Hello,
When I click on Google searches in Firefox, it takes me to unrelated sites. I have scanned with the paid version of MBAM and it always brings up 4 to 12 infections; I clean them up, but the problem persists. Here are the HJT and MBAM logs; I appreciate your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:47 AM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\EZBackitup\EZBkuptray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Perfect Keyboard\PK32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\RemoteView\RemoteView.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.ebay....outme/diageminc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.249.138.103 store.allurecollectiongiftcard.com
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Wdipiqivuxeg] rundll32.exe "C:\WINDOWS\Fxiyef.dat",e
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Xpipaq] rundll32.exe "C:\WINDOWS\iluxocige.dll",e
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe
O4 - Startup: Shortcut to PK32.lnk = C:\Program Files\Perfect Keyboard\PK32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.co...er/3.2/ebie.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - http://cs8b.instants...erxsigned42.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://promero.webe...bex/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - http://192.168.0.200/cab/RPB.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: ddccd - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 7478 bytes
Malwarebytes' Anti-Malware 1.34
Database version: 1828
Windows 5.1.2600 Service Pack 3
3/10/2009 9:42:01 AM
mbam-log-2009-03-10 (09-42-01).txt
Scan type: Quick Scan
Objects scanned: 90630
Time elapsed: 8 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpipaq (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\iluxocige.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
#1
Posted 10 March 2009 - 04:44 PM
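An added triage helper, not from this thread or from HijackThis, that scans HJT log lines like the ones posted above and flags the entry types an analyst checks first (the hosts override, rundll32 loading oddly named files straight out of C:\WINDOWS, the Winlogon Notify entry with no DLL, and components marked "file missing"); the heuristics and the embedded sample lines are constructed for this example.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example, not part of this thread or of HijackThis. The heuristics are
constructed for illustration and mirror what an analyst checks by eye:
  * O1  hosts-file overrides (other than localhost)
  * O4  Run entries where rundll32 loads a file that is not a .dll, or a
        .dll sitting directly in the Windows root instead of system32
  * O20 Winlogon Notify entries whose "path" is only a directory
  * O18/O23 entries that HJT marks "(file missing)"
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# HJT lines look like "O4 - HKLM\..\Run: [Name] command" or "R1 - HKCU\...".
_HJT_LINE = re.compile(r"^(?P<tag>[RO]\d{1,2}) - (?P<body>.*)$")
# Captures the first argument after rundll32[.exe], quoted or not, up to the
# comma that separates the module from its exported entry point.
_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+)"?', re.IGNORECASE)


@dataclass
class Finding:
    tag: str
    reason: str
    line: str


def _rundll_target(body: str) -> Optional[str]:
    m = _RUNDLL.search(body)
    return m.group("path").strip() if m else None


def _in_windows_root(path: str) -> bool:
    # True for C:\WINDOWS\foo.dll, False for C:\WINDOWS\system32\foo.dll.
    p = path.lower()
    root = "c:\\windows\\"
    return p.startswith(root) and "\\" not in p[len(root):]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = _HJT_LINE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    if tag == "O1" and body.startswith("Hosts:") and "localhost" not in body:
        return Finding(tag, "hosts-file override redirects a domain", line)
    if tag == "O4":
        target = _rundll_target(body)
        if target:
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            if ext != "dll":
                return Finding(tag, f"rundll32 loads a non-DLL file (.{ext})", line)
            if _in_windows_root(target):
                return Finding(tag, "rundll32 loads a DLL dropped in the Windows root", line)
    if tag == "O20" and body.startswith("Winlogon Notify:"):
        path = body.split(" - ", 1)[-1].strip()
        if not path or path.endswith("\\"):
            return Finding(tag, "Winlogon Notify entry names a directory, not a DLL", line)
    if tag in ("O18", "O23") and "(file missing)" in body:
        return Finding(tag, "registered component whose file is missing", line)
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Sample lines copied from the logs in this thread (a benign QuickTime and
# MBAM entry are included to show they are not flagged).
SAMPLE_LOG = r"""
O1 - Hosts: 66.249.138.103 store.allurecollectiongiftcard.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Wdipiqivuxeg] rundll32.exe "C:\WINDOWS\Fxiyef.dat",e
O4 - HKLM\..\Run: [Xpipaq] rundll32.exe "C:\WINDOWS\iluxocige.dll",e
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: ddccd - C:\WINDOWS\
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.tag}: {f.reason}\n    {f.line}")
```

The flags are a starting point for a human review, not a verdict; the MBAM log in this thread confirms the `iluxocige.dll` entry, but a hit on these heuristics alone does not prove an entry is malicious.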
#2
Posted 11 March 2009 - 07:11 AM
Hi,
First of all, please update MalwareBytes, because the database version is outdated.
- Start MalwareBytes and click the Update tab. There click "Check for updates".
- Once the updates are downloaded, perform a full scan again.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
#3
Posted 11 March 2009 - 08:32 PM
Thanks for your post,
- Updated MBAM
- Did a full scan
- Removed all items (some needed a reboot, so I immediately restarted the computer)
Here are the latest HJT and MBAM logs:
Malwarebytes' Anti-Malware 1.34
Database version: 1836
Windows 5.1.2600 Service Pack 3
3/11/2009 1:25:56 PM
mbam-log-2009-03-11 (13-25-56).txt
Scan type: Full Scan (C:\|)
Objects scanned: 255103
Time elapsed: 2 hour(s), 37 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpipaq (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183099.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183100.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183101.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183102.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP392\A0183110.dll (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP394\A0183707.dll (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\WINDOWS\enuxatabivepas.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:15 PM, on 3/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\EZBackitup\EZBkuptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Perfect Keyboard\PK32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\RemoteView\RemoteView.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.ebay....outme/diageminc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.249.138.103 store.allurecollectiongiftcard.com
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Wdipiqivuxeg] rundll32.exe "C:\WINDOWS\Fxiyef.dat",e
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe
O4 - Startup: Shortcut to PK32.lnk = C:\Program Files\Perfect Keyboard\PK32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.co...er/3.2/ebie.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - http://cs8b.instants...erxsigned42.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://promero.webe...bex/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - http://192.168.0.200/cab/RPB.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: ddccd - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 7377 bytes
miekiemoes, on Mar 11 2009, 07:11 AM, said:
Hi,
First of all, please update MalwareBytes, because the database version is outdated.
- Start MalwareBytes and click the Update tab. There click "Check for updates".
- Once the updates are downloaded, perform a full scan again.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
#4
Posted 11 March 2009 - 08:35 PM
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#5
Posted 12 March 2009 - 04:27 PM
Thanks for your help. Here is the ComboFix log report:
ComboFix 09-03-10.03 - Amit 2009-03-12 9:16:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.676 [GMT -8:00]
Running from: c:\documents and settings\Amit\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\patch.exe
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\init32.exe
c:\windows\system32\kwave.sys
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\winhelp.ini
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.
2012-12-12 04:12 . 2012-12-12 04:12 1,221,464 --------- c:\windows\SYSTEM32\IMMC.EXE
2012-12-12 04:12 . 2012-12-12 04:12 65,536 --------- c:\windows\SYSTEM32\MSRTEDIT.DLL
2009-03-11 16:26 . 2009-03-11 16:26 1,374 --a------ c:\windows\imsins.BAK
2009-03-11 15:14 . 2009-03-11 15:14 133,120 --a------ c:\windows\ohudupayaza.dll
2009-02-26 11:26 . 2009-02-26 11:26 <DIR> d-------- c:\program files\BannerDesignerPro
2009-02-26 10:13 . 2009-02-26 10:13 <DIR> d-------- c:\program files\EZBackitup
2009-02-25 14:17 . 2009-02-25 14:17 <DIR> d-------- c:\program files\CCleaner
2009-02-25 13:52 . 2009-02-25 13:52 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Malwarebytes
2009-02-25 13:45 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Symantec
2009-02-25 13:45 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Sonic
2009-02-25 13:45 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Jasc Software Inc
2009-02-25 13:45 . 2009-02-25 13:45 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP
2009-02-25 13:43 . 2009-02-25 13:43 <DIR> d-------- c:\documents and settings\Amit\Application Data\Malwarebytes
2009-02-25 13:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-25 13:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-25 13:16 . 2009-02-25 13:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 13:16 . 2009-02-25 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 11:54 . 2009-02-25 12:02 7 --a------ c:\windows\SYSTEM32\nar.bin
2009-02-25 11:52 . 2009-02-25 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-25 11:51 . 2009-03-10 09:42 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 11:12 . 2009-02-25 11:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-25 11:07 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-25 11:07 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-02-25 11:07 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-02-25 11:07 . 2009-02-25 11:07 <DIR> d-------- c:\documents and settings\Administrator
2009-02-25 10:55 . 2009-02-25 10:55 8,768 --a------ c:\windows\SYSTEM32\DRIVERS\wATV03nt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 22:45 --------- d-----w c:\program files\AOL Toolbar
2009-03-09 16:18 --------- d-----w c:\documents and settings\Amit\Application Data\Corel
2009-03-06 23:18 --------- d-----w c:\program files\America Online 8.0
2009-02-10 17:33 --------- d-----w c:\documents and settings\Amit\Application Data\AdobeUM
2009-01-30 22:35 --------- d-----w c:\program files\America Online 7.0
2009-01-29 22:43 --------- d-----w c:\documents and settings\Amit\Application Data\Galaxy Ship
2009-01-28 18:02 60,744 ----a-w c:\documents and settings\Amit\g2mdlhlpx.exe
2009-01-19 22:15 --------- d-----w c:\program files\EFTP
2009-01-19 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2006-04-21 16:50 630,784 ----a-w c:\documents and settings\Amit\chatlnk.exe
2008-08-04 23:24 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"EZBack-it-up Tray Scheduler"="c:\program files\EZBackitup\EZBkuptray.exe" [2004-06-03 631808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Wdipiqivuxeg"="c:\windows\Fxiyef.dat" [2008-12-04 39936]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]
"Xpipaq"="c:\windows\ohudupayaza.dll" [2009-03-11 133120]
c:\documents and settings\Amit\Start Menu\Programs\Startup\
Shortcut to PK32.lnk - c:\program files\Perfect Keyboard\PK32.EXE [2004-06-05 647168]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.GEOX"= c:\windows\GeoCodec.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.mp42"= c:\windows\Mpg4c32.dll
"vidc.mp43"= c:\windows\Mpg4c32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wATV03nt.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--------- 2003-08-05 22:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--------- 2003-08-13 07:27 28672 c:\windows\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-03-10 14:22 48280 c:\program files\Common Files\AOL\1129563433\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-03-20 16:34 213936 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-03-20 16:34 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-06 07:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2002-11-07 23:22 4243456 c:\windows\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 16:47 204800 c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--------- 2002-11-07 23:22 770117 c:\windows\SYSTEM32\nview.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2002-11-07 23:22 315392 c:\windows\SYSTEM32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdobeActiveFileMonitor5.0"=2 (0x2)
"NTService1"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 8.0\\waol.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WinAw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\RemoteView\\BcastTcp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 MSSQL$SHIPWORKS;MSSQL$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS [?]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [2009-02-25 15504]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-02-25 179856]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 Irisifrtr;Irisifrtr; [x]
S3 SQLAgent$SHIPWORKS;SQLAgent$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{055ca751-c600-11d8-aba1-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - N:\system.exe
\Shell\Open\command - N:\system.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc1ca6a0-6f4d-11db-aec5-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - L:\system.exe
\Shell\Open\command - L:\system.exe
.
Contents of the 'Scheduled Tasks' folder
2004-06-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -
Notify-ddccd - (no file)
SafeBoot-eeekp.sys
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-MaxtorOneTouch - c:\program files\Maxtor\OneTouch\utils\Onetouch.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://members.ebay.com/aboutme/diageminc
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - hxxp://192.168.0.200/cab/RPB.cab
FF - ProfilePath - c:\documents and settings\Amit\Application Data\Mozilla\Firefox\Profiles\default.5b1\
FF - prefs.js: browser.startup.homepage - hxxp://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=diageminc
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 09:20:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-12 9:26:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 17:26:17
Pre-Run: 36,248,784,896 bytes free
Post-Run: 36,636,332,032 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
243 --- E O F --- 2009-03-12 00:26:15
miekiemoes, on Mar 11 2009, 08:35 PM, said:
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#6
Posted 12 March 2009 - 04:37 PM
Hi,
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
Collect::[8]
c:\windows\ohudupayaza.dll
c:\windows\Fxiyef.dat
Driver::
Irisifrtr
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wdipiqivuxeg"=-
"Xpipaq"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{055ca751-c600-11d8-aba1-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc1ca6a0-6f4d-11db-aec5-00038a000015}]
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
#7
Posted 12 March 2009 - 05:06 PM
Here is the ComboFix text; there is no zip file in the Quarantine folder.
ComboFix 09-03-10.03 - Amit 2009-03-12 9:48:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.691 [GMT -8:00]
Running from: c:\documents and settings\Amit\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amit\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Irisifrtr
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.
2012-12-12 04:12 . 2012-12-12 04:12 1,221,464 --------- c:\windows\SYSTEM32\IMMC.EXE
2012-12-12 04:12 . 2012-12-12 04:12 65,536 --------- c:\windows\SYSTEM32\MSRTEDIT.DLL
2009-03-11 16:26 . 2009-03-11 16:26 1,374 --a------ c:\windows\imsins.BAK
2009-02-26 11:26 . 2009-02-26 11:26 <DIR> d-------- c:\program files\BannerDesignerPro
2009-02-26 10:13 . 2009-02-26 10:13 <DIR> d-------- c:\program files\EZBackitup
2009-02-25 14:17 . 2009-02-25 14:17 <DIR> d-------- c:\program files\CCleaner
2009-02-25 13:52 . 2009-02-25 13:52 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Malwarebytes
2009-02-25 13:45 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Symantec
2009-02-25 13:45 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Sonic
2009-02-25 13:45 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Jasc Software Inc
2009-02-25 13:45 . 2009-02-25 13:45 <DIR> d-------- c:\documents and settings\Administrator.AMITNEWCOMP
2009-02-25 13:43 . 2009-02-25 13:43 <DIR> d-------- c:\documents and settings\Amit\Application Data\Malwarebytes
2009-02-25 13:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-25 13:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-25 13:16 . 2009-02-25 13:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 13:16 . 2009-02-25 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 11:54 . 2009-02-25 12:02 7 --a------ c:\windows\SYSTEM32\nar.bin
2009-02-25 11:52 . 2009-02-25 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-25 11:51 . 2009-03-10 09:42 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 11:12 . 2009-02-25 11:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-25 11:07 . 2004-05-10 14:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-25 11:07 . 2004-05-10 14:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-02-25 11:07 . 2004-05-10 14:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-02-25 11:07 . 2009-02-25 11:07 <DIR> d-------- c:\documents and settings\Administrator
2009-02-25 10:55 . 2009-02-25 10:55 8,768 --a------ c:\windows\SYSTEM32\DRIVERS\wATV03nt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 22:45 --------- d-----w c:\program files\AOL Toolbar
2009-03-09 16:18 --------- d-----w c:\documents and settings\Amit\Application Data\Corel
2009-03-06 23:18 --------- d-----w c:\program files\America Online 8.0
2009-02-10 17:33 --------- d-----w c:\documents and settings\Amit\Application Data\AdobeUM
2009-01-30 22:35 --------- d-----w c:\program files\America Online 7.0
2009-01-29 22:43 --------- d-----w c:\documents and settings\Amit\Application Data\Galaxy Ship
2009-01-28 18:02 60,744 ----a-w c:\documents and settings\Amit\g2mdlhlpx.exe
2009-01-19 22:15 --------- d-----w c:\program files\EFTP
2009-01-19 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2006-04-21 16:50 630,784 ----a-w c:\documents and settings\Amit\chatlnk.exe
2008-08-04 23:24 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-03-12_ 9.25.30.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-12 17:55:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_150.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"EZBack-it-up Tray Scheduler"="c:\program files\EZBackitup\EZBkuptray.exe" [2004-06-03 631808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]
c:\documents and settings\Amit\Start Menu\Programs\Startup\
Shortcut to PK32.lnk - c:\program files\Perfect Keyboard\PK32.EXE [2004-06-05 647168]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.GEOX"= c:\windows\GeoCodec.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.mp42"= c:\windows\Mpg4c32.dll
"vidc.mp43"= c:\windows\Mpg4c32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wATV03nt.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--------- 2003-08-05 22:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--------- 2003-08-13 07:27 28672 c:\windows\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-03-10 14:22 48280 c:\program files\Common Files\AOL\1129563433\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-03-20 16:34 213936 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-03-20 16:34 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-06 07:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2002-11-07 23:22 4243456 c:\windows\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 16:47 204800 c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--------- 2002-11-07 23:22 770117 c:\windows\SYSTEM32\nview.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2002-11-07 23:22 315392 c:\windows\SYSTEM32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdobeActiveFileMonitor5.0"=2 (0x2)
"NTService1"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 8.0\\waol.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WinAw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\RemoteView\\BcastTcp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 MSSQL$SHIPWORKS;MSSQL$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe -sSHIPWORKS [?]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [2009-02-25 15504]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-02-25 179856]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 SQLAgent$SHIPWORKS;SQLAgent$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS --> c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE -i SHIPWORKS [?]
.
Contents of the 'Scheduled Tasks' folder
2004-06-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://members.ebay.com/aboutme/diageminc
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - hxxp://192.168.0.200/cab/RPB.cab
FF - ProfilePath - c:\documents and settings\Amit\Application Data\Mozilla\Firefox\Profiles\default.5b1\
FF - prefs.js: browser.startup.homepage - hxxp://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=diageminc
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 09:55:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-12 10:00:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 18:00:38
ComboFix2.txt 2009-03-12 17:26:21
Pre-Run: 36,618,674,176 bytes free
Post-Run: 36,513,931,264 bytes free
212 --- E O F --- 2009-03-12 00:26:15
miekiemoes, on Mar 12 2009, 04:37 PM, said:
Hi,
* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:
Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
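The redirect symptom in this thread is usually decided by a handful of lines in the ComboFix "Supplementary Scan" block: the IE start/search URLs (the `u...` entries), the proxy settings, any DPF (ActiveX download) entries, and the Firefox `prefs.js` homepage. The following is an added triage script, not part of this thread and not ComboFix's own code: it parses those line formats, restores the `hxxp` defanging, and flags start/search URLs outside an allowlist of expected hosts, any proxy setting beyond the default override, and DPF downloads served over plain HTTP or from a private address. The allowlist is an assumption for this machine; `SAMPLE_FROM_LOG` is copied from the log above and `HIJACKED_SAMPLE` is constructed input illustrating what a hijacked profile would produce.

```python
"""Triage the 'Supplementary Scan' block of a ComboFix log for browser-hijack indicators.

Added example for this thread; not ComboFix code. EXPECTED_HOSTS is an assumption
about which start/search pages are legitimate on this particular machine.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: hosts the owner intentionally uses as start/search pages.
EXPECTED_HOSTS = {"www.google.com", "go.microsoft.com", "members.ebay.com"}

# "uStart Page = hxxp://...", "uInternet Settings,ProxyOverride = *.local", ...
SETTING_RE = re.compile(r"^u(?P<key>[A-Za-z_ ,()]+?)\s*=\s*(?P<value>.+)$")
# "DPF: {CLSID} - hxxp://host/file.cab"  (an optional "(Name)" after the CLSID is tolerated)
DPF_RE = re.compile(r"^DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*(?:\([^)]*\)\s*)?-\s*(?P<url>\S+)$")
# "FF - prefs.js: browser.startup.homepage - hxxp://..."
FFPREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<pref>\S+)\s*-\s*(?P<value>.+)$")

# Lines copied from the ComboFix log posted above.
SAMPLE_FROM_LOG = [
    "uStart Page = hxxp://members.ebay.com/aboutme/diageminc",
    "uDefault_Search_URL = hxxp://www.google.com/ie",
    "uInternet Connection Wizard,ShellNext = iexplore",
    "uInternet Settings,ProxyOverride = *.local",
    "uSearchURL,(Default) = hxxp://www.google.com/search?q=%s",
    "DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - hxxp://192.168.0.200/cab/RPB.cab",
    "FF - prefs.js: browser.startup.homepage - hxxp://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=diageminc",
]

# Constructed input (not from the thread): what a search/proxy hijack typically looks like.
HIJACKED_SAMPLE = [
    "uStart Page = hxxp://search.example.net/",
    "uInternet Settings,ProxyServer = http=127.0.0.1:8080",
    "uInternet Settings,ProxyOverride = <local>",
    "DPF: {00000000-0000-0000-0000-000000000000} - hxxp://dl.example.org/cab/x.cab",
]


def refang(url):
    """ComboFix writes URLs as hxxp/hxxps so they are not clickable; restore the scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip())


def host_of(url):
    return (urlparse(refang(url)).hostname or "").lower()


def is_private(host):
    """True for RFC 1918 / loopback addresses; hostnames are not addresses and return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def triage(lines):
    """Return (finding, where, detail) tuples for every suspicious entry, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SETTING_RE.match(line)
        if m:
            key, value = m["key"].strip(), m["value"].strip()
            if value.startswith("hxxp"):
                host = host_of(value)
                if host not in EXPECTED_HOSTS:
                    findings.append(("unexpected-url", key, host))
            elif "Proxy" in key and value not in ("*.local", "<local>"):
                # A ProxyServer entry, or a non-default override, can route every
                # search through an attacker-controlled host without touching DNS.
                findings.append(("proxy-setting", key, value))
            continue
        m = DPF_RE.match(line)
        if m:
            url = refang(m["url"])
            host = host_of(url)
            if is_private(host):
                # Often a LAN appliance's ActiveX control; confirm the host is known.
                findings.append(("dpf-private-host", m["clsid"], host))
            elif not url.startswith("https://"):
                findings.append(("dpf-plain-http", m["clsid"], host))
            continue
        m = FFPREF_RE.match(line)
        if m and m["value"].startswith("hxxp"):
            host = host_of(m["value"])
            if host not in EXPECTED_HOSTS:
                findings.append(("unexpected-url", m["pref"], host))
    return findings


if __name__ == "__main__":
    for label, sample in (("log", SAMPLE_FROM_LOG), ("constructed", HIJACKED_SAMPLE)):
        for finding in triage(sample):
            print(label, *finding)
```

On the log above the only hit is the DPF entry fetched from 192.168.0.200, which matches the RemoteView software visible in the process list and is the kind of entry an analyst confirms with the owner rather than removes; the start pages, search URLs and proxy override all match the expected values, consistent with the redirect having been caused by the files ComboFix and the updated MBAM handled rather than by a browser setting.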
#8
Posted 12 March 2009 - 05:15 PM
As far as I can see here, the files I asked you to collect (zip) were already gone. They showed up in the previous log though.
Strange, since I don't see that Combofix removed them either.
Unless you updated MBAM in between and performed a scan, because it should detect them now.
Anyway, how are things running now?
#9
Posted 12 March 2009 - 05:23 PM
Thanks for your help,
1. I found out that MBAM was updated and a scan was done between the first ComboFix run and the second one, sorry about that. Do you want me to do the entire process again?
2. Google searches so far have not been redirected, hopefully the issue was taken care of. Do you think I should run MBAM again to see if it finds anything new?
I just want to say that you guys are doing a great job. I cannot believe that such volunteer work is possible; the quality and the level of service you are providing puts any paid services or high-cost programs to shame. I wholeheartedly appreciate your help. Is there a donation I can make?
miekiemoes, on Mar 12 2009, 05:15 PM, said:
As far as I can see here, the files I asked you to collect (zip) were already gone. They showed up in the previous log though.
Strange, since I don't see that Combofix removed them either.
Unless you updated MBAM in between and performed a scan, because it should detect them now.
Anyway, how are things running now?
#10
Posted 12 March 2009 - 05:26 PM
Hi,
Yes, that's what I thought, and it makes sense since MBAM detects this new variant now as well.
Quote
1. I found out that MBAM was updated and a scan was done between the first combofix run and the second one, sorry about that, do you want me to do the entire process again?
No, no need to do the process again, it should be OK now.
* Go to Start > Run and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Glad I could help.
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#11
Posted 12 March 2009 - 05:36 PM
Thank you for the wonderful tips and a well-written blog. I have bookmarked it and will read it from time to time.
I am a big fan of marzipan from Belgium.
I would like to send you a small PayPal donation as a token of appreciation; if you are willing to accept, then please provide a PayPal email ID.
thanks
amit
Los Angeles
miekiemoes, on Mar 12 2009, 05:26 PM, said:
Hi,
Yes, that's what I thought and it makes sense since MBAM detects this new variant now as well.
No, no need to do the process again, it should be OK now
* Go to start > run and copy and paste next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
Glad I could help.
Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#12
Posted 12 March 2009 - 05:52 PM
Hi,
Thank you for the kind words.
No need to donate though. If you're pleased with our support, then maybe consider purchasing Malwarebytes (if you didn't already).
And you're most welcome.
#13
Posted 13 March 2009 - 03:17 AM
Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.