
Google Links Redirect Me

Discussion in 'Virus & Other Malware Removal' started by fb767, Apr 6, 2010.

  1. fb767

    fb767 Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    3
    Hello, I have a problem where all the Google links after a Google search redirect me to spam websites and shopping websites. Even this website, after the search "Google links redirect me", took me 3 clicks for it to open. Also, Google is loading very slowly and it has never been slow before and is not slow on any of our 2 other computers.

    Another problem that I was hoping you will be able to help me with: Ad-Aware doesn't update (an error shows up) and my scanning gets stuck and the computer freezes, requiring a reboot. After a scan with a portable scanner, I found 5 Trojans and I deleted them all.

    Thank you in advance for all your help.

    P.S. I'm only a beginner so please go easy on me with the terminology.
     
  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


    NEXT


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your next reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
     
  3. fb767

    fb767 Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    3
    Thank you so much for replying! Here's the information:

    DDS:



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Mindows_Laptop at 14:52:03.77 on 14/04/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.3062.2046 [GMT -4:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\OSPPSVC.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\OEM02Mon.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\AGEIA Technologies\TrayIcon.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\explorer.exe
    C:\Users\Mindows_Laptop\Desktop\dds.com
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [TOY5KNQ8OC] c:\users\mindows_laptop\appdata\local\temp\Fk1.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
    mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
    mRun: [IObit Security 360] "h:\security\iobit security 360\IS360tray.exe" /autostart
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\users\mindow~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: S&end to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 93.188.164.210,93.188.166.48
    TCP: {2B731500-213D-4EA2-B95A-081D5BCC886B} = 93.188.164.210,93.188.166.48
    TCP: {CD180CCB-5263-45EF-A717-33B7B6CE0913} = 93.188.164.210,93.188.166.48
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\mindow~1\appdata\roaming\mozilla\firefox\profiles\cos6wij6.default\
    FF - prefs.js: browser.search.selectedEngine - swagbucks.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
    FF - plugin: c:\users\mindows_laptop\appdata\roaming\move networks\plugins\npqmp071700000016.dll
    FF - plugin: c:\users\mindows_laptop\appdata\roaming\mozilla\firefox\profiles\cos6wij6.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\windows\system32\c2mp\npdivx32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-20 64288]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
    R2 osppsvc;Office Software Protection Platform;c:\windows\system32\OSPPSVC.EXE [2009-4-8 4319136]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
    S2 IS360service;IS360service;h:\security\iobit security 360\is360srv.exe --> h:\security\iobit security 360\is360srv.exe [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-6 40160]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2009-4-25 33480048]

    =============== Created Last 30 ================

    2010-04-14 18:43:53 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
    2010-04-06 20:40:13 0 d-----w- c:\users\mindow~1\appdata\roaming\Malwarebytes
    2010-04-06 20:40:09 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-06 20:40:07 0 d-----w- c:\programdata\Malwarebytes
    2010-04-06 20:40:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-06 18:51:09 4869 ----a-w- c:\windows\system32\????? ?????? ??????? ?? ?????? ????? ?? ???? ???? ????? ???? ????? ????? ????? ???? ?????? ?????? ?? ?????? ??????? ???????? ??? ?????? ???? ????? ?? ?????? ?? ??? ?????? ????? ??????? ??? ??.lnk
    2010-04-05 17:30:32 0 d-----w- c:\programdata\IObit
    2010-04-05 04:25:01 0 d-----w- c:\programdata\Kaspersky Lab
    2010-04-05 04:12:15 65536 --sha-w- c:\users\mindows_laptop\ntuser.dat{61a81fa4-4069-11df-aba1-00242b3528a7}.TM.blf
    2010-04-05 04:12:15 524288 --sha-w- c:\users\mindows_laptop\ntuser.dat{61a81fa4-4069-11df-aba1-00242b3528a7}.TMContainer00000000000000000002.regtrans-ms
    2010-04-05 04:12:15 524288 --sha-w- c:\users\mindows_laptop\ntuser.dat{61a81fa4-4069-11df-aba1-00242b3528a7}.TMContainer00000000000000000001.regtrans-ms
    2010-03-20 23:57:34 0 d-----r- c:\users\mindow~1\appdata\roaming\Brother
    2010-03-20 15:25:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-03-20 15:20:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-03-20 15:19:59 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-03-20 15:19:52 0 d-----w- c:\programdata\Lavasoft
    2010-03-20 15:19:52 0 d-----w- c:\program files\Lavasoft
    2010-03-20 14:42:08 0 d-----w- c:\programdata\ESET

    ==================== Find3M ====================

    2010-03-04 05:43:56 80 ----a-w- c:\users\mindow~1\appdata\roaming\msdreg.dat
    2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-18 23:29:31 365568 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-18 23:29:30 369152 ----a-w- c:\windows\system32\secproc.dll
    2010-01-18 23:28:33 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-18 23:28:33 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-18 23:28:30 320512 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-18 23:28:30 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-18 00:58:37 87608 ----a-w- c:\users\mindow~1\appdata\roaming\inst.exe
    2010-01-18 00:58:37 47360 ----a-w- c:\users\mindow~1\appdata\roaming\pcouffin.sys
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 14:52:28.51 ===============

    Attach:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 24/10/2009 10:41:14 PM
    System Uptime: 14/04/2010 2:41:16 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0U990C
    Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | Microprocessor | 2167/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 146 GiB total, 105.53 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP78: 10/03/2010 4:23:47 PM - Windows Update
    RP79: 12/03/2010 7:56:51 AM - Windows Update
    RP80: 19/03/2010 1:54:48 PM - Scheduled Checkpoint
    RP81: 20/03/2010 10:41:51 AM - Installed ESET NOD32 Antivirus
    RP82: 27/03/2010 12:13:07 PM - Scheduled Checkpoint
    RP83: 03/04/2010 9:02:27 PM - Scheduled Checkpoint
    RP84: 12/04/2010 9:43:09 AM - Scheduled Checkpoint

    ==== Installed Programs ======================

    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Premiere Elements 7.0
    Adobe Reader 9.3.2
    AGEIA PhysX v2.3.3
    µTorrent
    Borderlands
    Brother MFL-Pro Suite DCP-350C
    Concise Oxford English Dictionary and Thesaurus
    ConvertXtoDVD 3.3.4.106e
    Dell Touchpad
    Ghost Recon Advanced Warfighter
    Graboid Video 1.65
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Laptop Integrated Webcam Driver (1.04.01.1011)
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 14
    Microsoft Office Excel MUI (English) 14
    Microsoft Office Groove MUI (English) 14
    Microsoft Office Groove Setup Metadata MUI (English) 14
    Microsoft Office InfoPath MUI (English) 14
    Microsoft Office OneNote MUI (English) 14
    Microsoft Office Outlook MUI (English) 14
    Microsoft Office PowerPoint MUI (English) 14
    Microsoft Office Professional Plus 14
    Microsoft Office Professional Plus 2010 (Technical Preview)
    Microsoft Office Proof (English) 14
    Microsoft Office Proof (French) 14
    Microsoft Office Proof (Spanish) 14
    Microsoft Office Proofing (English) 14
    Microsoft Office Publisher MUI (English) 14
    Microsoft Office Send-a-Smile
    Microsoft Office Shared MUI (English) 14
    Microsoft Office Shared Setup Metadata MUI (English) 14
    Microsoft Office Word MUI (English) 14
    Microsoft Silverlight
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Move Media Player
    Mozilla Firefox (3.6.3)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA PhysX v8.10.29
    Palm Desktop by ACCESS
    Skype Toolbars
    Skype™ 4.1
    System Requirements Lab
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.1
    VoipStunt
    Windows 7 Codec Pack 2.2.0
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    14/04/2010 2:41:32 PM, Error: Service Control Manager [7000] - The IS360service service failed to start due to the following error: The system cannot find the file specified.
    07/04/2010 11:17:38 PM, Error: Service Control Manager [7022] - The ESET Service service hung on starting.
    07/04/2010 11:17:31 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

    ==== End Of File ===========================


    GMER File:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-14 14:59:07
    Windows 6.1.7600
    Running: gmer.exe; Driver: C:\Users\MINDOW~1\AppData\Local\Temp\kwtoqkod.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E47AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E47104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E473F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E302D8
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2F898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E471DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E47958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E476F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E47F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E481A8

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys

    Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat eamon.sys

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:256] 86052930

    ---- EOF - GMER 1.0.15 ----


    Thanks again.
     
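A triage pass over the DDS entries posted above, added here as an example and not part of the thread or of the DDS tool: it pulls the autorun, UAC policy and DNS lines out of a "Pseudo HJT Report" section and flags what a malware helper looks at first (autoruns launched from temp/profile folders, random-looking run-key names, UAC prompts switched off, DNS servers that are not the expected ones). The expected DNS address 192.168.1.1 and the flagging rules are assumptions of the example.

```python
import re

# Lines taken from the DDS log posted above (DDS's own line format).
SAMPLE_DDS = """\
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
uRun: [TOY5KNQ8OC] c:\\users\\mindows_laptop\\appdata\\local\\temp\\Fk1.exe
mRun: [IgfxTray] c:\\windows\\system32\\igfxtray.exe
mRun: [HotSync] "c:\\program files\\palmsource\\desktop\\HotSync.exe" -AllUsers
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: NameServer = 93.188.164.210,93.188.166.48
TCP: {2B731500-213D-4EA2-B95A-081D5BCC886B} = 93.188.164.210,93.188.166.48
"""

RUN_RE = re.compile(r"^([um]Run): \[([^\]]+)\] (.+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
# First executable on the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|pif))\b', re.IGNORECASE)
# Heuristic (assumption): 8+ upper-case letters/digits with at least one of each.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}$")

# Folders a normal autorun has no business living in (user-writable).
USER_WRITABLE = ("\\temp\\", "\\appdata\\")

# UAC policy values that remove the elevation prompt: key -> (value, meaning).
UAC_WEAK = {
    "EnableLUA": (0, "UAC is disabled entirely"),
    "ConsentPromptBehaviorAdmin": (0, "admins elevate with no prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompt not on the secure desktop"),
}


def parse_run_entries(text):
    """Return (scope, key name, lower-cased executable path) per uRun/mRun line."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        scope, name, cmd = m.groups()
        exe = EXE_RE.match(cmd)
        path = exe.group(1).lower() if exe else cmd.lower()
        entries.append((scope, name, path))
    return entries


def parse_policies(text):
    """Return {policy name: integer value} from the mPolicies-system lines."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def parse_dns_servers(text):
    """Return the sorted set of DNS servers named on any TCP: line."""
    servers = set()
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            servers.update(s.strip() for s in m.group(1).split(","))
    return sorted(servers)


def triage(text, expected_dns):
    """Return (category, detail) findings a helper would want to look at first."""
    findings = []
    for scope, name, path in parse_run_entries(text):
        if any(folder in path for folder in USER_WRITABLE):
            findings.append(("autorun-userwritable", f"{scope} [{name}] -> {path}"))
        if RANDOM_NAME_RE.match(name):
            findings.append(("autorun-randomname", f"{scope} [{name}]"))
    for key, value in parse_policies(text).items():
        weak_value, why = UAC_WEAK.get(key, (None, None))
        if value == weak_value:
            findings.append(("uac-weakened", f"{key}={value}: {why}"))
    for server in parse_dns_servers(text):
        if server not in expected_dns:
            findings.append(("dns-unexpected", server))
    return findings


if __name__ == "__main__":
    # 192.168.1.1 stands in for the router/ISP resolver the machine should use.
    for category, detail in triage(SAMPLE_DDS, {"192.168.1.1"}):
        print(f"{category:22} {detail}")
```

Each finding is a lead, not a verdict: the helper still checks the flagged file and the DNS addresses before asking the poster to remove anything.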
  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Download Combofix from either of the links below, and save it to your desktop.

    Link 1
    Link 2



    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------
    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    --------------------------------------------------------------------

    Double click on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
     
  5. fb767

    fb767 Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    3
    Hey, sorry about the late reply. The log file is:


    ComboFix 10-04-18.04 - Mindows_Laptop 19/04/2010 14:09:36.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.3062.2134 [GMT -4:00]
    Running from: c:\users\Mindows_Laptop\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Mindows_Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4FCEF5F2-CB12-4E39-9178-84133F9D6333}.xps
    c:\users\Mindows_Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7228694A-C542-45A2-86A8-69DE61BC3BB9}.xps
    c:\users\Mindows_Laptop\AppData\Roaming\inst.exe
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-19 18:14 . 2010-04-19 18:16 -------- d-----w- c:\users\Mindows_Laptop\AppData\Local\temp
    2010-04-19 18:14 . 2010-04-19 18:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-14 18:43 . 2010-04-14 18:43 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
    2010-04-06 20:40 . 2010-04-06 20:40 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\Malwarebytes
    2010-04-06 20:40 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-06 20:40 . 2010-04-06 20:40 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-06 20:40 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-05 17:30 . 2010-04-05 17:30 -------- d-----w- c:\programdata\IObit
    2010-04-05 04:25 . 2010-04-05 04:25 -------- d-----w- c:\programdata\Kaspersky Lab
    2010-03-21 17:07 . 2010-03-21 17:07 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2010-03-21 17:07 . 2010-03-21 17:07 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
    2010-03-21 17:07 . 2010-03-21 17:07 573760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2010-03-20 23:57 . 2010-03-20 23:57 -------- d-----r- c:\users\Mindows_Laptop\AppData\Roaming\Brother

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-13 21:59 . 2009-10-27 03:31 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-13 13:09 . 2010-02-18 13:55 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\Skype
    2010-04-13 13:08 . 2010-02-18 14:00 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\skypePM
    2010-03-22 14:44 . 2010-03-12 01:59 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2010-03-22 14:44 . 2010-03-12 01:59 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2010-03-20 15:20 . 2010-03-20 15:19 -------- d-----w- c:\programdata\Lavasoft
    2010-03-20 15:20 . 2010-03-20 15:19 -------- d-----w- c:\program files\Lavasoft
    2010-03-20 15:20 . 2010-03-20 15:19 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-03-18 04:45 . 2009-12-25 06:13 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\vlc
    2010-03-12 01:59 . 2010-03-12 01:59 573760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-03-04 05:43 . 2010-03-04 05:28 80 ----a-w- c:\users\Mindows_Laptop\AppData\Roaming\msdreg.dat
    2010-03-04 05:28 . 2010-03-04 05:28 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\MSDict
    2010-03-04 05:27 . 2010-03-04 05:27 -------- d-----w- c:\program files\Mobile Systems
    2010-03-04 05:27 . 2009-11-02 01:21 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-01 03:25 . 2010-03-01 03:25 -------- d-----w- c:\program files\MSXML 4.0
    2010-02-28 05:20 . 2010-02-28 05:20 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\Arcsoft
    2010-02-28 05:20 . 2010-02-28 05:19 -------- d-----w- c:\program files\Palm
    2010-02-28 05:18 . 2010-02-28 05:05 -------- d-----w- c:\program files\palmOne
    2010-02-28 05:07 . 2010-02-28 05:07 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\Leadertech
    2010-02-28 05:05 . 2010-02-28 05:05 -------- d-----w- c:\programdata\HotSync
    2010-02-28 05:04 . 2010-02-28 05:04 -------- d-----w- c:\users\Mindows_Laptop\AppData\Roaming\HotSync
    2010-02-28 05:04 . 2010-01-12 02:22 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-02-24 14:16 . 2009-10-25 03:09 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-18 14:00 . 2010-02-18 14:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-02-04 15:53 . 2010-03-20 15:19 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2010-02-04 15:53 . 2010-03-20 15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-02-04 15:52 . 2010-03-20 15:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-02-02 07:45 . 2010-02-24 13:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
    2009-04-08 20:05 739688 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-16 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-16 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-16 150552]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
    "AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

    c:\users\Mindows_Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    palmOne Registration.lnk - c:\program files\palmOne\register.exe [2010-2-28 2367488]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MSDict.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MSDict.lnk
    backup=c:\windows\pss\MSDict.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSAS.lnk
    backup=c:\windows\pss\OfficeSAS.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Status Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Status Monitor.lnk
    backup=c:\windows\pss\Status Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Mindows_Laptop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
    path=c:\users\Mindows_Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
    2009-04-25 22:00 58216 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
    2009-05-26 21:46 1159168 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
    2008-12-24 15:26 114688 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2009-04-25 22:18 875392 ----a-w- c:\progra~1\MICROS~2\Office14\GROOVEMN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
    2009-11-12 13:37 9109296 ----a-w- c:\program files\VoipStunt.com\VoipStunt\VoipStunt.exe

    R2 IS360service;IS360service;h:\security\IObit Security 360\is360srv.exe [x]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1228208]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-05-26 40160]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2009-04-25 33480048]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 osppsvc;Office Software Protection Platform;c:\windows\system32\OSPPSVC.EXE [2009-04-08 4319136]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:52]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: S&end to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    FF - ProfilePath - c:\users\Mindows_Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\cos6wij6.default\
    FF - prefs.js: browser.search.selectedEngine - swagbucks.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\users\Mindows_Laptop\AppData\Roaming\Move Networks\plugins\npqmp071700000016.dll
    FF - plugin: c:\users\Mindows_Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\cos6wij6.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\windows\system32\C2MP\npdivx32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
    HKLM-Run-IObit Security 360 - h:\security\IObit Security 360\IS360tray.exe
    MSConfigStartUp-TOY5KNQ8OC - c:\users\MINDOW~1\AppData\Local\Temp\Fk1.exe
    AddRemove-AGEIA PhysX v2.3.3 - c:\program files\AGEIA Technologies\uninstall.exe
    AddRemove-Malwarebytes' Anti-Malware_is1 - e:\program files\Malwarebytes' Anti-Malware\unins000.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-04-19 14:17:51
    ComboFix-quarantined-files.txt 2010-04-19 18:17

    Pre-Run: 113,209,548,800 bytes free
    Post-Run: 117,733,941,248 bytes free

    - - End Of File - - 037D1F2B90CD3A316BF009C94BBC9B13




    Thanks again for all your help.
     
  6. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:


    • Please open your MalwareBytes AntiMalware Program
    • Click the Update Tab and search for updates
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    NEXT


    **Vista users - right click on the IE icon and run as administrator

    Run an on-line scan with Kaspersky

    Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.
    2. To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    3. Click Run at the Security prompt.
    The program will then begin downloading and installing and will also update the database.
    Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.

    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Short URL to this thread: https://techguy.org/915179