I had a massive infection and am trying to get all cleaned up. Here are the logs.
Malwarebytes' Anti-Malware 1.41
Database version: 3111
Windows 5.1.2600 Service Pack 3
11/9/2009 11:21:36 AM
mbam-log-2009-11-09 (11-21-36).txt
Scan type: Full Scan (C:\|)
Objects scanned: 259303
Time elapsed: 1 hour(s), 27 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
AND
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:10 AM, on 11/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 ossecure2009.microsoft.com
O1 - Hosts: 91.212.127.226 os-secure2009.com
O1 - Hosts: 91.212.127.226 www.os-secure2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\abcde\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User 'LOCAL SERVICE')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: wurakisin - {77c979a2-2533-4ade-a99f-e53d415d98e5} - (no file)
O21 - SSODL: fimofaguv - {349fa8dd-2f4e-4e75-acfd-96394767e167} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {77c979a2-2533-4ade-a99f-e53d415d98e5} - (no file)
O22 - SharedTaskScheduler: gahurihor - {349fa8dd-2f4e-4e75-acfd-96394767e167} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/MEGANN~1/LOCALS~1/Temp/msohtml1/10/clip_image002.gif
--
End of file - 9696 bytes
Yahoo searches redirecting after infection. Please help!
Started by FFSchooley, Nov 13 2009 04:51 PM
#1
Posted 13 November 2009 - 04:51 PM
#2
Posted 14 November 2009 - 11:33 AM
Hi,
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 ossecure2009.microsoft.com
O1 - Hosts: 91.212.127.226 os-secure2009.com
O1 - Hosts: 91.212.127.226 www.os-secure2009.com
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O21 - SSODL: wurakisin - {77c979a2-2533-4ade-a99f-e53d415d98e5} - (no file)
O21 - SSODL: fimofaguv - {349fa8dd-2f4e-4e75-acfd-96394767e167} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {77c979a2-2533-4ade-a99f-e53d415d98e5} - (no file)
O22 - SharedTaskScheduler: gahurihor - {349fa8dd-2f4e-4e75-acfd-96394767e167} - (no file)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/MEGANN~1/LOCALS~1/Temp/msohtml1/10/clip_image002.gif
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Then, please update Malwarebytes, because the database version is outdated.
- Start Malwarebytes and click the Update tab. There click "Check for updates".
- Once the updates are downloaded, perform a quick scan again.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
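An added example (mine, not the helper's instructions and not a HijackThis feature) showing how to triage a log like the one above programmatically and then confirm the fix took. It flags O1 hosts entries that point a name anywhere other than loopback (the three 91.212.127.226 lines, one of which pins a microsoft.com hostname to an outside address), flags auto-load entries whose payload is already gone ("(no file)" under R3/O2/O3/O21/O22), groups hijacked hosts lines by target IP so one campaign shows up as one cluster, and reports CLSIDs registered under more than one load point, as {77c979a2-...} is under both SSODL and SharedTaskScheduler here. It treats ::1 localhost as the benign IPv6 loopback mapping it is, so that line is not flagged even though it was ticked above. The sample input is a constructed subset of the two logs posted in this thread; the classification rules are this script's own heuristics.

```python
"""Triage a HijackThis log for the two patterns the fix list above targets:
hosts-file hijacks (O1 lines pointing a hostname at a non-loopback address)
and orphaned auto-load entries ("(no file)" under R3/O2/O3/O21/O22), then
diff two logs to confirm the entries really went away after "Fix checked".

Added example for this thread, not a HijackThis feature. The sample log text
is a constructed subset of the 11/9 and 11/15 logs posted above; the
classification rules are this script's own heuristics.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")   # "O1 - Hosts: ..." style lines
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}           # benign hosts-file targets
# Load points where "(no file)" means the registry key outlived its payload.
LOAD_POINTS = {"R3", "O2", "O3", "O21", "O22"}

# Constructed subset of the 11/9 log posted above (before the fix).
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 ossecure2009.microsoft.com
O1 - Hosts: 91.212.127.226 os-secure2009.com
O1 - Hosts: 91.212.127.226 www.os-secure2009.com
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O21 - SSODL: wurakisin - {77c979a2-2533-4ade-a99f-e53d415d98e5} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {77c979a2-2533-4ade-a99f-e53d415d98e5} - (no file)
"""

# Constructed subset of the 11/15 log posted above (after the fix).
AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
"""


def parse_hjt(text):
    """Return [(section, body)] for every HJT entry line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Classify entries. Returns [(verdict, section, body)] for the suspicious ones only."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            # A hosts line is only benign if it maps the name to loopback/null.
            if m and m.group(1) not in LOOPBACK:
                findings.append(("hosts-hijack", section, body))
        elif section in LOAD_POINTS and body.endswith("(no file)"):
            findings.append(("orphan", section, body))
    return findings


def hosts_clusters(text):
    """Group hijacked hosts entries by target IP: several names on one IP is one campaign."""
    clusters = defaultdict(list)
    for verdict, _, body in triage(text):
        if verdict == "hosts-hijack":
            addr, name = HOSTS_RE.match(body).groups()
            clusters[addr].append(name)
    return dict(clusters)


def shared_clsids(text):
    """CLSIDs registered under more than one load point (e.g. both SSODL and SharedTaskScheduler)."""
    seen = defaultdict(set)
    for section, body in parse_hjt(text):
        for clsid in CLSID_RE.findall(body):
            seen[clsid.lower()].add(section)
    return {c: s for c, s in seen.items() if len(s) > 1}


def diff_logs(before, after):
    """(removed, added) entry lists between two logs, to confirm 'Fix checked' actually took."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def report(before, after):
    """Human-readable summary lines; returned rather than printed so they can be checked."""
    lines = [f"[{v}] {s} - {b}" for v, s, b in triage(before)]
    for addr, names in hosts_clusters(before).items():
        lines.append(f"hosts cluster {addr}: {', '.join(names)}")
    for clsid, sections in shared_clsids(before).items():
        lines.append(f"CLSID {{{clsid}}} loaded via {sorted(sections)}")
    removed, added = diff_logs(before, after)
    lines.append(f"{len(removed)} entries removed, {len(added)} added since the fix")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

Run it as-is to print the report, or pass the contents of two saved hijackthis.log files to report(). A clean result only says these particular load points are clean: HijackThis does not show DNS client settings, browser proxy settings, Firefox add-ons or kernel-mode hooks, which is why a log that "looks OK" can coexist with a search redirect that is still happening.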
#3
Posted 15 November 2009 - 09:06 PM
Thanks for the reply. I followed all your instructions and here are the resulting logs.
Malwarebytes' Anti-Malware 1.41
Database version: 3175
Windows 5.1.2600 Service Pack 3
11/15/2009 11:22:42 AM
mbam-log-2009-11-15 (11-22-42).txt
Scan type: Full Scan (C:\|)
Objects scanned: 266530
Time elapsed: 1 hour(s), 20 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
AND
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:17 PM, on 11/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\abcde\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User 'LOCAL SERVICE')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 8639 bytes
#4
Posted 16 November 2009 - 06:35 AM
Hi,
This looks OK again.
How are things now?
#5
Posted 19 November 2009 - 04:07 PM
Searches are still redirecting. It seems to be getting worse. Almost all search results when clicked will go to a completely different site, usually ads.
#6
Posted 19 November 2009 - 04:21 PM
Ok,
Do the following....
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
In your case, please UNINSTALL Comodo Internet Security before you run Combofix. This is because I have seen huge problems with Combofix when Comodo is up and running.
Reboot after uninstalling Comodo and then run Combofix.
Once we are done here, you can reinstall Comodo again.
#7
Posted 19 November 2009 - 08:22 PM
Thanks again for the reply. I followed your instructions and here is the log from Combofix
ComboFix 09-11-19.01 - Megan Nelson 11/19/2009 11:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.107 [GMT -8:00]
Running from: c:\documents and settings\Megan Nelson\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
c:\recycler\S-1-5-21-3403113249-1826735100-932201801-500
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-15 17:43 . 2009-11-15 17:43 -------- d-----w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\Intuit
2009-11-14 05:36 . 2009-11-14 05:36 -------- d-----w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\IsolatedStorage
2009-11-14 05:35 . 2009-11-14 05:35 -------- d-----w- c:\program files\TurboTax
2009-11-14 05:23 . 2009-11-19 19:18 1462920 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY.010\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-14 05:21 . 2009-11-14 05:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-14 05:21 . 2009-11-14 05:21 -------- d-----w- c:\program files\MSBuild
2009-11-14 05:21 . 2009-11-14 05:21 -------- d-----w- c:\program files\Reference Assemblies
2009-11-14 05:19 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-14 05:19 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-14 05:19 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-14 05:19 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-14 05:19 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-14 05:19 . 2009-11-14 05:20 -------- d-----w- C:\85b0f1ad304ac11c0f4812f0af01
2009-11-14 05:19 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-14 05:19 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-09 19:21 . 2009-11-09 19:21 -------- d-----w- c:\program files\Trend Micro
2009-11-06 18:18 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 18:18 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 18:18 . 2009-11-06 18:18 -------- d-----w- c:\program files\abcde
2009-11-02 00:43 . 2009-11-19 19:19 -------- d-----w- c:\program files\COMODO
2009-11-01 16:40 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-01 16:40 . 2009-07-29 00:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-01 16:40 . 2009-02-13 20:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-01 16:40 . 2009-02-13 20:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-01 16:39 . 2009-11-01 16:39 -------- d-----w- c:\program files\Avira
2009-11-01 16:39 . 2009-11-01 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-01 06:19 . 2009-11-01 06:19 -------- d-----w- c:\program files\WinASO
2009-11-01 01:42 . 2009-11-01 16:27 0 ----a-w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\prvlcl.dat
2009-10-31 23:28 . 2009-10-31 23:29 -------- d-----w- c:\program files\help
2009-10-30 04:12 . 2009-10-30 04:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-29 06:49 . 2009-10-29 06:49 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY.010\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 17:42 . 2005-08-21 23:35 241816 -c--a-w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-14 05:50 . 2007-11-05 20:30 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\Intuit
2009-11-14 05:39 . 2007-11-05 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-11-14 05:36 . 2007-11-05 20:29 -------- d-----w- c:\program files\Common Files\Intuit
2009-11-06 19:31 . 2009-01-02 19:48 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\Skype
2009-11-06 16:05 . 2009-01-02 19:51 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\skypePM
2009-11-03 19:33 . 2009-11-03 19:33 6 ----a-w- c:\windows\Fonts\wfonts.key
2009-11-02 06:21 . 2005-04-29 09:19 -------- d-----w- c:\program files\Google
2009-11-01 15:47 . 2007-02-26 23:20 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\ComcastToolbar
2009-10-07 20:24 . 2009-10-07 20:21 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2009-09-26 21:10 . 2005-08-06 19:38 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\Apple Computer
2009-09-20 21:03 . 2009-09-20 21:01 -------- d-----w- c:\program files\iTunes
2009-09-20 21:03 . 2009-09-20 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 21:01 . 2005-04-29 09:20 -------- d-----w- c:\program files\iPod
2009-09-20 21:01 . 2007-11-12 04:46 -------- d-----w- c:\program files\Common Files\Apple
2009-09-20 20:56 . 2009-09-20 20:55 -------- d-----w- c:\program files\QuickTime
2009-09-20 20:41 . 2009-09-20 20:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-07-31 07:23 . 2009-07-31 07:23 3 --sha-w- c:\windows\system32\gayiloba.dll
2009-07-31 07:54 . 2009-07-31 07:54 3 --sha-w- c:\windows\system32\gegotade.dll
2009-07-31 08:25 . 2009-07-31 08:25 3 --sha-w- c:\windows\system32\gitadumi.dll
2009-07-31 08:25 . 2009-07-31 08:25 3 --sha-w- c:\windows\system32\zivomubo.dll
2009-07-31 08:55 . 2009-07-31 08:55 3 --sha-w- c:\windows\system32\zojarepi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\abcde\mbam.exe" [2009-09-10 1312080]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"EPSON Stylus CX4800 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
"Cpqset"=c:\program files\HPQ\Default Settings\cpqset.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe"
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"tgcmd"=c:\program files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/1/2009 8:40 AM 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [9/29/2009 9:17 AM 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 7:18 AM 200192]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\MEGANN~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\MEGANN~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-04-26 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-11 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Megan Nelson\Application Data\Mozilla\Firefox\Profiles\nexr8qkk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 12:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,4a,35,df,3a,f2,d8,43,82,9e,3f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,4a,35,df,3a,f2,d8,43,82,9e,3f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe
c:\windows\system32\wscntfy.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-11-19 12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 20:18
Pre-Run: 39,253,344,256 bytes free
Post-Run: 39,329,529,856 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 80D4D3374ADC35876CFDB80E71FB3BAA
#8
Posted 19 November 2009 - 08:37 PM
Hi,
It looks like your atapi.sys was infected as well, which explains the search redirects. But Combofix could replace the infected atapi.sys with a clean copy...
There are still some leftovers we have to delete here, so...
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
File::
c:\windows\system32\gayiloba.dll
c:\windows\system32\gegotade.dll
c:\windows\system32\gitadumi.dll
c:\windows\system32\zivomubo.dll
c:\windows\system32\zojarepi.dll
Dirlook::
c:\program files\abcde
Save this as a txt file named CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
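The leftovers the helper scripted above are recognisable from the log itself: five "DLLs" in system32 that are 3 bytes long, carry the system and hidden attributes, and have random eight-letter names. As an added example (not code from this thread and not part of ComboFix), the Python below parses ComboFix-style file listing lines, flags entries matching that pattern, and emits the File::/Dirlook:: text of a CFScript from the result, so the manual step of copying paths into notepad is reproducible. It also includes a hash comparison one can run afterwards to confirm the restored atapi.sys really matches the ServicePackFiles\i386 copy ComboFix reported using. Assumptions: the listing layout is `<mtime> . <ctime> <size|--------> <attrs> <path>` as seen in the posted log, the letters `d`, `s` and `h` in the attribute string mean directory, system and hidden, and no loadable PE image is smaller than its 64-byte DOS header. The sample listing is constructed: the five flagged lines are copied from the Find3M report above, the others are benign lines from the same log chosen to show what is not flagged.

```python
"""Flag tiny hidden DLLs in a ComboFix listing and build a CFScript from them.

Added example for the thread above; not ComboFix's own code.
Assumes the line layout, attribute letters and 64-byte PE floor described
in the lead-in.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample: lines taken from the posted Find3M report (raw string,
# so the single backslashes are literal, as in the log).
SAMPLE_LISTING = r"""
2009-11-01 16:40 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-14 05:21 . 2009-11-14 05:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-31 07:23 . 2009-07-31 07:23 3 --sha-w- c:\windows\system32\gayiloba.dll
2009-07-31 07:54 . 2009-07-31 07:54 3 --sha-w- c:\windows\system32\gegotade.dll
2009-07-31 08:25 . 2009-07-31 08:25 3 --sha-w- c:\windows\system32\gitadumi.dll
2009-07-31 08:25 . 2009-07-31 08:25 3 --sha-w- c:\windows\system32\zivomubo.dll
2009-07-31 08:55 . 2009-07-31 08:55 3 --sha-w- c:\windows\system32\zojarepi.dll
"""

# <mtime> . <ctime> <size or dashes for a directory> <8 attribute chars> <path>
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# IMAGE_DOS_HEADER alone is 64 bytes; a 3-byte file cannot be a real DLL.
MIN_PE_SIZE = 64
# Vundo-style names seen in the log: eight lowercase letters plus .dll
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


@dataclass
class Entry:
    mtime: str
    ctime: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs  # assumption: 'd' marks a directory


def parse_listing(text: str) -> List[Entry]:
    """Parse every line that matches the listing layout; skip headers/dots."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["mtime"], m["ctime"], size, m["attrs"], m["path"]))
    return entries


def is_suspicious(e: Entry) -> bool:
    """A .dll in system32 that is too small to be a PE, or that is both
    system+hidden and randomly named, is flagged as a leftover."""
    if e.is_dir or e.size is None or not e.name.endswith(".dll"):
        return False
    if "\\windows\\system32\\" not in e.path.lower():
        return False
    too_small = e.size < MIN_PE_SIZE
    hidden_system = "h" in e.attrs and "s" in e.attrs  # assumption: h/s letters
    random_name = RANDOM_NAME_RE.match(e.name) is not None
    return too_small or (hidden_system and random_name)


def build_cfscript(files: Sequence[str], dirlook: Sequence[str] = ()) -> str:
    """Emit the File:: (and optional Dirlook::) sections in CFScript syntax."""
    lines = ["File::", *files]
    if dirlook:
        lines += ["Dirlook::", *dirlook]
    return "\n".join(lines) + "\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def files_match(path_a: str, path_b: str) -> bool:
    """Compare two files by SHA-256, e.g. the restored
    c:\\windows\\system32\\drivers\\atapi.sys against
    c:\\windows\\ServicePackFiles\\i386\\atapi.sys."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return sha256_bytes(fa.read()) == sha256_bytes(fb.read())


if __name__ == "__main__":
    flagged = [e.path for e in parse_listing(SAMPLE_LISTING) if is_suspicious(e)]
    print(build_cfscript(flagged, dirlook=[r"c:\program files\abcde"]))
```

Run on the sample it prints exactly the File::/Dirlook:: block the helper asked the user to paste into notepad. The two signals are deliberately independent: a file under 64 bytes is flagged on size alone, so a dropper that clears the hidden/system bits still shows up, while a larger stub that keeps those bits and a random name is caught by the second rule.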
#9
Posted 19 November 2009 - 11:43 PM
Here are the results
ComboFix 09-11-19.05 - Megan Nelson 11/19/2009 15:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.168 [GMT -8:00]
Running from: c:\documents and settings\Megan Nelson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Megan Nelson\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FILE ::
"c:\windows\system32\gayiloba.dll"
"c:\windows\system32\gegotade.dll"
"c:\windows\system32\gitadumi.dll"
"c:\windows\system32\zivomubo.dll"
"c:\windows\system32\zojarepi.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\gayiloba.dll
c:\windows\system32\gegotade.dll
c:\windows\system32\gitadumi.dll
c:\windows\system32\zivomubo.dll
c:\windows\system32\zojarepi.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-15 17:43 . 2009-11-15 17:43 -------- d-----w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\Intuit
2009-11-14 05:36 . 2009-11-14 05:36 -------- d-----w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\IsolatedStorage
2009-11-14 05:35 . 2009-11-14 05:35 -------- d-----w- c:\program files\TurboTax
2009-11-14 05:23 . 2009-11-19 19:18 1462920 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY.010\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-14 05:21 . 2009-11-14 05:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-14 05:21 . 2009-11-14 05:21 -------- d-----w- c:\program files\MSBuild
2009-11-14 05:21 . 2009-11-14 05:21 -------- d-----w- c:\program files\Reference Assemblies
2009-11-14 05:19 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-14 05:19 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-14 05:19 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-14 05:19 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-14 05:19 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-14 05:19 . 2009-11-14 05:20 -------- d-----w- C:\85b0f1ad304ac11c0f4812f0af01
2009-11-14 05:19 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-14 05:19 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-09 19:21 . 2009-11-09 19:21 -------- d-----w- c:\program files\Trend Micro
2009-11-06 18:18 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 18:18 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 18:18 . 2009-11-06 18:18 -------- d-----w- c:\program files\abcde
2009-11-02 00:43 . 2009-11-19 19:19 -------- d-----w- c:\program files\COMODO
2009-11-01 16:40 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-01 16:40 . 2009-07-29 00:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-01 16:40 . 2009-02-13 20:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-01 16:40 . 2009-02-13 20:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-01 16:39 . 2009-11-01 16:39 -------- d-----w- c:\program files\Avira
2009-11-01 16:39 . 2009-11-01 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-01 06:19 . 2009-11-01 06:19 -------- d-----w- c:\program files\WinASO
2009-11-01 01:42 . 2009-11-01 16:27 0 ----a-w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\prvlcl.dat
2009-10-31 23:28 . 2009-10-31 23:29 -------- d-----w- c:\program files\help
2009-10-30 04:12 . 2009-10-30 04:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-29 06:49 . 2009-10-29 06:49 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY.010\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 17:42 . 2005-08-21 23:35 241816 -c--a-w- c:\documents and settings\Megan Nelson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-14 05:50 . 2007-11-05 20:30 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\Intuit
2009-11-14 05:39 . 2007-11-05 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-11-14 05:36 . 2007-11-05 20:29 -------- d-----w- c:\program files\Common Files\Intuit
2009-11-06 19:31 . 2009-01-02 19:48 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\Skype
2009-11-06 16:05 . 2009-01-02 19:51 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\skypePM
2009-11-03 19:33 . 2009-11-03 19:33 6 ----a-w- c:\windows\Fonts\wfonts.key
2009-11-02 06:21 . 2005-04-29 09:19 -------- d-----w- c:\program files\Google
2009-11-01 15:47 . 2007-02-26 23:20 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\ComcastToolbar
2009-10-07 20:24 . 2009-10-07 20:21 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2009-09-26 21:10 . 2005-08-06 19:38 -------- d-----w- c:\documents and settings\Megan Nelson\Application Data\Apple Computer
2009-09-20 20:41 . 2009-09-20 20:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\abcde ----
2009-11-06 18:18 . 2009-11-06 18:18 10498 ----a-w- c:\program files\abcde\unins000.msg
2009-11-06 18:18 . 2009-09-10 22:54 269648 ----a-w- c:\program files\abcde\mbamservice.exe
2009-11-06 18:18 . 2009-09-10 22:54 420176 ----a-w- c:\program files\abcde\mbamgui.exe
2009-11-06 18:18 . 2009-09-10 22:54 496976 ----a-w- c:\program files\abcde\vbalsgrid6.ocx
2009-11-06 18:18 . 2009-09-10 22:54 46416 ----a-w- c:\program files\abcde\ssubtmr6.dll
2009-11-06 18:18 . 2009-09-10 22:54 79696 ----a-w- c:\program files\abcde\zlib.dll
2009-11-06 18:18 . 2009-09-10 22:53 70992 ----a-w- c:\program files\abcde\mbamext.dll
2009-11-06 18:18 . 2009-09-10 22:53 1312080 ----a-w- c:\program files\abcde\mbam.exe
2009-11-06 18:18 . 2008-11-01 01:54 13097 ----a-w- c:\program files\abcde\Languages\ukrainian.lng
2009-11-06 18:18 . 2009-04-15 13:00 13808 ----a-w- c:\program files\abcde\Languages\turkish.lng
2009-11-06 18:18 . 2009-09-07 09:51 12265 ----a-w- c:\program files\abcde\Languages\swedish.lng
2009-11-06 18:18 . 2009-09-09 07:46 12962 ----a-w- c:\program files\abcde\Languages\spanish.lng
2009-11-06 18:18 . 2008-03-04 07:28 11205 ----a-w- c:\program files\abcde\Languages\slovenian.lng
2009-11-06 18:18 . 2008-07-26 17:58 11599 ----a-w- c:\program files\abcde\Languages\slovak.lng
2009-11-06 18:18 . 2009-09-06 17:23 12198 ----a-w- c:\program files\abcde\Languages\serbian.lng
2009-11-06 18:18 . 2008-07-04 08:58 11779 ----a-w- c:\program files\abcde\Languages\russian.lng
2009-11-06 18:18 . 2008-03-14 03:09 12672 ----a-w- c:\program files\abcde\Languages\romanian.lng
2009-11-06 18:18 . 2008-06-15 21:04 12345 ----a-w- c:\program files\abcde\Languages\portuguesePT.lng
2009-11-06 18:18 . 2008-03-05 03:56 12245 ----a-w- c:\program files\abcde\Languages\portugueseBR.lng
2009-11-06 18:18 . 2009-01-11 08:56 11623 ----a-w- c:\program files\abcde\Languages\polish.lng
2009-11-06 18:18 . 2009-06-10 21:39 11593 ----a-w- c:\program files\abcde\Languages\norwegian.lng
2009-11-06 18:18 . 2008-09-11 06:29 13314 ----a-w- c:\program files\abcde\Languages\macedonian.lng
2009-11-06 18:18 . 2008-12-20 00:30 11457 ----a-w- c:\program files\abcde\Languages\latvian.lng
2009-11-06 18:18 . 2009-07-24 03:46 9269 ----a-w- c:\program files\abcde\Languages\korean.lng
2009-11-06 18:18 . 2008-03-05 04:03 13019 ----a-w- c:\program files\abcde\Languages\italian.lng
2009-11-06 18:18 . 2008-03-04 01:39 12048 ----a-w- c:\program files\abcde\Languages\hungarian.lng
2009-11-06 18:18 . 2009-08-20 04:38 9278 ----a-w- c:\program files\abcde\Languages\hebrew.lng
2009-11-06 18:18 . 2008-10-07 23:15 13234 ----a-w- c:\program files\abcde\Languages\greek.lng
2009-11-06 18:18 . 2009-09-10 22:12 13642 ----a-w- c:\program files\abcde\Languages\german.lng
2009-11-06 18:18 . 2009-09-09 07:45 13442 ----a-w- c:\program files\abcde\Languages\french.lng
2009-11-06 18:18 . 2008-05-17 18:09 11624 ----a-w- c:\program files\abcde\Languages\finnish.lng
2009-11-06 18:18 . 2009-07-31 17:20 11213 ----a-w- c:\program files\abcde\Languages\estonian.lng
2009-11-06 18:18 . 2009-09-03 18:22 11314 ----a-w- c:\program files\abcde\Languages\english.lng
2009-11-06 18:18 . 2008-03-05 03:56 12255 ----a-w- c:\program files\abcde\Languages\dutch.lng
2009-11-06 18:18 . 2009-02-18 04:27 11893 ----a-w- c:\program files\abcde\Languages\danish.lng
2009-11-06 18:18 . 2009-09-08 03:42 12199 ----a-w- c:\program files\abcde\Languages\czech.lng
2009-11-06 18:18 . 2008-12-28 00:41 11977 ----a-w- c:\program files\abcde\Languages\croatian.lng
2009-11-06 18:18 . 2008-08-04 20:58 8141 ----a-w- c:\program files\abcde\Languages\chineseTR.lng
2009-11-06 18:18 . 2008-08-01 17:03 8045 ----a-w- c:\program files\abcde\Languages\chineseSI.lng
2009-11-06 18:18 . 2008-03-05 04:05 12595 ----a-w- c:\program files\abcde\Languages\catalan.lng
2009-11-06 18:18 . 2009-09-09 07:46 12610 ----a-w- c:\program files\abcde\Languages\bulgarian.lng
2009-11-06 18:18 . 2009-08-02 00:14 12636 ----a-w- c:\program files\abcde\Languages\bosnian.lng
2009-11-06 18:18 . 2009-04-10 08:53 10331 ----a-w- c:\program files\abcde\Languages\arabic.lng
2009-11-06 18:18 . 2008-07-03 18:10 13924 ----a-w- c:\program files\abcde\Languages\albanian.lng
2009-11-06 18:18 . 2009-09-10 22:53 163664 ----a-w- c:\program files\abcde\mbam.dll
2009-11-06 18:18 . 2009-09-10 22:37 16400 ----a-w- c:\program files\abcde\changes.rtf
2009-11-06 18:18 . 2009-01-05 03:31 4124 ----a-w- c:\program files\abcde\license.txt
2009-11-06 18:18 . 2009-07-30 23:27 59015 ----a-w- c:\program files\abcde\mbam.chm
2009-11-06 18:18 . 2009-11-06 18:17 699216 ----a-w- c:\program files\abcde\unins000.exe
2009-11-06 18:18 . 2009-11-06 18:18 8722 ----a-w- c:\program files\abcde\unins000.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\abcde\mbam.exe" [2009-09-10 1312080]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"EPSON Stylus CX4800 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
"Cpqset"=c:\program files\HPQ\Default Settings\cpqset.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe"
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"tgcmd"=c:\program files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/1/2009 8:40 AM 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [9/29/2009 9:17 AM 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 7:18 AM 200192]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\MEGANN~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\MEGANN~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-04-26 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-11 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Megan Nelson\Application Data\Mozilla\Firefox\Profiles\nexr8qkk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 15:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,4a,35,df,3a,f2,d8,43,82,9e,3f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,4a,35,df,3a,f2,d8,43,82,9e,3f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-19 15:31
ComboFix-quarantined-files.txt 2009-11-19 23:31
ComboFix2.txt 2009-11-19 20:19
Pre-Run: 39,348,637,696 bytes free
Post-Run: 39,332,040,704 bytes free
- - End Of File - - F44F4B32EEFADE72709A04ED1783BB6C
#10
Posted 20 November 2009 - 07:03 AM
Hi,
This looks OK now.
* Go to Start > Run and copy and paste the next command in the field:
ComboFix /Uninstall
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
#11
Posted 22 November 2009 - 07:50 PM
Quote
Let me know in your next reply how things are now.
#12
Posted 25 November 2009 - 07:42 PM
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!