
Google redirect; easy a-z


  • This topic is locked
17 replies to this topic

#1 Transfixed
  • Members
  • 8 posts

Posted 27 March 2012 - 07:05 AM

Google search results are redirected to easy a-z site. Windows Security Essentials is disabled. Spyware and adware removal programs do not detect the threat.

This is my DDS text:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Run by Kimiko at 10:49:59 on 2012-03-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1342 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\GPSoftware\Directory Opus\DOpus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k HPService
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [DOpus] c:\program files\gpsoftware\directory opus\DOpus.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\kimiko\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Directory Opus Desktop Dblclk] "c:\program files\gpsoftware\directory opus\dopusrt.exe" /dblclk
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_Win32.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234985668442
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196632938536
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 212.159.13.49 212.159.13.50
TCP: Interfaces\{D4F0DEC2-E2CD-4237-8AA8-BFAD4ED9A166} : DhcpNameServer = 212.159.13.49 212.159.13.50
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - c:\program files\gpsoftware\directory opus\dopuslib.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kimiko\application data\mozilla\firefox\profiles\6tz7ugfu.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\kimiko\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-12-8 38448]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2012-3-26 101112]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S2 OODefrag;O&O Defrag;c:\windows\system32\oodag.exe [2002-2-8 263168]
S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2008-10-31 43240]
S3 DrvFltIp;DrvFltIp;\??\c:\documents and settings\kimiko\local settings\temp\drvfltip --> c:\documents and settings\kimiko\local settings\temp\DrvFltIp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2007-12-8 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2007-12-8 5248]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2012-03-27 08:03:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-27 08:03:42 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-27 08:00:46 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-27 08:00:46 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-27 07:45:41 -------- d-----w- c:\program files\HitmanPro
2012-03-27 07:44:18 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-03-26 15:55:39 42864 ----a-r- c:\windows\system32\SBBD.EXE
2012-03-26 15:55:39 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-03-23 09:13:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-21 06:04:22 122880 --sha-r- c:\windows\system32\kbdfc3.dll
2012-03-20 16:30:02 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c1a86487-ea93-4456-91fa-8da032d77fd3}\mpengine.dll
2012-03-07 16:17:21 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-07 16:17:21 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-19 10:13:53 15113064 ----a-w- c:\program files\Firefox Setup 9.0.1.exe
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-11-30 16:26:11 14580096 ----a-w- c:\program files\Firefox Setup 8.0.1.exe
2004-03-11 13:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
============= FINISH: 10:51:05.60 ===============



#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 March 2012 - 12:22 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

1. Do not run any other tool until instructed to do so!
Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.

2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.

3. After each step give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.

4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#3 Transfixed (Topic Starter)

  • Members
  • 8 posts

Posted 28 March 2012 - 02:45 AM

Hi Gringo. Thanks for your response. I have run Combofix and attached the log file to this post. Combofix updated Windows Recovery, and rebooted once during its run. After it finished, I opened Internet Explorer browser and searched Google for "computer viruses". When I clicked on the first url in the search results, I was redirected to a site called QandCA.com. When I clicked the back button, the following message was displayed:

404. That’s an error.
The requested URL /search.php?q=computer+viruses&n=1332920020 was not found on this server.

What's the next step?

ComboFix 12-03-27.03 - Kimiko 28/03/2012 8:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1604 [GMT 1:00]
Running from: c:\documents and settings\Kimiko\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\All Users\SPL2A.tmp
c:\documents and settings\All Users\SPL2B.tmp
c:\documents and settings\Kimiko\WINDOWS
c:\documents and settings\Peter\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-27 19:20 . 2012-03-27 19:35 -------- d-----w- c:\documents and settings\Kimiko\Local Settings\Application Data\SUPERSystemInspector
2012-03-27 08:03 . 2012-03-27 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-27 08:03 . 2012-03-27 08:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-27 08:00 . 2012-03-27 08:00 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-27 08:00 . 2012-03-27 08:00 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-27 07:45 . 2012-03-27 07:45 -------- d-----w- c:\program files\HitmanPro
2012-03-27 07:44 . 2012-03-27 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-03-26 15:55 . 2012-01-19 09:22 42864 ----a-r- c:\windows\system32\SBBD.EXE
2012-03-26 15:55 . 2012-01-12 08:26 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-03-23 09:13 . 2012-03-23 09:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-21 06:04 . 2012-03-21 06:04 122880 --sha-r- c:\windows\system32\kbdfc3.dll
2012-03-20 16:30 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C1A86487-EA93-4456-91FA-8DA032D77FD3}\mpengine.dll
2012-03-07 16:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-07 16:17 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2011-10-15 07:56 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2009-02-18 20:25 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-01-11 21:53 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-19 10:13 . 2012-01-19 10:13 15113064 ----a-w- c:\program files\Firefox Setup 9.0.1.exe
2012-01-09 16:20 . 2009-02-18 20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-11-30 16:26 . 2011-11-30 16:25 14580096 ----a-w- c:\program files\Firefox Setup 8.0.1.exe
2004-03-11 13:27 . 2007-12-09 19:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2012-03-27 08:00 . 2012-01-20 11:08 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DOpus"="c:\program files\GPSoftware\Directory Opus\DOpus.exe" [2010-03-17 7312840]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-22 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-11 3905920]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2010-03-17 271840]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Peter\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [N/A]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
Quick StartUp.lnk - c:\program files\PENSOFT\fquick32.exe [N/A]
Start.lnk - c:\program files\PENSOFT\Quick95.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-12-8 25214]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2010-03-17 838104]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)
.
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [08/12/2007 14:11 38448]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [26/03/2012 16:55 101112]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Kimiko\Desktop\SASKUTIL.SYS --> c:\documents and settings\Kimiko\Desktop\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 10:43 135664]
S2 OODefrag;O&O Defrag;c:\windows\system32\oodag.exe [08/02/2002 13:15 263168]
S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [31/10/2008 09:47 43240]
S3 DrvFltIp;DrvFltIp;\??\c:\documents and settings\Kimiko\Local Settings\TEMP\DrvFltIp --> c:\documents and settings\Kimiko\Local Settings\TEMP\DrvFltIp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 10:43 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/01/2009 17:17 12872]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [08/12/2007 18:24 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [08/12/2007 18:24 5248]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\ckjflyh.job
- c:\windows\system32\kbdfc3.dll [2012-03-21 06:04]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:43]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:43]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1958367476-725345543-1003Core.job
- c:\documents and settings\Kimiko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-23 13:56]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1958367476-725345543-1003UA.job
- c:\documents and settings\Kimiko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-23 13:56]
.
2012-03-27 c:\windows\Tasks\Norton Security Scan for Kimiko.job
- c:\progra~1\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-19 21:43]
.
2012-03-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1960408961-1958367476-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 16:02]
.
2012-03-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1960408961-1958367476-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 16:02]
.
2012-03-27 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 34f2e574-4e5f-4bd2-a84f-c11dcfe81e1c.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.159.13.49 212.159.13.50
FF - ProfilePath - c:\documents and settings\Kimiko\Application Data\Mozilla\Firefox\Profiles\6tz7ugfu.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-28 08:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ASFWHide]
"ImagePath"="\??\c:\documents and settings\Kimiko\Local Settings\TEMP\ASFWHide"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DrvFltIp]
"ImagePath"="\??\c:\documents and settings\Kimiko\Local Settings\TEMP\DrvFltIp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\GPSoftware\Directory Opus\dopushlp.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2012-03-28 08:31:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-28 07:31
.
Pre-Run: 31,898,832,896 bytes free
Post-Run: 32,730,243,072 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 25453D9271BBD2896A8407103CEEA3CB

Attached Files

  • log.txt (17.26KB)

Edited by gringo_pr, 28 March 2012 - 02:50 AM.
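The two logs above (ComboFix, and the TDSSKiller output that follows in a later reply) are long, and the entries that a helper actually wants to look at are a handful of lines buried in hundreds of normal ones. The script below is an added example for this page; it is not code from any poster and not part of ComboFix, TDSSKiller or BleepingComputer. It runs offline on a few lines constructed from the logs in this thread and applies heuristics that are this example's own assumptions, not a verdict: a scheduled task whose payload is a DLL or whose name is vowel-poor, a service whose ImagePath lies under a user's TEMP directory, a Firefox user.js line that turns a security warning off, and a registry service for which TDSSKiller reports a result but never a file on disk.

```python
"""Triage heuristics for ComboFix and TDSSKiller style log lines.

Added example for this thread, not a tool from any of the vendors named in
it. Sample lines are constructed from the posted logs; every heuristic here
is an assumption about what merits a manual look, not a malware verdict.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a few ComboFix lines copied from the log above.
COMBOFIX_SAMPLE = r"""
2012-03-28 c:\windows\Tasks\ckjflyh.job
- c:\windows\system32\kbdfc3.dll [2012-03-21 06:04]

2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:43]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ASFWHide]
"ImagePath"="\??\c:\documents and settings\Kimiko\Local Settings\TEMP\ASFWHide"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DrvFltIp]
"ImagePath"="\??\c:\documents and settings\Kimiko\Local Settings\TEMP\DrvFltIp"

FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
"""

# Constructed sample: a few TDSSKiller lines copied from the later reply.
TDSS_SAMPLE = r"""
10:25:12.0265 1340 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:25:12.0281 1340 ACPI - ok
10:25:12.0984 1340 ASFWHide - ok
10:25:14.0875 1340 DrvFltIp - ok
10:25:15.0718 1340 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
10:25:15.0734 1340 gupdate - ok
"""

TASK_RE = re.compile(r"^\d{4}-\d\d-\d\d\s+(?P<job>.+\.job)$", re.I)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[\d{4}-\d\d-\d\d \d\d:\d\d\]$")
SERVICE_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\\w+\\Services\\(?P<name>[^\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>.+)"$')
FF_PREF_RE = re.compile(r"^FF - user\.js: (?P<pref>\S+) - (?P<value>\S+)$")
TDSS_FILE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
TDSS_OK_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>.+?) - ok$")


def looks_random(stem):
    """Assumed heuristic: five or more letters with under 20% vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def triage_combofix(text):
    """Return (kind, name, detail, reason) tuples for lines worth a look."""
    findings, job, service = [], None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if m := TASK_RE.match(line):
            job = PureWindowsPath(m["job"]).stem          # next line is its target
        elif (m := TARGET_RE.match(line)) and job:
            target = PureWindowsPath(m["target"])
            reasons = []
            if target.suffix.lower() == ".dll":
                reasons.append("task payload is a DLL, not an executable")
            if looks_random(job) or looks_random(target.stem):
                reasons.append("random-looking task or file name")
            if reasons:
                findings.append(("task", job, str(target), "; ".join(reasons)))
            job = None
        elif m := SERVICE_KEY_RE.match(line):
            service = m["name"]                            # next line is its ImagePath
        elif (m := IMAGEPATH_RE.match(line)) and service:
            if "\\temp\\" in m["path"].lower():
                findings.append(("service", service, m["path"],
                                 "service binary lives under a TEMP directory"))
            service = None
        elif (m := FF_PREF_RE.match(line)) and m["pref"].startswith("security.warn_") and m["value"] == "false":
            findings.append(("firefox", m["pref"], m["value"], "browser security warning disabled"))
    return findings


def services_without_file(text):
    """Names TDSSKiller reported on but never paired with an on-disk file."""
    with_file, seen = set(), []
    for line in text.splitlines():
        if m := TDSS_FILE_RE.match(line):
            with_file.add(m["name"])
        elif (m := TDSS_OK_RE.match(line)) and m["name"] not in seen:
            seen.append(m["name"])
    return [n for n in seen if n not in with_file]


def cross_check(findings, missing):
    """Services ComboFix flagged that TDSSKiller also found no file for."""
    return sorted(n for kind, n, *_ in findings if kind == "service" and n in missing)


if __name__ == "__main__":
    found = triage_combofix(COMBOFIX_SAMPLE)
    for item in found:
        print(*item, sep=" | ")
    print("registry services with no file:", cross_check(found, services_without_file(TDSS_SAMPLE)))
```

Run as-is it prints the flagged entries from the embedded sample; on a real log, pass the file contents to triage_combofix and services_without_file instead of the constants. The name heuristic is only a vowel ratio, so it will also flag some legitimate short vendor names; treat the output as a reading list for the helper, never as a removal list.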


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:10 AM

Posted 28 March 2012 - 02:49 AM

Greetings


please do not attach the reports - see edit above

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:10 AM

Posted 28 March 2012 - 02:49 AM

double post

Edited by gringo_pr, 28 March 2012 - 02:50 AM.


#6 Transfixed

Transfixed
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:10 AM

Posted 28 March 2012 - 04:46 AM

Gringo

The TDSSkiller log is:

10:25:04.0890 3752 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
10:25:05.0093 3752 ============================================================
10:25:05.0093 3752 Current date / time: 2012/03/28 10:25:05.0093
10:25:05.0093 3752 SystemInfo:
10:25:05.0093 3752
10:25:05.0093 3752 OS Version: 5.1.2600 ServicePack: 3.0
10:25:05.0093 3752 Product type: Workstation
10:25:05.0093 3752 ComputerName: KOKO
10:25:05.0093 3752 UserName: Kimiko
10:25:05.0093 3752 Windows directory: C:\WINDOWS
10:25:05.0093 3752 System windows directory: C:\WINDOWS
10:25:05.0093 3752 Processor architecture: Intel x86
10:25:05.0093 3752 Number of processors: 1
10:25:05.0093 3752 Page size: 0x1000
10:25:05.0093 3752 Boot type: Normal boot
10:25:05.0093 3752 ============================================================
10:25:06.0625 3752 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:25:06.0625 3752 \Device\Harddisk0\DR0:
10:25:06.0625 3752 MBR used
10:25:06.0625 3752 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x6EF3F8B
10:25:06.0640 3752 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x6EF4009, BlocksNum 0x1627DFA3
10:25:06.0640 3752 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D171FEB, BlocksNum 0x201C84
10:25:06.0875 3752 Initialize success
10:25:06.0875 3752 ============================================================
10:25:11.0156 1340 ============================================================
10:25:11.0156 1340 Scan started
10:25:11.0156 1340 Mode: Manual;
10:25:11.0156 1340 ============================================================
10:25:12.0062 1340 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
10:25:12.0078 1340 !SASCORE - ok
10:25:12.0187 1340 Abiosdsk - ok
10:25:12.0218 1340 abp480n5 - ok
10:25:12.0265 1340 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:25:12.0281 1340 ACPI - ok
10:25:12.0328 1340 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:25:12.0328 1340 ACPIEC - ok
10:25:12.0359 1340 adpu160m - ok
10:25:12.0406 1340 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
10:25:12.0406 1340 aeaudio - ok
10:25:12.0453 1340 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:25:12.0453 1340 aec - ok
10:25:12.0500 1340 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:25:12.0515 1340 AFD - ok
10:25:12.0546 1340 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
10:25:12.0546 1340 agp440 - ok
10:25:12.0562 1340 Aha154x - ok
10:25:12.0593 1340 aic78u2 - ok
10:25:12.0625 1340 aic78xx - ok
10:25:12.0671 1340 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
10:25:12.0671 1340 Alerter - ok
10:25:12.0718 1340 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
10:25:12.0718 1340 ALG - ok
10:25:12.0750 1340 AliIde - ok
10:25:12.0781 1340 amsint - ok
10:25:12.0812 1340 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
10:25:12.0812 1340 AppMgmt - ok
10:25:12.0843 1340 asc - ok
10:25:12.0875 1340 asc3350p - ok
10:25:12.0906 1340 asc3550 - ok
10:25:12.0984 1340 ASFWHide - ok
10:25:13.0078 1340 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
10:25:13.0078 1340 aspnet_state - ok
10:25:13.0140 1340 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:25:13.0140 1340 AsyncMac - ok
10:25:13.0171 1340 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:25:13.0171 1340 atapi - ok
10:25:13.0203 1340 Atdisk - ok
10:25:13.0250 1340 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:25:13.0250 1340 Atmarpc - ok
10:25:13.0296 1340 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
10:25:13.0296 1340 AudioSrv - ok
10:25:13.0343 1340 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:25:13.0343 1340 audstub - ok
10:25:13.0390 1340 BackupReader (6a960004131eed4b9d2a5224018b607c) C:\WINDOWS\system32\DRIVERS\BackupReader.sys
10:25:13.0390 1340 BackupReader - ok
10:25:13.0453 1340 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:25:13.0453 1340 Beep - ok
10:25:13.0515 1340 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
10:25:13.0515 1340 BITS - ok
10:25:13.0562 1340 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
10:25:13.0562 1340 Browser - ok
10:25:13.0578 1340 catchme - ok
10:25:13.0625 1340 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:25:13.0625 1340 cbidf2k - ok
10:25:13.0656 1340 cd20xrnt - ok
10:25:13.0703 1340 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:25:13.0703 1340 Cdaudio - ok
10:25:13.0750 1340 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:25:13.0750 1340 Cdfs - ok
10:25:13.0796 1340 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:25:13.0796 1340 Cdrom - ok
10:25:13.0828 1340 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
10:25:13.0828 1340 cercsr6 - ok
10:25:13.0859 1340 Changer - ok
10:25:13.0890 1340 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
10:25:13.0906 1340 CiSvc - ok
10:25:13.0937 1340 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
10:25:13.0937 1340 ClipSrv - ok
10:25:13.0968 1340 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:25:13.0984 1340 clr_optimization_v2.0.50727_32 - ok
10:25:14.0015 1340 CmdIde - ok
10:25:14.0031 1340 COMSysApp - ok
10:25:14.0078 1340 Cpqarray - ok
10:25:14.0125 1340 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
10:25:14.0140 1340 CryptSvc - ok
10:25:14.0156 1340 dac2w2k - ok
10:25:14.0203 1340 dac960nt - ok
10:25:14.0250 1340 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
10:25:14.0265 1340 DcomLaunch - ok
10:25:14.0312 1340 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
10:25:14.0312 1340 Dhcp - ok
10:25:14.0343 1340 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:25:14.0343 1340 Disk - ok
10:25:14.0375 1340 dmadmin - ok
10:25:14.0437 1340 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:25:14.0468 1340 dmboot - ok
10:25:14.0500 1340 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
10:25:14.0500 1340 dmio - ok
10:25:14.0546 1340 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:25:14.0546 1340 dmload - ok
10:25:14.0593 1340 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
10:25:14.0593 1340 dmserver - ok
10:25:14.0625 1340 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:25:14.0640 1340 DMusic - ok
10:25:14.0687 1340 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
10:25:14.0687 1340 Dnscache - ok
10:25:14.0734 1340 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
10:25:14.0750 1340 Dot3svc - ok
10:25:14.0781 1340 dpti2o - ok
10:25:14.0812 1340 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:25:14.0812 1340 drmkaud - ok
10:25:14.0875 1340 DrvFltIp - ok
10:25:14.0937 1340 E1000 (854293999e91bf2eb9e786166de4a35f) C:\WINDOWS\system32\DRIVERS\e1000325.sys
10:25:14.0937 1340 E1000 - ok
10:25:14.0968 1340 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
10:25:14.0984 1340 EapHost - ok
10:25:15.0015 1340 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
10:25:15.0015 1340 ERSvc - ok
10:25:15.0062 1340 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:25:15.0062 1340 Eventlog - ok
10:25:15.0109 1340 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
10:25:15.0109 1340 EventSystem - ok
10:25:15.0156 1340 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:25:15.0171 1340 Fastfat - ok
10:25:15.0234 1340 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:25:15.0234 1340 FastUserSwitchingCompatibility - ok
10:25:15.0265 1340 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:25:15.0265 1340 Fdc - ok
10:25:15.0312 1340 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:25:15.0312 1340 Fips - ok
10:25:15.0343 1340 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:25:15.0343 1340 Flpydisk - ok
10:25:15.0406 1340 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:25:15.0406 1340 FltMgr - ok
10:25:15.0515 1340 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:25:15.0515 1340 FontCache3.0.0.0 - ok
10:25:15.0562 1340 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:25:15.0562 1340 Fs_Rec - ok
10:25:15.0593 1340 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:25:15.0593 1340 Ftdisk - ok
10:25:15.0640 1340 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:25:15.0640 1340 Gpc - ok
10:25:15.0718 1340 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
10:25:15.0734 1340 gupdate - ok
10:25:15.0750 1340 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
10:25:15.0750 1340 gupdatem - ok
10:25:15.0796 1340 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
10:25:15.0796 1340 gusvc - ok
10:25:15.0828 1340 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
10:25:15.0828 1340 helpsvc - ok
10:25:15.0875 1340 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
10:25:15.0875 1340 HidServ - ok
10:25:15.0906 1340 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:25:15.0921 1340 HidUsb - ok
10:25:15.0968 1340 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
10:25:15.0968 1340 hkmsvc - ok
10:25:16.0015 1340 hotcore3 (4bab16afc2b0029e09c67daa8ec722a2) C:\WINDOWS\system32\drivers\hotcore3.sys
10:25:16.0015 1340 hotcore3 - ok
10:25:16.0046 1340 hpn - ok
10:25:16.0125 1340 hpqcxs08 (ed377b3c83fdea8d906109a085d219ba) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
10:25:16.0125 1340 hpqcxs08 - ok
10:25:16.0171 1340 hpqddsvc (ee4c7a4cf2316701ffde90f404520265) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
10:25:16.0171 1340 hpqddsvc - ok
10:25:16.0218 1340 HPSLPSVC (6f9cb6539a1b2508bd1c53d29334431a) C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
10:25:16.0250 1340 HPSLPSVC - ok
10:25:16.0281 1340 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:25:16.0296 1340 HPZid412 - ok
10:25:16.0343 1340 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:25:16.0343 1340 HPZipr12 - ok
10:25:16.0390 1340 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:25:16.0390 1340 HPZius12 - ok
10:25:16.0453 1340 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:25:16.0468 1340 HTTP - ok
10:25:16.0515 1340 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
10:25:16.0515 1340 HTTPFilter - ok
10:25:16.0546 1340 i2omgmt - ok
10:25:16.0578 1340 i2omp - ok
10:25:16.0609 1340 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:25:16.0609 1340 i8042prt - ok
10:25:16.0687 1340 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
10:25:16.0718 1340 ialm - ok
10:25:16.0843 1340 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:25:16.0984 1340 idsvc - ok
10:25:17.0406 1340 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:25:17.0406 1340 Imapi - ok
10:25:17.0453 1340 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
10:25:17.0453 1340 ImapiService - ok
10:25:17.0500 1340 ini910u - ok
10:25:17.0546 1340 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
10:25:17.0546 1340 IntelIde - ok
10:25:17.0593 1340 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:25:17.0593 1340 intelppm - ok
10:25:17.0640 1340 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:25:17.0640 1340 Ip6Fw - ok
10:25:17.0671 1340 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:25:17.0671 1340 IpFilterDriver - ok
10:25:17.0718 1340 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:25:17.0718 1340 IpInIp - ok
10:25:17.0765 1340 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:25:17.0765 1340 IpNat - ok
10:25:17.0812 1340 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:25:17.0812 1340 IPSec - ok
10:25:17.0859 1340 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:25:17.0859 1340 IRENUM - ok
10:25:17.0890 1340 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:25:17.0906 1340 isapnp - ok
10:25:17.0984 1340 JavaQuickStarterService (32192b4ebe8720ed8d49a455c962cb91) C:\Program Files\Java\jre6\bin\jqs.exe
10:25:17.0984 1340 JavaQuickStarterService - ok
10:25:18.0015 1340 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:25:18.0031 1340 Kbdclass - ok
10:25:18.0062 1340 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:25:18.0062 1340 kbdhid - ok
10:25:18.0109 1340 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:25:18.0125 1340 kmixer - ok
10:25:18.0156 1340 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:25:18.0156 1340 KSecDD - ok
10:25:18.0218 1340 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
10:25:18.0218 1340 lanmanserver - ok
10:25:18.0281 1340 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
10:25:18.0281 1340 lanmanworkstation - ok
10:25:18.0312 1340 lbrtfdc - ok
10:25:18.0375 1340 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
10:25:18.0375 1340 LmHosts - ok
10:25:18.0421 1340 McComponentHostService (f453d1e6d881e8f8717e20ccd4199e85) C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
10:25:18.0437 1340 McComponentHostService - ok
10:25:18.0500 1340 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
10:25:18.0500 1340 MDM - ok
10:25:18.0546 1340 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
10:25:18.0546 1340 Messenger - ok
10:25:18.0593 1340 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:25:18.0593 1340 mnmdd - ok
10:25:18.0640 1340 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
10:25:18.0640 1340 mnmsrvc - ok
10:25:18.0671 1340 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:25:18.0671 1340 Modem - ok
10:25:18.0734 1340 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
10:25:18.0734 1340 MODEMCSA - ok
10:25:18.0781 1340 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:25:18.0781 1340 Mouclass - ok
10:25:18.0828 1340 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:25:18.0828 1340 mouhid - ok
10:25:18.0875 1340 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:25:18.0875 1340 MountMgr - ok
10:25:18.0921 1340 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
10:25:18.0921 1340 MpFilter - ok
10:25:18.0953 1340 mraid35x - ok
10:25:19.0000 1340 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:25:19.0000 1340 MRxDAV - ok
10:25:19.0078 1340 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:25:19.0093 1340 MRxSmb - ok
10:25:19.0140 1340 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
10:25:19.0140 1340 MSDTC - ok
10:25:19.0171 1340 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:25:19.0187 1340 Msfs - ok
10:25:19.0218 1340 MSIServer - ok
10:25:19.0250 1340 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:25:19.0250 1340 MSKSSRV - ok
10:25:19.0312 1340 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
10:25:19.0312 1340 MsMpSvc - ok
10:25:19.0343 1340 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:25:19.0359 1340 MSPCLOCK - ok
10:25:19.0390 1340 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:25:19.0390 1340 MSPQM - ok
10:25:19.0437 1340 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:25:19.0437 1340 mssmbios - ok
10:25:19.0468 1340 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:25:19.0468 1340 Mup - ok
10:25:19.0531 1340 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
10:25:19.0562 1340 napagent - ok
10:25:19.0593 1340 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:25:19.0593 1340 NDIS - ok
10:25:19.0640 1340 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:25:19.0640 1340 NdisTapi - ok
10:25:19.0687 1340 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:25:19.0687 1340 Ndisuio - ok
10:25:19.0718 1340 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:25:19.0718 1340 NdisWan - ok
10:25:19.0781 1340 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:25:19.0781 1340 NDProxy - ok
10:25:19.0828 1340 Net Driver HPZ12 (949941e4de88df1faf49a4b3cffb756f) C:\WINDOWS\system32\HPZinw12.dll
10:25:19.0828 1340 Net Driver HPZ12 - ok
10:25:19.0859 1340 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:25:19.0859 1340 NetBIOS - ok
10:25:19.0906 1340 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:25:19.0921 1340 NetBT - ok
10:25:19.0968 1340 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:25:19.0968 1340 NetDDE - ok
10:25:20.0000 1340 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:25:20.0000 1340 NetDDEdsdm - ok
10:25:20.0046 1340 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:25:20.0046 1340 Netlogon - ok
10:25:20.0078 1340 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
10:25:20.0093 1340 Netman - ok
10:25:20.0187 1340 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
10:25:20.0203 1340 NetTcpPortSharing - ok
10:25:20.0265 1340 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
10:25:20.0265 1340 Nla - ok
10:25:20.0296 1340 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:25:20.0296 1340 Npfs - ok
10:25:20.0359 1340 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:25:20.0359 1340 Ntfs - ok
10:25:20.0390 1340 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:25:20.0406 1340 NtLmSsp - ok
10:25:20.0453 1340 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
10:25:20.0453 1340 NtmsSvc - ok
10:25:20.0500 1340 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:25:20.0500 1340 Null - ok
10:25:20.0843 1340 nv (5e640f37801f2d4152d11595218915cd) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:25:21.0109 1340 nv - ok
10:25:21.0171 1340 NVSvc (400d95445c593d4c089013729d0da0b3) C:\WINDOWS\system32\nvsvc32.exe
10:25:21.0171 1340 NVSvc - ok
10:25:21.0437 1340 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:25:21.0437 1340 NwlnkFlt - ok
10:25:21.0468 1340 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:25:21.0484 1340 NwlnkFwd - ok
10:25:21.0546 1340 OODefrag (75025db1ec94bbaffbff999fee9b639d) C:\WINDOWS\system32\oodag.exe
10:25:21.0562 1340 OODefrag - ok
10:25:21.0625 1340 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:25:21.0625 1340 ose - ok
10:25:21.0671 1340 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:25:21.0687 1340 Parport - ok
10:25:21.0734 1340 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:25:21.0734 1340 PartMgr - ok
10:25:21.0796 1340 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:25:21.0796 1340 ParVdm - ok
10:25:21.0828 1340 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:25:21.0828 1340 PCI - ok
10:25:21.0859 1340 PCIDump - ok
10:25:21.0890 1340 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:25:21.0890 1340 PCIIde - ok
10:25:21.0937 1340 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:25:21.0937 1340 Pcmcia - ok
10:25:21.0968 1340 PDCOMP - ok
10:25:22.0000 1340 PDFRAME - ok
10:25:22.0031 1340 PDRELI - ok
10:25:22.0062 1340 PDRFRAME - ok
10:25:22.0093 1340 perc2 - ok
10:25:22.0125 1340 perc2hib - ok
10:25:22.0203 1340 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:25:22.0218 1340 PlugPlay - ok
10:25:22.0265 1340 Pml Driver HPZ12 (2f4ca141a609caf5c98f6e4760ef1b9b) C:\WINDOWS\system32\HPZipm12.dll
10:25:22.0265 1340 Pml Driver HPZ12 - ok
10:25:22.0296 1340 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:25:22.0312 1340 PolicyAgent - ok
10:25:22.0343 1340 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:25:22.0343 1340 PptpMiniport - ok
10:25:22.0375 1340 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:25:22.0375 1340 ProtectedStorage - ok
10:25:22.0421 1340 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:25:22.0421 1340 PSched - ok
10:25:22.0453 1340 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:25:22.0453 1340 Ptilink - ok
10:25:22.0484 1340 ql1080 - ok
10:25:22.0515 1340 Ql10wnt - ok
10:25:22.0546 1340 ql12160 - ok
10:25:22.0578 1340 ql1240 - ok
10:25:22.0609 1340 ql1280 - ok
10:25:22.0656 1340 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:25:22.0656 1340 RasAcd - ok
10:25:22.0703 1340 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
10:25:22.0703 1340 RasAuto - ok
10:25:22.0750 1340 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:25:22.0750 1340 Rasl2tp - ok
10:25:22.0796 1340 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
10:25:22.0812 1340 RasMan - ok
10:25:22.0843 1340 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:25:22.0843 1340 RasPppoe - ok
10:25:22.0890 1340 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:25:22.0890 1340 Raspti - ok
10:25:22.0937 1340 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:25:22.0937 1340 Rdbss - ok
10:25:22.0984 1340 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:25:22.0984 1340 RDPCDD - ok
10:25:23.0031 1340 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:25:23.0031 1340 rdpdr - ok
10:25:23.0093 1340 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
10:25:23.0109 1340 RDPWD - ok
10:25:23.0140 1340 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
10:25:23.0156 1340 RDSessMgr - ok
10:25:23.0187 1340 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:25:23.0187 1340 redbook - ok
10:25:23.0218 1340 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
10:25:23.0234 1340 RemoteAccess - ok
10:25:23.0281 1340 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
10:25:23.0296 1340 RemoteRegistry - ok
10:25:23.0328 1340 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
10:25:23.0328 1340 RpcLocator - ok
10:25:23.0375 1340 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
10:25:23.0390 1340 RpcSs - ok
10:25:23.0437 1340 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
10:25:23.0437 1340 RSVP - ok
10:25:23.0500 1340 SABKUTIL - ok
10:25:23.0546 1340 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:25:23.0546 1340 SamSs - ok
10:25:23.0609 1340 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
10:25:23.0609 1340 SASDIFSV - ok
10:25:23.0640 1340 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
10:25:23.0656 1340 SASENUM - ok
10:25:23.0687 1340 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
10:25:23.0703 1340 SASKUTIL - ok
10:25:23.0750 1340 SBRE (1fd538c4feb36b793d2121f20bbdc16f) C:\WINDOWS\system32\drivers\SBREdrv.sys
10:25:23.0750 1340 SBRE - ok
10:25:23.0812 1340 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
10:25:23.0812 1340 SCardSvr - ok
10:25:23.0859 1340 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
10:25:23.0859 1340 Schedule - ok
10:25:23.0921 1340 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:25:23.0921 1340 Secdrv - ok
10:25:23.0953 1340 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
10:25:23.0953 1340 seclogon - ok
10:25:23.0984 1340 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
10:25:24.0000 1340 SENS - ok
10:25:24.0046 1340 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:25:24.0046 1340 serenum - ok
10:25:24.0078 1340 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:25:24.0078 1340 Serial - ok
10:25:24.0156 1340 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:25:24.0156 1340 Sfloppy - ok
10:25:24.0218 1340 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
10:25:24.0234 1340 SharedAccess - ok
10:25:24.0281 1340 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:25:24.0281 1340 ShellHWDetection - ok
10:25:24.0312 1340 Simbad - ok
10:25:24.0390 1340 smwdm (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
10:25:24.0406 1340 smwdm - ok
10:25:24.0437 1340 Sparrow - ok
10:25:24.0468 1340 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:25:24.0484 1340 splitter - ok
10:25:24.0515 1340 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
10:25:24.0515 1340 Spooler - ok
10:25:24.0578 1340 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:25:24.0578 1340 sr - ok
10:25:24.0609 1340 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
10:25:24.0625 1340 srservice - ok
10:25:24.0671 1340 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:25:24.0671 1340 Srv - ok
10:25:24.0718 1340 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
10:25:24.0734 1340 SSDPSRV - ok
10:25:24.0796 1340 StarWindService (ab2b9349ada4ac5ec74b622b8303fe23) C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
10:25:24.0796 1340 StarWindService - ok
10:25:24.0859 1340 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
10:25:24.0859 1340 StillCam - ok
10:25:24.0890 1340 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
10:25:24.0906 1340 stisvc - ok
10:25:24.0953 1340 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:25:24.0953 1340 swenum - ok
10:25:25.0000 1340 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:25:25.0015 1340 swmidi - ok
10:25:25.0046 1340 SwPrv - ok
10:25:25.0078 1340 symc810 - ok
10:25:25.0109 1340 symc8xx - ok
10:25:25.0140 1340 sym_hi - ok
10:25:25.0171 1340 sym_u3 - ok
10:25:25.0218 1340 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:25:25.0218 1340 sysaudio - ok
10:25:25.0265 1340 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
10:25:25.0265 1340 SysmonLog - ok
10:25:25.0328 1340 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
10:25:25.0328 1340 TapiSrv - ok
10:25:25.0390 1340 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:25:25.0406 1340 Tcpip - ok
10:25:25.0453 1340 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:25:25.0453 1340 TDPIPE - ok
10:25:25.0484 1340 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:25:25.0484 1340 TDTCP - ok
10:25:25.0515 1340 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:25:25.0515 1340 TermDD - ok
10:25:25.0578 1340 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
10:25:25.0578 1340 TermService - ok
10:25:25.0640 1340 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:25:25.0640 1340 Themes - ok
10:25:25.0687 1340 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
10:25:25.0703 1340 TlntSvr - ok
10:25:25.0734 1340 TosIde - ok
10:25:25.0781 1340 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
10:25:25.0781 1340 TrkWks - ok
10:25:25.0843 1340 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:25:25.0843 1340 Udfs - ok
10:25:25.0875 1340 ultra - ok
10:25:25.0921 1340 UMWdf (ab0a7ca90d9e3d6a193905dc1715ded0) C:\WINDOWS\system32\wdfmgr.exe
10:25:25.0921 1340 UMWdf - ok
10:25:25.0968 1340 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:25:25.0984 1340 Update - ok
10:25:26.0031 1340 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
10:25:26.0046 1340 upnphost - ok
10:25:26.0078 1340 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
10:25:26.0078 1340 UPS - ok
10:25:26.0125 1340 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:25:26.0140 1340 usbccgp - ok
10:25:26.0171 1340 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:25:26.0171 1340 usbehci - ok
10:25:26.0203 1340 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:25:26.0218 1340 usbhub - ok
10:25:26.0265 1340 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:25:26.0265 1340 usbprint - ok
10:25:26.0296 1340 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:25:26.0296 1340 usbscan - ok
10:25:26.0328 1340 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:25:26.0328 1340 USBSTOR - ok
10:25:26.0375 1340 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:25:26.0375 1340 usbuhci - ok
10:25:26.0437 1340 Vax347b (cb3400d696bee266c38cae330c2b4337) C:\WINDOWS\system32\DRIVERS\Vax347b.sys
10:25:26.0437 1340 Vax347b - ok
10:25:26.0468 1340 Vax347s (113e4b318bbaa7483ca4e582a4d63f49) C:\WINDOWS\System32\Drivers\Vax347s.sys
10:25:26.0468 1340 Vax347s - ok
10:25:26.0515 1340 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:25:26.0515 1340 VgaSave - ok
10:25:26.0546 1340 ViaIde - ok
10:25:26.0578 1340 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:25:26.0593 1340 VolSnap - ok
10:25:26.0625 1340 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
10:25:26.0640 1340 VSS - ok
10:25:26.0687 1340 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
10:25:26.0687 1340 W32Time - ok
10:25:26.0734 1340 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:25:26.0734 1340 Wanarp - ok
10:25:26.0750 1340 WDICA - ok
10:25:26.0781 1340 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:25:26.0796 1340 wdmaud - ok
10:25:26.0828 1340 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
10:25:26.0828 1340 WebClient - ok
10:25:26.0906 1340 WinDefend (f45dd1e1365d857dd08bc23563370d0e) C:\Program Files\Windows Defender\MsMpEng.exe
10:25:26.0906 1340 WinDefend - ok
10:25:26.0968 1340 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
10:25:26.0968 1340 winmgmt - ok
10:25:27.0046 1340 WmdmPmSN (140ef97b64f560fd78643cae2cdad838) C:\WINDOWS\system32\mspmsnsv.dll
10:25:27.0046 1340 WmdmPmSN - ok
10:25:27.0109 1340 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
10:25:27.0140 1340 Wmi - ok
10:25:27.0187 1340 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
10:25:27.0203 1340 WmiApSrv - ok
10:25:27.0328 1340 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
10:25:27.0359 1340 WMPNetworkSvc - ok
10:25:27.0390 1340 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
10:25:27.0390 1340 WS2IFSL - ok
10:25:27.0453 1340 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
10:25:27.0453 1340 wscsvc - ok
10:25:27.0500 1340 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
10:25:27.0500 1340 wuauserv - ok
10:25:27.0562 1340 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:25:27.0562 1340 WudfPf - ok
10:25:27.0609 1340 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:25:27.0609 1340 WudfRd - ok
10:25:27.0656 1340 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
10:25:27.0656 1340 WudfSvc - ok
10:25:27.0718 1340 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
10:25:27.0750 1340 WZCSVC - ok
10:25:27.0796 1340 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
10:25:27.0796 1340 xmlprov - ok
10:25:27.0843 1340 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:25:27.0984 1340 \Device\Harddisk0\DR0 - ok
10:25:28.0000 1340 Boot (0x1200) (d963d1fb8505792c0eed164835dbe509) \Device\Harddisk0\DR0\Partition0
10:25:28.0000 1340 \Device\Harddisk0\DR0\Partition0 - ok
10:25:28.0031 1340 Boot (0x1200) (83c0890c7e40c09662cb1f2798c57108) \Device\Harddisk0\DR0\Partition1
10:25:28.0031 1340 \Device\Harddisk0\DR0\Partition1 - ok
10:25:28.0046 1340 Boot (0x1200) (dd5c046b48f3381d3db547ad60e38a0b) \Device\Harddisk0\DR0\Partition2
10:25:28.0062 1340 \Device\Harddisk0\DR0\Partition2 - ok
10:25:28.0062 1340 ============================================================
10:25:28.0062 1340 Scan finished
10:25:28.0062 1340 ============================================================
10:25:28.0093 1864 Detected object count: 0
10:25:28.0093 1864 Actual detected object count: 0


The aswMBR log is:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-28 10:26:59
-----------------------------
10:26:59.265 OS Version: Windows 5.1.2600 Service Pack 3
10:26:59.265 Number of processors: 1 586 0x204
10:26:59.265 ComputerName: KOKO UserName:
10:26:59.515 Initialize success
10:28:35.656 AVAST engine defs: 12032801
10:28:38.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:28:38.515 Disk 0 Vendor: WDC_WD5000AAKB-00UKA0 07.01N01 Size: 476940MB BusType: 3
10:28:38.531 Disk 0 MBR read successfully
10:28:38.531 Disk 0 MBR scan
10:28:38.531 Disk 0 Windows XP default MBR code
10:28:38.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56807 MB offset 63
10:28:38.546 Disk 0 Partition - 00 0F Extended LBA 420129 MB offset 116342730
10:28:38.562 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 181499 MB offset 116342793
10:28:38.562 Disk 0 Partition - 00 05 Extended 1027 MB offset 488054700
10:28:38.578 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1027 MB offset 488054763
10:28:38.578 Disk 0 scanning sectors +976768065
10:28:38.640 Disk 0 scanning C:\WINDOWS\system32\drivers
10:28:48.562 Service scanning
10:29:01.765 Modules scanning
10:29:04.968 Disk 0 trace - called modules:
10:29:05.000 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
10:29:05.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a68aab8]
10:29:05.000 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a68bd98]
10:29:05.453 AVAST engine scan C:\WINDOWS
10:29:15.453 AVAST engine scan C:\WINDOWS\system32
10:31:59.015 AVAST engine scan C:\WINDOWS\system32\drivers
10:32:14.203 AVAST engine scan C:\Documents and Settings\Kimiko
10:35:04.453 File: C:\Documents and Settings\Kimiko\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe **INFECTED** Win32:Malware-gen
10:35:04.609 File: C:\Documents and Settings\Kimiko\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdate.exe **INFECTED** Win32:Trojan-gen
10:37:34.500 AVAST engine scan C:\Documents and Settings\All Users
10:39:13.828 Scan finished successfully
10:42:58.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kimiko\Desktop\MBR.dat"
10:42:58.218 The log file has been saved successfully to "C:\Documents and Settings\Kimiko\Desktop\aswMBR.txt"

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 March 2012 - 07:21 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
File::
c:\windows\system32\kbdfc3.dll
c:\windows\Tasks\ckjflyh.job

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 Transfixed

Transfixed
  • Topic Starter

  • Members
  • 8 posts

Posted 28 March 2012 - 08:08 AM

Hi Gringo.
The Google search results are still being redirected to other sites: bookmarky.com and ask jeeves were the last two redirects. Windows Defender still does not run: it starts, but closes immediately. So no improvement in the PC so far - it still appears to be infected.

The Combofix log is:

ComboFix 12-03-27.03 - Kimiko 28/03/2012 13:32:39.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1525 [GMT 1:00]
Running from: c:\documents and settings\Kimiko\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kimiko\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\kbdfc3.dll"
"c:\windows\Tasks\ckjflyh.job"
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-27 19:20 . 2012-03-27 19:35 -------- d-----w- c:\documents and settings\Kimiko\Local Settings\Application Data\SUPERSystemInspector
2012-03-27 08:03 . 2012-03-27 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-27 08:03 . 2012-03-27 08:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-27 08:00 . 2012-03-27 08:00 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-27 08:00 . 2012-03-27 08:00 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-27 07:45 . 2012-03-27 07:45 -------- d-----w- c:\program files\HitmanPro
2012-03-27 07:44 . 2012-03-27 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-03-26 15:55 . 2012-01-19 09:22 42864 ----a-r- c:\windows\system32\SBBD.EXE
2012-03-26 15:55 . 2012-01-12 08:26 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-03-23 09:13 . 2012-03-23 09:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-21 06:04 . 2012-03-21 06:04 122880 --sha-r- c:\windows\system32\kbdfc3.dll
2012-03-20 16:30 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C1A86487-EA93-4456-91FA-8DA032D77FD3}\mpengine.dll
2012-03-07 16:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-07 16:17 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2011-10-15 07:56 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2009-02-18 20:25 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-01-11 21:53 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-19 10:13 . 2012-01-19 10:13 15113064 ----a-w- c:\program files\Firefox Setup 9.0.1.exe
2012-01-09 16:20 . 2009-02-18 20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-11-30 16:26 . 2011-11-30 16:25 14580096 ----a-w- c:\program files\Firefox Setup 8.0.1.exe
2004-03-11 13:27 . 2007-12-09 19:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2012-03-27 08:00 . 2012-01-20 11:08 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-28_07.27.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-28 12:40 . 2012-03-28 12:40 16384 c:\windows\Temp\Perflib_Perfdata_700.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DOpus"="c:\program files\GPSoftware\Directory Opus\DOpus.exe" [2010-03-17 7312840]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-22 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-11 3905920]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2010-03-17 271840]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Peter\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [N/A]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
Quick StartUp.lnk - c:\program files\PENSOFT\fquick32.exe [N/A]
Start.lnk - c:\program files\PENSOFT\Quick95.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-12-8 25214]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2010-03-17 838104]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
[BU]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)
.
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [08/12/2007 14:11 38448]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [26/03/2012 16:55 101112]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Kimiko\Desktop\SASKUTIL.SYS --> c:\documents and settings\Kimiko\Desktop\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 10:43 135664]
S2 OODefrag;O&O Defrag;c:\windows\system32\oodag.exe [08/02/2002 13:15 263168]
S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [31/10/2008 09:47 43240]
S3 DrvFltIp;DrvFltIp;\??\c:\documents and settings\Kimiko\Local Settings\TEMP\DrvFltIp --> c:\documents and settings\Kimiko\Local Settings\TEMP\DrvFltIp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 10:43 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/01/2009 17:17 12872]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [08/12/2007 18:24 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [08/12/2007 18:24 5248]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\ckjflyh.job
- c:\windows\system32\kbdfc3.dll [2012-03-21 06:04]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:43]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:43]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1958367476-725345543-1003Core.job
- c:\documents and settings\Kimiko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-23 13:56]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1958367476-725345543-1003UA.job
- c:\documents and settings\Kimiko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-23 13:56]
.
2012-03-27 c:\windows\Tasks\Norton Security Scan for Kimiko.job
- c:\progra~1\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-19 21:43]
.
2012-03-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1960408961-1958367476-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 16:02]
.
2012-03-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1960408961-1958367476-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 16:02]
.
2012-03-28 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 34f2e574-4e5f-4bd2-a84f-c11dcfe81e1c.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.159.13.49 212.159.13.50
FF - ProfilePath - c:\documents and settings\Kimiko\Application Data\Mozilla\Firefox\Profiles\6tz7ugfu.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-28 13:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ASFWHide]
"ImagePath"="\??\c:\documents and settings\Kimiko\Local Settings\TEMP\ASFWHide"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DrvFltIp]
"ImagePath"="\??\c:\documents and settings\Kimiko\Local Settings\TEMP\DrvFltIp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\msv1_0.dll
.
- - - - - - - > 'explorer.exe'(468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\GPSoftware\Directory Opus\dopushlp.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2012-03-28 13:58:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-28 12:58
ComboFix2.txt 2012-03-28 07:31
.
Pre-Run: 32,674,443,264 bytes free
Post-Run: 32,734,355,456 bytes free
.
- - End Of File - - 07141A280E36725EA600AEDD94284ACE
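
Added illustration, not part of this thread or of any of the tools used in it: a small Python helper that applies the reasoning behind the CFScript and BlitzBlank scripts in this thread to the ComboFix log. It reads the "Files Created" rows and the 'Scheduled Tasks' section and flags a task whose target is a DLL rather than an executable, was created inside the log's 30-day window, and carries the hidden and system attributes. ComboFix's attribute column is read here as d/c/s/h/a/r/w, with "s" meaning system and "h" meaning hidden; that reading of the log format is an assumption, not something the thread states. The sample log lines are copied from the ComboFix output above; the function and field names are mine.

```python
import re

# Lines copied from the ComboFix log posted in this thread (not constructed):
# three "Files Created" rows and two entries from the 'Scheduled Tasks' section.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
2012-03-23 09:13 . 2012-03-23 09:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-21 06:04 . 2012-03-21 06:04 122880 --sha-r- c:\windows\system32\kbdfc3.dll
2012-03-07 16:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\ckjflyh.job
- c:\windows\system32\kbdfc3.dll [2012-03-21 06:04]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:43]
.
"""

# "Files Created" row: created . modified size attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Scheduled task header line, followed on the next line by "- <target> [stamp]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]$")


def parse_created_files(log_text):
    """Map lower-cased path -> attribute string for every 'Files Created' row."""
    files = {}
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            files[m["path"].lower()] = m["attrs"]
    return files


def parse_scheduled_tasks(log_text):
    """Return (job_path, target_path) pairs from the 'Scheduled Tasks' section."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    tasks = []
    for i, line in enumerate(lines):
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1])
            if t:
                tasks.append((m["job"], t["target"]))
    return tasks


def analyze(log_text):
    """Flag scheduled tasks that look like persistence for a dropped DLL.

    Reasons recorded per task (assumed attribute letters: s = system, h = hidden):
      dll-target             the job runs a .dll instead of an executable
      created-in-scan-window the target appears in the log's 'Files Created' list
      hidden+system          that file carries both the hidden and system attributes
    """
    files = parse_created_files(log_text)
    findings = []
    for job, target in parse_scheduled_tasks(log_text):
        reasons = []
        if target.lower().endswith(".dll"):
            reasons.append("dll-target")
        attrs = files.get(target.lower())
        if attrs is not None:
            reasons.append("created-in-scan-window")
            if "h" in attrs and "s" in attrs:
                reasons.append("hidden+system")
        if reasons:
            findings.append({"job": job, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(COMBOFIX_LOG):
        print(f"{f['job']} -> {f['target']}: {', '.join(f['reasons'])}")
```

Run against the log above it reports only ckjflyh.job, with all three reasons, and leaves the GoogleUpdate task alone; the same three signals are what make the DLL and its .job the pair worth removing, and a file named as a keyboard layout (kbd*.dll) that is loaded from a scheduled task rather than by the input subsystem is the kind of mismatch a reviewer should check by hand.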

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 March 2012 - 08:11 AM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
"c:\windows\system32\kbdfc3.dll"
"c:\windows\Tasks\ckjflyh.job"
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here [donate button]. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 Transfixed (Topic Starter)
  • Members
  • 8 posts

Posted 28 March 2012 - 10:28 AM

I have run Blitzblank. The machine does not now redirect from a Google search, and Microsoft Security Essentials now starts and runs. I am currently running a scan with Microsoft Security Essentials.

The Blitzblank log is:

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\kbdfc3.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\windows\tasks\ckjflyh.job", destinationFile = "(null)", replaceWithDummy = 0

Thanks for your help so far. Are there more steps to take?
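What the BlitzBlank log records is Windows' own delayed-delete mechanism, the one BlitzBlank falls back on for files the running system will not let go of: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the job in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as (source, destination) pairs in NT path form, and the session manager carries the jobs out early in the next boot, before anything can open the file again. An empty destination (logged above as "(null)") means delete. The following is an added example written for this page, not BlitzBlank's code and not part of the original thread: it encodes and decodes that value format so a responder can read what is queued for deletion or replacement on a machine (or from an offline SYSTEM hive) before rebooting. The first two entries are constructed from the log above, the third replace-on-boot entry is hypothetical, and the function and class names are mine.

```python
"""Build and parse the PendingFileRenameOperations registry value.

Added example for this thread; it is not BlitzBlank's code. The first two
sample entries are constructed from the MoveFileOnReboot lines in the
BlitzBlank log above; the third is hypothetical. Names are my own.

Windows stores this value at
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as REG_MULTI_SZ: strings come in (source, destination) pairs, an empty
destination means "delete at next boot" (what BlitzBlank logs as "(null)"),
and a destination starting with "!" means MOVEFILE_REPLACE_EXISTING.
"""
from dataclasses import dataclass
from typing import List

_ENC = "utf-16-le"   # REG_MULTI_SZ: UTF-16LE strings, NUL-separated, extra NUL at the end
_NUL = "\x00"


@dataclass
class PendingOp:
    source: str                     # NT path, e.g. \??\c:\windows\system32\kbdfc3.dll
    destination: str = ""           # "" => delete at boot
    replace_existing: bool = False  # "!" prefix on destination in the registry

    @property
    def is_delete(self) -> bool:
        return self.destination == ""


def encode_pending_ops(ops: List[PendingOp]) -> bytes:
    """Serialise (source, destination) pairs as REG_MULTI_SZ bytes."""
    strings = []
    for op in ops:
        strings.append(op.source)
        dest = op.destination
        if op.replace_existing and dest:
            dest = "!" + dest
        strings.append(dest)
    body = "".join(s + _NUL for s in strings)
    return (body + _NUL).encode(_ENC)


def _split_multi_sz(text: str) -> List[str]:
    """Split a decoded REG_MULTI_SZ, keeping empty strings (they mean 'delete' here)."""
    if text.endswith(_NUL):
        text = text[:-1]            # drop the list terminator
    if not text:
        return []
    parts = text.split(_NUL)
    if parts[-1] == "":
        parts.pop()                 # NUL that terminated the last string
    return parts


def decode_pending_ops(raw: bytes) -> List[PendingOp]:
    """Parse REG_MULTI_SZ bytes into PendingOp pairs; reject a dangling source."""
    strings = _split_multi_sz(raw.decode(_ENC))
    if len(strings) % 2:
        raise ValueError("odd number of strings: source without destination")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        replace = dst.startswith("!")
        ops.append(PendingOp(src, dst[1:] if replace else dst, replace))
    return ops


def describe(ops: List[PendingOp]) -> List[str]:
    """One audit line per queued operation, the way a responder wants to read it."""
    lines = []
    for op in ops:
        if op.is_delete:
            lines.append(f"DELETE  {op.source}")
        else:
            flag = " (replace existing)" if op.replace_existing else ""
            lines.append(f"MOVE    {op.source} -> {op.destination}{flag}")
    return lines


# Constructed from the BlitzBlank log above ("(null)" destination = delete).
SAMPLE_OPS = [
    PendingOp(r"\??\c:\windows\system32\kbdfc3.dll"),
    PendingOp(r"\??\c:\windows\tasks\ckjflyh.job"),
    # Hypothetical replace-on-boot entry, to show the "!" form.
    PendingOp(r"\??\c:\windows\temp\new.dll", r"\??\c:\windows\system32\old.dll", True),
]

if __name__ == "__main__":
    raw = encode_pending_ops(SAMPLE_OPS)
    for line in describe(decode_pending_ops(raw)):
        print(line)
```

On a live system the bytes come from reading that value with the registry API; from a seized disk they come from the SYSTEM hive. Either way, an entry pointing at a file in system32 or at a scheduled task is worth understanding before the reboot that will execute it, because the same mechanism that removes a rootkit component can be used by malware to replace a system file at boot.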

#11 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 March 2012 - 02:39 PM

Glad to hear things are running better now. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove any more. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove Programs, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Java™ 6 Update 11
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
McAfee Security Scan Plus


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs, double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.


Install Java:

Please go here to install Java

  • Click on the Free Java Download button
  • Click on Agree and start Free download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When install is complete, click on Close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • Report from HijackThis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#12 Transfixed (Topic Starter)
  • Members
  • 8 posts

Posted 28 March 2012 - 04:57 PM

Hi Gringo

The PC is running well now and I haven't found any problems yet, although Microsoft Security Essentials doesn't seem to be starting up automatically. The HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:53:42, on 28/03/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\GPSoftware\Directory Opus\DOpus.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [DOpus] C:\Program Files\GPSoftware\Directory Opus\DOpus.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_Win32.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234985668442
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196632938536
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: TPSvc - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10213 bytes


The MBAM log is:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.28.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kimiko :: KOKO [administrator]

28/03/2012 22:37:19
mbam-log-2012-03-28 (22-37-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220457
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRVFLTIP (Rogue.UnVirex) -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Services\DrvFltIp (Rogue.UnVirex) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
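A HijackThis log is plain text with a fixed line grammar (section code, " - ", body), so the first triage pass over it can be automated. The following is an added example written for this page, not HijackThis or BleepingComputer code: it parses the R*/O* lines, pulls out the file each one loads, and applies three cheap rules a responder otherwise applies by eye: an autostart entry (O2/O3/O4/O20/O22/O23) whose file lives in a user-writable location, an O20 Winlogon Notify key with no DLL behind it (the "Invalid registry found" line above), and an O23 service whose binary carries no company information. Hits are things to look at, not verdicts, as the legitimate RealPlayer plug-in under All Users\Application Data shows. The sample log is constructed: most lines are copied from the log above, while the [updater] Run entry and the "Example Service" line are hypothetical; function and class names are mine.

```python
"""Triage a HijackThis log: parse each R*/O* line and flag what to check first.

Added example for this thread; it is not HijackThis or BleepingComputer code.
SAMPLE_LOG is constructed: most lines are copied from the log posted above,
and the [updater] Run entry and the "Example Service" O23 line are
HYPOTHETICAL, added to exercise the rules. Names are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O4 - HKLM\..\Run: [Name] cmd"  ->  section "O4", body "HKLM\..\Run: [Name] cmd"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# First Windows path ending in a loadable extension. For
# "RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup" this yields the DLL, which is what matters.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cpl|job|lnk)\b', re.IGNORECASE)

# Sections that load code automatically: BHOs, toolbars, Run keys, Winlogon Notify,
# SharedTaskScheduler, services.
AUTOSTART = {"O2", "O3", "O4", "O20", "O22", "O23"}
# Locations a non-admin user (or malware running as one) can write to on XP.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\windows\\tasks\\", "\\recycler\\")


@dataclass
class Entry:
    section: str
    body: str
    path: str   # "" when no file path could be extracted (e.g. "Invalid registry found")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse(line: str) -> Optional[Entry]:
    """Return an Entry for an R*/O* line, or None for headers, blanks and process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return Entry(m.group("sec"), body, pm.group(0) if pm else "")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(log_text: str) -> List[Finding]:
    """Apply three cheap rules; each hit is a 'look at this', not a verdict."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        e = parse(raw)
        if e is None:
            continue
        if e.section in AUTOSTART and e.path and is_user_writable(e.path):
            findings.append(Finding(e.section, "autostart loads from a user-writable location", raw.strip()))
        if e.section == "O20" and not e.path:
            # Winlogon Notify key still registered but its DLL is gone: leftover of a removed hook.
            findings.append(Finding(e.section, "orphaned Winlogon Notify entry (no DLL path)", raw.strip()))
        if e.section == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e.section, "service binary has no company/version info", raw.strip()))
    return findings


SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Kimiko\Local Settings\Temp\updater.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: TPSvc - Invalid registry found
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\system32\exsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The rules are deliberately simple. The value of the script is in the parse step: once each line is an Entry with a normalised path, adding a rule (a whitelist of known-good CLSIDs, a hash lookup, a check against what the process list at the top of the log shows running) is a one-line change, and the same parser can be pointed at every log in a thread to see what changed between scans.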

#13 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 March 2012 - 05:58 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    • O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    • O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    • O4 - HKCU\..\Run: [DOpus] C:\Program Files\GPSoftware\Directory Opus\DOpus.exe
    • O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    • O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
    • O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space
    (for example, IntelliPoint from O4 - HKLM\..\Run: [IntelliPoint]).


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

#14 Transfixed (Topic Starter)
  • Members
  • 8 posts

Posted 29 March 2012 - 01:34 PM

Hi Gringo
I've run HijackThis as directed and run the ESET online scanner. The threats detected from that are:

D:\Trans\Downloads\bsc.physiotherapy.detailed.syllabus.2010.pdf (1).exe a variant of Win32/Adware.MediaFinder.C application
D:\Trans\Downloads\bsc.physiotherapy.detailed.syllabus.2010.pdf.exe a variant of Win32/Adware.MediaFinder.C application
D:\Trans\Downloads\bsc_physiotherapy_detailed_syllabus.new.pdf.exe a variant of Win32/Adware.MediaFinder.C application
H:\Trans 16-01-2012\RealPlayer Downloads\dvd software\VideoConverterSetup.exe a variant of Win32/InstallCore.D application
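All four ESET hits are downloaded installers, and three of them use the oldest trick in the download folder: a document name with ".exe" appended. Explorer hides known extensions by default, so "….syllabus.2010.pdf.exe" displays as "….syllabus.2010.pdf", and the " (1)" in the first hit is simply the browser's name for a second download of the same file. The following is an added example written for this page, not ESET's or BleepingComputer's code: it walks a folder and flags the double-extension pattern (handling that " (1)" suffix, which would otherwise hide the inner ".pdf" from a naive split) and the reverse case, a PE file given a document extension, by checking for the MZ header. The file names come from the ESET list above; the file contents and the "invoice.pdf" sample are constructed, and the function names are mine.

```python
"""Find downloaded files that pretend to be documents but are executables.

Added example for this thread; it is not ESET's or BleepingComputer's code.
File names are taken from the ESET findings above; file contents are
constructed (a short "MZ" stub stands in for a real PE, "%PDF-" for a real
PDF). Names are my own.

Two tricks are covered: the double extension (Explorer hides the final
".exe" by default, so "syllabus.pdf.exe" displays as "syllabus.pdf"), and a
PE file given a plain document extension.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Iterator, List, Tuple

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".ppt", ".txt", ".jpg", ".mp3", ".avi"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DEDUP_RE = re.compile(r" \(\d+\)$")   # browser duplicate suffix: "name.pdf (1).exe"


def split_name(name: str) -> Tuple[str, str]:
    """Return (inner, outer) extensions, lower-cased, ignoring a " (1)" dedup suffix."""
    base, outer = os.path.splitext(name)   # "x.pdf (1)", ".exe"
    base = DEDUP_RE.sub("", base)          # "x.pdf"
    _, inner = os.path.splitext(base)      # ".pdf"
    return inner.lower(), outer.lower()


def classify(path: Path) -> List[str]:
    """Reasons this file looks disguised; an empty list means nothing found."""
    inner, outer = split_name(path.name)
    reasons = []
    if outer in EXEC_EXTS and inner in DOC_EXTS:
        reasons.append(f"double extension: shown as {inner}, runs as {outer}")
    if outer in DOC_EXTS:
        with path.open("rb") as fh:
            magic = fh.read(2)             # PE files start with the DOS "MZ" signature
        if magic == b"MZ":
            reasons.append(f"MZ header: PE executable with a {outer} extension")
    return reasons


def scan(root: Path) -> Iterator[Tuple[Path, str]]:
    """Walk root (sorted for stable output) and yield (file, reason) pairs."""
    for p in sorted(root.rglob("*")):
        if p.is_file():
            for reason in classify(p):
                yield p, reason


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway download folder, scan it, and return (name, reason) pairs."""
    root = Path(tempfile.mkdtemp(prefix="dlscan_"))
    try:
        samples = {  # constructed contents
            "bsc.physiotherapy.detailed.syllabus.2010.pdf (1).exe": b"MZ\x90\x00",
            "VideoConverterSetup.exe": b"MZ\x90\x00",   # plain installer: not flagged by name
            "syllabus.pdf": b"%PDF-1.4\n",             # genuine PDF
            "invoice.pdf": b"MZ\x90\x00",              # hypothetical: PE renamed to .pdf
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)
        return [(p.name, reason) for p, reason in scan(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Point scan() at a real Downloads folder to get the same report. The fourth ESET hit (a plain VideoConverterSetup.exe bundled with an installer wrapper) is not caught by either rule, which is the honest limit of name-based checks: for that one you need the scanner.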

#15 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 29 March 2012 - 01:38 PM

Hello

There are some minor things in your online scan that should be removed.


Delete files

  • Copy all text in the quote box (below) to Notepad.

    @echo off
    rem /f forces deletion of read-only files, /q suppresses the confirmation prompt,
    rem /s also removes any file of the same name in subfolders of that directory
    del /f /s /q "D:\Trans\Downloads\bsc.physiotherapy.detailed.syllabus.2010.pdf (1).exe"
    del /f /s /q "D:\Trans\Downloads\bsc.physiotherapy.detailed.syllabus.2010.pdf.exe"
    del /f /s /q "D:\Trans\Downloads\bsc_physiotherapy_detailed_syllabus.new.pdf.exe"
    del /f /s /q "H:\Trans 16-01-2012\RealPlayer Downloads\dvd software\VideoConverterSetup.exe"
    rem finally delete this batch file itself
    del %0

  • Save the Notepad file on your desktop as delfile.bat (set "Save as type" to "All Files").
    [screenshots of the Save dialog on XP and Vista]
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found, will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop.

:DeFogger:

Note** This only needs to be run if it was run before; if not, skip it.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • Turn off all active protection software
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure: How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM


Gringo



