
Infected with unknown Malware - Search engine results being redirected


  • This topic is locked
16 replies to this topic

#1 Kem

Kem

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 31 January 2010 - 06:04 PM

Hi I hope you can help.

For the past few days, whenever I carry out a Google search and click on the results (selecting to open the page in a new tab), the link gets redirected to a different site.

If I press the back button in the new tab it takes me back to my search results page.

The redirected page is not the same every time but I've noticed that a few sites do come up more often than not, which are:

safecompare.com
ononeworld.com
savecompare.com

Once I close the tab with the redirected page and click on the search result again, the correct page will open in a new tab.

I have also noticed that sometimes I'll get an advert based pop up on the screen.

I have run Malwarebytes which found a few problems and I cleared these but the problem still exists.

I've also completed a full scan with my AV software and it only found some cookies which I deleted.

I then disabled my desktop AV and ran an online Kaspersky scan, which did not find any problems (I selected the critical areas scan).

The problem is annoying and I'd appreciate any help.

Thanks in advance


DDS File
----------------------------------
DDS (Ver_09-12-01.01) - NTFSx86
Run by Jasak at 22:25:22.73 on 31/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1089 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Sectra\IDS5\bin\workstation_service.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\jasak\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\WhlLSP.dll
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: stg1citrix01
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213251525857
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://portal.stgeorges.nhs.uk/InternalSite/WhlCompMgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: NameServer = 93.188.163.217,93.188.166.55
TCP: {398CF624-912B-4F59-B5B6-684EF6462826} = 93.188.163.217,93.188.166.55
TCP: {7089E1F2-85D6-4EDF-BE4B-76158393097B} = 93.188.163.217,93.188.166.55
TCP: {ADAA3639-5242-40CE-A988-B2B8063CB9EA} = 93.188.163.217,93.188.166.55
TCP: {EC8B9847-AE06-4233-A105-3BF9B77BE933} = 93.188.163.217,93.188.166.55
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 wvauth
LSA: Notification Packages = SbNp5 SbNp5 scecli

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-6-23 102688]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-6-23 12928]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-6-23 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-6-23 34192]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-6-23 14960]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\exchsrvr\bin\exmgmt.exe [2008-6-13 3117568]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-6-23 356352]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 workstation_service;SECTRA Workstation Update Service;c:\program files\sectra\ids5\bin\workstation_service.exe [2004-12-21 28729]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-15 174952]
R3 whlva;Whale Network Connector;c:\windows\system32\drivers\whlva.sys [2008-7-23 20248]
S2 Cryptographic Services (CryptSvc) ;Cryptographic Services (CryptSvc) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\tinyproxy.exe [?]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-5-22 144704]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-5-22 54608]
S3 DMService;Whale Component Manager;c:\windows\downloaded program files\dm.0\DMService.exe [2009-3-10 428184]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-15 72936]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-15 33960]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 whliocsv;Whale Network Connector Client;c:\program files\whale communications\client components\3.1.0\whliocsv.exe [2008-7-23 136856]

=============== Created Last 30 ================

2010-01-31 20:13:34 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-31 12:26:25 0 d-----w- c:\docume~1\jasak\applic~1\Malwarebytes
2010-01-31 12:26:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 12:26:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-31 12:26:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 12:26:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-11-21 16:36:13 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 22:25:50.96 ===============
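The DDS output above already carries several indicators that can be flagged without any scanner: an Internet Explorer proxy pointed at 127.0.0.1:9090, DNS servers hard-coded on every interface, and a service entry named like the built-in Cryptographic Services whose image path is c:\program files\tinyproxy\tinyproxy.exe and is marked `[?]` (file not found). The following Python script is an added example, not part of the thread and not DDS's own code: it parses Pseudo HJT and SERVICES / DRIVERS lines of the format shown above and reports such findings. The trusted-resolver allow-list and the list of built-in service names are assumed placeholder values for the example; the sample input is constructed from lines excerpted from the first DDS log in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Analyst-supplied allow-list of DNS resolvers. Placeholder values assumed for
# this example; in practice fill it from the DHCP lease or corporate DNS config.
TRUSTED_DNS = {"10.0.0.53", "192.168.1.1"}

# Display names of built-in Windows services that a rogue service may borrow.
# Illustrative list assumed for this example, not taken from the thread.
BUILTIN_SERVICE_NAMES = {
    "cryptographic services", "cryptsvc", "dns client", "dnscache",
    "windows update", "wuauserv", "computer browser",
}

# Constructed sample: lines excerpted from the first DDS log in the thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
TCP: NameServer = 93.188.163.217,93.188.166.55
TCP: {398CF624-912B-4F59-B5B6-684EF6462826} = 93.188.163.217,93.188.166.55
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 Cryptographic Services (CryptSvc) ;Cryptographic Services (CryptSvc) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\tinyproxy.exe [?]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-5-22 144704]
"""


@dataclass
class Finding:
    rule: str   # short rule identifier
    line: str   # the DDS line that triggered it


_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$", re.IGNORECASE)
# "TCP: NameServer = a,b" (global) or "TCP: {interface-guid} = a,b" (per interface)
_NS_RE = re.compile(r"^TCP:\s*(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# DDS service line: "<state> <name>;<display name>;<image path> [<date size>]"
_SVC_RE = re.compile(r"^([RSP]\d)\s+([^;]+);([^;]+);(.*)$")


def _proxy_hosts(value):
    """Extract host names from 'http=host:port;https=host:port' or 'host:port'."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0])
    return hosts


def triage_dds(text):
    """Return a list of Finding objects for suspicious lines in a DDS report."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PROXY_RE.search(line)
        if m:
            # A proxy on the loopback address means some local process sits
            # between the browser and the network.
            for host in _proxy_hosts(m.group(1)):
                if host == "localhost" or host.startswith("127."):
                    findings.append(Finding("loopback-proxy", line))
            continue
        m = _NS_RE.match(line)
        if m:
            # Hard-coded resolvers not on the allow-list: possible DNS hijack.
            for ip in (p.strip() for p in m.group(1).split(",")):
                if ip and ip not in TRUSTED_DNS:
                    findings.append(Finding("untrusted-dns", line))
                    break
            continue
        m = _SVC_RE.match(line)
        if m:
            _state, name, display, path = m.groups()
            path = path.strip()
            if path.endswith("[?]"):        # DDS marks a missing image file with [?]
                findings.append(Finding("service-file-missing", line))
            # Executable path sits before the " --> " alias or the " [date size]" suffix.
            image = re.split(r"\s+-->\s+|\s+\[", path, maxsplit=1)[0].strip().lower()
            label = f"{name} {display}".lower()
            looks_builtin = any(b in label for b in BUILTIN_SERVICE_NAMES)
            if looks_builtin and not image.startswith("c:\\windows\\"):
                findings.append(Finding("builtin-name-foreign-path", line))
    return findings


def rule_counts(findings):
    """Summarise findings as {rule: count}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.rule}] {f.line}")
```

The rules are deliberately conservative: a loopback proxy or a service file that does not exist is reported on its own, while a DNS server is only reported when it is absent from the allow-list the analyst provides, so the script never has to decide by itself whether an address is hostile.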







#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 01 February 2010 - 06:54 AM

Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Kem

Kem
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 01 February 2010 - 09:13 AM

Hi,

I've downloaded the file and tried to run it on my laptop.

The first two times I ran it, it worked for a while and then blue-screened the laptop with the following details: "file: fwddqpog.sys, page_fault_in_nonpaged_area"

I then disabled Windows Defender and ran the programme again. This time it ran for longer but then stopped with a programme failure error and asked if I wanted to send details to MS (the standard application fault error message).

Do I need to do anything special to get the programme to run?

Thanks

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 01 February 2010 - 09:19 AM

OK, let's do this first...


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double-click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#5 Kem

Kem
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 01 February 2010 - 07:14 PM

Hi,

I've gone through those steps and can report the following:

1. The Comedian ran without issues after I re-enabled system restore (I had turned it off as part of my troubleshooting)

2. I let it install the recovery console.

3. When I was running ComboFix it stated that my McAfee AV and antispyware were running, but I had disabled the components and stopped the services from running. I continued to let ComboFix run.

4. ComboFix then stated that it had detected the presence of rootkit activity and needed to reboot the machine. I let it do this.

5. Upon reboot combofix continued to run to completion, deleting some files.

I've attached the log as requested.

Please can you let me know next steps.

Thanks




#6 Kem

Kem
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 01 February 2010 - 07:19 PM

Sorry, I forgot to add.

When the machine rebooted before compiling the combofix log it gave me an application error for mbr.cfxxe and I've not seen that before. Is it something to be worried about?

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 02 February 2010 - 06:59 AM

Quote: "(I had turned it off as part of my troubleshooting)"


Never do that again.. Please DO NOT turn off your System Restore by any means..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KillAll::

FCopy::
c:\windows\system32\dllcache\atapi.sys | c:\windows\system32\drivers\atapi.sys

SkipFix::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#8 Kem

Kem
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 02 February 2010 - 03:22 PM

Hi

I'll do this. Can you point me in the direction of where I can download HijackThis and use it?

Thanks

#9 Kem

Kem
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 02 February 2010 - 04:08 PM

Hi

I've run combofix again and the log is attached.

It did say it found rootkit activity.

A DDS log is below (is this good enough as a HijackThis log?)

Thanks

-------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Jasak at 21:01:44.60 on 02/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1422 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Sectra\IDS5\bin\workstation_service.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jasak\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\WhlLSP.dll
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: stg1citrix01
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213251525857
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://portal.stgeorges.nhs.uk/InternalSite/WhlCompMgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {398CF624-912B-4F59-B5B6-684EF6462826} = 93.188.163.217,93.188.166.55
TCP: {7089E1F2-85D6-4EDF-BE4B-76158393097B} = 93.188.163.217,93.188.166.55
TCP: {ADAA3639-5242-40CE-A988-B2B8063CB9EA} = 93.188.163.217,93.188.166.55
TCP: {EC8B9847-AE06-4233-A105-3BF9B77BE933} = 93.188.163.217,93.188.166.55
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-5-22 144704]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-6-23 102688]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-6-23 12928]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-6-23 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-6-23 34192]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-6-23 14960]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-5-22 54608]
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\exchsrvr\bin\exmgmt.exe [2008-6-13 3117568]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-6-23 356352]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 workstation_service;SECTRA Workstation Update Service;c:\program files\sectra\ids5\bin\workstation_service.exe [2004-12-21 28729]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-15 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-15 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-15 174952]
R3 whlva;Whale Network Connector;c:\windows\system32\drivers\whlva.sys [2008-7-23 20248]
S2 Cryptographic Services (CryptSvc) ;Cryptographic Services (CryptSvc) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\tinyproxy.exe [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 whliocsv;Whale Network Connector Client;c:\program files\whale communications\client components\3.1.0\whliocsv.exe [2008-7-23 136856]

=============== Created Last 30 ================

2010-02-01 23:40:17 0 d-sha-r- C:\cmdcons
2010-02-01 23:38:43 98816 ----a-w- c:\windows\sed.exe
2010-02-01 23:38:43 77312 ----a-w- c:\windows\MBR.exe
2010-02-01 23:38:43 261632 ----a-w- c:\windows\PEV.exe
2010-02-01 23:38:43 161792 ----a-w- c:\windows\SWREG.exe
2010-02-01 22:50:51 0 d-----w- c:\windows\system32\appmgmt
2010-01-31 20:13:34 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-31 12:26:25 0 d-----w- c:\docume~1\jasak\applic~1\Malwarebytes
2010-01-31 12:26:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 12:26:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-31 12:26:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 12:26:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-11-21 16:36:13 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 21:02:08.43 ===============




#10 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 03 February 2010 - 08:04 AM

Please download Norman TDSS Cleaner and save it to your Desktop.

Run it.. Just click on Accept >> Start scan

Let it scan till finish.. After that, a notepad file named NFix_date_time will be created on your Desktop. Post its content on your next reply..


Then run ComboFix once again (just double-click it) and post the fresh log here.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 Kem
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 03 February 2010 - 06:00 PM

I downloaded and ran Norman TDSS Cleaner and the results are below. It was set to scan c:\windows\system32\* and I did not change this; is that correct?

I then ran ComboFix again and am attaching the log (it did say it found rootkit activity again).

Please let me know what to do next.

Thanks

Norman TDSS log
--------------------------------
Norman TDSS Cleaner
Version 1.6.2
Copyright © 1990 - 2009, Norman ASA. Built 2010/01/28 09:46:45

Norman Scanner Engine Version: 6.04.03
Nvcbin.def Version: 6.04.00, Date: 2010/01/28 09:46:45, Variants: 1817

Scan started: 03/02/2010 22:02:50

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: STGEORGES\Jasak


Scanning bootsectors...

Number of sectors found: 0
Number of sectors scanned: 0
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s


Scanning running processes and process memory...

Number of processes/threads found: 8423
Number of processes/threads scanned: 8423
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 1m 9s


Scanning file system...

Scanning: prescan

Scanning: C:\WINDOWS\system32\*

Scanning: postscan


Running post-scan cleanup routine:
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "C:\WINDOWS\system32\wxvault.dll" -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispScrSavPage = 0x00000000
Removed registry value: HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispScrSavPage = 0x00000000
Removed registry value: HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispScrSavPage = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispScrSavPage = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

Number of files found: 5100
Number of archives unpacked: 4
Number of files scanned: 5100
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 2m 33s




#12 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 04 February 2010 - 06:58 AM

Ok.. First of all, copy this file directly to your Desktop.. Don't skip this step.. It's super important.

c:\windows\system32\dllcache\atapi.sys


Next, please find and upload the file below to RapidShare or Megaupload and share the download link with me via PM

c:\windows\system32\drivers\atapi.sys



After you do the two steps above, do the following..


Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

CODE
Begin copying here:
Files to move:
%userprofile%\desktop\atapi.sys | c:\windows\system32\drivers\atapi.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.


Then run ComboFix once again..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
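The Avenger script in this post replaces the live atapi.sys with the copy Windows keeps in system32\dllcache. As an added example (not from this thread, and not code from any of the tools named in it), here is a Python check a defender can run to see whether a driver in system32\drivers differs from its dllcache copy: it hashes both files and flags a mismatch, including the case where the two files have the same size. The directory paths are the Windows XP defaults referred to in the thread; the driver bytes in the block are constructed stand-ins, not real driver contents, and `check_drivers` takes an injectable reader so the logic runs without touching disk.

```python
"""Compare a live Windows XP driver against its dllcache copy by hash.

Added example, not from the thread. Assumed paths are the XP defaults the
thread refers to; the sample driver bytes below are constructed.
"""
import hashlib
from pathlib import Path

# Assumed default locations on a Windows XP system (as used in the thread).
SYSTEM32 = Path(r"C:\WINDOWS\system32")
DRIVERS_DIR = SYSTEM32 / "drivers"
DLLCACHE_DIR = SYSTEM32 / "dllcache"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_driver(name: str, live: bytes, cache: bytes) -> dict:
    """Return hashes, sizes and a match flag for one driver.

    A size match combined with a hash mismatch is the case worth a close
    look: the file was changed in place rather than replaced by a larger one.
    """
    live_hash, cache_hash = sha256_hex(live), sha256_hex(cache)
    return {
        "name": name,
        "live_size": len(live),
        "cache_size": len(cache),
        "live_sha256": live_hash,
        "cache_sha256": cache_hash,
        "match": live_hash == cache_hash,
    }


def check_drivers(names, read=lambda p: p.read_bytes()):
    """Compare each named driver in DRIVERS_DIR with its DLLCACHE_DIR copy.

    `read` is injectable so the logic can be exercised without disk access.
    A driver missing from either location is reported, not silently skipped.
    """
    results = []
    for name in names:
        live_path, cache_path = DRIVERS_DIR / name, DLLCACHE_DIR / name
        try:
            live, cache = read(live_path), read(cache_path)
        except OSError as exc:
            results.append({"name": name, "error": str(exc), "match": None})
            continue
        results.append(compare_driver(name, live, cache))
    return results


# Constructed sample bytes: a "clean" stand-in and a copy modified in place
# so that it keeps the same length. These are not real driver contents.
CLEAN_ATAPI = b"MZ" + b"\x90" * 64 + b"constructed clean driver body"
PATCHED_ATAPI = CLEAN_ATAPI[:-8] + b"patched!"


def demo_offline():
    """Run check_drivers against an in-memory fake of the two directories."""
    fake_fs = {
        DRIVERS_DIR / "atapi.sys": PATCHED_ATAPI,   # modified in place
        DLLCACHE_DIR / "atapi.sys": CLEAN_ATAPI,    # cached copy
        DRIVERS_DIR / "disk.sys": CLEAN_ATAPI,      # untouched driver
        DLLCACHE_DIR / "disk.sys": CLEAN_ATAPI,
    }

    def fake_read(path):
        if path not in fake_fs:
            raise FileNotFoundError(str(path))
        return fake_fs[path]

    return check_drivers(["atapi.sys", "disk.sys", "missing.sys"],
                         read=fake_read)


if __name__ == "__main__":
    for result in demo_offline():
        print(result)
```

Run it with the default reader on the machine itself (`check_drivers(["atapi.sys"])`) to compare the real files. A match only shows that the two copies agree, not that either is clean, which is why the reply asks for the file itself to be uploaded; comparing against a hash taken from known-good installation media is the stronger check.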


#13 Kem
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 04 February 2010 - 05:43 PM

Hi

I've uploaded the atapi.sys file to RapidShare as requested and sent you the download link.

I've run Avenger and the log is below.

I've also run ComboFix again and this time it didn't complain of any rootkit activity. The log is attached.

Thanks for your help so far.

Please let me know next steps.

Thanks

------------------------------
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Documents and Settings\jasak\desktop\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.




#14 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 05 February 2010 - 07:23 AM

Hahaha.. We beat the rootkit! Let's do an online scanner.


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 Kem
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 06 February 2010 - 04:54 AM

Hi

I've run the ESET online scanner and the results are below.

I've done a few Google searches and my results have not been redirected, so I'm hoping the problem has been resolved.

I'll keep an eye on it for a few days.

Do I have to do anything special to uninstall all the tools we've used?

Thanks so much for your help.

----------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=96703d2d22080c48814d3d8ee7f27a8a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-06 09:45:51
# local_time=2010-02-06 09:45:51 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 168 168 0 0
# scanned=69044
# found=0
# cleaned=0
# scan_time=1604




