
Google Redirect Virus/Malware


This topic is locked
11 replies to this topic

#1 chimy

Posted 20 February 2010 - 11:51 PM

It's been a couple of days since it started. It's a nuisance right now, but through searching on the web, I've found it can do more than annoy. To give detail, when I am on Google and search for anything, and click on a link, I am redirected to "juggle.com." If I go back and then try the link again, it works as it should. Further, I am using Firefox (3.5 I believe), Norton 360 Antivirus, and a secure wireless network. I would like help removing this please.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Shayne Managbanag at 20:05:40.05 on Sat 02/20/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1247.601 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Search Settings\SearchSettings.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shayne Managbanag\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pcaler~1.lnk - c:\program files\msi\pc alert 4\StartPCAlert4.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shayne~1\applic~1\mozilla\firefox\profiles\r6fuipkz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\search settings\ff\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\shayne managbanag\application data\mozilla\firefox\profiles\r6fuipkz.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {05FD376F-EEE1-443F-9AA2-182A864F445A} - c:\documents and settings\shayne managbanag\local settings\application data\{05FD376F-EEE1-443F-9AA2-182A864F445A}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-1-8 380928]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-11-8 12672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100220.006\NAVENG.SYS [2010-2-20 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100220.006\NAVEX15.SYS [2010-2-20 1324720]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-12-28 517632]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-7-22 1251720]
S3 MsibiosDevice;MsibiosDevice;\??\c:\program files\msi\live update 4\lu4\msibios.sys --> c:\program files\msi\live update 4\lu4\msibios.sys [?]

=============== Created Last 30 ================

2010-02-21 01:45:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-02-21 01:45:45 0 d-----w- c:\program files\Hitman Pro 3.5
2010-01-26 10:02:38 0 d-----w- c:\docume~1\shayne~1\applic~1\Malwarebytes
2010-01-26 10:02:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 10:02:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 10:02:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 10:02:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-26 09:49:23 0 ----a-w- c:\windows\Fnohecazuwi.bin
2010-01-26 09:49:22 120 ----a-w- c:\windows\Trape.dat
2010-01-26 09:23:17 1 ----a-w- C:\s

==================== Find3M ====================

2010-01-08 04:18:59 81528 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 14:15:30 178176 ----a-w- c:\windows\system32\unrar.dll
2009-11-27 17:33:35 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33:35 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 20:06:25.80 ===============
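The DDS report above lists the browser hooks that matter for a search redirect: a URLSearchHook and a BHO from c:\program files\search settings, a Firefox component from the same package, and a Firefox extension named "XULRunner" registered from a {GUID} folder under the user's Local Settings\Application Data (the same paths ComboFix later lists under "Other Deletions"). As an added example for this thread, the script below is the editor's own code, not a BleepingComputer, DDS or ComboFix tool: it runs a handful of heuristics over lines copied from the DDS and ComboFix output in this thread and prints what a helper would look at first. The severities, the "user-writable path" rule and the 4096-byte small-file threshold are the editor's assumptions, and a hit means "check this", not "this is malware": a suite such as Norton legitimately sets the Security Center DisableMonitoring values and replaces the Windows Firewall.

```python
"""Triage heuristics for DDS / ComboFix log lines (added example, not a DDS tool).

A hit means "look at this", not "this is malware": the Security Center and
firewall values below are also set legitimately by suites such as Norton.
"""
import re

# Sample lines copied from the DDS and ComboFix output posted in this thread.
SAMPLE_LOG = r"""
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
FF - component: c:\program files\search settings\ff\components\SearchSettingsFF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {05FD376F-EEE1-443F-9AA2-182A864F445A} - c:\documents and settings\shayne managbanag\local settings\application data\{05FD376F-EEE1-443F-9AA2-182A864F445A}
2010-01-26 09:49:23 0 ----a-w- c:\windows\Fnohecazuwi.bin
2010-01-26 09:49:22 120 ----a-w- c:\windows\Trape.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Locations a limited user can write to; browser hooks living here get a hard look.
USER_WRITABLE = re.compile(r"^c:\\(documents and settings|docume~1|users)\\", re.I)
# IE hooks as DDS prints them (u = HKCU, m = HKLM prefix on URLSearchHooks).
IE_HOOK = re.compile(r"^([um]?URLSearchHooks|BHO|TB):\s*(.*)$")
FF_HIDDEN = re.compile(r"^FF - HiddenExtension: (.*?): \{[0-9a-f-]+\} - (.*)$", re.I)
FF_COMPONENT = re.compile(r"^FF - component: (.*)$", re.I)
# 'Created Last 30' / 'Files Created' lines: timestamp(s), size, attrs, path.
CREATED = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?\s.*?(\d+)\s+([-a-z]{8})\s+(c:\\windows\\[^\\]+)$", re.I)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SMALL_FILE = 4096  # assumed threshold: marker/config files droppers leave are tiny


def classify(line, reg_key):
    """Return (severity, reason) for one stripped log line, or None if unremarkable.
    reg_key is the last '[...]' key seen; ComboFix prints values under their key."""
    m = IE_HOOK.match(line)
    if m:
        kind, rest = m.groups()
        if rest.endswith("- No File"):
            return ("low", f"{kind} registered but its DLL is gone (orphan CLSID)")
        path = rest.rsplit(" - ", 1)[-1]
        if USER_WRITABLE.match(path):
            return ("high", f"{kind} loaded from a user-writable path: {path}")
        if kind.endswith("URLSearchHooks"):
            return ("medium", f"URLSearchHook rewrites address-bar searches: {path}")
        return None
    m = FF_HIDDEN.match(line)
    if m:
        name, path = m.groups()
        if USER_WRITABLE.match(path):
            return ("high", f"registry-installed Firefox extension '{name}' in a per-user path: {path}")
        return None
    m = FF_COMPONENT.match(line)
    if m:
        return ("medium", f"third-party XPCOM component loaded into Firefox: {m.group(1)}")
    m = CREATED.match(line)
    if m and not m.group(2).startswith("d") and int(m.group(1)) < SMALL_FILE:
        return ("medium", f"small new file dropped straight into c:\\windows: {m.group(3)}")
    m = REG_VALUE.match(line)
    if m and reg_key:
        name, value = m.groups()
        key = reg_key.lower()
        if "security center\\monitoring" in key and name == "DisableMonitoring" and value.endswith("1"):
            return ("review", f"Security Center monitoring disabled under {reg_key}")
        if "firewallpolicy" in key and name == "EnableFirewall" and value.startswith("0"):
            profile = reg_key.rsplit("\\", 1)[-1]
            return ("review", f"Windows Firewall off for the {profile} profile")
    return None


def triage(log_text):
    """Scan a whole log; return (severity, reason, line) hits in log order."""
    hits, reg_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        k = REG_KEY.match(line)
        if k:
            reg_key = k.group(1)  # remember the key for the values that follow
            continue
        verdict = classify(line, reg_key)
        if verdict:
            hits.append((*verdict, line))
    return hits


if __name__ == "__main__":
    for sev, reason, _ in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}")
```

Run it as a script to print the hits for the embedded sample, or call triage() on a whole DDS or ComboFix log pasted into a string; ComboFix's "Supplementary Scan" and "Reg Loading Points" sections use the same line shapes, so the rules apply unchanged to the log in the third post. The point of the user-writable-path rule is the one the XULRunner entry illustrates: a browser extension or BHO that a limited user could have written is worth far more suspicion than one under Program Files or Windows, regardless of what it calls itself.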


#2 jpshortstuff

Posted 22 February 2010 - 02:24 PM

Hi,

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3





IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.


#3 chimy

Posted 24 February 2010 - 12:14 AM

Hi,

Just for added information, here is what occurred; all normal, I believe. I downloaded CF from the first link. Saved it as combo-fix, as instructed. Ran CF and encountered a message about my Norton antivirus; I could not manually stop Norton as it was not visible in the tray or in the Task Manager, but I continued anyway. CF restarted my PC, then installed the Windows Recovery Console, then continued and completed the scan.

Here is the log (also attached):

ComboFix 10-02-23.03 - Shayne Managbanag 02/23/2010 21:52:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1247.767 [GMT -7:00]
Running from: c:\documents and settings\Shayne Managbanag\Desktop\Combo-Fix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shayne Managbanag\Application Data\AD ON Multimedia
c:\documents and settings\Shayne Managbanag\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\~DFK2220a452.tmp
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\1eaadjc.dll
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\bass.dll
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\kfgresk.dll
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\mjcriu.dll
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\peaadje.dll
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\qwadjb.dll
c:\documents and settings\Shayne Managbanag\Application Data\Microsoft\rsaadjd.dll
c:\documents and settings\Shayne Managbanag\Local Settings\Application Data\{05FD376F-EEE1-443F-9AA2-182A864F445A}
c:\documents and settings\Shayne Managbanag\Local Settings\Application Data\{05FD376F-EEE1-443F-9AA2-182A864F445A}\chrome.manifest
c:\documents and settings\Shayne Managbanag\Local Settings\Application Data\{05FD376F-EEE1-443F-9AA2-182A864F445A}\chrome\content\_cfg.js
c:\documents and settings\Shayne Managbanag\Local Settings\Application Data\{05FD376F-EEE1-443F-9AA2-182A864F445A}\chrome\content\overlay.xul
c:\documents and settings\Shayne Managbanag\Local Settings\Application Data\{05FD376F-EEE1-443F-9AA2-182A864F445A}\install.rdf
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\Search Settings\kb128\SearchSettingsInstaller.130.exe
c:\program files\Search Settings\SearchSettings.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
C:\s

.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-21 01:45 . 2010-02-21 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-02-21 01:45 . 2010-02-21 01:45 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-26 23:07 . 2010-01-26 23:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Malwarebytes
2010-01-26 10:02 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 10:02 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 09:49 . 2010-02-11 08:29 0 ----a-w- c:\windows\Fnohecazuwi.bin
2010-01-26 09:49 . 2010-02-03 20:02 120 ----a-w- c:\windows\Trape.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 04:38 . 2008-10-29 01:19 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\uTorrent
2010-02-21 04:34 . 2009-04-04 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-21 04:30 . 2008-10-29 01:19 -------- d-----w- c:\program files\uTorrent
2010-02-21 04:19 . 2005-05-06 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-20 00:45 . 2005-05-06 22:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-11 22:11 . 2008-11-02 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-31 05:02 . 2010-01-14 10:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-22 09:12 . 2008-11-28 17:43 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\LimeWire
2010-01-20 06:25 . 2008-10-26 21:15 77648 -c--a-w- c:\documents and settings\Shayne Managbanag\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 18:51 . 2009-10-17 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-01-19 18:11 . 2009-04-06 03:25 -------- d-----w- c:\program files\WinAVI Video Converter 9.0
2010-01-19 03:54 . 2009-09-10 08:18 -------- d-----w- c:\program files\Research In Motion
2010-01-19 03:47 . 2009-09-18 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-19 03:45 . 2008-11-06 06:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-16 20:34 . 2010-01-16 20:34 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Search Settings
2010-01-16 18:08 . 2010-01-16 18:08 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-01-16 18:08 . 2010-01-16 18:08 -------- d-----w- c:\program files\Application Updater
2010-01-16 08:02 . 2010-01-15 21:52 -------- d-----w- c:\program files\Xvid
2010-01-15 18:35 . 2010-01-15 18:35 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Canon
2010-01-14 10:25 . 2009-01-25 10:37 -------- d-----w- c:\program files\QuickTime
2010-01-08 04:43 . 2010-01-08 04:43 -------- d-----w- c:\program files\Common Files\Common Share
2010-01-08 04:43 . 2010-01-08 04:43 -------- d-----w- c:\program files\OJOsoft
2010-01-08 04:18 . 2010-01-08 04:18 81528 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-07 23:48 . 2009-09-10 08:19 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-07 23:48 . 2009-09-10 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-07 23:43 . 2009-09-10 08:35 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Research In Motion
2010-01-07 23:38 . 2009-09-10 08:35 256 ----a-w- c:\windows\system32\pool.bin
2010-01-06 00:34 . 2010-01-06 00:34 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Media Player Classic
2010-01-03 18:00 . 2010-01-03 17:57 -------- d-----w- c:\program files\iTunes
2010-01-03 17:57 . 2010-01-03 17:57 -------- d-----w- c:\program files\iPod
2010-01-03 17:57 . 2009-10-05 07:27 -------- d-----w- c:\program files\Common Files\Apple
2010-01-03 17:56 . 2009-01-25 10:34 -------- d-----w- c:\program files\Bonjour
2010-01-03 17:54 . 2009-10-05 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-03 17:52 . 2010-01-03 17:52 -------- d-----w- c:\program files\Apple Software Update
2009-12-31 16:14 . 2005-05-06 19:46 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2005-05-06 19:45 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2005-05-06 19:43 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 14:15 . 2010-01-14 10:24 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-09 03:07 . 2009-12-09 03:07 232952 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-08 18:55 . 2005-05-06 19:45 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2005-05-06 20:48 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2005-05-06 19:45 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2005-05-06 20:48 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33 . 2005-05-06 19:46 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:37 . 2005-05-06 20:48 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37 . 2005-05-06 20:47 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2005-05-06 19:45 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2005-05-06 19:45 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2005-05-06 19:42 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-13 319280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SiSPower"="SiSPower.dll" [2007-08-03 53248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\StartPCAlert4.exe [2009-11-8 188416]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-24 14:00 33648 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-12-12 19:41 157312 -c--a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34821:TCP"= 34821:TCP:Utor1
"30644:TCP"= 30644:TCP:Utor1

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [11/8/2009 2:31 AM 12672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 11:14 AM 102448]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/28/2009 10:28 AM 517632]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/1/2008 11:07 PM 717296]
S3 MsibiosDevice;MsibiosDevice;\??\c:\program files\MSI\Live Update 4\LU4\msibios.sys --> c:\program files\MSI\Live Update 4\LU4\msibios.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-24 c:\windows\Tasks\User_Feed_Synchronization-{53DB7E93-3827-461B-852E-0D9AD53CAB4D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Shayne Managbanag\Application Data\Mozilla\Firefox\Profiles\r6fuipkz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Search Settings\SearchSettings.dll
BHO-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Search Settings\SearchSettings.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 21:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3542814547-1807725548-2705418666-1005\Software\SecuROM\License information*]
"datasecu"=hex:75,c6,89,dc,8f,1a,5f,46,9e,7a,23,87,dd,bd,06,0d,48,3f,76,d9,de,
4a,5c,dd,8a,77,89,80,2f,87,2d,53,da,6d,a8,f9,73,80,56,a6,bd,88,c6,1a,d5,f9,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
Completion time: 2010-02-23 22:01:20
ComboFix-quarantined-files.txt 2010-02-24 05:01

Pre-Run: 4,513,796,096 bytes free
Post-Run: 4,475,539,456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 40DFC4A6419ED698A80C327A5E3753A6



#4 jpshortstuff
WhatTheTech Teacher

Posted 24 February 2010 - 05:37 AM

Hi,

You appear to have Limewire installed - this is a great way to get yourself infected. I strongly recommend you consider removing it, and at the very least please do not use it until we have finished cleaning.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
c:\windows\Fnohecazuwi.bin
c:\windows\Trape.dat

Folder::
c:\program files\Application Updater
c:\documents and settings\Shayne Managbanag\Application Data\Search Settings

Driver::
Application Updater

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post ComboFix.txt in your next reply.


ESET online scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.
  • Please go here then click on:
    QUOTE
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Let me know how your computer is running now.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#5 chimy
Topic Starter

Posted 24 February 2010 - 09:08 PM

Alright, so I followed the instructions and created the CFScript and dragged it to CF. It ran the process, then rebooted and saved the log. With the ESET scan, I had trouble, as it remained stuck at 15% for nearly an hour (I did not move or click the mouse or touch the keyboard as directed). So I decided to cancel the scan, but of the 15% scanned there were no threats detected. I'm not sure how important the ESET scan was for this issue; maybe there's a different program available? And as for Limewire... it is on my computer; however, it has not been run for some time now, I have not gotten around to uninstalling it.

To let you know how my computer's running now (without the completed ESET scan): since the first CF scan I have not had any issues with Google redirecting me to unwanted pages; however, I'm still following your directions as I am not trained to say the problem is fixed and will wait for your go-ahead.


Here is the log from the new CF scan (again, also attached):

ComboFix 10-02-24.01 - Shayne Managbanag 02/24/2010 16:23:57.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1247.640 [GMT -7:00]
Running from: c:\documents and settings\Shayne Managbanag\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Shayne Managbanag\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

FILE ::
"c:\windows\Fnohecazuwi.bin"
"c:\windows\Trape.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shayne Managbanag\Application Data\Search Settings
c:\documents and settings\Shayne Managbanag\Application Data\Search Settings\kb130\temp\ws-14660.log
c:\documents and settings\Shayne Managbanag\Application Data\Search Settings\kb130\temp\ws-14661.log
c:\documents and settings\Shayne Managbanag\Application Data\Search Settings\kb130\temp\ws-14662.log
c:\documents and settings\Shayne Managbanag\Application Data\Search Settings\kb130\temp\ws-14663.log
c:\program files\Application Updater
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Application Updater\config.ini
c:\windows\Fnohecazuwi.bin
c:\windows\Trape.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APPLICATION_UPDATER
-------\Service_Application Updater


((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-21 01:45 . 2010-02-21 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Malwarebytes
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 23:44 . 2008-10-29 01:19 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\uTorrent
2010-02-21 04:34 . 2009-04-04 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-21 04:30 . 2008-10-29 01:19 -------- d-----w- c:\program files\uTorrent
2010-02-21 04:19 . 2005-05-06 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-21 01:45 . 2010-02-21 01:45 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-02-20 00:45 . 2005-05-06 22:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-11 22:11 . 2008-11-02 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-31 05:02 . 2010-01-14 10:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 09:12 . 2008-11-28 17:43 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\LimeWire
2010-01-20 06:25 . 2008-10-26 21:15 77648 -c--a-w- c:\documents and settings\Shayne Managbanag\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 18:51 . 2009-10-17 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-01-19 18:11 . 2009-04-06 03:25 -------- d-----w- c:\program files\WinAVI Video Converter 9.0
2010-01-19 03:54 . 2009-09-10 08:18 -------- d-----w- c:\program files\Research In Motion
2010-01-19 03:47 . 2009-09-18 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-19 03:45 . 2008-11-06 06:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-16 18:08 . 2010-01-16 18:08 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-01-16 08:02 . 2010-01-15 21:52 -------- d-----w- c:\program files\Xvid
2010-01-15 18:35 . 2010-01-15 18:35 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Canon
2010-01-14 10:25 . 2009-01-25 10:37 -------- d-----w- c:\program files\QuickTime
2010-01-08 04:43 . 2010-01-08 04:43 -------- d-----w- c:\program files\Common Files\Common Share
2010-01-08 04:43 . 2010-01-08 04:43 -------- d-----w- c:\program files\OJOsoft
2010-01-08 04:18 . 2010-01-08 04:18 81528 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-07 23:48 . 2009-09-10 08:19 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-07 23:48 . 2009-09-10 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-07 23:43 . 2009-09-10 08:35 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Research In Motion
2010-01-07 23:38 . 2009-09-10 08:35 256 ----a-w- c:\windows\system32\pool.bin
2010-01-07 23:07 . 2010-01-26 10:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2010-01-26 10:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 00:34 . 2010-01-06 00:34 -------- d-----w- c:\documents and settings\Shayne Managbanag\Application Data\Media Player Classic
2010-01-03 18:00 . 2010-01-03 17:57 -------- d-----w- c:\program files\iTunes
2010-01-03 17:57 . 2010-01-03 17:57 -------- d-----w- c:\program files\iPod
2010-01-03 17:57 . 2009-10-05 07:27 -------- d-----w- c:\program files\Common Files\Apple
2010-01-03 17:56 . 2009-01-25 10:34 -------- d-----w- c:\program files\Bonjour
2010-01-03 17:54 . 2009-10-05 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-03 17:52 . 2010-01-03 17:52 -------- d-----w- c:\program files\Apple Software Update
2009-12-31 16:14 . 2005-05-06 19:46 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2005-05-06 19:45 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2005-05-06 19:43 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 14:15 . 2010-01-14 10:24 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-09 03:07 . 2009-12-09 03:07 232952 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-08 18:55 . 2005-05-06 19:45 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2005-05-06 20:48 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2005-05-06 19:45 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2005-05-06 20:48 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33 . 2005-05-06 19:46 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:37 . 2005-05-06 20:48 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37 . 2005-05-06 20:47 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2005-05-06 19:45 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2005-05-06 19:45 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2005-05-06 19:42 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-24 319280]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SiSPower"="SiSPower.dll" [2007-08-03 53248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\StartPCAlert4.exe [2009-11-8 188416]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-24 14:00 33648 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-12-12 19:41 157312 -c--a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34821:TCP"= 34821:TCP:Utor1
"30644:TCP"= 30644:TCP:Utor1

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/1/2008 11:07 PM 717296]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [11/8/2009 2:31 AM 12672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 11:14 AM 102448]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/28/2009 10:28 AM 517632]
S3 MsibiosDevice;MsibiosDevice;\??\c:\program files\MSI\Live Update 4\LU4\msibios.sys --> c:\program files\MSI\Live Update 4\LU4\msibios.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-24 c:\windows\Tasks\User_Feed_Synchronization-{53DB7E93-3827-461B-852E-0D9AD53CAB4D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Shayne Managbanag\Application Data\Mozilla\Firefox\Profiles\r6fuipkz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 16:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89FD51F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba747cb8
\Driver\atapi -> 0x89fd51f8
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3542814547-1807725548-2705418666-1005\Software\SecuROM\License information*]
"datasecu"=hex:75,c6,89,dc,8f,1a,5f,46,9e,7a,23,87,dd,bd,06,0d,48,3f,76,d9,de,
4a,5c,dd,8a,77,89,80,2f,87,2d,53,da,6d,a8,f9,73,80,56,a6,bd,88,c6,1a,d5,f9,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3212)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-24 16:52:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-24 23:52
ComboFix2.txt 2010-02-24 05:01

Pre-Run: 4,474,945,536 bytes free
Post-Run: 4,321,439,744 bytes free

- - End Of File - - 169ADFDACC3CBD6B51FD9DA65E88A422


Edited by chimy, 24 February 2010 - 09:12 PM.
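The two ComboFix logs above are read by eye in this thread: the Trusted Zone entries, the orphaned URLSearchHook/BHO pair, the firewall policy block, and the lines the Stealth MBR detector prints. As an added example (my own code, not ComboFix's and not part of the original posts), here is a Python triage pass that pulls those lines out of a log and tags each with a category. The sample input is an excerpt copied from the logs posted above; the category names, the rule set and the regular expressions are assumptions of this example. It reports items to look at and does not decide whether any of them is malicious.

```python
"""Triage pass over a ComboFix-style log.

Added example for this thread; the code is mine, not ComboFix's. It pulls out
the lines a reviewer checks first and tags each one with a category. It does
not decide whether anything is malicious: every finding is an item to look at.
"""
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # category a reviewer sorts by
    detail: str  # the evidence, lightly normalised


# Constructed excerpt: lines copied from the two ComboFix logs posted above.
SAMPLE_LOG = r"""
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Search Settings\SearchSettings.dll
BHO-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Search Settings\SearchSettings.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34821:TCP"= 34821:TCP:Utor1
"30644:TCP"= 30644:TCP:Utor1
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89FD51F8]<<
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\atapi -> 0x89fd51f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# Browser hook registrations ComboFix lists as orphans: type-{CLSID} - path
_HOOK_RE = re.compile(r"^(URLSearchHooks|BHO|Toolbar|WebBrowser)-(\{[0-9A-Fa-f-]+\}) - (.+)$")
_FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
# Driver dispatch hook that resolves to a bare address with no owning module
_BARE_HOOK_RE = re.compile(r"^\\Driver\\(\S+) -> (0x[0-9A-Fa-f]+)$")
_UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = ""  # most recent "[...]" registry header, kept as context
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if line.startswith("Trusted Zone:"):
            findings.append(Finding("trusted_zone", line.split(":", 1)[1].strip()))
            continue
        m = _HOOK_RE.match(line)
        if m:
            findings.append(Finding("browser_helper", f"{m.group(1)} {m.group(2)} -> {m.group(3)}"))
            continue
        if "firewallpolicy" in current_key.lower():
            if _FIREWALL_OFF_RE.match(line):
                # profile name is the last component of the key, e.g. standardprofile
                findings.append(Finding("firewall_disabled", current_key.rsplit("\\", 1)[-1]))
                continue
            m = _PORT_RE.match(line)
            if m and current_key.lower().endswith("globallyopenports\\list"):
                findings.append(Finding("open_port", f"{m.group(1)}/{m.group(2)}"))
                continue
        m = _UNKNOWN_RE.search(line)
        if m:
            findings.append(Finding("unknown_module", m.group(1)))
            continue
        m = _BARE_HOOK_RE.match(line)
        if m:
            findings.append(Finding("driver_hook", f"{m.group(1)} -> {m.group(2)}"))
            continue
        if line.startswith("Warning:"):
            findings.append(Finding("mbr_warning", line))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per category; a category with no hits reads as 0."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.detail}")
```

Run it on a full ComboFix.txt with `triage(open(path, encoding="latin-1").read())`. On the excerpt it returns eleven findings, and reading them against the rest of the log is the point: the log header shows the Norton 360 firewall enabled, so a disabled Windows Firewall profile is expected here rather than suspicious; the two open ports are labelled Utor1 and uTorrent sits in the Run key; the URLSearchHook/BHO pair is the Search Settings entry ComboFix had already removed as orphans; and the unknown module and bare atapi hook are exactly what the detector's own Warning line refers to. The finding list is the starting point for that reading, not a verdict.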


#6 jpshortstuff
WhatTheTech Teacher

Posted 25 February 2010 - 03:34 AM

That log looks pretty good to me. Since ESET wasn't working for you, I recommend you open MalwareBytes' AntiMalware, update it, then run a full scan.

Let me know if that finds anything, otherwise we can clean-up after our tools and wrap this up.

#7 chimy
Topic Starter

Posted 26 February 2010 - 11:25 AM

Alright, I ran a full scan of Malwarebytes and it found 8 infected files, but deleted them I believe.

Here is the mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3795
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

2/26/2010 9:02:06 AM
mbam-log-2010-02-26 (09-02-06).txt

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 284267
Time elapsed: 5 hour(s), 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Shayne Managbanag\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe.vir (Adware.ADON) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0061074.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062074.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062075.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062077.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062086.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062088.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP520\A0065071.exe (Adware.ADON) -> Quarantined and deleted successfully.


#8 jpshortstuff
WhatTheTech Teacher

Posted 27 February 2010 - 04:07 AM

Nothing to worry about there - one of the files was in ComboFix's backups, and the rest were in System Restore. None of them were active.

There is one last thing I want you to do before we finish. Please go to the Windows Updates site and download and install Service Pack 3 (and any other critical security updates). Malware can sometimes cause problems when installing new Service Packs so I want to make sure this goes through without problems.

Let me know when you're done.
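Post #8 above explains why the eight Malwarebytes hits were nothing to act on: one was in ComboFix's backup folder and the other seven were in System Restore, so none of them was active. As an added example (my own code, not Malwarebytes' and not part of the original posts), the following Python parses the "Files Infected" lines from the MBAM log above and sorts each detection by where the file lived, so hits inside a quarantine folder or a restore point are separated from hits in live locations that would still need removal. The location rules (the Qoobox and _restore path markers) are assumptions of this example, and the one "live" sample line is constructed to exercise that branch; it is not from this machine.

```python
"""Sort Malwarebytes "Files Infected" hits by where the file lived.

Added example for this thread; the code is mine, not Malwarebytes'. A hit
inside a tool's quarantine folder or a System Restore point is a copy that
was already contained; a hit anywhere else still needs a removal step.
"""
import re
from collections import Counter
from typing import List, NamedTuple


class Detection(NamedTuple):
    path: str
    threat: str
    location: str  # "combofix_quarantine", "system_restore" or "live"


# Constructed from the MBAM log posted above (its eight "Files Infected" lines).
MBAM_LOG = r"""
Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Shayne Managbanag\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe.vir (Adware.ADON) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0061074.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062074.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062075.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062077.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062086.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP492\A0062088.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B5A286EA-D0B2-4724-A409-0E51D6351A14}\RP520\A0065071.exe (Adware.ADON) -> Quarantined and deleted successfully.
"""

# Hypothetical line, NOT from this machine, used only to exercise the "live" branch.
HYPOTHETICAL_LIVE_LINE = r"C:\WINDOWS\system32\example.dll (Example.Threat) -> Quarantined and deleted successfully."

# MBAM 1.x line shape: "<drive:\path> (<threat name>) -> <action taken>"
_HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^)]+)\) -> ")

# Path markers that mean "already contained"; an assumption of this example.
_CONTAINED = (
    ("\\qoobox\\quarantine\\", "combofix_quarantine"),            # ComboFix's backup folder
    ("\\system volume information\\_restore", "system_restore"),  # System Restore points
)


def classify_path(path: str) -> str:
    p = path.lower()
    for marker, location in _CONTAINED:
        if marker in p:
            return location
    return "live"


def parse_detections(log_text: str) -> List[Detection]:
    hits: List[Detection] = []
    for line in log_text.splitlines():
        m = _HIT_RE.match(line.strip())
        if m:
            hits.append(Detection(m["path"], m["threat"], classify_path(m["path"])))
    return hits


def live_detections(hits: List[Detection]) -> List[Detection]:
    """The only hits that would still need a removal step."""
    return [h for h in hits if h.location == "live"]


def count_by(hits: List[Detection], field: str) -> Counter:
    return Counter(getattr(h, field) for h in hits)


if __name__ == "__main__":
    hits = parse_detections(MBAM_LOG)
    print(dict(count_by(hits, "location")), dict(count_by(hits, "threat")))
    print("still live:", live_detections(hits))
```

On the log above this yields one combofix_quarantine hit, seven system_restore hits and an empty live list, which is the same reading post #8 gives by hand. The marker list is deliberately short; other tools keep their own quarantine folders, and a real triage script would add those paths as it meets them rather than guess at them.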

#9 chimy
Topic Starter

Posted 27 February 2010 - 11:53 PM

Alright, I successfully downloaded and installed Service Pack 3 and three other "high-priority updates."

#10 jpshortstuff
WhatTheTech Teacher

Posted 28 February 2010 - 04:32 AM

Hi,

Glad to hear it.

Click Start >> Run, and then type ComboFix /Uninstall and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there are just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly; new viruses are being developed all the time.

  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff

#11 chimy
Topic Starter

Posted 01 March 2010 - 01:42 AM

Alrighty then... You've been a great help, thanks for everything! Problem solved. :D

#12 jpshortstuff
WhatTheTech Teacher

Posted 01 March 2010 - 03:07 AM

Glad we could help.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



