
Google search hi-jack

This topic is locked
40 replies to this topic

#1 Star Witness (Members, 21 posts)

Posted 14 March 2010 - 04:33 PM


When I do searches on Google, they are hijacked. I am not sure how to correct this.
Thanks!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Patrick at 14:54:34.34 on Sun 03/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.320 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Patrick\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant =
mCustomizeSearch =
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\progra~1\yahoo!\common\YIeTagBm.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - &Yahoo! Messenger
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] 1
mRun: [YBrowser] //~c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patrick\applic~1\mozilla\firefox\profiles\rll5w00p.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-12-19 162512]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-16 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-16 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-19 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-12-16 723632]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-03-14 17:35:35 0 ----a-w- c:\documents and settings\patrick\defogger_reenable
2010-03-11 23:38:14 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 04:10:28 0 d--h--w- c:\windows\PIF
2010-03-09 01:57:37 0 d-s---w- C:\ComboFix
2010-03-08 06:24:54 0 d-sha-r- C:\cmdcons
2010-03-08 06:22:22 98816 ----a-w- c:\windows\sed.exe
2010-03-08 06:22:22 77312 ----a-w- c:\windows\MBR.exe
2010-03-08 06:22:22 261632 ----a-w- c:\windows\PEV.exe
2010-03-08 06:22:22 161792 ----a-w- c:\windows\SWREG.exe
2010-03-08 04:46:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-08 04:46:13 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-08 04:46:12 0 d-----w- c:\docume~1\patrick\applic~1\SUPERAntiSpyware.com
2010-03-08 04:45:34 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-08 04:44:36 2388016 ----a-w- C:\MGtools.exe
2010-03-08 04:41:09 0 d-----w- C:\Cleaning PC
2010-03-07 21:43:45 0 d-----w- c:\program files\Process Explorer
2010-02-21 16:05:16 130 ----a-w- c:\windows\cfplogvw.INI

==================== Find3M ====================

2010-02-16 00:45:40 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-16 00:45:26 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-31 17:39:59 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe

============= FINISH: 14:56:52.90 ===============



#2 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 17 March 2010 - 12:28 PM

Hi Star Witness,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved, please update me on the current condition of your computer.

#3 Star Witness (Topic Starter)

Posted 17 March 2010 - 03:11 PM

Yes, I agree! Thanks!


#4 Farbar (Security Developer)

Posted 17 March 2010 - 04:26 PM

So what is your current issue?

#5 Star Witness (Topic Starter)

Posted 17 March 2010 - 10:57 PM


I have a few....

Google search hijack is one issue.
I also have a windows update notification - but it doesn't update. Always tells me "updates are ready for your computer."
And the big one...I have some kind of memory leak. Svchost just keeps grabbing more memory...and my computer just bogs down.

Thanks!

#6 Farbar (Security Developer)

Posted 18 March 2010 - 05:29 AM

Thanks for the feedback.

We will attend to all those issues in due time.
  1. Turn off Windows automatic updates as it might lead to unexpected results at this stage:
    • Go to start -> Control Panel -> double-click System to open it.
    • Go to the Automatic Updates tab.
    • Select the "Turn off Automatic Updates" box.
    • Click Apply and then OK.
    • Important: Reboot.

  2. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      CODE
      :filefind
      atapi.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  3. You need to disable your Avast Antivirus before running ComboFix.
    • Open Avast.
    • In the avast! settings window, select Troubleshooting.
    • Check Disable avast! self-defence module.
    • Click OK.
      Note: Please enable the avast! self-defence module again after ComboFix has produced its log.

  4. I see you have (tried to ?) run ComboFix. Remove your copy of ComboFix from your desktop if you still have it and download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, including Comodo. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning that the download site for ComboFix is not trusted; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will let us help you more easily should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 Star Witness (Topic Starter)

Posted 18 March 2010 - 07:20 PM


Here is the system look log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:48 on 18/03/2010 by Patrick (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\DELL\ATAPI.EXE --a--- 28672 bytes [14:31 03/09/2002] [14:31 03/09/2002] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\I386\atapi.sys --a--- 87296 bytes [04:14 13/01/2004] [15:29 23/04/2003] E52B3B3F78C9AE85806CE49DCDD80C18
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [03:03 20/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys --a--- 96512 bytes [07:27 29/08/2002] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

I downloaded ComboFix but got a bluescreen.
Thanks to the system restore feature, I hit F8 and am using the "last config that worked" option.
You noticed that I had tried ComboFix before - this is the same thing that happened then. And that is why I came to this site, because I decided I needed help!

Also, as part of what I think is the memory leak problem, I often get an "svchost.exe application error" and I got one today. It said "The instruction at "0x7815df6e" referenced memory at "0x00000013". The memory could not be "read"."

Thanks!
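The six hashes in the SystemLook log are the point of the atapi.* search: the copy actually loaded from system32\drivers is compared against the backup copies Windows keeps (ServicePackFiles\i386, the I386 source folder, the service-pack uninstall cache). Here is that comparison as a small parser over the filefind output. It is an added example, not code from the thread or from SystemLook; the input is the log posted above embedded verbatim so it runs offline, and the list of which folders count as reference copies is an assumption.

```python
import re
from typing import Dict, List

# SystemLook "filefind" lines, copied from the log posted above so the
# example runs offline. Each line is: path, attribute flags, size,
# [created], [modified], MD5.
FILEFIND_LOG = r"""
Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\DELL\ATAPI.EXE --a--- 28672 bytes [14:31 03/09/2002] [14:31 03/09/2002] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\I386\atapi.sys --a--- 87296 bytes [04:14 13/01/2004] [15:29 23/04/2003] E52B3B3F78C9AE85806CE49DCDD80C18
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [03:03 20/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys --a--- 96512 bytes [07:27 29/08/2002] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Assumption: directories whose copy of a system driver we treat as a
# reference (the servicing stack restores from these). Most specific first.
REFERENCE_DIRS = (
    r"\windows\servicepackfiles\i386",
    r"\windows\$ntservicepackuninstall$",
    r"\windows\system32\dllcache",
    r"\i386",
)
LIVE_DIR = r"\windows\system32\drivers"   # where the loaded driver lives


def parse_filefind(text: str) -> List[Dict[str, str]]:
    """Turn SystemLook filefind lines into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def check_driver(entries: List[Dict[str, str]], driver: str = "atapi.sys") -> Dict:
    """Compare the live driver's MD5 with every reference copy of the same file.

    Files with a different name (ATAPI.EXE) or a compressed extension
    (ATAPI.SY_ in cmdcons) are not comparable and are skipped.
    """
    same_name = [e for e in entries if _basename(e["path"]) == driver.lower()]
    live = next((e for e in same_name if _dirname(e["path"]).endswith(LIVE_DIR)), None)
    if live is None:
        return {"live": None, "references": [], "matches": [], "verdict": "live copy not found"}
    refs = [e for e in same_name
            if e is not live and any(d in _dirname(e["path"]) for d in REFERENCE_DIRS)]
    matches = [e["path"] for e in refs if e["md5"].lower() == live["md5"].lower()]
    if matches:
        verdict = "consistent"
    elif refs:
        verdict = "live copy differs from every reference copy"
    else:
        verdict = "no reference copy to compare against"
    return {"live": live["path"], "references": [e["path"] for e in refs],
            "matches": matches, "verdict": verdict}


if __name__ == "__main__":
    result = check_driver(parse_filefind(FILEFIND_LOG))
    print(result["verdict"], "-", result["live"], "matches", result["matches"])
```

Here the live atapi.sys hashes the same as the ServicePackFiles copy (both 9F3A2F5A...), so the on-disk file looks unmodified. A caveat a practitioner should keep in mind: the hash only reflects what the file system returned, and a kernel-mode rootkit that filters disk reads can hand back the original bytes, which is why the thread goes on to run mbr.exe and TDSSKiller rather than stopping at the hash comparison.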


#8 Farbar (Security Developer)

Posted 18 March 2010 - 08:14 PM

Let's take care of that svchost.exe problem first.

Go to Start > Run, copy/paste the following line into the Run box and click OK.

cmd /c reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" >log.txt&start log.txt

A text file (log.txt) will open. Please post its content in your reply.





#9 Star Witness (Topic Starter)

Posted 18 March 2010 - 09:34 PM

I forgot to mention the bluescreen note: mbr.sys "driver_unloaded_without_canceling_pending_operations" Stop 0x000000ce.

Here is the log you requested. Thanks

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger REG_SZ svchost.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Arrakis3.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\salwrap.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.DLL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiscan.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrepl.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
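What stands out in the reg query output above is a Debugger value sitting directly on the Image File Execution Options root key rather than under a per-image subkey, which is where Windows looks when it launches an executable. The example below is an added illustration of how to audit that output, not code from the thread or from any of the tools it uses: it parses reg query text into keys and values, flags a Debugger on the root key, flags per-image Debugger entries that do not point at a recognised debugger, and emits the same reg delete form of command that post #10 uses. The input is a constructed sample in the shape of the posted log (the root Debugger value from the thread, a few of the empty subkeys, plus two invented subkeys for contrast), and the allowlist of known debuggers is an assumption to tune for your own estate.

```python
import re
from typing import Dict, List, Optional, Tuple

IFEO_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample modelled on the reg query output posted above. The root
# key carries the Debugger value from the thread; apitrap.dll, mscoree.dll and
# the "Your Image File Name Here" subkeys are empty as in the real log; the
# notepad.exe and taskmgr.exe subkeys are invented for contrast (a benign
# just-in-time debugger registration and a redirect to an unrecognised program).
SAMPLE_REG_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    Debugger    REG_SZ    svchost.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\vsjitdebugger.exe" -p

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    C:\Documents and Settings\All Users\Application Data\update.exe
"""

# Assumption: debuggers that legitimately appear in IFEO on a workstation.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe", "drwtsn32.exe"}

# reg query prints each key on its own line and its values indented below it
# as "<name>  REG_<type>  <data>". The posted log had the spacing collapsed,
# so the pattern tolerates any amount of whitespace.
VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map each key to {value name: (type, data)} in the order reg query printed them."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                      # banner line or separator
        if line.startswith("HKEY_"):
            current = line
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def _debugger_basename(data: str) -> str:
    """Executable name from a Debugger value: quoted path, unquoted path, or bare token."""
    s = data.strip()
    m = (re.match(r'^"([^"]+)"', s)
         or re.match(r"^(.+?\.exe)(?=\s|$)", s, re.IGNORECASE)
         or re.match(r"^(\S+)", s))
    path = m.group(1) if m else s
    return re.split(r"[\\/]", path)[-1].lower()


def audit_ifeo(keys: Dict[str, Dict[str, Tuple[str, str]]], known=KNOWN_DEBUGGERS) -> List[Dict]:
    """Return one finding per Debugger value that does not look like a normal debugger setup."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO_ROOT.lower()):
            continue
        dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if dbg is None:
            continue
        data = dbg[1]
        image = key[len(IFEO_ROOT):].lstrip("\\") or None
        if image is None:
            reason = "Debugger value on the IFEO root key itself; a debugger belongs under a per-image subkey, so this has no normal use"
        elif _debugger_basename(data) in known:
            continue
        else:
            reason = f"{image} is redirected to an unrecognised debugger"
        findings.append({"key": key, "image": image, "debugger": data, "reason": reason})
    return findings


def remediation_command(finding: Dict) -> str:
    """The reg delete line for one finding, in the same form the thread uses."""
    short = finding["key"].replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
    return f'reg delete "{short}" /v Debugger /f'


if __name__ == "__main__":
    for f in audit_ifeo(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f["reason"], "->", remediation_command(f))
```

On a live machine the input would be the output of `reg query "<IFEO key>" /s` (the `/s` recurses into the subkeys, which the thread's query did not need because reg query lists them anyway). The allowlist is deliberately a plain set: the real question is not whether a Debugger value exists but whether the program it names is one you installed.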


#10 Farbar (Security Developer)

Posted 18 March 2010 - 09:45 PM

  1. Go to Start > Run, copy and paste the following line into the Run box and click OK:

    cmd /c reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v Debugger /f


    A window flashes; that is normal.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    mbr.exe -t
    sc query type= driver group= "SCSI Miniport" > Log.txt
    type mbr.log >>log.txt
    Start Log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.



#11 Star Witness (Topic Starter)

Posted 18 March 2010 - 10:12 PM

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84329170]<<
kernel: MBR read successfully
user & kernel MBR OK

#12 Farbar (Security Developer)

Posted 19 March 2010 - 03:33 AM

  1. We are going to run this special tool.
    • Please download TDSSKiller.zip and save it to your desktop.
    • Extract the zip file to your desktop.
    • Make sure TDSSKiller.exe is not in a folder.
      The exe file should be placed on the desktop, it looks like
    • Go to Start => Run, copy and paste the following command into the Run box and press Enter:

      "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v

    • When it has finished, press any key to continue and let it reboot if needed.
    • Please post the report.txt created on your desktop.

  2. Reboot the computer now once even if TDSSKiller needed a reboot.

  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1000 >nul
    Start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#13 Star Witness (Topic Starter)

Posted 19 March 2010 - 08:55 AM

08:39:41:390 3924 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
08:39:41:390 3924 ================================================================================
08:39:41:390 3924 SystemInfo:

08:39:41:390 3924 OS Version: 5.1.2600 ServicePack: 3.0
08:39:41:390 3924 Product type: Workstation
08:39:41:390 3924 ComputerName: PATIOG
08:39:41:390 3924 UserName: Patrick
08:39:41:390 3924 Windows directory: C:\WINDOWS
08:39:41:390 3924 Processor architecture: Intel x86
08:39:41:390 3924 Number of processors: 1
08:39:41:390 3924 Page size: 0x1000
08:39:41:390 3924 Boot type: Normal boot
08:39:41:390 3924 ================================================================================
08:39:41:406 3924 UnloadDriverW: NtUnloadDriver error 2
08:39:41:406 3924 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:39:41:468 3924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:39:41:468 3924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:39:41:468 3924 wfopen_ex: Trying to KLMD file open
08:39:41:468 3924 wfopen_ex: File opened ok (Flags 2)
08:39:41:468 3924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:39:41:468 3924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:39:41:468 3924 wfopen_ex: Trying to KLMD file open
08:39:41:468 3924 wfopen_ex: File opened ok (Flags 2)
08:39:41:468 3924 Initialize success
08:39:41:468 3924
08:39:41:468 3924 Scanning Services ...
08:39:42:046 3924 GetAdvancedServicesInfo: Raw services enum returned 366 services
08:39:42:046 3924
08:39:42:046 3924 Scanning Kernel memory ...
08:39:42:046 3924 Devices to scan: 3
08:39:42:046 3924
08:39:42:046 3924 Driver Name: Disk
08:39:42:046 3924 IRP_MJ_CREATE : F77ABBB0
08:39:42:046 3924 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
08:39:42:046 3924 IRP_MJ_CLOSE : F77ABBB0
08:39:42:046 3924 IRP_MJ_READ : F77A5D1F
08:39:42:046 3924 IRP_MJ_WRITE : F77A5D1F
08:39:42:046 3924 IRP_MJ_QUERY_INFORMATION : 804FA87E
08:39:42:046 3924 IRP_MJ_SET_INFORMATION : 804FA87E
08:39:42:046 3924 IRP_MJ_QUERY_EA : 804FA87E
08:39:42:046 3924 IRP_MJ_SET_EA : 804FA87E
08:39:42:046 3924 IRP_MJ_FLUSH_BUFFERS : F77A62E2
08:39:42:046 3924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
08:39:42:046 3924 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
08:39:42:046 3924 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
08:39:42:046 3924 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
08:39:42:046 3924 IRP_MJ_DEVICE_CONTROL : F77A63BB
08:39:42:046 3924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77A9F28
08:39:42:046 3924 IRP_MJ_SHUTDOWN : F77A62E2
08:39:42:046 3924 IRP_MJ_LOCK_CONTROL : 804FA87E
08:39:42:046 3924 IRP_MJ_CLEANUP : 804FA87E
08:39:42:046 3924 IRP_MJ_CREATE_MAILSLOT : 804FA87E
08:39:42:046 3924 IRP_MJ_QUERY_SECURITY : 804FA87E
08:39:42:046 3924 IRP_MJ_SET_SECURITY : 804FA87E
08:39:42:046 3924 IRP_MJ_POWER : F77A7C82
08:39:42:046 3924 IRP_MJ_SYSTEM_CONTROL : F77AC99E
08:39:42:046 3924 IRP_MJ_DEVICE_CHANGE : 804FA87E
08:39:42:046 3924 IRP_MJ_QUERY_QUOTA : 804FA87E
08:39:42:046 3924 IRP_MJ_SET_QUOTA : 804FA87E
08:39:42:062 3924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:39:42:062 3924
08:39:42:062 3924 Driver Name: Disk
08:39:42:062 3924 IRP_MJ_CREATE : F77ABBB0
08:39:42:062 3924 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
08:39:42:062 3924 IRP_MJ_CLOSE : F77ABBB0
08:39:42:062 3924 IRP_MJ_READ : F77A5D1F
08:39:42:062 3924 IRP_MJ_WRITE : F77A5D1F
08:39:42:062 3924 IRP_MJ_QUERY_INFORMATION : 804FA87E
08:39:42:062 3924 IRP_MJ_SET_INFORMATION : 804FA87E
08:39:42:062 3924 IRP_MJ_QUERY_EA : 804FA87E
08:39:42:062 3924 IRP_MJ_SET_EA : 804FA87E
08:39:42:062 3924 IRP_MJ_FLUSH_BUFFERS : F77A62E2
08:39:42:062 3924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
08:39:42:062 3924 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
08:39:42:062 3924 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
08:39:42:062 3924 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
08:39:42:062 3924 IRP_MJ_DEVICE_CONTROL : F77A63BB
08:39:42:062 3924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77A9F28
08:39:42:062 3924 IRP_MJ_SHUTDOWN : F77A62E2
08:39:42:062 3924 IRP_MJ_LOCK_CONTROL : 804FA87E
08:39:42:062 3924 IRP_MJ_CLEANUP : 804FA87E
08:39:42:062 3924 IRP_MJ_CREATE_MAILSLOT : 804FA87E
08:39:42:062 3924 IRP_MJ_QUERY_SECURITY : 804FA87E
08:39:42:062 3924 IRP_MJ_SET_SECURITY : 804FA87E
08:39:42:062 3924 IRP_MJ_POWER : F77A7C82
08:39:42:062 3924 IRP_MJ_SYSTEM_CONTROL : F77AC99E
08:39:42:062 3924 IRP_MJ_DEVICE_CHANGE : 804FA87E
08:39:42:062 3924 IRP_MJ_QUERY_QUOTA : 804FA87E
08:39:42:062 3924 IRP_MJ_SET_QUOTA : 804FA87E
08:39:42:078 3924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:39:42:078 3924
08:39:42:078 3924 Driver Name: atapi
08:39:42:078 3924 IRP_MJ_CREATE : 84329170
08:39:42:078 3924 IRP_MJ_CREATE_NAMED_PIPE : 84329170
08:39:42:078 3924 IRP_MJ_CLOSE : 84329170
08:39:42:078 3924 IRP_MJ_READ : 84329170
08:39:42:078 3924 IRP_MJ_WRITE : 84329170
08:39:42:078 3924 IRP_MJ_QUERY_INFORMATION : 84329170
08:39:42:078 3924 IRP_MJ_SET_INFORMATION : 84329170
08:39:42:078 3924 IRP_MJ_QUERY_EA : 84329170
08:39:42:078 3924 IRP_MJ_SET_EA : 84329170
08:39:42:078 3924 IRP_MJ_FLUSH_BUFFERS : 84329170
08:39:42:078 3924 IRP_MJ_QUERY_VOLUME_INFORMATION : 84329170
08:39:42:078 3924 IRP_MJ_SET_VOLUME_INFORMATION : 84329170
08:39:42:078 3924 IRP_MJ_DIRECTORY_CONTROL : 84329170
08:39:42:078 3924 IRP_MJ_FILE_SYSTEM_CONTROL : 84329170
08:39:42:078 3924 IRP_MJ_DEVICE_CONTROL : 84329170
08:39:42:078 3924 IRP_MJ_INTERNAL_DEVICE_CONTROL : 84329170
08:39:42:078 3924 IRP_MJ_SHUTDOWN : 84329170
08:39:42:078 3924 IRP_MJ_LOCK_CONTROL : 84329170
08:39:42:078 3924 IRP_MJ_CLEANUP : 84329170
08:39:42:078 3924 IRP_MJ_CREATE_MAILSLOT : 84329170
08:39:42:078 3924 IRP_MJ_QUERY_SECURITY : 84329170
08:39:42:078 3924 IRP_MJ_SET_SECURITY : 84329170
08:39:42:078 3924 IRP_MJ_POWER : 84329170
08:39:42:078 3924 IRP_MJ_SYSTEM_CONTROL : 84329170
08:39:42:078 3924 IRP_MJ_DEVICE_CHANGE : 84329170
08:39:42:078 3924 IRP_MJ_QUERY_QUOTA : 84329170
08:39:42:078 3924 IRP_MJ_SET_QUOTA : 84329170
08:39:42:078 3924 Driver "atapi" infected by TDSS rootkit!
08:39:42:078 3924 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
08:39:42:078 3924 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 08:39:42:078 3924 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
08:39:42:078 3924 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
08:39:42:312 3924 vfvi6
08:39:42:421 3924 !dsvbh1
08:39:48:015 3924 dsvbh2
08:39:48:015 3924 fdfb2
08:39:48:015 3924 Backup copy found, using it..
08:39:48:031 3924 will be cured on next reboot
08:39:48:031 3924 Reboot required for cure complete..
08:39:48:062 3924 Cure on reboot scheduled successfully
08:39:48:062 3924
08:39:48:062 3924 Completed
08:39:48:062 3924
08:39:48:062 3924 Results:
08:39:48:062 3924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
08:39:48:062 3924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:39:48:062 3924 File objects infected / cured / cured on reboot: 1 / 0 / 1
08:39:48:062 3924
08:39:48:062 3924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:39:48:062 3924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:39:48:078 3924 UnloadDriverW: NtUnloadDriver error 1
08:39:48:078 3924 KLMD_Unload: UnloadDriverW(klmd21) error 1
08:39:48:078 3924 KLMD(ARK) unloaded successfully


AND


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
kernel: MBR read successfully
user & kernel MBR OK

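What the TDSSKiller output above shows, as an added example (not TDSSKiller's or the poster's code): a clean driver such as disk.sys spreads its IRP_MJ handlers across addresses inside its own image plus one shared default handler (804FA87E), while the hooked atapi entry has every major function pointing to a single address, 84329170. The snippet below parses that log format and flags the uniform-pointer pattern; the sample log is constructed from the lines in the thread with the table shortened.

```python
import re

# Constructed sample in the TDSSKiller 2.2.8 log format quoted above
# (timestamp, PID, message); the IRP tables are shortened to four majors.
SAMPLE_LOG = r"""
08:39:42:046 3924 Driver Name: Disk
08:39:42:046 3924 IRP_MJ_CREATE : F77ABBB0
08:39:42:046 3924 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
08:39:42:046 3924 IRP_MJ_READ : F77A5D1F
08:39:42:046 3924 IRP_MJ_DEVICE_CONTROL : F77A63BB
08:39:42:062 3924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:39:42:062 3924
08:39:42:078 3924 Driver Name: atapi
08:39:42:078 3924 IRP_MJ_CREATE : 84329170
08:39:42:078 3924 IRP_MJ_CREATE_NAMED_PIPE : 84329170
08:39:42:078 3924 IRP_MJ_READ : 84329170
08:39:42:078 3924 IRP_MJ_DEVICE_CONTROL : 84329170
08:39:42:078 3924 Driver "atapi" infected by TDSS rootkit!
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")


def parse_irp_tables(text):
    """Return a list of (driver_name, {IRP_MJ_xxx: address}) blocks.

    A list is used rather than a dict because the real log lists the same
    driver name once per device object (Disk appears twice above)."""
    blocks = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            blocks.append((d.group(1), {}))
            continue
        i = IRP_RE.match(body)
        if i and blocks:
            blocks[-1][1][i.group(1)] = int(i.group(2), 16)
    return blocks


def suspicious_drivers(blocks):
    """Flag blocks whose every IRP_MJ entry resolves to one address: a
    dispatch table wholesale redirected to a single hook, as with atapi."""
    return [name for name, table in blocks
            if len(table) > 1 and len(set(table.values())) == 1]
```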


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:22 PM

Posted 19 March 2010 - 10:02 AM

The rootkit is taken care of.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  2. There should be no redirection any more. Tell me if you get any svchost error. In the next post we are going to attend to Windows Update.

  3. You have COMODO Internet Security: is it antivirus+firewall, or have you just installed the firewall?




#15 Star Witness

Star Witness
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 19 March 2010 - 06:57 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3886
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/19/2010 6:50:42 PM
mbam-log-2010-03-19 (18-50-42).txt

Scan type: Quick Scan
Objects scanned: 146027
Time elapsed: 12 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)



So far, no more errors with svchost.

I only have the comodo firewall installed.

Thanks!



