Search Redirect and Possible Rootkit


  • This topic is locked
9 replies to this topic

#1 leibtek

Posted 26 May 2010 - 07:37 PM

Hi Guys,

I hope I can get some help here.

My computer here has been infected by all sorts of malware and spyware, Data Protection... and others. I installed and ran full scans from Malwarebytes, SUPERAntiSpyware, Microsoft Security Essentials, and ComboFix (it was a last resort).

I then had issues with my Winsock, DHCP (which I still have "sometimes": the DHCP Client service will time out on boot and needs to be started manually), and the Microsoft Windows Network Client needed to be reinstalled. All in all it looks and feels way cleaner, except I still get search engine redirects, and from time to time a popup.

Now let me get back to ComboFix. When I initially tried to run it, I would get an error something like "the software cannot create directories, please restart your computer", and it would then hang. So I booted to safe mode and ran ComboFix. At first it gave me a message that there seems to be a presence of a rootkit, and it restarted my computer. I again redirected it to safe mode, and ComboFix continued scanning, then deleted a bunch of files (mainly Data Protection), and all went well. After finding out that I was still being search engine redirected, I tried to run ComboFix under a normal boot. This time it did start to run, but eventually hung on me. So again I restarted in safe mode and ran ComboFix, and again it gave me the message that there seems to be a rootkit and the system will now reboot. ComboFix continued in safe mode after the reboot and deleted two files (I believe pciide.sys was previously deleted already).

There still seems to be something there and I'm still being redirected.


After reading your guidelines, I will post the DDS and GMER logs that are currently running. - Sorry
Here is the DDS.txt log:
QUOTE
DDS (Ver_10-03-17.01) - NTFSx86
Run by bayla at 23:41:55.26 on Wed 05/26/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.530 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\poweroff.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\GFI\FAXmaker Client\fmstart.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
\\Faxsrv\downloads\Combofix\ddc\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://expressresearch.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [PPort9reminder] "c:\program files\scansoft\paperport\webereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\9\config\ereg.ini"
mRun: [FMStart] "c:\program files\gfi\faxmaker client\fmstart.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - hxxp://www.nassaucountyny.gov/mynassauproperty/autodesk/DwfViewerSetup.exe
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 MpKsl803693a3;MpKsl803693a3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{48341094-4c07-43ed-980a-b7887c1776b4}\mpksl803693a3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{48341094-4c07-43ed-980a-b7887c1776b4}\MpKsl803693a3.sys [?]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-2-11 534040]
R2 Poweroff;Poweroff;c:\windows\system32\poweroff.exe [2008-11-10 172032]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\bayla\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\bayla\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\bayla\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\bayla\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S3 B-Service;B-Service;c:\documents and settings\bayla\local settings\temporary internet files\content.ie5\3lyi4gh4\b-service.exe --> c:\documents and settings\bayla\local settings\temporary internet files\content.ie5\3lyi4gh4\B-Service.exe [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\bayla\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\bayla\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-05-27 02:04:54 118784 ----a-w- c:\windows\system32\chg.exe
2010-05-26 22:01:06 0 ----a-w- c:\windows\system32\dllcache\SET4E9.tmp
2010-05-26 22:01:03 75776 ----a-w- c:\windows\system32\dllcache\philcam1.sys
2010-05-26 22:01:00 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll
2010-05-26 21:59:59 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2010-05-26 21:58:57 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2010-05-26 21:57:59 75520 ----a-w- c:\windows\system32\dllcache\mxport.sys
2010-05-26 21:57:56 7168 ----a-w- c:\windows\system32\dllcache\mxport.dll
2010-05-26 21:57:54 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2010-05-26 21:57:51 19968 ----a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-05-26 21:57:48 229439 ----a-w- c:\windows\system32\dllcache\multibox.dll
2010-05-26 21:57:48 21888 ----a-w- c:\windows\system32\dllcache\mxcard.sys
2010-05-26 21:57:45 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-05-26 21:57:24 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2010-05-26 21:57:21 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-05-26 21:57:12 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-05-26 21:57:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-05-26 21:56:59 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-26 21:56:59 1875968 ----a-w- c:\windows\system32\dllcache\msir3jp.lex
2010-05-26 21:56:58 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-05-26 21:56:37 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2010-05-26 21:56:30 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2010-05-26 21:56:29 56832 ----a-w- c:\windows\system32\dllcache\msdvbnp.ax
2010-05-26 21:56:27 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-05-26 21:56:11 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-05-26 21:56:02 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2010-05-26 21:54:57 802683 ----a-w- c:\windows\system32\dllcache\ltsm.sys
2010-05-26 21:53:53 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2010-05-26 21:52:57 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-05-26 21:51:59 58592 ----a-w- c:\windows\system32\dllcache\i740nt5.sys
2010-05-26 21:50:59 13312 ----a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2010-05-26 21:49:57 82304 ----a-w- c:\windows\system32\dllcache\grclass.sys
2010-05-26 21:48:59 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-05-26 21:47:59 629952 ----a-w- c:\windows\system32\dllcache\eqn.sys
2010-05-26 21:46:53 29696 ----a-w- c:\windows\system32\dllcache\dm9pci5.sys
2010-05-26 21:45:59 27648 ----a-w- c:\windows\system32\dllcache\cyzports.dll
2010-05-26 21:44:59 13312 ----a-w- c:\windows\system32\dllcache\chglogon.exe
2010-05-26 21:43:59 45568 ----a-w- c:\windows\system32\dllcache\browscap.dll
2010-05-26 21:42:56 24576 ----a-w- c:\windows\system32\dllcache\agcgauge.ax
2010-05-26 21:41:28 2188928 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-05-26 21:41:20 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-05-26 21:41:20 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-05-26 21:41:17 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-05-26 21:41:16 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-05-26 21:41:16 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-05-26 21:41:16 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2010-05-26 21:41:08 94720 ----a-w- c:\windows\system32\dllcache\certmap.ocx
2010-05-26 21:28:26 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-05-26 21:20:02 0 d-----w- c:\docume~1\bayla\applic~1\FreeFixer
2010-05-26 21:19:56 0 d-----w- c:\program files\FreeFixer
2010-05-26 21:10:59 908 ------w- c:\windows\system32\dllcache\skins.inf
2010-05-26 21:09:59 94720 ----a-w- c:\windows\system32\dllcache\imekr61.ime
2010-05-26 21:08:53 22528 ----a-w- c:\windows\system32\dllcache\lpdsvc.dll
2010-05-26 21:07:57 397312 ----a-w- c:\windows\system32\dllcache\fxstiff.dll
2010-05-26 21:07:46 19456 ----a-w- c:\windows\system32\dllcache\agt0412.dll
2010-05-26 21:07:37 72192 ----a-w- c:\windows\system32\dllcache\fxscom.dll
2010-05-26 21:07:27 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2010-05-26 21:07:24 7168 ----a-w- c:\windows\system32\dllcache\kbdibm02.dll
2010-05-26 21:07:23 8704 ----a-w- c:\windows\system32\dllcache\fxsperf.dll
2010-05-26 21:07:15 6656 ----a-w- c:\windows\system32\dllcache\kbdlk41a.dll
2010-05-26 21:07:11 119808 ----a-w- c:\windows\system32\dllcache\mtstocom.exe
2010-05-26 21:06:54 154112 ----a-w- c:\windows\system32\dllcache\fxsui.dll
2010-05-26 21:06:21 55296 ----a-w- c:\windows\system32\dllcache\fxsevent.dll
2010-05-26 21:06:15 18944 ----a-w- c:\windows\system32\dllcache\lprmon.dll
2010-05-26 21:05:41 218112 ----a-w- c:\windows\system32\dllcache\c_g18030.dll
2010-05-26 21:05:18 26624 ----a-w- c:\windows\system32\dllcache\fxsdrv.dll
2010-05-26 21:04:30 35328 ----a-w- c:\windows\system32\dllcache\iprip.dll
2010-05-26 21:04:23 142848 ----a-w- c:\windows\system32\dllcache\fxsclnt.exe
2010-05-26 21:04:21 6144 ----a-w- c:\windows\system32\dllcache\kbdax2.dll
2010-05-26 21:04:15 33792 ----a-w- c:\windows\system32\dllcache\lmmib2.dll
2010-05-26 21:04:00 331264 ----a-w- c:\windows\system32\dllcache\aqueue.dll
2010-05-26 21:04:00 101888 ----a-w- c:\windows\system32\dllcache\evntagnt.dll
2010-05-26 21:01:33 44928 ----a-w- c:\windows\system32\dllcache\agpcpq.sys
2010-05-26 21:00:10 19569 ----a-w- c:\windows\002797_.tmp
2010-05-26 20:32:38 0 d-----w- C:\spoolerlogs
2010-05-26 19:45:38 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-26 18:57:58 98816 ----a-w- c:\windows\sed.exe
2010-05-26 18:57:58 77312 ----a-w- c:\windows\MBR.exe
2010-05-26 18:57:58 256512 ----a-w- c:\windows\PEV.exe
2010-05-26 18:57:58 161792 ----a-w- c:\windows\SWREG.exe
2010-05-26 17:06:22 0 d-----w- c:\docume~1\bayla\applic~1\Malwarebytes
2010-05-26 17:06:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 17:06:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 17:06:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 17:06:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 15:38:23 0 d-----w- c:\docume~1\bayla\applic~1\SUPERAntiSpyware.com
2010-05-21 15:38:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2008-05-30 14:14:21 190 ----a-w- c:\program files\common files\psasetup.log

============= FINISH: 23:42:57.62 ===============


And I attached the Attach.txt file.
Here is the GMER log, attached in the Ark.txt file. It took two hours to run and my system slowed to a crawl (the winlogon.exe and wuauclt.exe processes were eating up all the CPU) at the end of the scan.

I will post below the latest ComboFix log. Thanks in advance! Leib


*****************
QUOTE
ComboFix 10-05-26.01 - bayla 05/26/2010 20:06:26.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.709 [GMT -4:00]
Running from: c:\documents and settings\bayla\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bayla\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\bayla\Start Menu\Programs\Data Protection

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
.

2010-05-26 22:26 . 2010-05-26 22:26 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48341094-4C07-43ED-980A-B7887C1776B4}\MpKsl803693a3.sys
2010-05-26 22:01 . 2001-08-17 18:04 75776 ----a-w- c:\windows\system32\dllcache\philcam1.sys
2010-05-26 22:01 . 2001-08-18 02:36 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll
2010-05-26 21:59 . 2001-08-17 18:05 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2010-05-26 21:58 . 2001-08-17 16:20 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2010-05-26 21:57 . 2001-08-17 17:50 75520 ----a-w- c:\windows\system32\dllcache\mxport.sys
2010-05-26 21:57 . 2001-08-18 02:36 7168 ----a-w- c:\windows\system32\dllcache\mxport.dll
2010-05-26 21:57 . 2001-08-17 17:49 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2010-05-26 21:57 . 2001-08-18 02:36 19968 ----a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-05-26 21:57 . 2006-02-28 07:00 229439 ----a-w- c:\windows\system32\dllcache\multibox.dll
2010-05-26 21:57 . 2001-08-17 17:50 21888 ----a-w- c:\windows\system32\dllcache\mxcard.sys
2010-05-26 21:57 . 2001-08-17 16:50 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-05-26 21:57 . 2008-04-14 04:09 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2010-05-26 21:57 . 2008-04-14 04:16 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-05-26 21:57 . 2001-08-17 17:48 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-05-26 21:57 . 2001-08-17 18:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-05-26 21:56 . 2008-04-14 04:24 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-26 21:56 . 2006-02-28 07:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-05-26 21:56 . 2001-08-17 18:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2010-05-26 21:56 . 2001-08-17 17:48 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2010-05-26 21:56 . 2008-04-14 04:16 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-05-26 21:56 . 2001-08-17 17:52 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-05-26 21:56 . 2008-04-14 04:16 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2010-05-26 21:54 . 2001-08-17 17:28 802683 ----a-w- c:\windows\system32\dllcache\ltsm.sys
2010-05-26 21:53 . 2008-04-14 09:39 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2010-05-26 21:52 . 2006-02-28 07:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-05-26 21:51 . 2001-08-17 16:49 58592 ----a-w- c:\windows\system32\dllcache\i740nt5.sys
2010-05-26 21:50 . 2001-08-18 02:36 13312 ----a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2010-05-26 21:49 . 2001-08-17 17:51 82304 ----a-w- c:\windows\system32\dllcache\grclass.sys
2010-05-26 21:48 . 2001-08-17 16:13 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-05-26 21:47 . 2001-08-17 16:17 629952 ----a-w- c:\windows\system32\dllcache\eqn.sys
2010-05-26 21:46 . 2001-08-17 16:11 29696 ----a-w- c:\windows\system32\dllcache\dm9pci5.sys
2010-05-26 21:45 . 2001-08-18 02:36 27648 ----a-w- c:\windows\system32\dllcache\cyzports.dll
2010-05-26 21:44 . 2006-02-28 07:00 13312 ----a-w- c:\windows\system32\dllcache\chglogon.exe
2010-05-26 21:43 . 2006-02-28 07:00 45568 ----a-w- c:\windows\system32\dllcache\browscap.dll
2010-05-26 21:42 . 2006-02-28 07:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll
2010-05-26 21:41 . 2008-04-14 04:57 2188928 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-05-26 21:41 . 2006-02-28 07:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-05-26 21:41 . 2006-02-28 07:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-05-26 21:41 . 2006-02-28 07:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-05-26 21:41 . 2006-02-28 07:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-05-26 21:41 . 2006-02-28 07:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-05-26 21:41 . 2006-02-28 07:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2010-05-26 21:28 . 2010-03-08 10:10 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-05-26 21:20 . 2010-05-26 21:49 -------- d-----w- c:\documents and settings\bayla\Application Data\FreeFixer
2010-05-26 21:20 . 2010-05-26 21:20 -------- d-----w- c:\documents and settings\bayla\Local Settings\Application Data\FreeFixer
2010-05-26 21:19 . 2010-05-26 21:19 -------- d-----w- c:\program files\FreeFixer
2010-05-26 21:11 . 2008-04-14 09:42 1306624 ----a-w- c:\windows\system32\dllcache\msxml6.dll
2010-05-26 21:11 . 2008-04-14 09:42 1306624 ------w- c:\windows\system32\msxml6.dll
2010-05-26 21:11 . 2008-04-14 02:57 79872 ----a-w- c:\windows\system32\dllcache\msxml6r.dll
2010-05-26 21:11 . 2008-04-14 02:57 79872 ------w- c:\windows\system32\msxml6r.dll
2010-05-26 21:11 . 2008-04-14 09:42 221184 ------w- c:\windows\system32\dllcache\wmpns.dll
2010-05-26 21:11 . 2008-04-14 09:42 98304 ------w- c:\windows\system32\dllcache\wmpband.dll
2010-05-26 21:11 . 2008-04-14 09:42 233472 ------w- c:\windows\system32\dllcache\wmpdxm.dll
2010-05-26 21:11 . 2008-04-14 09:42 114688 ------w- c:\windows\system32\dllcache\wmpasf.dll
2010-05-26 21:11 . 2008-04-14 02:53 168448 ------w- c:\windows\system32\dllcache\wmerror.dll
2010-05-26 21:09 . 2008-04-14 02:14 262200 ----a-w- c:\windows\system32\dllcache\imjputy.exe
2010-05-26 21:08 . 2008-04-14 09:41 22528 ----a-w- c:\windows\system32\dllcache\lpdsvc.dll
2010-05-26 21:07 . 2008-04-14 09:41 397312 ----a-w- c:\windows\system32\dllcache\fxstiff.dll
2010-05-26 21:07 . 2007-04-03 03:56 19456 ----a-w- c:\windows\system32\dllcache\agt0412.dll
2010-05-26 21:07 . 2008-04-14 09:41 72192 ----a-w- c:\windows\system32\dllcache\fxscom.dll
2010-05-26 21:07 . 2007-04-03 03:56 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2010-05-26 21:07 . 2008-04-14 09:39 7168 ----a-w- c:\windows\system32\dllcache\kbdibm02.dll
2010-05-26 21:07 . 2008-04-14 09:41 8704 ----a-w- c:\windows\system32\dllcache\fxsperf.dll
2010-05-26 21:07 . 2008-04-14 09:39 6656 ----a-w- c:\windows\system32\dllcache\kbdlk41a.dll
2010-05-26 21:07 . 2008-04-14 09:42 119808 ----a-w- c:\windows\system32\dllcache\mtstocom.exe
2010-05-26 21:06 . 2008-04-14 09:41 154112 ----a-w- c:\windows\system32\dllcache\fxsui.dll
2010-05-26 21:06 . 2008-04-14 09:41 55296 ----a-w- c:\windows\system32\dllcache\fxsevent.dll
2010-05-26 21:06 . 2008-04-14 09:41 18944 ----a-w- c:\windows\system32\dllcache\lprmon.dll
2010-05-26 21:05 . 2008-04-14 09:41 218112 ----a-w- c:\windows\system32\dllcache\c_g18030.dll
2010-05-26 21:05 . 2008-04-14 09:41 26624 ----a-w- c:\windows\system32\dllcache\fxsdrv.dll
2010-05-26 21:04 . 2008-04-14 09:41 35328 ----a-w- c:\windows\system32\dllcache\iprip.dll
2010-05-26 21:04 . 2008-04-14 09:42 142848 ----a-w- c:\windows\system32\dllcache\fxsclnt.exe
2010-05-26 21:04 . 2008-04-14 09:39 6144 ----a-w- c:\windows\system32\dllcache\kbdax2.dll
2010-05-26 21:04 . 2008-04-14 09:41 33792 ----a-w- c:\windows\system32\dllcache\lmmib2.dll
2010-05-26 21:04 . 2008-04-14 09:41 101888 ----a-w- c:\windows\system32\dllcache\evntagnt.dll
2010-05-26 21:04 . 2008-04-14 09:41 331264 ----a-w- c:\windows\system32\dllcache\aqueue.dll
2010-05-26 21:03 . 2010-05-26 21:11 -------- d-----w- c:\windows\ServicePackFiles
2010-05-26 21:03 . 2008-04-14 09:42 294912 ------w- c:\windows\system32\dllcache\dlimport.exe
2010-05-26 21:03 . 2008-04-14 09:42 774144 ------w- c:\windows\system32\dllcache\setup_wm.exe
2010-05-26 21:03 . 2008-04-14 09:42 152064 ------w- c:\windows\system32\dllcache\shmedia.dll
2010-05-26 21:03 . 2008-04-14 09:42 73728 ------w- c:\windows\system32\dllcache\wmplayer.exe
2010-05-26 21:03 . 2008-04-14 09:42 303616 ------w- c:\windows\system32\dllcache\wmstream.dll
2010-05-26 21:03 . 2008-04-14 09:42 20480 ------w- c:\windows\system32\dllcache\wmpui.dll
2010-05-26 21:03 . 2008-04-14 09:42 20480 ------w- c:\windows\system32\dllcache\wmpcore.dll
2010-05-26 21:03 . 2008-04-14 09:42 20480 ------w- c:\windows\system32\dllcache\wmpcd.dll
2010-05-26 21:03 . 2008-04-14 09:42 115200 ------w- c:\windows\system32\dllcache\wmsdmoe.dll
2010-05-26 21:03 . 2008-04-14 09:42 102400 ------w- c:\windows\system32\dllcache\wmpshell.dll
2010-05-26 21:03 . 2008-04-14 02:58 2940928 ------w- c:\windows\system32\dllcache\wmploc.dll
2010-05-26 20:32 . 2010-05-26 20:32 -------- d-----w- C:\spoolerlogs
2010-05-26 19:45 . 2010-05-26 19:45 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-26 18:25 . 2010-05-26 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-26 17:06 . 2010-05-26 17:06 -------- d-----w- c:\documents and settings\bayla\Application Data\Malwarebytes
2010-05-26 17:06 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 17:06 . 2010-05-26 17:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 17:06 . 2010-05-26 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-26 17:06 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 15:38 . 2010-05-21 15:38 -------- d-----w- c:\documents and settings\bayla\Application Data\SUPERAntiSpyware.com
2010-05-21 15:38 . 2010-05-21 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-21 15:06 . 2010-05-21 15:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-21 15:06 . 2010-05-21 15:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 21:17 . 2007-05-02 15:36 73048 ----a-w- c:\documents and settings\esther\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 21:12 . 2006-04-25 17:31 91227 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-26 19:44 . 2008-01-30 16:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-26 19:43 . 2008-01-30 16:53 -------- d-----w- c:\program files\Symantec AntiVirus
2010-05-26 19:43 . 2008-01-30 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-21 15:15 . 2008-06-25 15:52 -------- d-----w- c:\program files\Windows Live Toolbar
2010-04-07 20:17 . 2009-02-10 21:33 -------- d-----w- c:\program files\FNT-NY Rate Calculator
2010-04-07 18:35 . 2010-04-07 18:35 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-07 18:35 . 2010-04-07 18:35 -------- d-----w- c:\program files\Autodesk
2008-05-30 14:14 . 2008-05-30 14:14 190 ----a-w- c:\program files\Common Files\psasetup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 16050688]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-07-14 279576]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2003-02-27 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2003-02-27 40960]
"PPort9reminder"="c:\program files\ScanSoft\PaperPort\WebEreg\Ereg.exe" [2003-01-27 729088]
"FMStart"="c:\program files\GFI\FAXmaker Client\fmstart.exe" [2000-05-10 56832]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-21 190464]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2009-1-19 294912]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 MpKsl803693a3;MpKsl803693a3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48341094-4C07-43ED-980A-B7887C1776B4}\MpKsl803693a3.sys [5/26/2010 6:26 PM 28752]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2/11/2007 2:42 PM 534040]
S2 Poweroff;Poweroff;c:\windows\system32\poweroff.exe [11/10/2008 4:18 PM 172032]
S3 B-Service;B-Service;c:\documents and settings\bayla\Local Settings\Temporary Internet Files\Content.IE5\3LYI4GH4\B-Service.exe --> c:\documents and settings\bayla\Local Settings\Temporary Internet Files\Content.IE5\3LYI4GH4\B-Service.exe [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://expressresearch.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Scheduler - c:\windows\SMINST\Scheduler.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 20:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ECECEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7520f28
\Driver\ACPI -> ACPI.sys @ 0xf73b3cb8
\Driver\atapi -> atapi.sys @ 0xf7345852
\Driver\iaStor -> iaStor.sys @ 0xf72881bc
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7187bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7194a21
SendHandler -> NDIS.sys @ 0xf717287b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1496)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2010-05-26 20:19:20
ComboFix-quarantined-files.txt 2010-05-27 00:19
ComboFix2.txt 2010-05-26 19:29

Pre-Run: 116,202,123,264 bytes free
Post-Run: 116,323,880,960 bytes free

- - End Of File - - 037C0DFF054C08BA34169B2FCB217100

Edited by leibtek, 27 May 2010 - 09:29 AM.
Moved from XP ~BP
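
The services section near the top of this ComboFix log is where a helper first looks for anything loading from the wrong place. As an added example (my own code, not part of the thread and not ComboFix's), here is a small Python triage of those exact lines. Its reading of the format is an assumption taken from the posted log: `S<n>` is the service start type (S1 system-start driver, S2 automatic, S3 on demand), the fields are `name;display name;image path`, an optional `--> resolved path`, and a trailing `[date time size]` or `[?]` when ComboFix could not read the file. The heuristics flag images living in a temp or browser-cache directory, system-start kernel drivers under a per-user profile, and entries with no file details; the sample input is the posted log, embedded verbatim.

```python
import re

# Constructed sample input: the service entries from the ComboFix log in post #1,
# copied as posted. Paths and names are the poster's machine, nothing to look up.
SAMPLE_SERVICES = r"""
S1 MpKsl803693a3;MpKsl803693a3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48341094-4C07-43ED-980A-B7887C1776B4}\MpKsl803693a3.sys [5/26/2010 6:26 PM 28752]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2/11/2007 2:42 PM 534040]
S2 Poweroff;Poweroff;c:\windows\system32\poweroff.exe [11/10/2008 4:18 PM 172032]
S3 B-Service;B-Service;c:\documents and settings\bayla\Local Settings\Temporary Internet Files\Content.IE5\3LYI4GH4\B-Service.exe --> c:\documents and settings\bayla\Local Settings\Temporary Internet Files\Content.IE5\3LYI4GH4\B-Service.exe [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\bayla\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
"""

# One service line: "<start> <name>;<display>;<image path> [--> <resolved path>] [<date time size> | ?]"
# This layout is read off the posted log; it is the example's own parsing, not ComboFix documentation.
SERVICE_RE = re.compile(
    r"^(?P<start>S[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]\s*$"
)


def parse_service(line):
    """Return a dict for one service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    path = (svc["resolved"] or svc["path"]).lower()
    # Kernel paths are printed with the \??\ object-manager prefix; drop it.
    if path.startswith("\\??\\"):
        path = path[4:]
    svc["path"] = path
    return svc


def in_user_profile(path):
    """True for XP per-user profile paths; 'All Users' is the machine-wide data dir, not a user."""
    return ("\\documents and settings\\" in path or "\\docume~1\\" in path) \
        and "\\all users\\" not in path


def triage_services(text):
    """Return {service name: {...}} for entries that deserve a second look."""
    findings = {}
    for line in text.splitlines():
        svc = parse_service(line)
        if svc is None:
            continue
        reasons = []
        p = svc["path"]
        if "\\temp\\" in p or "temporary internet files" in p:
            reasons.append("image lives in a temp or browser-cache directory")
        if svc["start"] == "S1" and p.endswith(".sys") and in_user_profile(p):
            reasons.append("system-start kernel driver loaded from a user profile")
        if svc["info"] == "?":
            reasons.append("no timestamp/size recorded ([?]): file was not readable when ComboFix ran")
        if reasons:
            findings[svc["name"]] = {"start": svc["start"], "path": p, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, f in triage_services(SAMPLE_SERVICES).items():
        print(f"{f['start']} {name}: {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run as a script it lists SASDIFSV, SASKUTIL, SASENUM and B-Service. The three SAS* drivers are SUPERAntiSpyware's own, unpacked to Temp because the poster ran it in its self-extracting form, which is why the output is a list of candidates to verify and not a verdict; B-Service.exe, an on-demand service pointing into the IE cache with no file on disk, is the kind of entry that does warrant a question.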


#2 leibtek (Topic Starter)

Posted 26 May 2010 - 10:50 PM

I have now submitted all the required info. Sorry.

#3 Farbar (Security Developer)

Posted 28 May 2010 - 10:55 AM

Hi leibtek,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

Double-click to run TDLfix.exe, type the following in the command window and press Enter:

mbr

A log file opens up. Please post its content in your reply.

#4 leibtek (Topic Starter)

Posted 28 May 2010 - 11:09 AM

Thanks Farbar!!!

Agreed!

Here's the log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ED5CEC]<<
kernel: MBR read successfully
user & kernel MBR OK


Thanks so much!

Edited by leibtek, 28 May 2010 - 11:14 AM.


#5 Farbar (Security Developer)

Posted 28 May 2010 - 11:21 AM

  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      pciide

    • The application will restart the computer immediately and run after the restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Reboot the computer once manually then run TDLFix again, type mbr and press Enter. Copy and paste the log it creates.


#6 leibtek (Topic Starter)

Posted 28 May 2010 - 12:26 PM

Hi Farbar,

After the system rebooted (on its own), the command screen came up with a message, "Please wait", then closed, but the system didn't continue to boot. I hit Ctrl-Alt-Delete and rebooted the system. I then ran TDLfix -> mbr, and here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK


I then tried to do a Google search and some website browsing, and was not redirected! I wasn't always redirected on every search, though, so I'm not 100% sure, but I'm pretty sure it's clean, unless you think otherwise.

Thanks!!!
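
The two TDLfix "mbr" logs in posts #4 and #6, and the mbr.exe run embedded in the ComboFix report in post #1, differ in exactly the line that matters. As an added example (my own code, not part of the thread and not Farbar's or Gmer's tooling), here is a Python triage of those three logs, embedded verbatim as sample input. Its reading of the fields is an assumption drawn from the logs themselves: `called modules` lists the drivers a disk read passed through, `>>UNKNOWN [addr]<<` marks an address the tool could not attribute to any loaded module, the lines under `detected MBR rootkit hooks:` give the module that owns each hook, and `user & kernel MBR OK` means the MBR read from user mode and from kernel mode agreed.

```python
import re

# Constructed samples: the three mbr.exe outputs posted in this thread (ComboFix's embedded
# run in post #1, TDLfix "mbr" before the fix in post #4, and after the fix in post #6).
# Addresses are from the poster's machine and mean nothing elsewhere.
LOG_COMBOFIX = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ECECEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7520f28
\Driver\ACPI -> ACPI.sys @ 0xf73b3cb8
\Driver\atapi -> atapi.sys @ 0xf7345852
\Driver\iaStor -> iaStor.sys @ 0xf72881bc
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7187bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7194a21
SendHandler -> NDIS.sys @ 0xf717287b
user & kernel MBR OK
"""

LOG_BEFORE_FIX = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ED5CEC]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

LOG_AFTER_FIX = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$")


def parse_mbr_log(text):
    """Pull the fields that matter for triage out of one mbr.exe log."""
    parsed = {"modules": [], "unknown": [], "hooks": [], "mbr_ok": False}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            # Addresses the tool could not map to any loaded driver.
            parsed["unknown"] = UNKNOWN_RE.findall(chain)
            # The named drivers the read request passed through, in order.
            parsed["modules"] = UNKNOWN_RE.sub("", chain).split()
            in_hooks = False
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line == "user & kernel MBR OK":
            parsed["mbr_ok"] = True
            in_hooks = False
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                parsed["hooks"].append((m["target"], m["module"], m["addr"]))
            else:
                in_hooks = False
    return parsed


def verdict(parsed):
    """Order matters: an unattributed address in the disk path outranks an MBR that reads fine."""
    if parsed["unknown"]:
        return "SUSPECT: code outside any loaded driver handles disk I/O at " + ", ".join(parsed["unknown"])
    if not parsed["mbr_ok"]:
        return "SUSPECT: user-mode and kernel-mode MBR reads did not both succeed or did not agree"
    return "CLEAN: disk path resolves to named drivers only and the MBR reads agree"


def compare_chains(before, after):
    """What changed in the disk call chain between two logs of the same machine."""
    b, a = parse_mbr_log(before), parse_mbr_log(after)
    return {
        "unknown_removed": [u for u in b["unknown"] if u not in a["unknown"]],
        "modules_added": [m for m in a["modules"] if m not in b["modules"]],
        "modules_removed": [m for m in b["modules"] if m not in a["modules"]],
    }


if __name__ == "__main__":
    for label, log in (("ComboFix run", LOG_COMBOFIX), ("before TDLfix", LOG_BEFORE_FIX), ("after TDLfix", LOG_AFTER_FIX)):
        print(f"{label}: {verdict(parse_mbr_log(log))}")
    print(compare_chains(LOG_BEFORE_FIX, LOG_AFTER_FIX))
```

Run as a script it marks the first two logs SUSPECT and the last CLEAN. Note what the ComboFix run shows: every listed hook resolves to a named driver and the MBR check passes, so the only indicator is the unattributed address at the end of the call chain. A check that stops at "MBR OK" would have called this machine clean, which is consistent with the infection being in a driver (pciide.sys, as the opening post says ComboFix removed) rather than in the boot sector. After the fix the chain continues past disk.sys to iaStor.sys and hal.dll instead of ending in unattributed code.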

#7 Farbar (Security Developer)

Posted 28 May 2010 - 12:43 PM

Thanks for the detailed feedback. There are a few cases of system hang-up after the removal of the rootkit, but after some time the system boots. You did well though.

The rootkit is taken off and the log is clean.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file, mbr.exe and the tool itself.

  2. It is important to uninstall ComboFix.

    Go to Start => Run, copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through System Restore.

  3. Also remove any tool or log we used from your computer.


Happy surfing, leibtek.

#8 leibtek (Topic Starter)

Posted 28 May 2010 - 01:20 PM

OK, I was able to delete TDLFix; however, the command to remove ComboFix resulted in a "Windows cannot find ComboFix" error.

Thanks again, I left you a small token of appreciation.

Leibtek

#9 Farbar (Security Developer)

Posted 28 May 2010 - 01:29 PM

Thank you for your donation.

If you don't have ComboFix on your desktop, download a fresh one to your desktop from one of these locations:

Link 1
Link 2
Link 3

Go to Start => Run, copy and paste the following in the Run box and click OK:

"%userprofile%\Desktop\ComboFix.exe" /Uninstall

Please let me know if you face any problems.

#10 Farbar (Security Developer)

Posted 08 June 2010 - 08:38 PM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
