
Help with Hijack log

Discussion in 'Virus & Other Malware Removal' started by higgs03, Dec 2, 2011.

  1. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    I am looking for help with Internet Explorer. I bought a new netbook and it came from China. It had no antivirus when I got it, so I installed Microsoft Security Essentials. It detected some malware on it and fixed the problems. The only problem I think I have now is with IE. It opens on www.1112.me when I click on it. If I click on a link in a program it automatically opens IE on that www.1112.me even though I have set Chrome as my default browser. I went into the registry editor and changed the start page manually in all sections where I saw that web address, and it worked fine when I opened IE, but when I restart the netbook, the same thing keeps happening. I would be grateful for any help.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 02:10:00, on 03/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\KaraokeSer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1112.me
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ie
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: QQ.vbs (User 'SYSTEM')
    O4 - .DEFAULT Startup: QQ.vbs (User 'Default user')
    O4 - .DEFAULT User Startup: QQ.vbs (User 'Default user')
    O4 - Startup: QQ.vbs
    O4 - Global Startup: QQ.vbs
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: VIA Karaoke digital mixer Service (KaraokeService) - VIA Technologies, Inc. - C:\WINDOWS\system32\KaraokeSer.exe

    --
    End of file - 5156 bytes
     
  2. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    Here is the new log, as I have deleted a few items with no success.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 23:54:57, on 06/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\KaraokeSer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ie
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: QQ.vbs (User 'SYSTEM')
    O4 - .DEFAULT Startup: QQ.vbs (User 'Default user')
    O4 - .DEFAULT User Startup: QQ.vbs (User 'Default user')
    O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Startup: QQ.vbs
    O4 - Global Startup: QQ.vbs
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: VIA Karaoke digital mixer Service (KaraokeService) - VIA Technologies, Inc. - C:\WINDOWS\system32\KaraokeSer.exe

    --
    End of file - 4970 bytes
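Added example, not part of this thread and not HijackThis's own logic: a small Python triage script that applies the checks a log reader performs on the R0/R1/O4 lines of HijackThis logs like the two above (start or search page outside a known-good set, an explicit proxy, a Run entry with no full path, script files in Startup folders, startup items in the SYSTEM and Default user profiles). The known-good page set is an assumption built from the vendor defaults and the google.ie page seen in the logs, and the sample input is constructed from lines of the first log.

```python
"""HijackThis R0/R1/O4 triage: flags the lines an analyst would look at first.
Added example for this thread; the rules are a reviewer's checklist, not HijackThis's own."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Pages an analyst would accept on this machine (assumption: IE's vendor defaults
# plus the google.ie page the user chose, as seen in the logs).
KNOWN_GOOD_PAGES = {
    "http://www.google.ie",
    "http://go.microsoft.com/fwlink/?LinkId=69157",
    "http://go.microsoft.com/fwlink/?LinkId=54896",
}
# Script types that have no business in a Startup folder on a home machine.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta")
PAGE_VALUES = ("Start Page", "Default_Page_URL", "Search Page", "Default_Search_URL")

REASON_PAGE = "start/search page outside the known-good set"
REASON_PROXY = "explicit proxy server configured"
REASON_NO_PATH = "Run entry has no full path; executable resolved by search order"
REASON_SCRIPT = "script file in a Startup folder"
REASON_PROFILE = "startup item in the SYSTEM or Default user profile"


@dataclass
class Finding:
    line: str
    reason: str


def _run_command_has_path(command: str) -> bool:
    """True if an O4 Run command starts with a drive letter or %VAR% path."""
    cmd = command.strip().lstrip('"')
    return re.match(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)", cmd) is not None


def triage(log_text: str) -> list[Finding]:
    """Apply the checklist to every R0/R1/O4 line; other sections are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        # R0/R1 - <registry key>,<value name> = <data>
        m = re.match(r"^R[01] - (.+?),([^=]+?) = (.+)$", line)
        if m:
            _key, name, data = (s.strip() for s in m.groups())
            if name in PAGE_VALUES and data not in KNOWN_GOOD_PAGES:
                findings.append(Finding(line, REASON_PAGE))
            elif name == "ProxyServer":
                findings.append(Finding(line, REASON_PROXY))
            continue
        # O4 - <location>: <item>
        m = re.match(r"^O4 - (.+?): (.+)$", line)
        if not m:
            continue
        location, item = m.groups()
        if r"\..\Run" in location:
            rm = re.match(r"^\[.+?\] (.+)$", item)
            if rm and not _run_command_has_path(rm.group(1)):
                findings.append(Finding(line, REASON_NO_PATH))
        elif "Startup" in location:
            target = item.split(" (User ")[0].strip()
            if target.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(Finding(line, REASON_SCRIPT))
            if re.search(r"\(User '(SYSTEM|Default user)'\)", item):
                findings.append(Finding(line, REASON_PROFILE))
    return findings


def reason_counts(findings: list[Finding]) -> dict[str, int]:
    """How many flagged lines each reason produced."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Sample input, constructed from lines of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1112.me
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: QQ.vbs (User 'SYSTEM')
O4 - .DEFAULT Startup: QQ.vbs (User 'Default user')
O4 - .DEFAULT User Startup: QQ.vbs (User 'Default user')
O4 - Startup: QQ.vbs
O4 - Global Startup: QQ.vbs
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the script singles out the 1112.me start page, the 0.0.0.0:80 proxy, the path-less wsctf.exe Run entry and every QQ.vbs startup item, while leaving the Java, Microsoft and ctfmon entries unflagged.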
     
  3. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method (Recommended: Immediate Notification).
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
    Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


    Vista and Windows 7 users:
    These tools MUST be run from the executable (.exe) every time you run them
    with Admin Rights (Right click, choose "Run as Administrator")


    Stay with this topic until I give you the all clean post.
    ----------

    Please download DDS from one of the following links and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click DDS icon to run the tool (may take up to 3 minutes to run)
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    ---------------------------------------------------
    • Post the contents of the DDS.txt report in your next reply
    • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.
    ----------

    Please download aswMBR to your desktop.

    • Double click the aswMBR icon to run it.
      Vista and Windows 7 users right click the icon and choose "Run as administrator".
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

    ----------

    In your next reply please post both of the logs created by DDS and the log created by aswMBR.exe. :)
     
  4. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by Administrator at 18:33:29 on 2011-12-07
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2038.1352 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\KaraokeSer.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://www.1112.me
    uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
    uInternet Settings,ProxyServer = 0.0.0.0:80
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mWinlogon: Userinit=userinit.exe
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\QQ.vbs
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\QQ.vbs
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{2E593374-E73E-4ACE-B895-931D33C206D3} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{EC1E7F15-E225-41DE-9167-3AA899ABD015} : DhcpNameServer = 202.96.134.133 202.96.128.166
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\9uqldack.default\
    FF - prefs.js: browser.startup.homepage - www.google.ie
    FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 THREADACPI;THREAD Firmware Extension Device Driver;c:\windows\system32\drivers\THREADACPI.sys [2011-9-4 6912]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl2db308aa;MpKsl2db308aa;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\MpKsl2db308aa.sys [2011-12-7 29904]
    R2 KaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\KaraokeSer.exe [2011-11-1 88688]
    R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2011-10-13 1720928]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-30 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-30 136176]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-11-1 2805744]
    S4 ahcix86;ahcix86;c:\windows\system32\drivers\ahci8086.sys [2008-6-3 176136]
    S4 iaStor5;Intel RAID Controller;c:\windows\system32\drivers\iastor5.sys [2008-1-23 874624]
    S4 iaStor6;Intel AHCI Controller 6;c:\windows\system32\drivers\iastor6.sys [2008-1-23 250368]
    S4 iaStor7;Intel AHCI Controller 7;c:\windows\system32\drivers\iastor7.sys [2008-1-23 308248]
    S4 m5228;m5228;c:\windows\system32\drivers\m5228.sys [2008-1-23 45069]
    S4 m5281;m5281;c:\windows\system32\drivers\m5281.sys [2008-1-23 51072]
    S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2008-1-23 103680]
    S4 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2008-1-23 210304]
    S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2008-1-23 52480]
    S4 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\si3112r.sys [2008-1-23 102528]
    S4 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2008-1-23 68864]
    S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-1-23 17968]
    .
    =============== File Associations ===============
    .
    chm.file=hh.exe %1
    .
    =============== Created Last 30 ================
    .
    2011-12-07 18:24:34 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\MpKsl2db308aa.sys
    2011-12-07 18:24:29 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\offreg.dll
    2011-12-06 20:22:46 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\mpengine.dll
    2011-12-06 20:13:50 -------- d-----w- c:\documents and settings\administrator\application data\OpenOffice.org
    2011-12-03 01:26:11 -------- d-----w- c:\windows\pss
    2011-12-02 18:51:43 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-12-02 18:51:41 -------- d-----w- c:\program files\Trend Micro
    2011-12-02 00:25:30 -------- dc-h--w- c:\windows\ie8
    2011-12-02 00:19:09 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-12-01 18:51:34 758784 ----a-w- c:\windows\system32\dllcache\vgx.dll
    2011-11-30 23:58:28 -------- d-----w- c:\windows\system32\ReinstallBackups
    2011-11-30 23:58:24 2686976 ----a-w- c:\windows\system32\ig4dev32.dll
    2011-11-30 23:58:23 4104192 ----a-w- c:\windows\system32\ig4icd32.dll
    2011-11-30 23:58:23 3829760 ----a-w- c:\windows\system32\igdumd32.dll
    2011-11-30 23:58:23 257536 ----a-w- c:\windows\system32\igfxTMM.dll
    2011-11-30 23:58:23 155648 ----a-w- c:\windows\system32\igfxCoIn_v1972.dll
    2011-11-30 23:58:22 59392 ----a-w- c:\windows\system32\oemdspif.dll
    2011-11-30 23:58:22 536576 ----a-w- c:\windows\system32\igdumdx32.dll
    2011-11-30 23:58:22 4805120 ----a-w- c:\windows\system32\drivers\igdkmd32.sys
    2011-11-30 22:09:57 -------- d-----w- c:\program files\Microsoft Security Client
    2011-11-30 21:56:04 24064 ----a-w- c:\windows\system32\pidgen.dll.wga
    2011-11-30 21:56:04 24064 ----a-w- c:\windows\system32\dllcache\pidgen.dll
    2011-11-30 21:56:04 102912 ----a-w- c:\windows\system32\dpcdll.dll.wga
    2011-11-30 21:56:04 102912 ----a-w- c:\windows\system32\dllcache\dpcdll.dll
    2011-11-30 21:00:45 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-11-30 20:19:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-30 20:07:09 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
    2011-11-30 20:03:00 -------- d-----w- c:\program files\CCleaner
    2011-11-30 19:55:41 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
    2011-11-30 19:53:15 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
    2011-11-30 19:52:56 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
    2011-11-30 19:51:11 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
    2011-11-30 19:50:10 -------- d-----w- c:\windows\ie8updates
    2011-11-30 19:49:55 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-11-30 19:49:55 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-11-30 19:49:54 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-11-30 01:20:35 45568 ------w- c:\windows\system32\dllcache\wab.exe
    2011-11-30 01:20:30 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
    2011-11-30 01:20:15 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
    2011-11-30 01:20:15 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2011-11-30 01:20:15 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2011-11-30 01:19:46 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-11-30 01:19:34 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2011-11-30 01:19:13 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
    2011-11-30 01:15:13 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2011-11-29 17:03:31 221184 ----a-w- c:\windows\system32\wmpns.dll
    2011-11-29 17:00:21 138496 ------w- c:\windows\system32\dllcache\afd.sys
    2011-11-29 16:59:58 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-11-29 16:59:56 105472 ------w- c:\windows\system32\dllcache\mup.sys
    2011-11-29 16:59:48 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
    2011-11-29 16:51:38 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-11-29 16:46:16 -------- d-----w- c:\program files\Foxit Software
    2011-11-29 16:43:17 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-11-29 16:42:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-11-29 16:42:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-29 16:40:23 -------- d-----w- c:\program files\OpenOffice.org 3.3 (en-GB) Installation Files
    2011-11-29 16:40:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-11-29 16:40:04 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2011-11-29 16:39:32 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-11-29 16:31:43 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-29 16:08:59 -------- d--h--w- c:\windows\$hf_mig$
    .
    ==================== Find3M ====================
    .
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 03:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 03:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 03:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    ============= FINISH: 18:33:59.21 ===============
     


  5. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-07 19:34:25
    -----------------------------
    19:34:25.062 OS Version: Windows 5.1.2600 Service Pack 3
    19:34:25.062 Number of processors: 2 586 0x1C0A
    19:34:25.062 ComputerName: PC-201008121243 UserName: Administrator
    19:34:25.281 Initialize success
    19:39:37.281 AVAST engine defs: 11120701
    19:41:38.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    19:41:38.421 Disk 0 Vendor: CSD_CAZ250SF ________ Size: 238475MB BusType: 3
    19:41:40.546 Disk 0 MBR read successfully
    19:41:40.562 Disk 0 MBR scan
    19:41:40.609 Disk 0 unknown MBR code
    19:41:40.625 Disk 0 scanning sectors +488392065
    19:41:40.703 Disk 0 scanning C:\WINDOWS\system32\drivers
    19:41:49.562 Service scanning
    19:41:49.843 Service MpKsl2db308aa C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{485D2AA5-76D1-4DD6-88F7-322BA3C51664}\MpKsl2db308aa.sys **LOCKED** 32
    19:41:50.484 Modules scanning
    19:41:59.187 Disk 0 trace - called modules:
    19:41:59.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    19:41:59.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a397ab8]
    19:41:59.281 3 CLASSPNP.SYS[ba0c8fd7] -> nt!IofCallDriver -> \Device\00000065[0x8a39d510]
    19:41:59.328 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a3b7940]
    19:41:59.703 AVAST engine scan C:\WINDOWS
    19:42:01.531 File: C:\WINDOWS\newrun.exe **INFECTED** Win32:Trojan-gen
    19:42:03.109 AVAST engine scan C:\WINDOWS\system32
    19:43:36.484 AVAST engine scan C:\WINDOWS\system32\drivers
    19:43:48.671 AVAST engine scan C:\Documents and Settings\Administrator
    19:44:17.312 AVAST engine scan C:\Documents and Settings\All Users
    19:44:21.765 Scan finished successfully
    19:44:21.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    19:44:21.984 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
     
  6. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi higgs03,

    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.
     
  7. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 109):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA5AC000 intelide.sys
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AE000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA4C4000 ACPIEC.sys
    0xBA671000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
    0xB9F00000 nvrd32.sys
    0xBA0C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xBA0D8000 VolSnap.sys
    0xB9EE8000 atapi.sys
    0xB9ECB000 viamraid.sys
    0xB9EB3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xBA0E8000 disk.sys
    0xB9E93000 fltMgr.sys
    0xB9E7C000 KSecDD.sys
    0xBA338000 usbohci.sys
    0xB9E58000 \WINDOWS\system32\DRIVERS\USBPORT.SYS
    0xBA4C8000 kbdhid.sys
    0xBA340000 \WINDOWS\system32\DRIVERS\HIDPARSE.SYS
    0xB9DCB000 Ntfs.sys
    0xB9D9E000 NDIS.sys
    0xBA5B0000 THREADACPI.SYS
    0xB9D84000 Mup.sys
    0xBA0F8000 agp440.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9131000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9114000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xB8F71000 \SystemRoot\system32\DRIVERS\RT2860.sys
    0xBA3D0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xBA3D8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA560000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xBA564000 \SystemRoot\system32\DRIVERS\fsvga.sys
    0xBA728000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA568000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8F5A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA3F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8F49000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA1B8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB8F19000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA1C8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5B4000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8EF6000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8E98000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA584000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA1D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB756D000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB7549000 \SystemRoot\system32\drivers\portcls.sys
    0xBA1E8000 \SystemRoot\system32\drivers\drmk.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB0B52000 \SystemRoot\system32\DRIVERS\MpFilter.sys
    0xBA5F6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA6E2000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5F8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA450000 \SystemRoot\System32\drivers\vga.sys
    0xB0636000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xBA5FA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5FC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA458000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA460000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB6B25000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB0603000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB05AA000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB055A000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB0534000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB0512000 \SystemRoot\System32\drivers\afd.sys
    0xBA288000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB0447000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB03D7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA2E8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA468000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xAF9A9000 \SystemRoot\System32\Drivers\usbvideo.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB8484000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA470000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA78C000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xAD841000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xACB94000 \SystemRoot\system32\drivers\wdmaud.sys
    0xACCE9000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAC59F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xAC47F000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAC25E000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBA4A8000 \??\C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2AD8B3BB-DA84-4AD2-AB84-0570D0C004A0}\MpKslb6b16ab0.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 34):
    0 System Idle Process
    4 System
    660 C:\WINDOWS\system32\smss.exe
    720 csrss.exe
    744 C:\WINDOWS\system32\winlogon.exe
    788 C:\WINDOWS\system32\services.exe
    800 C:\WINDOWS\system32\lsass.exe
    964 C:\WINDOWS\system32\svchost.exe
    1012 svchost.exe
    1052 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    1088 C:\WINDOWS\system32\svchost.exe
    1136 svchost.exe
    1228 svchost.exe
    1500 C:\WINDOWS\system32\spoolsv.exe
    1804 C:\WINDOWS\explorer.exe
    180 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    184 C:\Program Files\Microsoft Security Client\msseces.exe
    328 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    364 C:\WINDOWS\system32\ctfmon.exe
    496 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    580 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    1344 C:\Program Files\OpenOffice.org 3\program\soffice.exe
    1548 C:\Program Files\OpenOffice.org 3\program\soffice.bin
    1680 svchost.exe
    1708 C:\Program Files\Java\jre6\bin\jqs.exe
    1660 C:\WINDOWS\system32\KaraokeSer.exe
    2076 C:\WINDOWS\system32\svchost.exe
    2348 C:\WINDOWS\system32\wuauclt.exe
    2772 wmiprvse.exe
    2940 alg.exe
    3692 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3776 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3920 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    2908 C:\Documents and Settings\Administrator\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000e`58160200 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x0000001c`b02b8600 (NTFS)
    \\.\F: --> \\.\PhysicalDrive0 at offset 0x0000002b`08410a00 (NTFS)

    PhysicalDrive0 Model Number: CSDCAZ250SF, Rev:

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
    SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


    Done!
     
  8. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi higgs03,

    Please read through these instructions to familiarize yourself with what to expect when this tool runs

    Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [IMG]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [IMG]

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ----------
     
  9. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    ComboFix 11-12-06.02 - Administrator 08/12/2011 0:18.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2038.1454 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\QQ.vbs
    c:\documents and settings\All Users\Start Menu\Programs\Startup\qq.vbs
    c:\documents and settings\Default User\Start Menu\Programs\Startup\QQ.vbs
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\qq.vbs
    c:\windows\system32\msconfig.exe
    c:\windows\system32\Thumbs.db
    .
    c:\windows\system32\srsvc.dll . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-08 00:13 . 2011-12-08 00:13 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\MpKsl2e9f8432.sys
    2011-12-08 00:13 . 2011-12-08 00:13 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\offreg.dll
    2011-12-07 23:42 . 2011-11-21 02:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\mpengine.dll
    2011-12-06 20:13 . 2011-12-06 20:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
    2011-12-02 18:51 . 2011-12-02 18:51 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-12-02 18:51 . 2011-12-02 18:51 -------- d-----w- c:\program files\Trend Micro
    2011-12-02 00:25 . 2011-12-02 00:26 -------- dc-h--w- c:\windows\ie8
    2011-12-02 00:19 . 2011-11-21 02:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-12-01 18:51 . 2011-04-30 03:01 758784 ----a-w- c:\windows\system32\dllcache\vgx.dll
    2011-11-30 23:58 . 2009-10-15 14:55 2686976 ----a-w- c:\windows\system32\ig4dev32.dll
    2011-11-30 23:58 . 2009-10-15 15:35 155648 ----a-w- c:\windows\system32\igfxCoIn_v1972.dll
    2011-11-30 23:58 . 2009-10-15 15:18 3829760 ----a-w- c:\windows\system32\igdumd32.dll
    2011-11-30 23:58 . 2009-10-15 14:55 4104192 ----a-w- c:\windows\system32\ig4icd32.dll
    2011-11-30 23:58 . 2009-10-15 14:41 257536 ----a-w- c:\windows\system32\igfxTMM.dll
    2011-11-30 23:58 . 2009-10-15 15:18 4805120 ----a-w- c:\windows\system32\drivers\igdkmd32.sys
    2011-11-30 23:58 . 2009-10-15 15:12 536576 ----a-w- c:\windows\system32\igdumdx32.dll
    2011-11-30 23:58 . 2009-10-15 14:41 59392 ----a-w- c:\windows\system32\oemdspif.dll
    2011-11-30 22:09 . 2011-11-30 22:10 -------- d-----w- c:\program files\Microsoft Security Client
    2011-11-30 21:56 . 2008-04-14 04:00 24064 ----a-w- c:\windows\system32\pidgen.dll.wga
    2011-11-30 21:56 . 2008-04-14 04:00 102912 ----a-w- c:\windows\system32\dpcdll.dll.wga
    2011-11-30 21:56 . 2008-04-13 09:11 102912 ----a-w- c:\windows\system32\dllcache\dpcdll.dll
    2011-11-30 21:56 . 2008-04-13 09:11 24064 ----a-w- c:\windows\system32\dllcache\pidgen.dll
    2011-11-30 21:00 . 2011-11-30 21:00 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-11-30 20:19 . 2011-12-02 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-30 20:07 . 2011-11-30 20:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
    2011-11-30 20:07 . 2011-11-30 20:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-11-30 20:03 . 2011-11-30 20:03 -------- d-----w- c:\program files\CCleaner
    2011-11-30 20:02 . 2011-11-30 20:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2011-11-30 20:01 . 2011-11-30 20:02 -------- d-----w- c:\program files\Google
    2011-11-30 19:55 . 2011-11-30 19:55 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
    2011-11-30 19:53 . 2011-11-30 19:53 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2011-11-30 19:52 . 2011-11-30 19:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2011-11-30 19:51 . 2011-08-16 10:45 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
    2011-11-30 19:49 . 2011-08-22 23:48 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-11-30 19:49 . 2011-08-22 23:48 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-11-30 19:49 . 2011-08-22 23:48 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-11-30 01:20 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
    2011-11-30 01:20 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
    2011-11-30 01:20 . 2011-02-08 13:33 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
    2011-11-30 01:20 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2011-11-30 01:20 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2011-11-30 01:19 . 2011-07-15 13:29 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-11-30 01:19 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2011-11-30 01:19 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
    2011-11-30 01:18 . 2011-11-30 01:18 -------- d-----w- c:\program files\Common Files\Java
    2011-11-30 01:15 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2011-11-29 17:03 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2011-11-29 17:00 . 2011-08-17 13:49 138496 ------w- c:\windows\system32\dllcache\afd.sys
    2011-11-29 16:59 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-11-29 16:59 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
    2011-11-29 16:59 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
    2011-11-29 16:51 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-11-29 16:46 . 2011-11-29 16:46 -------- d-----w- c:\program files\Foxit Software
    2011-11-29 16:43 . 2011-11-29 16:43 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-11-29 16:42 . 2011-10-02 21:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-29 16:42 . 2011-10-02 18:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-11-29 16:41 . 2011-11-30 01:17 -------- d-----w- c:\program files\Java
    2011-11-29 16:40 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-11-29 16:40 . 2010-07-12 12:55 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2011-11-29 16:39 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-11-29 16:31 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-29 16:08 . 2011-12-02 18:06 -------- d--h--w- c:\windows\$hf_mig$
    2011-11-29 15:47 . 2011-11-29 15:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2008-11-24 11:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2008-04-14 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 03:41 . 2011-09-26 03:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 03:41 . 2008-04-14 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 03:41 . 2008-04-14 04:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-11-21 04:04 . 2011-11-29 15:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-30 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-22 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-22 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-22 150552]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    R0 THREADACPI;THREAD Firmware Extension Device Driver;c:\windows\system32\drivers\THREADACPI.sys [04/09/2011 13:55 6912]
    R1 MpKsl2e9f8432;MpKsl2e9f8432;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\MpKsl2e9f8432.sys [08/12/2011 00:13 29904]
    R2 KaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\KaraokeSer.exe [01/11/2011 05:04 88688]
    R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [13/10/2011 18:11 1720928]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2011 20:02 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2011 20:02 136176]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [01/11/2011 05:04 2805744]
    S4 ahcix86;ahcix86;c:\windows\system32\drivers\ahci8086.sys [03/06/2008 08:01 176136]
    S4 iaStor5;Intel RAID Controller;c:\windows\system32\drivers\iastor5.sys [23/01/2008 09:20 874624]
    S4 iaStor6;Intel AHCI Controller 6;c:\windows\system32\drivers\iastor6.sys [23/01/2008 09:20 250368]
    S4 iaStor7;Intel AHCI Controller 7;c:\windows\system32\drivers\iastor7.sys [23/01/2008 09:20 308248]
    S4 m5228;m5228;c:\windows\system32\drivers\m5228.sys [23/01/2008 09:20 45069]
    S4 m5281;m5281;c:\windows\system32\drivers\m5281.sys [23/01/2008 09:20 51072]
    S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [23/01/2008 09:20 103680]
    S4 m5288;m5288;c:\windows\system32\drivers\m5288.sys [23/01/2008 09:20 210304]
    S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [23/01/2008 09:20 52480]
    S4 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\si3112r.sys [23/01/2008 09:20 102528]
    S4 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [23/01/2008 09:20 68864]
    S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [23/01/2008 09:20 17968]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL2E9F8432
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-30 20:02]
    .
    2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-30 20:02]
    .
    2011-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-839522115-1957994488-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 17:02]
    .
    2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-839522115-1957994488-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 17:02]
    .
    2011-12-08 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.1112.me
    uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
    uInternet Settings,ProxyServer = 0.0.0.0:80
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9uqldack.default\
    FF - prefs.js: browser.startup.homepage - www.google.ie
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-08 00:23
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-602162358-839522115-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,61,26,1a,e1,b2,91,47,ac,9b,1f,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,61,26,1a,e1,b2,91,47,ac,9b,1f,\
    .
    Completion time: 2011-12-08 00:24:30
    ComboFix-quarantined-files.txt 2011-12-08 00:24
    .
    Pre-Run: 54,816,256,000 bytes free
    Post-Run: 54,875,656,192 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 5F4CE5E712DDBCC78C9D59B55397ACB9
     
  10. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi higgs03,

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *srsvc.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    SystemLook 30.07.11 by jpshortstuff
    Log created at 08:18 on 08/12/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "*srsvc.dll"
    No files found.

    -= EOF =-
     
  12. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi higgs,

    Let's re-run SystemLook....

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      srsvc.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  13. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    SystemLook 30.07.11 by jpshortstuff
    Log created at 20:28 on 08/12/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "srsvc.dll"
    No files found.

    -= EOF =-
     
  14. higgs03

    higgs03 Thread Starter

    Joined:
    Dec 2, 2011
    Messages:
    14
    Internet Explorer seems to be working ok now. The home page is staying the same and when IE is set as default browser and you click on a link in a program it redirects you to the correct page. So not sure if all is ok now????
     
  15. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi higgs,

    No we still have some work to do. :)
    -------------

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      DDS::
      uStart Page = hxxp://www.1112.me
      uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
      uInternet Settings,ProxyServer = 0.0.0.0:80
      TCP: Interfaces\{EC1E7F15-E225-41DE-9167-3AA899ABD015} : DhcpNameServer = 202.96.134.133 202.96.128.166
      
      RegLock::
      [HKEY_USERS\S-1-5-21-602162358-839522115-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
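Added example in Python (not code from the thread, ComboFix or its author): it reads the "Supplementary Scan" and "LOCKED REGISTRY KEYS" sections of a ComboFix log like the one posted above, flags the hijack indicators the CFScript targets (redirected start page, a configured proxy, DNS resolvers outside private ranges), and drafts a DDS::/RegLock:: script in the same layout. The sample log is constructed from the lines quoted in this thread; the home-page allow-list and the "private resolvers only" rule are assumptions made for the example.

```python
"""Flag browser-hijack indicators in a ComboFix log and draft the matching CFScript.

Added example, not code from the thread or from ComboFix. SAMPLE_LOG is
constructed from the entries quoted in this thread; EXPECTED_HOME_HOSTS and the
'private DNS resolvers only' rule are assumptions made for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.1112.me
uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\\{EC1E7F15-E225-41DE-9167-3AA899ABD015} : DhcpNameServer = 202.96.134.133 202.96.128.166
FF - prefs.js: browser.startup.homepage - www.google.ie
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\\S-1-5-21-602162358-839522115-1957994488-500\\Software\\Microsoft\\Internet Explorer\\User Preferences]
@Denied: (2) (Administrator)
.
Completion time: 2011-12-08 00:24:30
"""

# Home pages the owner set on purpose (assumption for this example).
EXPECTED_HOME_HOSTS = {"www.google.ie", "www.google.com"}


def _sections(text):
    """Map each '---- Title ----' header to the non-filler lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^-{3,}\s*([^-].*?)\s*-{3,}$", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line and line != "." and not line.startswith("****"):
            sections[current].append(line)
    return sections


def _host(url):
    """Hostname of a URL as ComboFix prints it (defanged 'hxxp', scheme optional)."""
    url = url.replace("hxxp", "http", 1)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def find_indicators(text):
    """Return (reason, original log line) pairs that deserve a closer look."""
    found = []
    for line in _sections(text).get("Supplementary Scan", []):
        if " = " in line:
            key, value = (s.strip() for s in line.split(" = ", 1))
        elif line.startswith("FF - prefs.js:"):
            key, value = (s.strip() for s in line[14:].rsplit(" - ", 1))
        else:
            continue
        if key.endswith(("Start Page", "browser.startup.homepage")):
            if _host(value) not in EXPECTED_HOME_HOSTS:
                found.append(("unexpected home page", line))
        elif "ProxyServer" in key:
            # XP ships with no proxy set; any value is reviewed (the CFScript clears it).
            found.append(("proxy server configured", line))
        elif key.endswith("DhcpNameServer"):
            resolvers = [ipaddress.ip_address(ip) for ip in value.split()]
            if not all(ip.is_private for ip in resolvers):
                found.append(("DNS resolver outside private ranges", line))
    return found


def locked_keys(text):
    """Registry keys ComboFix reports as locked (access denied to the admin)."""
    lines = _sections(text).get("LOCKED REGISTRY KEYS", [])
    return [line for line in lines if line.startswith("[")]


def build_cfscript(text):
    """Draft a CFScript in the layout used in the thread: DDS:: then RegLock::."""
    out = ["DDS::", *(line for _, line in find_indicators(text)), ""]
    keys = locked_keys(text)
    if keys:
        out += ["RegLock::", *keys, ""]
    return "\n".join(out)
```

Running `build_cfscript(SAMPLE_LOG)` yields a draft covering the start page, proxy and interface-level DNS lines plus the locked key; the expert's script above also resets the ShellNext entry, which this rule set leaves alone, so the draft is a starting point for review rather than a replacement for the specialist's judgement.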
     
Short URL to this thread: https://techguy.org/1029434