624 | ---- | C] () -- C:\Windows\System32\glut.dll
[2008/12/19 21:52:50 | 000,315,904 | ---- | C] () -- C:\Windows\System32\glu.dll
[2008/12/19 20:12:51 | 000,000,656 | ---- | C] () -- C:\Users\Keith\AppData\Roaming\wklnhst.dat
[2008/09/08 12:00:56 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/01/25 15:25:08 | 000,011,264 | ---- | C] () -- C:\Windows\System32\rcmirror.dll
[2007/12/27 00:21:34 | 000,006,944 | ---- | C] () -- C:\Users\Keith\AppData\Local\d3d9caps.dat
[2007/11/16 01:37:08 | 000,027,335 | ---- | C] () -- C:\Users\Keith\AppData\Roaming\nvModes.001
[2007/11/16 01:37:07 | 000,027,335 | ---- | C] () -- C:\Users\Keith\AppData\Roaming\nvModes.dat
[2007/11/11 07:16:07 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/11/06 12:53:59 | 000,003,584 | ---- | C] () -- C:\Users\Keith\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/04 21:43:45 | 000,103,437 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/08/04 20:33:21 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2007/03/08 05:43:03 | 000,010,335 | ---- | C] () -- C:\Windows\hpwscr10.dat
[2007/02/27 21:19:55 | 000,001,042 | ---- | C] () -- C:\Windows\hpwmdl10.dat
[2007/02/27 15:43:02 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/12/14 01:01:36 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/12/14 01:01:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,414,704 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 19:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/05/07 07:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2007/11/14 03:02:42 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2007/11/14 03:02:42 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006/11/02 04:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2008/01/19 02:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: WININIT.EXE >
[2008/01/19 02:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\ERDNT\cache\wininit.exe
[2008/01/19 02:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008/01/19 02:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[2006/11/02 04:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe

< MD5 for: WINLOGON.EXE >
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2006/11/02 04:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2008/01/19 02:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< End of report >

#54 myrti (Group: Malware Response Instructor)

Posted 17 February 2012 - 09:57 AM

Hi,

this is looking good. You can go ahead and uninstall ComboFix.

I would also suggest uninstalling the Foxit toolbar, if you're not using it.

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#55 Nil Desperandum (Group: Members)

Posted 17 February 2012 - 08:11 PM

OK, I hit the Windows key and "R" simultaneously and got the Run box. Then I typed in "Combofix /Uninstall" (with a space between the "x" and the "/"). Then I hit "OK." But instead of uninstalling, Combofix started extracting files and then gave me the double beep and said it had detected an antivirus still running and said to disable it. I closed that box and another double beep accompanied the opening of another box saying that Norton 360 was still active but that Combofix would go ahead and run at my risk. *There was never an option to say anything like "Don't run."* I closed that box, too. I have no idea whether or not Combofix then did run, as nothing else appeared. At any rate, Combofix didn't uninstall. (The Combofix icon is still on my desktop, although Combofix doesn't show up in my Programs and Features list of installed programs.)

I haven't tried to do any of the rest of the cleanup procedure. I am uninstalling Foxit Toolbar (and the Foxit Toolbar Updater).

#56 Nil Desperandum (Group: Members)

Posted 23 February 2012 - 12:49 AM

I wound up downloading some security patches to PowerPoint Viewer 2003 and, eventually, PowerPoint Viewer 2007. Microsoft Update says it's up to date. Secunia still says it's a security risk, being out of date.

I got rid of the Foxit toolbar. Foxit no longer shows up as a problem when Secunia runs.

I'm not trying again to uninstall ComboFix without further instructions. That also means I haven't gotten beyond that point in the cleanup instructions you gave above.

#57 myrti (Group: Malware Response Instructor)

Posted 26 February 2012 - 04:05 PM

Hi,

please try to rename combofix.exe to uninstall.exe and double-click it. This should uninstall it as well.

regards myrti

#58 Nil Desperandum (Group: Members)

Posted 26 February 2012 - 09:22 PM

I have no idea what it's doing, but it sure doesn't look as though it were uninstalling. I right-clicked the ComboFix icon, hit "Rename," and changed the name on the icon to "uninstall.exe". Then I double-clicked on it, and it *did* ask if I wanted to put it in the Recycle bin, but it *also* did the various things it did when running, and it isn't gone. Nor does it actually show up in my Recycle bin. Should I worry about not being able to uninstall it?

#59 myrti (Group: Malware Response Instructor)

Posted 27 February 2012 - 03:25 AM

Hi,

it's odd that it won't uninstall, but it's not necessarily something that you need to worry about. Yes, it would be best to uninstall, but the refusal to remove doesn't mean you're still infected. For example, it could easily be your anti-virus program blocking a part of the executable.

Could you try one last time to download a fresh copy, rename it to uninstall.exe and run it? Disable your anti-virus program before launching the program.

regards myrti

#60 myrti (Group: Malware Response Instructor)

Posted 04 March 2012 - 03:26 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.