Google Redirect + Fake svchost.exe Keeps Coming back [Closed]

This topic is locked

#31 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Still being redirected?

If so, do this:

Download ComboFix from one of these locations:

Link 1


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
#32 Stan228 (Member, Topic Starter, 22 posts)
Yeah, still had re-direct before running this. Not sure now.

ComboFix 09-12-16.02 - Dean Wallace 12/16/2009 16:42:34.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2122 [GMT -8:00]
Running from: c:\users\Dean Wallace\Desktop\KittyFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3034627068-3489764445-2694749426-500
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-17 00:39 . 2009-12-17 00:39 -------- d-----w- C:\32788R22FWJFW
2009-12-16 19:56 . 2009-12-16 19:56 191272 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-14 01:03 . 2009-12-14 01:55 -------- d-----w- c:\users\Dean Wallace\DoctorWeb
2009-12-13 22:55 . 2009-12-13 22:55 304920 ----a-w- c:\windows\system32\drivers\tsk_iastor.sys
2009-12-13 12:20 . 2009-12-13 12:20 132096 --sha-r- c:\windows\system32\IDStorea.dll
2009-12-12 01:07 . 2009-12-13 01:09 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-11 09:12 . 2009-12-11 09:12 -------- d-----w- c:\program files\Warp Pipe
2009-12-10 08:55 . 2009-12-10 08:55 -------- d-----w- c:\users\Dean Wallace\AppData\Local\Opera
2009-12-10 08:55 . 2009-12-10 08:55 -------- d-----w- c:\program files\Opera
2009-12-10 08:30 . 2009-12-10 08:30 -------- d-----w- c:\program files\Trend Micro
2009-12-10 01:28 . 2009-12-10 07:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-10 01:28 . 2009-12-10 01:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-10 00:26 . 2009-12-10 00:26 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\Malwarebytes
2009-12-10 00:26 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 00:26 . 2009-12-10 00:26 -------- d-----w- c:\programdata\Malwarebytes
2009-12-10 00:25 . 2009-12-15 12:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-10 00:25 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 08:18 . 2009-12-09 08:18 -------- d-----w- c:\users\Dean Wallace\AppData\Local\ElevatedDiagnostics
2009-11-26 06:14 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-19 09:27 . 2009-11-19 09:49 -------- d-----w- c:\program files\Dell Photo AIO Printer 922
2009-11-19 09:27 . 2009-12-11 09:13 -------- d-----w- C:\Temp
2009-11-19 09:27 . 2009-11-19 10:04 -------- d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-11-19 09:26 . 2009-11-19 09:26 -------- d-----w- C:\Dell922
2009-11-19 09:17 . 2009-11-19 09:17 -------- d-----w- c:\windows\system32\Spool\prtprocs\w32x86\9
2009-11-19 08:59 . 2009-11-19 08:59 -------- d--h--w- c:\programdata\CanonBJ
2009-11-17 18:38 . 2008-04-03 13:00 198656 ----a-w- c:\windows\system32\CNMLM81.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-17 00:59 . 2009-02-10 06:35 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\DNA
2009-12-17 00:59 . 2009-02-10 06:35 -------- d-----w- c:\program files\DNA
2009-12-16 19:50 . 2009-08-04 16:57 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-13 12:01 . 2009-12-13 12:01 682241 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{B65FD14D-4B1C-BBBA-98D5-16DB2A931011}-setup.exe
2009-12-13 11:50 . 2008-05-07 07:24 -------- d-----w- c:\programdata\Lavasoft
2009-12-13 10:23 . 2009-10-08 05:31 195376 ----a-w- c:\programdata\nvModes.dat
2009-12-13 01:14 . 2009-12-13 01:14 470785 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{F2C86A9F-802B-7831-8A41-E5EFD88B7161}-avcenter.exe
2009-12-12 03:09 . 2009-02-24 04:59 -------- d-----w- c:\program files\Sophos
2009-12-12 01:28 . 2008-03-11 19:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-11 08:03 . 2009-12-11 08:03 439816 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-10 09:55 . 2009-03-02 02:45 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\IGN_DLM
2009-12-09 01:11 . 2008-03-18 23:40 -------- d-----w- c:\programdata\Microsoft Help
2009-11-30 06:52 . 2009-10-15 21:31 143976 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\uninstall.exe
2009-11-30 06:51 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-11-30 06:51 . 2008-04-09 00:38 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\Move Networks
2009-11-19 09:54 . 2009-04-22 02:55 -------- d-----w- c:\program files\dl_Cats
2009-11-17 22:01 . 2009-04-24 03:51 -------- d-----w- c:\programdata\Stanford
2009-11-17 18:30 . 2009-11-17 18:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-11 08:28 . 2009-11-11 08:28 247280 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-11-10 05:33 . 2009-11-10 05:33 -------- d-----w- c:\programdata\SupportSoft
2009-11-10 05:33 . 2009-11-10 05:33 -------- d-----w- c:\program files\Comcast
2009-11-10 05:33 . 2009-01-09 06:33 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-11-03 04:42 . 2009-10-03 00:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-27 03:01 . 2008-04-29 01:35 -------- d-----w- c:\program files\Google
2009-10-21 22:51 . 2008-03-11 19:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-19 14:42 . 2009-10-19 14:42 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\vlc
2009-10-15 21:31 . 2009-06-16 06:35 4183416 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-08 05:51 . 2009-10-08 05:51 110048 ----a-w- c:\users\Dean Wallace\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-08 05:36 . 2009-10-08 05:36 65536 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Microsoft\Windows\.autobahn\libwin32proxyconfig.dll
2009-10-08 05:13 . 2009-10-08 05:13 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-02 04:06 . 2009-10-15 21:21 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-26 23:16 . 2009-09-26 23:16 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-12 323392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"Google Update"="c:\users\Dean Wallace\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-08-30 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-03 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-03 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-09-03 96800]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-06 144792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-09 198160]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

c:\users\Dean Wallace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - c:\users\Dean Wallace\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe [2009-4-1 801032]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 23:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [2/26/2009 5:58 PM 93192]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/13/2009 3:52 PM 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [10/7/2009 8:35 PM 73728]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/5/2009 3:22 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 1:36 AM 98304]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\System32\drivers\vwifimp.sys [7/13/2009 3:52 PM 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [7/13/2009 2:02 PM 311296]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [3/11/2008 7:13 PM 209408]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [2/26/2009 5:58 PM 20288]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Dean Wallace\AppData\Roaming\Mozilla\Firefox\Profiles\5vfeu3m5.default\
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\Dean Wallace\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-igndlm.exe - c:\program files\Download Manager\DLM.exe
AddRemove-Download Manager - c:\program files\Download Manager\uninst.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Dean Wallace\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
AddRemove-{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk - c:\users\Dean Wallace\AppData\Roaming\Google\Google Talk\uninstall.exe
AddRemove-{ECCA8FE7-767A-4C8A-9DAA-BAB60F877C41} - c:\users\Dean Wallace\AppData\Local\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4BAF.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(520)
c:\windows\system32\psqlpwd.DLL
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(2424)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\users\Dean Wallace\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2009-12-16 17:04:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-17 01:04

Pre-Run: 103,327,219,712 bytes free
Post-Run: 103,163,883,520 bytes free

- - End Of File - - 96074DC62FAE5128E69ABCC1E71EE573

#33 Stan228 (Member, Topic Starter, 22 posts)
Yeah, still there.

#34 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hi


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\mlfcache.dat
c:\windows\system32\IDStorea.dll

Mia::
c:\windows\system32\drivers\iastor.sys

DirLook::
c:\windows\system32\Spool\prtprocs\w32x86\9
KillAll::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
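The log in post #32 and the CFScript in post #34 show the triage a helper does by eye: scan the "Files Created" list for files dropped into the Windows directory with hidden or system attributes, and read the policies\system block for UAC values set to 0. The script below is an added example (not ComboFix code and not code from this thread) that does that pass over a ComboFix-style log. SAMPLE_LOG is copied from the log posted above; the regexes, the reading of the attribute letters (d=directory, s=system, h=hidden, a=archive, r=read-only, w=writable), the choice of c:\windows\ as the directory to watch and the set of UAC values treated as weak are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example: a triage helper for ComboFix-style logs.  Not ComboFix code
# and not code from the thread.  SAMPLE_LOG is copied from the posted log;
# the regexes, the attribute-letter reading, the watched directory prefix
# and the list of "weak" UAC values are assumptions for illustration.

# File-listing line:  <created> . <modified> <size|--------> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>\S.*)$"
)
# Attribute letters as printed in the log (assumed meaning):
# d=directory, s=system, h=hidden, a=archive, r=read-only, w=writable.
POLICY_LINE = re.compile(r'^"(?P<name>[^"]+)"= (?P<value>\d+)')
APPINIT_LINE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')

# A new hidden/system file under this prefix deserves a look (assumption).
SENSITIVE_PREFIX = "c:\\windows\\"

# UAC policy values that, at 0, switch the prompt protection off.
WEAK_UAC = {
    "EnableLUA": "UAC disabled",
    "ConsentPromptBehaviorAdmin": "administrators elevate without a prompt",
    "PromptOnSecureDesktop": "prompts not shown on the secure desktop",
}


@dataclass
class Entry:
    created: str
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs


def parse_entries(log: str) -> list:
    """Pull every file/directory line out of the log, whatever section it is in."""
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["created"], size, m["attrs"], m["path"]))
    return entries


def suspicious_files(entries: list) -> list:
    """Regular files under the watched prefix that carry hidden/system attributes."""
    return [e.path for e in entries
            if not e.is_dir
            and e.path.lower().startswith(SENSITIVE_PREFIX)
            and e.hidden_or_system]


def weak_uac_settings(log: str) -> dict:
    """Map each UAC value that is 0 in the policies\\system block to a reason."""
    found, in_block = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_block = line.lower().endswith("policies\\system]")
            continue
        m = POLICY_LINE.match(line) if in_block else None
        if m and m["name"] in WEAK_UAC and int(m["value"]) == 0:
            found[m["name"]] = WEAK_UAC[m["name"]]
    return found


def appinit_dlls(log: str) -> list:
    """DLLs in AppInit_DLLs (loaded into every process that loads user32.dll)."""
    for line in log.splitlines():
        m = APPINIT_LINE.match(line.strip())
        if m:
            return [p for p in re.split(r"[ ,]+", m["value"].strip()) if p]
    return []


# Lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
2009-12-17 00:39 . 2009-12-17 00:39 -------- d-----w- C:\32788R22FWJFW
2009-12-16 19:56 . 2009-12-16 19:56 191272 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-13 22:55 . 2009-12-13 22:55 304920 ----a-w- c:\windows\system32\drivers\tsk_iastor.sys
2009-12-13 12:20 . 2009-12-13 12:20 132096 --sha-r- c:\windows\system32\IDStorea.dll
2009-12-12 01:07 . 2009-12-13 01:09 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-26 06:14 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
"""


def triage(log: str) -> dict:
    entries = parse_entries(log)
    return {"files_to_review": suspicious_files(entries),
            "weak_uac": weak_uac_settings(log),
            "appinit_dlls": appinit_dlls(log)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the file pass returns exactly the two files the helper's File:: directive above targets (mlfcache.dat and IDStorea.dll); the other new files under system32 carry plain archive attributes and are not reported. The UAC pass reports EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, which together mean that anything running as this administrator elevated silently. The AppInit_DLLs hit is Sophos's own hook DLL, which is why that function is labelled review rather than verdict: the check tells you where code gets injected into every process, not whether the injected code is hostile. The same caveat applies to the attribute check, since legitimate files (the font cache in c:\windows\Fonts in the Find3M section, for instance) also carry hidden and system attributes; a hit is the place to start with a hash lookup or a quarantine, not a conclusion.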

#35 Stan228 (Member, Topic Starter, 22 posts)
Sorry for the long time between posts, it's a busy time of year. Here is the combofix log (after doing what you said in the last post):

ComboFix 09-12-16.02 - Dean Wallace 12/17/2009 15:55:04.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2154 [GMT -8:00]
Running from: c:\users\Dean Wallace\Desktop\KittyFix.exe
Command switches used :: c:\users\Dean Wallace\Desktop\CFScript.txt.txt

FILE ::
"c:\windows\system32\IDStorea.dll"
"c:\windows\system32\mlfcache.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\IDStorea.dll
c:\windows\system32\mlfcache.dat

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.

2009-12-18 00:02 . 2009-12-18 00:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-18 00:02 . 2009-12-18 00:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-17 23:50 . 2009-12-17 23:52 -------- d-----w- C:\32788R22FWJFW
2009-12-14 01:03 . 2009-12-14 01:55 -------- d-----w- c:\users\Dean Wallace\DoctorWeb
2009-12-13 22:55 . 2009-12-13 22:55 304920 ----a-w- c:\windows\system32\drivers\tsk_iastor.sys
2009-12-12 01:07 . 2009-12-13 01:09 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-11 09:12 . 2009-12-11 09:12 -------- d-----w- c:\program files\Warp Pipe
2009-12-10 08:55 . 2009-12-10 08:55 -------- d-----w- c:\users\Dean Wallace\AppData\Local\Opera
2009-12-10 08:55 . 2009-12-10 08:55 -------- d-----w- c:\program files\Opera
2009-12-10 08:30 . 2009-12-10 08:30 -------- d-----w- c:\program files\Trend Micro
2009-12-10 01:28 . 2009-12-10 07:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-10 01:28 . 2009-12-10 01:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-10 00:26 . 2009-12-10 00:26 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\Malwarebytes
2009-12-10 00:26 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 00:26 . 2009-12-10 00:26 -------- d-----w- c:\programdata\Malwarebytes
2009-12-10 00:25 . 2009-12-15 12:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-10 00:25 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 08:18 . 2009-12-09 08:18 -------- d-----w- c:\users\Dean Wallace\AppData\Local\ElevatedDiagnostics
2009-11-26 06:14 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-19 09:27 . 2009-11-19 09:49 -------- d-----w- c:\program files\Dell Photo AIO Printer 922
2009-11-19 09:27 . 2009-12-11 09:13 -------- d-----w- C:\Temp
2009-11-19 09:27 . 2009-11-19 10:04 -------- d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-11-19 09:26 . 2009-11-19 09:26 -------- d-----w- C:\Dell922
2009-11-19 09:17 . 2009-11-19 09:17 -------- d-----w- c:\windows\system32\Spool\prtprocs\w32x86\9
2009-11-19 08:59 . 2009-11-19 08:59 -------- d--h--w- c:\programdata\CanonBJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 00:04 . 2009-02-10 06:35 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\DNA
2009-12-18 00:04 . 2009-02-10 06:35 -------- d-----w- c:\program files\DNA
2009-12-16 19:50 . 2009-08-04 16:57 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-13 12:01 . 2009-12-13 12:01 682241 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{B65FD14D-4B1C-BBBA-98D5-16DB2A931011}-setup.exe
2009-12-13 11:50 . 2008-05-07 07:24 -------- d-----w- c:\programdata\Lavasoft
2009-12-13 10:23 . 2009-10-08 05:31 195376 ----a-w- c:\programdata\nvModes.dat
2009-12-13 01:14 . 2009-12-13 01:14 470785 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{F2C86A9F-802B-7831-8A41-E5EFD88B7161}-avcenter.exe
2009-12-12 03:09 . 2009-02-24 04:59 -------- d-----w- c:\program files\Sophos
2009-12-12 01:28 . 2008-03-11 19:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-11 08:03 . 2009-12-11 08:03 439816 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-10 09:55 . 2009-03-02 02:45 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\IGN_DLM
2009-12-09 01:11 . 2008-03-18 23:40 -------- d-----w- c:\programdata\Microsoft Help
2009-11-30 06:52 . 2009-10-15 21:31 143976 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\uninstall.exe
2009-11-30 06:51 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-11-30 06:51 . 2008-04-09 00:38 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\Move Networks
2009-11-19 09:54 . 2009-04-22 02:55 -------- d-----w- c:\program files\dl_Cats
2009-11-17 22:01 . 2009-04-24 03:51 -------- d-----w- c:\programdata\Stanford
2009-11-17 18:30 . 2009-11-17 18:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-11 08:28 . 2009-11-11 08:28 247280 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-11-10 05:33 . 2009-11-10 05:33 -------- d-----w- c:\programdata\SupportSoft
2009-11-10 05:33 . 2009-11-10 05:33 -------- d-----w- c:\program files\Comcast
2009-11-10 05:33 . 2009-01-09 06:33 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-11-03 04:42 . 2009-10-03 00:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-27 03:01 . 2008-04-29 01:35 -------- d-----w- c:\program files\Google
2009-10-21 22:51 . 2008-03-11 19:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-19 14:42 . 2009-10-19 14:42 -------- d-----w- c:\users\Dean Wallace\AppData\Roaming\vlc
2009-10-15 21:31 . 2009-06-16 06:35 4183416 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-08 05:51 . 2009-10-08 05:51 110048 ----a-w- c:\users\Dean Wallace\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-08 05:36 . 2009-10-08 05:36 65536 ----a-w- c:\users\Dean Wallace\AppData\Roaming\Microsoft\Windows\.autobahn\libwin32proxyconfig.dll
2009-10-08 05:13 . 2009-10-08 05:13 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-02 04:06 . 2009-10-15 21:21 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-26 23:16 . 2009-09-26 23:16 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\Spool\prtprocs\w32x86\9 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-12 323392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"Google Update"="c:\users\Dean Wallace\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-08-30 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-03 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-03 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-09-03 96800]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-06 144792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-09 198160]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

c:\users\Dean Wallace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - c:\users\Dean Wallace\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe [2009-4-1 801032]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 23:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [2/26/2009 5:58 PM 93192]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/13/2009 3:52 PM 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [10/7/2009 8:35 PM 73728]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/5/2009 3:22 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 1:36 AM 98304]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\System32\drivers\vwifimp.sys [7/13/2009 3:52 PM 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [7/13/2009 2:02 PM 311296]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [3/11/2008 7:13 PM 209408]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [2/26/2009 5:58 PM 20288]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Dean Wallace\AppData\Roaming\Mozilla\Firefox\Profiles\5vfeu3m5.default\
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\Dean Wallace\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\users\Dean Wallace\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4BAF.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(516)
c:\windows\system32\psqlpwd.DLL
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(2720)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\users\Dean Wallace\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2009-12-17 16:10:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-18 00:10
ComboFix2.txt 2009-12-17 01:04

Pre-Run: 103,227,580,416 bytes free
Post-Run: 103,163,625,472 bytes free

- - End Of File - - 9B94745B8F8C55DDAF119E6365D9C021

#36
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
hi

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    c:\windows\system32\Spool\prtprocs\w32x86\9
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Update MBAM, run a quick scan, and post that log.

And tell me how it's running.

#37
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.