
Google redirect trojan and computer freezing


  • This topic is locked
13 replies to this topic

#1 gorka

gorka

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 09 April 2010 - 02:41 PM

Hi,

I am having trouble removing a Google redirect trojan and have been having trouble with computer freezes lately, so I anticipate that there are some other nasties roaming my bytes, but I haven't picked anything up with Spybot or AVG, so hopefully you can help. I have attached the DDS logs below, but I can't complete the GMER scan before my computer freezes. I also have had to hard shutdown enough times that GMER seems to bog down in the System Volume folder trying to scan the recovery files, which are plentiful. Many thanks in advance for taking time to look this over.

Gorka


DDS (Ver_10-03-17.01) - NTFSx86
Run by abcd at 10:06:57.82 on Thu 04/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1446 [GMT -10:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\abcd\Desktop\dds.scr
C:\Program Files\AVG\AVG9\avgcsrvx.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080929
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: PackageCab - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\abcd\applic~1\mozilla\firefox\profiles\mxcgp6gr.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-4-6 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-6 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-6 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-6 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-6 242696]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-6 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-6 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-6 5888008]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-4-6 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-4-6 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-4-6 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-4-6 26120]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-4-6 30104]

=============== Created Last 30 ================

2010-04-08 20:05:16 0 ----a-w- c:\documents and settings\abcd\defogger_reenable
2010-04-08 19:05:32 0 d-----w- c:\docume~1\abcd\applic~1\AVG9
2010-04-06 18:39:03 0 d--h--w- C:\$AVG
2010-04-06 18:07:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-06 18:07:58 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-06 18:07:58 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-06 18:07:57 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-06 18:07:57 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-06 18:07:53 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-06 17:59:44 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-06 17:59:44 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-06 17:58:42 0 d-----w- c:\program files\AVG
2010-04-06 17:58:22 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-13 00:59:30 7680 --sha-w- c:\windows\Thumbs.db
2010-03-10 19:57:03 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================


============= FINISH: 10:07:50.78 ===============

Attached Files
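
The DDS "Pseudo HJT Report" above is the part of the log a helper reads first: autostart entries, browser hooks and non-default hosts-file lines. As an added example (not part of gorka's post, and not a DDS or BleepingComputer tool), the Python below runs a few triage checks over lines copied from that report: an autostart binary launching from outside the usual Windows/Program Files locations, a hosts-file line that pins a domain to 127.0.0.1 (worth a look in any redirect case), and several Java 6 update installers still registered side by side, where only the newest is current and the older ones are a well-known drive-by risk. The `[Example]` uRun line in the sample is hypothetical, added only to exercise the path check; the trusted-directory list is my assumption, not a rule from the thread.

```python
"""Triage checks for a DDS-style "Pseudo HJT Report" (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed sample: all lines but the last are copied from the DDS log posted above.
# The "[Example]" uRun line is HYPOTHETICAL, added only to show what the path check flags.
SAMPLE_DDS = """\
uStart Page = hxxp://www.yahoo.com/
uRun: [ISUSPM] "c:\\program files\\common files\\installshield\\updateservice\\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\\program files\\spybot - search & destroy\\TeaTimer.exe
mRun: [VX3000] c:\\windows\\vVX3000.exe
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com
uRun: [Example] c:\\docume~1\\abcd\\locals~1\\temp\\example.exe
"""

# Assumed: directories from which autostart binaries are expected on an XP box.
# Anything launching from a profile, temp or root-of-drive path gets flagged for review.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<rest>.+)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)", re.I)
JAVA_CAB_RE = re.compile(r"jinstall-1_6_0_(?P<update>\d+)-windows", re.I)


def run_target(rest: str) -> str:
    """Extract the executable path from the value part of a [u|m]Run line.
    A quoted command keeps only the quoted part; an unquoted one is taken whole,
    because DDS prints unquoted paths containing spaces (e.g. the Spybot entry)."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end].lower() if end > 0 else rest.lower()
    return rest.lower()


def triage(report: str) -> Dict[str, List[str]]:
    """Return the lines a reviewer should look at first, grouped by indicator."""
    findings: Dict[str, List[str]] = {
        "run_outside_trusted": [],
        "hosts_entries": [],
        "old_java_updates": [],
    }
    java_updates = set()
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = run_target(m.group("rest"))
            if not path.startswith(TRUSTED_PREFIXES):
                findings["run_outside_trusted"].append(f"{m.group('name')} -> {path}")
            continue
        m = HOSTS_RE.match(line)
        if m:
            # Any Hosts: line DDS prints is a hosts-file entry beyond the defaults.
            # A security site mapped to 127.0.0.1 blocks the victim from reaching help,
            # so it is always worth checking in a redirect case.
            findings["hosts_entries"].append(f"{m.group('host')} -> {m.group('ip')}")
            continue
        m = JAVA_CAB_RE.search(line)
        if m and line.upper().startswith("DPF:"):
            java_updates.add(int(m.group("update")))
    if len(java_updates) > 1:
        # Several JRE 6 installer cabs registered at once means older updates are still
        # around; only the newest is current, the rest are known-exploitable plugins.
        newest = max(java_updates)
        findings["old_java_updates"] = [
            f"1.6.0_{u:02d} (newest seen: 1.6.0_{newest})"
            for u in sorted(java_updates) if u != newest
        ]
    return findings


if __name__ == "__main__":
    for indicator, hits in triage(SAMPLE_DDS).items():
        print(indicator)
        for hit in hits:
            print("  ", hit)
```

Paste a full report into SAMPLE_DDS (or read it from a file) to run it over a real log. The output is a starting list, not a verdict: legitimate tools also write hosts entries and autostart keys, so each hit still has to be checked by hand.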





#2 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:05:34 AM

Posted 12 April 2010 - 05:16 PM

Hi gorka, and welcome to Bleeping Computer.

Please try performing a scan with Gmer in Safe Mode (How to start Windows in Safe Mode - use F8 method)...

Also, while in Safe Mode, check if it freezes in that mode as well...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 gorka

gorka
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 12 April 2010 - 11:33 PM

Hi snemelk,

I ran GMER in Safe Mode and it completed the scan, see attached. The computer does freeze in Safe Mode; it happened yesterday. However, following the completion of the GMER scan today I tried to turn it off, but it wouldn't shut down. I tried to shut it off from Task Manager and noticed that winlogon.exe was running at 50% CPU usage and wouldn't budge. I ended up having to power it down.

Gorka

Attached Files



#4 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:05:34 AM

Posted 13 April 2010 - 01:12 PM

Hi again gorka!! :)

QUOTE(gorka @ Apr 13 2010, 06:33 AM)
The computer does freeze in safe mode, it happened yesterday.

Hmm, that may indicate a hardware problem... Like a problem with a bad hard drive, RAM, etc. ...

Let's check for malware first...
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.


#5 gorka

gorka
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 13 April 2010 - 10:02 PM

Hi again,

I have posted the ComboFix log below. I also noticed your Polish pride and thought I would extend my condolences for the national tragedy that occurred over the weekend. Hopefully things will return to normal quickly.

ComboFix 10-04-13.02 - abcd 04/13/2010 16:40:50.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1545 [GMT -10:00]
Running from: c:\documents and settings\abcd\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-13 17:43 . 2010-04-13 17:43 -------- d-----w- C:\3cb4832b38a6c2034e40076425
2010-04-08 19:05 . 2010-04-08 19:05 -------- d-----w- c:\documents and settings\abcd\Application Data\AVG9
2010-04-06 20:57 . 2010-04-06 20:57 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-06 20:57 . 2010-04-06 20:57 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-06 18:39 . 2010-04-06 18:39 -------- d-----w- C:\$AVG
2010-04-06 18:07 . 2010-04-06 18:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-06 18:07 . 2010-04-06 18:07 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-06 18:07 . 2010-04-06 18:07 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-06 18:07 . 2010-04-06 18:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-06 18:07 . 2010-04-06 18:07 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-06 18:07 . 2010-04-06 18:07 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-06 18:07 . 2010-04-14 02:39 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-06 17:59 . 2010-04-06 17:59 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-06 17:59 . 2010-04-06 17:59 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-06 17:58 . 2010-04-06 17:58 -------- d-----w- c:\program files\AVG
2010-04-06 17:58 . 2010-04-06 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 03:12 . 2010-03-11 03:12 -------- d-----w- c:\program files\Microsoft.NET
2010-03-09 11:09 . 2008-04-25 16:16 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2008-04-25 16:16 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-25 16:16 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-25 16:16 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-25 16:16 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 09:08 . 2010-02-07 09:08 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-02-07 08:27 . 2008-09-28 22:58 19816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 06:22 . 2010-02-05 06:22 503808 ----a-w- c:\documents and settings\abcd\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4cadad2f-n\msvcp71.dll
2010-02-05 06:22 . 2010-02-05 06:22 499712 ----a-w- c:\documents and settings\abcd\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4cadad2f-n\jmc.dll
2010-02-05 06:22 . 2010-02-05 06:22 348160 ----a-w- c:\documents and settings\abcd\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4cadad2f-n\msvcr71.dll
2010-02-05 06:22 . 2010-02-05 06:22 61440 ----a-w- c:\documents and settings\abcd\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ab58f53-n\decora-sse.dll
2010-02-05 06:22 . 2010-02-05 06:22 12800 ----a-w- c:\documents and settings\abcd\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ab58f53-n\decora-d3d.dll
2010-01-20 03:47 . 2009-11-11 08:18 79488 ----a-w- c:\documents and settings\abcd\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-10_19.08.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 06:54 . 2009-07-12 06:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 06:32 . 2009-07-12 06:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 11:07 . 2009-07-12 11:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 11:19 . 2009-07-12 11:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2010-04-14 02:33 . 2010-04-14 02:33 16384 c:\windows\Temp\Perflib_Perfdata_848.dat
- 2008-04-25 16:16 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-04-25 16:16 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2010-02-10 21:02 . 2001-08-18 08:36 99328 c:\windows\system32\srusd.dll
+ 2008-04-25 21:38 . 2007-07-28 09:11 26488 c:\windows\system32\spupdsvc.exe
- 2008-04-25 21:38 . 2007-07-27 20:41 26488 c:\windows\system32\spupdsvc.exe
- 2008-04-25 16:16 . 2010-01-30 20:46 71936 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2010-02-21 20:22 71936 c:\windows\system32\perfc009.dat
- 2008-10-16 07:17 . 2010-02-07 09:08 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-10-16 07:17 . 2010-02-16 01:54 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2010-02-10 21:01 . 2001-08-18 08:36 71680 c:\windows\system32\fnfilter.dll
+ 2010-02-10 21:02 . 2001-08-18 08:36 99328 c:\windows\system32\dllcache\srusd.dll
+ 2010-02-10 21:01 . 2001-08-18 08:36 71680 c:\windows\system32\dllcache\fnfilter.dll
+ 2010-02-10 21:02 . 2001-08-18 08:36 80896 c:\windows\system32\dllcache\dc210usd.dll
+ 2010-02-10 21:02 . 2001-08-18 08:36 25600 c:\windows\system32\dllcache\dc210_32.dll
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2010-02-10 21:02 . 2001-08-18 08:36 80896 c:\windows\system32\dc210usd.dll
+ 2010-02-10 21:02 . 2001-08-18 08:36 25600 c:\windows\system32\dc210_32.dll
+ 2008-04-25 16:16 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
+ 2008-11-21 02:01 . 2010-04-13 17:42 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-11-21 02:01 . 2010-04-13 17:42 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-11-21 02:01 . 2010-04-13 17:42 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-11-21 02:01 . 2010-04-13 17:42 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2010-02-24 07:21 . 2009-10-28 15:07 46080 c:\windows\$NtUninstallKB979306$\tzchange.exe
+ 2010-02-24 07:21 . 2010-01-23 10:40 16896 c:\windows\$NtUninstallKB979306$\spuninst\tzchange.dll
+ 2010-03-11 03:12 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB975561\update\spcustom.dll
+ 2010-03-11 03:12 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB975561\spmsg.dll
+ 2010-02-10 21:01 . 2001-08-17 23:53 6784 c:\windows\system32\drivers\serscan.sys
+ 2010-02-10 21:01 . 2001-08-17 23:53 6784 c:\windows\system32\dllcache\serscan.sys
+ 2008-11-21 02:01 . 2010-04-13 17:42 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-07-12 11:12 . 2009-07-12 11:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 11:09 . 2009-07-12 11:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 11:08 . 2009-07-12 11:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2008-04-25 16:16 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
- 2008-04-25 16:16 . 2010-01-30 20:46 442796 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2010-02-21 20:22 442796 c:\windows\system32\perfh009.dat
+ 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
- 2008-05-09 10:53 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53 . 2010-03-09 11:09 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2008-11-12 18:41 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
+ 2010-02-12 04:33 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2010-04-06 17:58 . 2010-04-06 17:58 424448 c:\windows\Installer\1f96c3.msi
+ 2008-11-21 02:01 . 2010-04-13 17:42 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-11-21 02:01 . 2010-04-13 17:42 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-11-21 02:01 . 2010-04-13 17:42 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-11-21 02:01 . 2010-04-13 17:42 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-11-21 02:01 . 2010-02-09 18:32 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-11-21 02:01 . 2010-04-13 17:42 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2003-07-08 21:48 . 2003-07-08 21:48 115288 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
+ 2008-11-12 18:41 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2010-02-24 07:21 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB979306$\spuninst\updspapi.dll
+ 2010-02-24 07:21 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB979306$\spuninst\spuninst.exe
+ 2010-03-11 03:12 . 2009-05-27 03:10 382840 c:\windows\$NtUninstallKB975561$\spuninst\updspapi.dll
+ 2010-03-11 03:12 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB975561$\spuninst\spuninst.exe
+ 2010-03-11 03:12 . 2009-05-27 03:10 382840 c:\windows\$hf_mig$\KB975561\update\updspapi.dll
+ 2010-03-11 03:12 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB975561\update\update.exe
+ 2010-03-11 03:12 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB975561\spuninst.exe
+ 2009-07-12 06:46 . 2009-07-12 06:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 06:46 . 2009-07-12 06:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
- 2008-04-25 16:16 . 2009-07-12 22:21 4874240 c:\windows\system32\wmp.dll
+ 2008-04-25 16:16 . 2010-03-20 04:05 4874240 c:\windows\system32\wmp.dll
+ 2010-01-27 01:07 . 2010-01-27 01:07 3884312 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2009-07-12 22:21 . 2009-07-12 22:21 4874240 c:\windows\system32\dllcache\wmp.dll
+ 2009-07-12 22:21 . 2010-03-20 04:05 4874240 c:\windows\system32\dllcache\wmp.dll
+ 2008-10-14 18:30 . 2010-02-17 19:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-14 18:30 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-14 18:30 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-14 18:30 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2010-03-10 19:57 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2010-02-05 04:11 . 2010-02-05 04:11 5526528 c:\windows\Installer\81dc6.msp
+ 2010-01-28 03:53 . 2010-01-28 03:53 6820864 c:\windows\Installer\81db3.msp
+ 2010-03-11 22:03 . 2010-03-11 22:03 5524480 c:\windows\Installer\1f9dfe.msp
+ 2010-02-20 06:59 . 2010-02-20 06:59 5527040 c:\windows\Installer\12f755c.msp
+ 2003-07-07 23:36 . 2003-07-07 23:36 2058343 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
+ 2009-10-28 06:34 . 2009-10-28 06:34 5009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll
+ 2008-10-14 18:30 . 2010-02-17 19:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-14 18:30 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 18:30 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-14 18:30 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2010-03-11 03:12 . 2008-04-14 12:00 3558912 c:\windows\$NtUninstallKB975561$\moviemk.exe
+ 2010-03-10 19:57 . 2009-10-23 14:53 3558912 c:\windows\$hf_mig$\KB975561\SP3QFE\moviemk.exe
+ 2008-10-14 19:45 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1036288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-14 707376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-12 246504]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-12 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-06 18:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:*:Disabled:Services
"3784:TCP"= 3784:TCP:*:Disabled:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3246:TCP"= 3246:TCP:*:Disabled:Services
"7785:TCP"= 7785:TCP:*:Disabled:Services
"8347:TCP"= 8347:TCP:Services
"8348:TCP"= 8348:TCP:Services

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [4/6/2010 8:07 AM 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/6/2010 8:07 AM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/6/2010 8:07 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/6/2010 8:07 AM 242696]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 8:30 AM 79168]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/6/2010 8:06 AM 308064]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [4/6/2010 8:07 AM 2325816]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [4/6/2010 7:59 AM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [4/6/2010 7:59 AM 30104]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/6/2010 8:06 AM 5888008]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [4/6/2010 8:06 AM 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [4/6/2010 8:06 AM 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [4/6/2010 8:06 AM 26120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080929
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: PackageCab - hxxp://www.imgag.com/cp/install/AxCtp2.cab
FF - ProfilePath - c:\documents and settings\abcd\Application Data\Mozilla\Firefox\Profiles\mxcgp6gr.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-04-13 16:45:22
ComboFix-quarantined-files.txt 2010-04-14 02:45
ComboFix2.txt 2010-02-07 08:04

Pre-Run: 221,951,373,312 bytes free
Post-Run: 222,455,189,504 bytes free

- - End Of File - - C3B75377AAE6346D63965DFAAF494DC7


#6 snemelk

  • Malware Response Team
  • Location:Poland

Posted 14 April 2010 - 03:00 PM

Hi again gorka!!..

QUOTE(gorka @ Apr 14 2010, 05:02 AM)
I also noticed your Polish pride and thought I would extend my condolences for the national tragedy that occurred over the weekend. Hopefully things will return to normal quickly.

Thank you!.. This was a very tragic event, and so unexpected!.. So many great people died...

Do you use (or have you been using) the Remote Desktop feature in Windows XP (Remote Assistance in Windows XP)?..

Firstly,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

c:\windows\system32\vbscript.dll

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.

Secondly,
Download and run HAMeb_check.exe
Post the contents of the resulting log.

Thirdly,
Start --> Run --> write cmd and click Ok...
In the Command prompt window write the following in bold and hit Enter:

mbr -t > c:\logmbr.txt

Post the logfile produced (c:\logmbr.txt)...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#7 gorka

  • Topic Starter

Posted 14 April 2010 - 05:50 PM

Hi Snemelk,

I have not been using Remote Assistance, although I did notice it was on, and when I try to change the setting it only lasts until I shut the machine down; then the box to allow it is checked again.

Second, I tried to upload c:\windows\system32\vbscript.dll to VirusTotal but kept getting the error EXCEPTION, so I sent it via email and I am waiting on the reply. I'll post it if I get a reply.

The HA log is as follows:

C:\Documents and Settings\abcd\Desktop\HAMeb_check.exe
Wed 04/14/2010 at 12:36:34.18

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-3067869627-526961471-1392492116-1004
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1A4F79
malicious code @ sector 0x01D1A4F7C !
PE file found in sector at 0x01D1A4F92 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3784:TCP"=3784:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Disabled:Remote Desktop
"3246:TCP"=3246:TCP:*:Enabled:Services
"7785:TCP"=7785:TCP:*:Enabled:Services
"8347:TCP"=8347:TCP:*:Enabled:Services
"8348:TCP"=8348:TCP:*:Enabled:Services
80:TCP=80:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Disabled:Services
"3784:TCP"=3784:TCP:*:Disabled:Services
"3389:TCP"=3389:TCP:*:Disabled:Remote Desktop
"3246:TCP"=3246:TCP:*:Disabled:Services
"7785:TCP"=7785:TCP:*:Disabled:Services
"8347:TCP"=8347:TCP:*:Enabled:Services
"8348:TCP"=8348:TCP:*:Enabled:Services


~~ EOF ~~



The log file from the mbr -t > c:\logmbr.txt command is as follows:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1A4F79
malicious code @ sector 0x01D1A4F7C !
PE file found in sector at 0x01D1A4F92 !
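The HAMeb_check.exe output above (and the mbr -t log, which repeats its "Checking mbr" section) is read by hand in the next reply. As an added example, not code from the thread or from either tool, this Python script pulls the same indicators out of such a log so a reviewer can triage it mechanically; the sample log inside it is constructed and abbreviated, keeping only the sector values from the log above.

```python
"""Triage a HAMeb_check.exe / mbr.exe log for the indicators read from it in this
thread: active HelpAssistant account, HelpAssistant profile or folder, termsrv32.dll,
unexplained GloballyOpenPorts entries and MBR rootkit hits. Added example, not tool code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KNOWN_DESCRIPTIONS = {"Remote Desktop"}  # port labels Windows writes itself

# Port lines come as  "65533:TCP"= 65533:TCP:Services  (ComboFix; no state = enabled),
# "65533:TCP"=65533:TCP:*:Enabled:Services  or  80:TCP=80:TCP:*:Enabled:Services  (HAMeb).
PORT_RE = re.compile(r'^"?(\d+):(TCP|UDP)"?\s*=\s*\d+:(?:TCP|UDP):(.*)$')
PROFILE_KEY_RE = re.compile(r"firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]", re.I)
SECTOR_RE = re.compile(r"0x[0-9A-Fa-f]+")


@dataclass
class Findings:
    helpassistant_active: bool = False
    helpassistant_profile: bool = False
    helpassistant_folder: bool = False
    termsrv32_present: bool = False
    mbr_copy_sector: Optional[str] = None
    mbr_malicious_sector: Optional[str] = None
    ports: Dict[str, List[tuple]] = field(default_factory=dict)  # profile -> [(port, proto, enabled, desc)]

    def rogue_ports(self) -> List[tuple]:
        return [e for entries in self.ports.values() for e in entries
                if e[3] not in KNOWN_DESCRIPTIONS]

    @property
    def suspicious(self) -> bool:
        return bool(self.mbr_malicious_sector or self.termsrv32_present
                    or self.helpassistant_active
                    or any(enabled for _, _, enabled, _ in self.rogue_ports()))


def triage(log: str) -> Findings:
    f = Findings()
    section = ""    # current "~~ ... ~~" heading
    profile = None  # firewall profile whose port list we are inside, if any
    for line in filter(None, map(str.strip, log.splitlines())):  # skip blank lines
        if line.startswith("~~"):
            section, profile = line, None
        elif key := PROFILE_KEY_RE.search(line):
            profile = key.group(1).lower()
            f.ports.setdefault(profile, [])
        elif (m := PORT_RE.match(line)) and profile:
            parts = m.group(3).split(":")  # e.g. ['*', 'Enabled', 'Services']
            f.ports[profile].append(
                (int(m.group(1)), m.group(2), "Disabled" not in parts, parts[-1]))
        elif line.startswith("Account active"):
            f.helpassistant_active = line.endswith("Yes")
        elif "termsrv32.dll present" in line:
            f.termsrv32_present = True
        elif line.startswith("copy of MBR has been found"):
            f.mbr_copy_sector = SECTOR_RE.search(line).group(0)
        elif line.startswith("malicious code @ sector"):
            f.mbr_malicious_sector = SECTOR_RE.search(line).group(0)
        elif "profile list" in section and line.endswith("\\HelpAssistant"):
            f.helpassistant_profile = True
        elif "HelpAssistant directories" in section and line != "none found":
            f.helpassistant_folder = True
    return f


# Constructed sample, abbreviated from the log format posted above.
SAMPLE_LOG = """\
Account active Yes
~~ Checking profile list ~~
%SystemDrive%\\Documents and Settings\\HelpAssistant
~~ Checking for HelpAssistant directories ~~
HelpAssistant
~~ Checking mbr ~~
copy of MBR has been found in sector 0x01D1A4F79
malicious code @ sector 0x01D1A4F7C !
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
~~ Checking firewall ports ~~
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\DomainProfile\\GloballyOpenPorts\\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Disabled:Remote Desktop
80:TCP=80:TCP:*:Enabled:Services
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"2479:TCP"= 2479:TCP:*:Disabled:Services
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("suspicious" if result.suspicious else "clean", result.rogue_ports())
```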


#8 snemelk

  • Malware Response Team
  • Location:Poland

Posted 15 April 2010 - 11:39 AM

Hi again gorka!!..

QUOTE(gorka @ Apr 15 2010, 12:50 AM)
I have not been using Remote Assistance, although I did notice it was on, and when I try to change the setting it only lasts until I shut the machine down; then the box to allow it is checked again.

I see... Your computer has a Mebroot/Sinowal infection - it certainly doesn't cause Google search redirections, however, it steals personal information and data (especially bank account information)...

That's why I highly recommend that from a clean, uninfected system you immediately change all the passwords. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

The variant present on your machine shouldn't be easy to remove, unfortunately... Is it a laptop or a desktop computer?.. Did it come with Windows preloaded?..

Let's try it that way first:

Please download HelpAsst_mebroot_fix.exe and save it to your Desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).


#9 gorka

  • Topic Starter

Posted 15 April 2010 - 06:14 PM

Hi again Snemelk,

Thanks for the bad news, I had a bad feeling about it based on the way my system had been performing. Hopefully we can resolve it.

I downloaded the helpasst program and ran it. The first time I ran it nothing happened. It just sat there with a blinking cursor and said please wait. After ~5 min I closed it and tried again. It then prompted me to press any key several times but didn't turn up any infections. So I followed the other directions and the log is pasted below.

Also the CPU in question is a desktop with xp preloaded.

Hope that helps.

C:\Documents and Settings\abcd\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/15/2010 at 12:51:38.29

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
80:TCP=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/15/2010 at 13:03:43.99

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1A4F79
malicious code @ sector 0x01D1A4F7C !
PE file found in sector at 0x01D1A4F92 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#10 snemelk

  • Malware Response Team
  • Location:Poland

Posted 16 April 2010 - 05:28 PM

Hi again gorka!!..

QUOTE(gorka @ Apr 16 2010, 01:14 AM)
It then prompted me to press any key several times but didn't turn up any infections. So I followed the other directions and the log is pasted below.

Looks like it succeeded!.. Tell me what problem remains...

Also, please do the following:
Go to Start --> Run, write
helpasst -reset
and click Enter...

Then,
Click Start>Run and type helpasst -folder then hit Enter.
The tool will run and prompt for confirmation to remove any HelpAssistant folders found.
If prompted, restart your computer.
When complete, click Start>Run and type helpasst -mbrt then hit Enter.
Post the new log that opens when it finishes.

Finally,
Please scan your computer with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



#11 gorka

  • Topic Starter

Posted 17 April 2010 - 08:04 PM

Hi again Snemelk,

I am not noticing any problems, freezing is gone, Google works.

I ran Eset Scanner but my wife pushed finish before I could save the log. I did copy the quarantined files and pasted them below. Hope that is good enough.

HelpAsst_backup\C\DOCUME~1\HelpAssistant\Local Settings\Temp\51B.tmp
HelpAsst_backup\C\DOCUME~1\HelpAssistant\Local Settings\Temp\518.tmp
HelpAsst_backup\C\DOCUME~1\HelpAssistant\Local Settings\Temp\515.tmp

The helpasst -mbrt log is as follows:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Folder removal routine ~ Fri 04/16/2010 at 14:23:30.96

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking for HelpAssistant directories ~~

C:\DOCUME~1\HelpAssistant found
backing up C:\DOCUME~1\HelpAssistant
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Folder removal routine ~ Fri 04/16/2010 at 14:26:21.18

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking for HelpAssistant directories ~~

C:\DOCUME~1\HelpAssistant found
backing up C:\DOCUME~1\HelpAssistant
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Folder removal routine ~ Fri 04/16/2010 at 14:28:32.18

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking for HelpAssistant directories ~~

C:\DOCUME~1\HelpAssistant found
backing up C:\DOCUME~1\HelpAssistant
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Folder removal routine ~ Fri 04/16/2010 at 17:31:02.87

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking for HelpAssistant directories ~~

C:\DOCUME~1\HelpAssistant found
backing up C:\DOCUME~1\HelpAssistant

C:\DOCUME~1\HelpAssistant removed

~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Fri 04/16/2010 at 18:38:25.65

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1A4F79
malicious code @ sector 0x01D1A4F7C !
PE file found in sector at 0x01D1A4F92 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

#12 snemelk

  • Malware Response Team
  • Location:Poland

Posted 18 April 2010 - 02:29 PM

Hi again gorka!!..

QUOTE(gorka @ Apr 18 2010, 03:04 AM)
I am not noticing any problems, freezing is gone, Google works.

Good to hear that!.. :D.

Please do the following:
Go to Start --> Run, write
helpasst -cleanup
and click Enter...

Delete HAMeb_check.exe and HelpAsst_mebroot_fix.exe ...

Let's update outdated programs:

Run Adobe Reader --> Help --> Check for updates

Go to Start > Control Panel double-click on Add or Remove Programs and uninstall the following:
Java™ 6 Update 18
Java™ 6 Update 5
Java™ 6 Update 7


Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Update Skype™ 3.8 to the latest, secure version...

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

Finally,
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Please check my site - snemelk.hekko.pl. There, you'll find a few steps to make your web browsing safer.

Also, I recommend that you read Grinler's excellent article: How did I get infected?, With steps so it does not happen again!


#13 gorka

  • Topic Starter

Posted 21 April 2010 - 01:03 PM

Hi Snemelk,

I completed the cleanup and am sailing the seas of internet smoothly again, albeit with a bit more caution.

Thanks for your invaluable assistance with the resolution of my problems. May bleeping computer continue to prosper.

Gorka

#14 snemelk

  • Malware Response Team
  • Location:Poland

Posted 21 April 2010 - 04:14 PM

Glad we could help.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.




