1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Redirecting, pop-up spaming, Update blocking, banner hijacking, Url blocking

Discussion in 'Virus & Other Malware Removal' started by 4Leaf, Feb 6, 2009.

Thread Status:
Not open for further replies.
Advertisement
  1. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    I seriously think I got the omega virus or something. I have no idea how things got this badly. I seriously don't even do anything! But somehow I got the nastiest malware I have ever seen.

    This is very nasty stuff. First of all it makes it so every single one of my banners on ANY website all advertise for Viramax (penis augmentation). Second, it makes it so none of my Antivirus programs can update. Third, it spams pop-ups. Fourth, it redirects me when I do google searches. Fifth, it will not even let me go to the download page of some Antivirus/Firewall programs. If I try to download Zone Alarm I can't do it. It just tells me there is a page load error. Oh and Sixth, It will not go away! I have done countless Spybot and Adaware scans and have found myself every five minutes redeleting the same "cookie" infections. They just keep respawning. I have also tried installing several antivirus programs that boot from a thumbdrive. (I updated them before I booted them up on the infected computer) and they deleted several viruses, but that apparantly didn't fix the problem.

    Please help me. I have no idea how this could have happened, and it is a major problem for me. Thank you very much for your time

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:53:46 AM, on 2/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb127\Dealio.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Bryan Willis\Application Data\Dealio\kb127\res\DealioSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
    O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09214DB2-992E-462B-8659-6D51604DE0AA}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{176B03E9-F538-4BF1-AB1B-AC54C18108FA}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{09214DB2-992E-462B-8659-6D51604DE0AA}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS4\Services\Tcpip\..\{09214DB2-992E-462B-8659-6D51604DE0AA}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    --
    End of file - 7744 bytes
     
  2. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    Bump
     
  3. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    ugh bump
     
  4. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    Please, it has been a few days and I am running out of options. I really need a solution to this and have no where left to turn. PLEASE help me out guys! I really need it
     
  5. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    Please? (bump)
     
  6. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    Bump
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please read and follow all these instructions very carefully

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.​
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
     
  8. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    Okay Ran Combofix successfully. It seems to have done some good. Here is the combofix log, and below that is the Hijack log

    ComboFix 09-02-10.03 - Bryan Willis 2009-02-11 12:11:41.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1597 [GMT -5:00]
    Running from: c:\documents and settings\Bryan Willis\Desktop\ComboFix.exe
    AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
    FW: ZoneAlarm Security Suite Firewall *disabled*
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Bryan Willis\Start Menu\Programs\videosoft
    c:\program files\Mozilla Firefox\components\iamfamous.dll
    C:\resycled
    c:\windows\system32\drivers\msqpdxkyvbnree.sys
    c:\windows\system32\drivers\msqpdxuhtapmhs.sys
    c:\windows\system32\drivers\msqpdxxvkkwntt.sys
    c:\windows\system32\msqpdxtkiqqfti.dll
    F:\resycled

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_MSQPDXSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
    .

    2009-02-11 12:08 . 2009-02-11 12:24 1,112,864 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-02-11 12:08 . 2009-02-11 12:20 15,752 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-02-06 01:49 . 2009-02-06 01:49 <DIR> d-------- c:\program files\Trend Micro
    2009-02-03 15:01 . 2009-02-03 15:01 <DIR> d-------- c:\documents and settings\Bryan Willis\Application Data\MailFrontier
    2009-02-03 14:56 . 2009-02-03 14:56 <DIR> d-------- c:\program files\AskBarDis
    2009-02-01 23:59 . 2009-02-02 11:43 1,258 --a------ C:\rollback.ini
    2009-01-30 17:21 . 2009-01-30 17:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2009-01-30 17:21 . 2008-11-13 15:18 73,104 --a------ c:\windows\zllsputility.exe
    2009-01-30 17:21 . 2009-02-03 15:01 4,212 --ah----- c:\windows\system32\zllictbl.dat
    2009-01-30 17:20 . 2009-02-11 12:11 <DIR> d-------- c:\windows\system32\ZoneLabs
    2009-01-30 17:20 . 2009-01-30 17:20 <DIR> d-------- c:\program files\Zone Labs
    2009-01-30 17:20 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
    2009-01-30 17:20 . 2009-02-11 12:22 348,389 --a------ c:\windows\system32\vsconfig.xml
    2009-01-30 17:16 . 2009-02-11 12:16 <DIR> d-------- c:\windows\Internet Logs
    2009-01-28 17:43 . 2009-01-18 16:35 15,688 --a------ c:\windows\system32\lsdelete.exe
    2009-01-28 17:33 . 2009-01-28 17:33 <DIR> d-------- c:\program files\Lavasoft
    2009-01-28 17:33 . 2009-01-28 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-28 17:33 . 2009-01-28 17:33 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
    2009-01-28 17:33 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
    2009-01-22 13:06 . 2009-01-22 13:06 <DIR> d-------- c:\documents and settings\Bryan Willis\Application Data\Sibelius Software
    2009-01-22 13:05 . 2009-01-22 13:05 <DIR> d-------- c:\program files\Sibelius Software
    2009-01-13 16:41 . 2009-01-13 16:41 1,488 --a------ c:\windows\ipconfig.dat
    2009-01-13 16:38 . 2009-01-13 16:38 1,487 --a------ c:\windows\checkip.dat
    2009-01-13 10:03 . 2009-01-28 17:36 268 --ah----- C:\sqmdata19.sqm
    2009-01-13 10:03 . 2009-01-28 17:36 244 --ah----- C:\sqmnoopt19.sqm
    2009-01-11 20:59 . 2004-08-03 20:07 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-11 17:22 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\WTablet
    2009-02-11 17:03 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\foobar2000
    2009-02-11 16:50 --------- d-----w c:\program files\Trillian
    2009-02-09 19:17 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
    2009-02-05 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-01-28 20:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-22 18:20 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\Azureus
    2009-01-13 22:54 --------- d-----w c:\program files\StepMania
    2009-01-06 17:21 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\ArcSoft
    2009-01-06 17:20 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\Canon
    2008-12-31 08:04 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
    2008-12-31 08:01 --------- d-----w c:\program files\MSN Messenger
    2008-12-31 07:57 --------- d-----w c:\program files\Webroot
    2008-12-31 07:57 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\Webroot
    2008-12-31 07:10 --------- d-----w c:\program files\Common Files\AOL
    2008-12-31 07:10 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\Search Settings
    2008-12-31 06:28 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
    2008-12-31 06:27 --------- d-----w c:\program files\Common Files\Software Update Utility
    2008-12-31 06:27 --------- d-----w c:\program files\AIM Search
    2008-12-31 06:26 --------- d-----w c:\program files\Viewpoint
    2008-12-31 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
    2008-12-31 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
    2008-12-31 05:21 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2008-12-29 18:55 --------- d-----w c:\program files\Search Settings
    2008-12-29 18:55 --------- d-----w c:\program files\Dealio
    2008-12-29 18:55 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\Dealio
    2008-12-25 18:08 --------- d-----w c:\program files\Yugioh Virtual Dueling
    2008-12-23 10:25 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
    2008-12-22 02:32 --------- d-----w c:\program files\Canon
    2008-12-22 02:30 --------- d-----w c:\program files\Common Files\ScanSoft Shared
    2008-12-22 02:30 --------- d-----w c:\program files\Common Files\InstallShield
    2008-12-22 02:30 --------- d-----w c:\documents and settings\Bryan Willis\Application Data\ScanSoft
    2008-12-22 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
    2008-12-22 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
    2008-12-22 02:29 --------- d-----w c:\program files\ScanSoft
    2008-12-22 02:26 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-22 02:26 --------- d-----w c:\program files\ArcSoft
    2008-12-22 02:25 --------- d-----w c:\program files\Common Files\CANON
    2008-12-22 02:23 --------- d--h--w c:\program files\CanonBJ
    2008-12-11 07:00 --------- d-----w c:\program files\The Rosetta Stone
    2008-11-13 22:11 1,553,272 ----a-w c:\windows\WRSetup.dll
    2008-11-12 05:16 315,392 ----a-w c:\windows\HideWin.exe
    2008-09-10 18:49 5,817,064 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"= "c:\program files\Search Settings\kb127\SearchSettings.dll" [2008-06-12 1111904]

    [HKEY_CLASSES_ROOT\clsid\{e312764e-7706-43f1-8dab-fcdd2b1e416d}]
    [HKEY_CLASSES_ROOT\SearchSettings.BHO.1]
    [HKEY_CLASSES_ROOT\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}]
    [HKEY_CLASSES_ROOT\SearchSettings.BHO]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-10-16 18:22 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
    2008-06-12 16:57 1111904 --a------ c:\program files\Search Settings\kb127\SearchSettings.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-16 8478720]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-16 81920]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    --a------ 2007-05-14 20:01 644696 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    --a------ 2008-08-08 07:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2007-02-04 12:02 79400 c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
    --a------ 2006-11-22 20:31 630784 c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-07-07 09:42 2156368 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-11-30 02:39 136600 c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    --a------ 2005-05-03 21:43 69632 c:\windows\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-08-16 16:19 1626112 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2007-10-25 14:57 16855552 c:\windows\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Yugioh Virtual Dueling\\Yugioh Virtual Desktop 9.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-28 64160]
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-02-03 464264]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-31 24652]
    R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-12-31 1086840]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
    S3 CapFilt;CapFilt;c:\windows\system32\drivers\CapFilt.sys [2008-11-13 18048]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e02ca9b1-c611-11dd-a614-001fc682ad83}]
    \Shell\AutoRun\command - setupSNK.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:34]

    2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Compare Prices with &Dealio - c:\documents and settings\Bryan Willis\Application Data\Dealio\kb127\res\DealioSearch.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {09214DB2-992E-462B-8659-6D51604DE0AA} = 208.67.220.220,208.67.222.222
    TCP: {176B03E9-F538-4BF1-AB1B-AC54C18108FA} = 208.67.220.220,208.67.222.222
    FF - ProfilePath - c:\documents and settings\Bryan Willis\Application Data\Mozilla\Firefox\Profiles\mskh5kjw.default\
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-11 12:24:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\WTablet\TabUserW.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-11 12:28:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-02-11 17:28:08

    Pre-Run: 94,810,083,328 bytes free
    Post-Run: 95,155,126,272 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    242 --- E O F --- 2008-12-31 07:29:15








    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:36:22 PM, on 2/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb127\Dealio.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Bryan Willis\Application Data\Dealio\kb127\res\DealioSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
    O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09214DB2-992E-462B-8659-6D51604DE0AA}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{176B03E9-F538-4BF1-AB1B-AC54C18108FA}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{09214DB2-992E-462B-8659-6D51604DE0AA}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS4\Services\Tcpip\..\{09214DB2-992E-462B-8659-6D51604DE0AA}: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    --
    End of file - 7811 bytes
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    how is it now

    if OK

    *Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
    * Click *START* then *RUN*
    * Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.
    [​IMG]


    then
    Turn off system restore by following instructions here
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point. Now Empty Recycle bin on desktop

    go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer and update whatever it suggests

    Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place
     
  10. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    It seems to be running better than it was before. Some of the main problems are gone. I don't get redirected anymore. And I can now update my antivirus programs, however when I performed a Scan I found some spyware on my computer still lurking. It isn't making life too much of a living hell for me, but nonetheless it will not go away. So, the main problems are fixed, but there are still some pieces of spyware lurking
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    what spyware is found & what is finding it
     
  12. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    Ad-Aware.

    It found 18 Total infections of spyware classified as "Cookies"

    Tribalfusion
    adyieldmanager
    adbureau
    zedo
    questionmarket
    adbrite
    fastclick
    real
    realmedia
    2o7
    adultfriendfinder
    specificclick
    kontera
    overture
    atdmt
    estat
    satcounter
    doubleclick
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    that isn't spyware & is harmless

    any website you visit drops cookies on your computer and some antispyware over inflate the dangers of them

    they are a privacy implication not a danger , just let the antispyware deal with them & they will continually occur
     
  14. 4Leaf

    4Leaf Thread Starter

    Joined:
    Feb 6, 2009
    Messages:
    15
    Okay thank you for your help. I think we are all finished here.
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/798002

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice