Google Redirect Virus via Adobe Acrobat [Solved]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Google Redirect Virus via Adobe Acrobat [Solved]

Options

jeevesthestag View Member Profile	Apr 25 2009, 05:03 PM Post #1
New Member Posts: 6 OS: Vista	Hi, I downloaded a dodgy version of Acrobat and I have got some sort of virus (serves me right!) that creates a fake Google search page. It also creates loads of pop ups and places inappropriate adverts on legit websites. I'm a computer novice but I've spent the day reading various forums to try to get tyo the bottom of this. I have created a hijackthis report as below: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:48:31, on 25/04/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18226) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Google\Quick Search Box\qsb.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Kontiki\KHost.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Windows\ehome\ehtray.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Jamie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YATS4SNT\KillBox[1].exe C:\Windows\system32\NOTEPAD.EXE C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\DllHost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\qsb.exe" /autorun O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O17 - HKLM\System\CCS\Services\Tcpip\..\{210481C6-A77D-49D2-8C05-B713E04129CA}: NameServer = 85.255.112.62,85.255.112.231 O17 - HKLM\System\CCS\Services\Tcpip\..\{D5AF55DA-CE2B-439F-A27F-79E03DAB4404}: NameServer = 85.255.112.62,85.255.112.231 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.62,85.255.112.231 O17 - HKLM\System\CS1\Services\Tcpip\..\{210481C6-A77D-49D2-8C05-B713E04129CA}: NameServer = 85.255.112.62,85.255.112.231 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.62,85.255.112.231 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Update Service (gupdate1c9b058adbbd425) (gupdate1c9b058adbbd425) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- End of file - 7358 bytes Please could someone have a look at this. Any suggestions for sorting the problem would be greatly appreciated. Thanks

Rorschach112 View Member Profile	Apr 26 2009, 12:17 PM Post #2
GeekU Teacher Posts: 43,117 From: Dublin OS: XP	hello Download ComboFix from one of these locations: Link 1 Link 2 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on. Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** log in your next reply.

jeevesthestag View Member Profile	Apr 28 2009, 10:45 AM Post #3
New Member Posts: 6 OS: Vista	Thanks so much for the information. I've briefly tried Google and it seems to be working properly now, however sometimes the pop ups and re-directed pages don't come up first time. I'll keep you posted. Here's what the report has said. ComboFix 09-04-27.04 - Jamie 28/04/2009 17:30.1 - NTFSx86 Microsoft� Windows Vista� Home Premium 6.0.6001.1.1252.44.1033.18.1917.1423 [GMT 1:00] Running from: c:\users\Jamie\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf c:\recycler\S-1-0-88-100012757-100013902-100022762-9399.com c:\windows\system32\deposit.dll c:\windows\system32\drivers\gxvxceqqvsfuxiqctnfmoqbkipswxvnwspxgc.sys c:\windows\system32\gxvxccounter c:\windows\system32\gxvxcgvbnetpxhixibbbxwvdelbomywoxtdhe.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_GXVXCSERV.SYS -------\Service_GXVXCSERV.SYS ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 ))))))))))))))))))))))))))))))) . 2009-04-27 16:06 . 2009-04-27 16:06 -------- d-----w c:\users\Jamie\AppData\Local\Apple 2009-04-25 23:19 . 2009-04-25 23:19 -------- d-----w C:\Rooter$ 2009-04-25 23:13 . 2009-04-27 16:14 -------- d-----w c:\users\Jamie\AppData\Local\Adobe 2009-04-25 23:08 . 2009-04-25 23:08 -------- d-----w c:\program files\ERUNT 2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\program files\Trend Micro 2009-04-25 22:17 . 2009-04-25 22:17 -------- d-----w C:\!KillBox 2009-04-25 22:16 . 2009-04-25 22:16 -------- d-----w c:\users\Jamie\AppData\Roaming\Yahoo! 2009-04-25 22:16 . 2009-04-25 22:21 -------- d-----w c:\programdata\Yahoo! Companion 2009-04-25 22:16 . 2009-04-25 22:21 -------- d-----w c:\users\All Users\Yahoo! Companion 2009-04-25 22:16 . 2009-04-25 22:16 -------- d-----w c:\program files\Yahoo! 2009-04-25 22:16 . 2009-04-25 22:16 -------- d-----w c:\program files\CCleaner 2009-04-25 22:01 . 2009-04-25 22:01 -------- d-----w c:\users\Jamie\Livestation 2009-04-25 21:53 . 2009-04-25 21:53 -------- d-----w c:\program files\STOPzilla! 2009-04-25 18:39 . 2009-04-25 18:39 680 ----a-w c:\users\Anne-Marie\AppData\Local\d3d9caps.dat 2009-04-25 17:48 . 2008-11-06 01:03 -------- d-----w C:\SDFix 2009-04-25 09:41 . 2009-04-25 09:41 -------- d-----w c:\program files\HeroCodec 2009-04-24 21:28 . 2009-04-24 21:28 75264 ----a-w c:\windows\cadkasdeinst01e.exe 2009-04-24 21:11 . 2009-04-24 21:11 -------- d-----w c:\users\Jamie\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 2009-04-24 17:26 . 2009-04-24 17:26 -------- d-----w c:\users\Anne-Marie\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1 2009-04-24 17:26 . 2009-04-24 17:26 -------- d-----w c:\program files\BBC iPlayer Desktop 2009-04-17 12:39 . 2009-04-17 12:41 -------- d-----w c:\users\Jamie\AppData\Roaming\Spotify 2009-04-17 12:39 . 2009-04-17 12:40 -------- d-----w c:\users\Jamie\AppData\Local\Spotify 2009-04-17 12:39 . 2009-04-17 12:39 -------- d-----w c:\program files\Spotify 2009-04-14 16:08 . 2009-04-28 16:02 -------- d--h--w C:\$AVG8.VAULT$ 2009-04-13 17:28 . 2008-04-17 11:12 107368 ----a-w c:\windows\system32\GEARAspi.dll 2009-04-13 17:28 . 2009-03-19 15:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-04-13 17:28 . 2009-04-13 17:28 -------- d-----w c:\program files\iPod 2009-04-13 17:28 . 2009-04-13 17:28 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-06 15:16 . 2009-04-06 15:16 -------- d-----w c:\programdata\Apple 2009-04-06 15:16 . 2009-04-06 15:16 -------- d-----w c:\users\All Users\Apple 2009-04-05 16:07 . 2009-04-05 16:07 -------- d-----w c:\program files\SopCast 2009-04-05 13:20 . 2009-04-05 13:20 -------- d-----w c:\users\Jamie\AppData\Roaming\Livestation 2009-04-05 13:20 . 2009-04-05 13:20 -------- d-----w c:\users\Jamie\AppData\Roaming\Mchid 2009-04-05 13:20 . 2009-04-05 13:20 -------- d-----w c:\program files\OpenAL 2009-04-05 13:20 . 2009-04-05 13:20 413696 ----a-w c:\windows\system32\wrap_oal.dll 2009-04-05 13:20 . 2009-04-05 13:20 110592 ----a-w c:\windows\system32\OpenAL32.dll 2009-04-03 17:41 . 2009-04-03 17:43 -------- d-----w c:\users\Anne-Marie\AppData\Local\Google 2009-03-31 03:35 . 2008-04-12 03:32 784896 ----a-w c:\windows\system32\rpcrt4.dll 2009-03-31 03:35 . 2008-04-26 08:26 891448 ----a-w c:\windows\system32\drivers\tcpip.sys 2009-03-31 03:35 . 2008-04-05 01:21 72192 ----a-w c:\windows\system32\drivers\pacer.sys 2009-03-31 03:35 . 2008-04-05 03:34 15360 ----a-w c:\windows\system32\pacerprf.dll 2009-03-31 03:34 . 2008-09-18 04:56 147456 ----a-w c:\windows\system32\Faultrep.dll 2009-03-31 03:34 . 2008-09-18 04:56 125952 ----a-w c:\windows\system32\wersvc.dll 2009-03-31 03:34 . 2008-06-26 03:29 565248 ----a-w c:\windows\system32\emdmgmt.dll 2009-03-31 03:34 . 2008-08-02 01:01 625152 ----a-w c:\windows\system32\drivers\dxgkrnl.sys 2009-03-31 03:34 . 2008-06-26 03:29 45056 ----a-w c:\windows\system32\dataclen.dll 2009-03-31 03:34 . 2008-05-20 02:07 148480 ----a-w c:\windows\system32\drivers\nwifi.sys 2009-03-31 03:34 . 2008-08-02 03:26 36864 ----a-w c:\windows\system32\cdd.dll 2009-03-31 03:33 . 2008-05-08 21:59 430080 ----a-w c:\windows\system32\vbscript.dll 2009-03-31 03:33 . 2008-05-08 21:59 90112 ----a-w c:\windows\system32\wshext.dll 2009-03-31 03:33 . 2008-05-08 21:59 155648 ----a-w c:\windows\system32\wscript.exe 2009-03-31 03:33 . 2008-05-08 21:58 135168 ----a-w c:\windows\system32\cscript.exe 2009-03-31 03:33 . 2008-05-08 21:59 180224 ----a-w c:\windows\system32\scrobj.dll 2009-03-31 03:33 . 2008-05-08 21:59 172032 ----a-w c:\windows\system32\scrrun.dll 2009-03-30 15:51 . 2009-03-30 15:51 -------- d-----w C:\PerfLogs . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-28 16:36 . 2009-04-25 18:00 4838 ----a-w c:\windows\system32\PerfStringBackup.TMP 2009-04-24 17:26 . 2009-03-28 18:18 -------- d-----w c:\program files\Common Files\Adobe AIR 2009-04-18 02:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail 2009-04-13 17:28 . 2009-04-13 17:28 -------- d-----w c:\program files\iTunes 2009-04-13 17:28 . 2009-04-06 15:16 -------- d-----w c:\program files\Common Files\Apple 2009-04-12 12:40 . 2009-03-13 16:59 -------- d-----w c:\program files\Kontiki 2009-04-07 21:00 . 2009-04-07 21:00 -------- d-----w c:\program files\Chama Digital Media 2009-04-06 15:20 . 2009-04-06 15:20 -------- d-----w c:\program files\Bonjour 2009-04-06 15:19 . 2009-04-06 15:19 -------- d-----w c:\program files\QuickTime 2009-04-06 15:18 . 2009-04-06 15:18 -------- d-----w c:\program files\Apple Software Update 2009-04-06 15:17 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat 2009-04-06 15:17 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat 2009-04-06 15:17 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat 2009-04-01 18:58 . 2009-04-01 18:58 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf 2009-03-31 17:17 . 2009-03-31 17:17 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf 2009-03-30 16:09 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Sidebar 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Calendar 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Collaboration 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Journal 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Photo Gallery 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Defender 2009-03-30 15:51 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat 2009-03-30 06:45 . 2006-11-02 10:32 101888 ----a-w c:\windows\system32\ifxcardm.dll 2009-03-30 06:45 . 2006-11-02 10:32 82432 ----a-w c:\windows\system32\axaltocm.dll 2009-03-29 10:27 . 2009-03-29 10:27 -------- d-----w c:\program files\Common Files\xing shared 2009-03-29 10:26 . 2009-03-29 10:26 -------- d-----w c:\program files\Common Files\Real 2009-03-29 10:26 . 2009-03-29 10:26 499712 ----a-w c:\windows\system32\msvcp71.dll 2009-03-29 10:26 . 2009-03-29 10:26 348160 ----a-w c:\windows\system32\msvcr71.dll 2009-03-29 10:26 . 2009-03-29 10:26 -------- d-----w c:\program files\Real 2009-03-29 10:25 . 2009-03-28 15:10 -------- d-----w c:\program files\Google 2009-03-28 18:35 . 2009-03-28 18:35 -------- d-----w c:\program files\Veetle 2009-03-28 18:17 . 2009-03-28 18:16 -------- d-----w c:\program files\Common Files\Adobe 2009-03-24 20:45 . 2009-03-24 20:45 -------- d-----w c:\program files\VideoLAN 2009-03-24 18:09 . 2009-02-24 23:00 99864 ----a-w c:\users\Jamie\AppData\Local\GDIPFONTCACHEV1.DAT 2009-03-24 17:56 . 2009-02-23 21:53 99864 ----a-w c:\users\Anne-Marie\AppData\Local\GDIPFONTCACHEV1.DAT 2009-03-24 07:06 . 2009-03-24 07:06 -------- d-----w c:\program files\Microsoft Works 2009-03-24 07:06 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild 2009-03-24 07:04 . 2009-03-24 07:04 -------- d-----w c:\program files\Microsoft.NET 2009-03-24 07:02 . 2009-03-24 07:02 -------- d-----w c:\program files\Microsoft Visual Studio 8 2009-03-23 14:35 . 2009-03-23 14:35 -------- d-----w c:\program files\Alcohol Soft 2009-03-23 14:33 . 2009-03-23 14:33 639224 ----a-w c:\windows\system32\drivers\sptd.sys 2009-03-23 14:16 . 2009-03-23 14:16 0 ----a-w c:\windows\nsreg.dat 2009-03-23 12:38 . 2009-03-23 12:37 -------- d-----w c:\program files\DivX 2009-03-23 12:38 . 2009-03-23 12:38 -------- d-----w c:\program files\Common Files\PX Storage Engine 2009-03-23 12:37 . 2009-03-23 12:37 -------- d-----w c:\program files\Common Files\DivX Shared 2009-03-23 12:20 . 2009-03-23 12:20 61480 ----a-w c:\users\Jamie\GoToAssistDownloadHelper.exe 2009-03-17 03:38 . 2009-04-16 14:18 40960 ----a-w c:\windows\AppPatch\apihex86.dll 2009-03-17 03:38 . 2009-04-16 14:18 13824 ----a-w c:\windows\system32\apilogen.dll 2009-03-17 03:38 . 2009-04-16 14:18 24064 ----a-w c:\windows\system32\amxread.dll 2009-03-16 17:18 . 2009-03-16 17:18 -------- d-----w c:\program files\uTorrent 2009-03-03 04:46 . 2009-04-16 14:18 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-03-03 04:46 . 2009-04-16 14:18 3547632 ----a-w c:\windows\system32\ntoskrnl.exe 2009-03-03 04:40 . 2009-04-16 14:18 827392 ----a-w c:\windows\system32\wininet.dll 2009-03-03 04:39 . 2009-04-16 14:18 183296 ----a-w c:\windows\system32\sdohlp.dll 2009-03-03 04:39 . 2009-04-16 14:18 551424 ----a-w c:\windows\system32\rpcss.dll 2009-03-03 04:39 . 2009-04-16 14:18 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll 2009-03-03 04:37 . 2009-04-16 14:18 78336 ----a-w c:\windows\system32\ieencode.dll 2009-03-03 04:37 . 2009-04-16 14:18 98304 ----a-w c:\windows\system32\iasrecst.dll 2009-03-03 04:37 . 2009-04-16 14:18 44032 ----a-w c:\windows\system32\iasdatastore.dll 2009-03-03 04:37 . 2009-04-16 14:18 54784 ----a-w c:\windows\system32\iasads.dll 2009-03-03 03:04 . 2009-04-16 14:18 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe 2009-03-03 02:38 . 2009-04-16 14:18 17408 ----a-w c:\windows\system32\iashost.exe 2009-03-03 02:28 . 2009-04-16 14:18 26624 ----a-w c:\windows\system32\ieUnatt.exe 2009-02-25 03:00 . 2009-02-25 03:00 269312 ----a-w c:\windows\system32\es.dll 2009-02-24 02:11 . 2009-02-24 02:11 61440 ----a-w c:\windows\system32\winipsec.dll 2009-02-24 02:11 . 2009-02-24 02:11 361984 ----a-w c:\windows\system32\IPSECSVC.DLL 2009-02-24 02:11 . 2009-02-24 02:11 28672 ----a-w c:\windows\system32\FwRemoteSvr.dll 2009-02-24 02:11 . 2009-02-24 02:11 272896 ----a-w c:\windows\system32\polstore.dll 2009-02-24 02:08 . 2009-02-24 02:08 241152 ----a-w c:\windows\system32\PortableDeviceApi.dll 2009-02-24 02:08 . 2009-02-24 02:08 94720 ----a-w c:\windows\system32\PortableDeviceClassExtension.dll 2009-02-24 02:08 . 2009-02-24 02:08 160768 ----a-w c:\windows\system32\PortableDeviceTypes.dll 2009-02-24 01:52 . 2009-02-24 01:52 296960 ----a-w c:\windows\system32\gdi32.dll 2009-02-24 01:50 . 2009-02-24 01:50 212480 ----a-w c:\windows\system32\drivers\mrxsmb10.sys 2009-02-24 01:48 . 2009-02-24 01:48 28672 ----a-w c:\windows\system32\Apphlpdm.dll 2009-02-24 01:48 . 2009-02-24 01:48 2560 ----a-w c:\windows\AppPatch\AcRes.dll 2009-02-24 01:48 . 2009-02-24 01:48 2154496 ----a-w c:\windows\AppPatch\AcGenral.dll 2009-02-24 01:48 . 2009-02-24 01:48 541696 ----a-w c:\windows\AppPatch\AcLayers.dll 2009-02-24 01:48 . 2009-02-24 01:48 460288 ----a-w c:\windows\AppPatch\AcSpecfc.dll 2009-02-24 01:48 . 2009-02-24 01:48 52736 ----a-w c:\windows\AppPatch\iebrshim.dll 2009-02-24 01:48 . 2009-02-24 01:48 173056 ----a-w c:\windows\AppPatch\AcXtrnal.dll 2009-02-24 01:48 . 2009-02-24 01:48 4240384 ----a-w c:\windows\system32\GameUXLegacyGDFs.dll 2009-02-24 01:48 . 2009-02-24 01:48 1695744 ----a-w c:\windows\system32\gameux.dll 2009-02-24 01:47 . 2009-02-24 01:47 303616 ----a-w c:\windows\system32\wmpeffects.dll 2009-02-24 01:45 . 2009-02-24 01:45 2048 ----a-w c:\windows\system32\msxml3r.dll 2009-02-24 01:45 . 2009-02-24 01:45 1191936 ----a-w c:\windows\system32\msxml3.dll 2009-02-24 01:39 . 2009-02-24 01:39 2048 ----a-w c:\windows\system32\tzres.dll 2009-02-24 01:36 . 2009-02-24 01:36 428544 ----a-w c:\windows\system32\EncDec.dll 2009-02-24 01:36 . 2009-02-24 01:36 293376 ----a-w c:\windows\system32\psisdecd.dll 2009-02-24 01:35 . 2009-02-24 01:35 0 ----a-w c:\windows\ativpsrm.bin 2009-02-24 01:26 . 2009-02-24 01:26 2927104 ----a-w c:\windows\explorer.exe 2009-02-24 01:17 . 2009-02-24 01:17 7042560 ----a-w c:\windows\system32\NlsLexicons081a.dll 2009-02-24 01:12 . 2009-02-24 01:12 6656 ----a-w c:\windows\system32\kbd106n.dll 2009-02-24 01:12 . 2009-02-24 01:12 988216 ----a-w c:\windows\system32\winload.exe 2009-02-24 01:12 . 2009-02-24 01:12 927288 ----a-w c:\windows\system32\winresume.exe 2009-02-24 01:12 . 2009-02-24 01:12 40960 ----a-w c:\windows\system32\srclient.dll 2009-02-24 01:12 . 2009-02-24 01:12 378368 ----a-w c:\windows\system32\srcore.dll 2009-02-24 01:12 . 2009-02-24 01:12 318464 ----a-w c:\windows\system32\rstrui.exe 2009-02-24 01:12 . 2009-02-24 01:12 14848 ----a-w c:\windows\system32\srdelayed.exe 2009-02-24 01:12 . 2009-02-24 01:12 19000 ----a-w c:\windows\system32\kd1394.dll 2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-03-28 68592] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] c:\users\Anne-Marie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-4-24 95744] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{962BC7BB-AA5C-4712-A595-4A305C23E86B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{E9E401D2-C9E4-416B-A506-B25ECC1579C2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{B52DED74-9314-46C5-ADA0-96B0359194B1}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{2551E079-7033-48C2-9576-5BC83850E62A}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{34000AD5-F33E-4D34-A12A-3D224B2E574C}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{5DEA7108-353F-48F5-AE43-9F57D5CB4CD2}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{90C86B8C-3CEA-4A21-81CC-AB6792BF6A5F}"= UDP:c:\program files\uTorrent\uTorrent.exe:�Torrent (TCP-In) "{70B92B46-B0B6-44D2-BBBF-C4979E5D03FC}"= TCP:c:\program files\uTorrent\uTorrent.exe:�Torrent (UDP-In) "TCP Query User{C42F2A57-0BE4-4D6D-86F4-4979D895E638}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:�Torrent "UDP Query User{EC882FE8-539E-493B-8AED-11A216F31816}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:�Torrent "{3495940C-0A3F-46D1-B8BB-ED0A09A482C2}"= UDP:d:\x86\IbisCont.exe:BT Home Hub 2.0 "{D0966C0A-E561-4ABE-96C9-D95E5756BFB6}"= TCP:d:\x86\IbisCont.exe:BT Home Hub 2.0 "{989627E6-5CC8-47B9-87D6-3FFB123B3E76}"= TCP:6004\|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook "{D7757FB5-C6F6-440D-9F6C-CD3DB80CAB8A}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{3C4CA268-CBFB-46E1-B17B-094BE566F38C}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{A351D45B-F97A-486E-9081-0739A790EA0E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{15A26AF8-2D34-43CE-A21C-DE6F8229163D}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "TCP Query User{3D8F7379-1FB6-4822-B0EC-CB4EDBFC9F16}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox "UDP Query User{31726088-883D-4B86-945D-33CE083DCD33}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox "TCP Query User{67BA7F96-13F0-45DC-9E79-4A86E3EBD2EC}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver "UDP Query User{EA120DD8-CB3C-4797-B7A4-D03655E94D6C}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver "TCP Query User{3C819273-B079-4207-AE9C-2016CA92ED7D}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application "UDP Query User{6A37D3E7-86B6-4767-932C-380807BDA786}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application "{60024046-9CB2-467D-9742-95FF60F105AF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{75086915-6634-4695-95ED-8F2428D0BE56}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "TCP Query User{A67D8841-1712-402E-9B4B-38346A390C8F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "UDP Query User{A5828352-F585-44C3-9DEB-AD328B12F948}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "{D8D35F5B-0E7B-4CF2-A771-2DFAE3B7C47A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes "{67EA4B03-51DA-43A5-84A6-BFA22B0FAAF0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes "{4FE0C347-AB6C-4272-8AE7-0CA7BE9D33A2}"= UDP:c:\program files\Spotify\spotify.exe:Spotify "{EAEF15E1-FE2E-4D3A-A598-236B0ACB4C53}"= TCP:c:\program files\Spotify\spotify.exe:Spotify R2 gupdate1c9b058adbbd425;Google Update Service (gupdate1c9b058adbbd425);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 133104] . Contents of the 'Scheduled Tasks' folder 2009-04-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 10:25] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = .local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll FF - ProfilePath - c:\users\Jamie\AppData\Roaming\Mozilla\Firefox\Profiles\esvx5sz6.default\ FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Veetle\Player\npvlc.dll FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-28 17:38 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\users\Jamie\AppData\Local\Temp\gxvxc000 0 bytes scan completed successfully hidden files: 1 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101" [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation] "Enabled"=dword:00000001 [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe" [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx" "ThreadingModel"="Apartment" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx" "ThreadingModel"="Apartment" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" [HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}] @Denied: (A 2) (Everyone) @="IFlashBroker2" [HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}] @Denied: (A 2) (Everyone) [HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0] @="Shockwave Flash" [HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}] @Denied: (A 2) (Everyone) @="" [HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0] @="FlashBroker" [HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys] @DACL=(02 0000) "start"=dword:00000001 "type"=dword:00000001 "group"="file system" "imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcmrbgcaetwpxrikelbioqkexohcmpqcwe.sys" [HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Completion time: 2009-04-28 17:39 ComboFix-quarantined-files.txt 2009-04-28 16:39 Pre-Run: 48,217,899,008 bytes free Post-Run: 48,310,607,872 bytes free 346 --- E O F --- 2009-04-24 16:24

Rorschach112 View Member Profile	Apr 28 2009, 12:23 PM Post #4
GeekU Teacher Posts: 43,117 From: Dublin OS: XP	hello 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: Rootkit:: c:\users\Jamie\AppData\Local\Temp\gxvxc000 C:\windows\system32\drivers\gxvxcmrbgcaetwpxrikelbioqkexohcmpqcwe.sys RegLockDel:: [HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys] Folder:: Registry:: Driver:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

jeevesthestag View Member Profile	Apr 28 2009, 02:00 PM Post #5
New Member Posts: 6 OS: Vista	Hi, Here is the log as requested. Thanks ComboFix 09-04-27.04 - Jamie 28/04/2009 20:35.2 - NTFSx86 Microsoft� Windows Vista� Home Premium 6.0.6001.1.1252.44.1033.18.1917.1316 [GMT 1:00] Running from: c:\users\Jamie\Desktop\ComboFix.exe Command switches used :: c:\users\Jamie\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\drivers\gxvxcmrbgcaetwpxrikelbioqkexohcmpqcwe.sys c:\windows\system32\gxvxcryrthjfrfaimtwovcxwptfdokctpxxie.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_GXVXCSERV.SYS ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 ))))))))))))))))))))))))))))))) . 2009-04-28 18:53 . 2009-04-28 18:53 10520 ----a-w c:\windows\system32\avgrsstx.dll 2009-04-28 18:53 . 2009-04-28 18:53 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys 2009-04-28 18:53 . 2009-04-28 18:53 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys 2009-04-28 18:53 . 2009-04-28 18:55 -------- d-----w c:\windows\system32\drivers\Avg 2009-04-27 16:06 . 2009-04-27 16:06 -------- d-----w c:\users\Jamie\AppData\Local\Apple 2009-04-25 23:19 . 2009-04-25 23:19 -------- d-----w C:\Rooter$ 2009-04-25 23:13 . 2009-04-27 16:14 -------- d-----w c:\users\Jamie\AppData\Local\Adobe 2009-04-25 23:08 . 2009-04-25 23:08 -------- d-----w c:\program files\ERUNT 2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\program files\Trend Micro 2009-04-25 22:17 . 2009-04-25 22:17 -------- d-----w C:\!KillBox 2009-04-25 22:16 . 2009-04-25 22:16 -------- d-----w c:\users\Jamie\AppData\Roaming\Yahoo! 2009-04-25 22:16 . 2009-04-25 22:21 -------- d-----w c:\programdata\Yahoo! Companion 2009-04-25 22:16 . 2009-04-25 22:21 -------- d-----w c:\users\All Users\Yahoo! Companion 2009-04-25 22:16 . 2009-04-25 22:16 -------- d-----w c:\program files\Yahoo! 2009-04-25 22:16 . 2009-04-25 22:16 -------- d-----w c:\program files\CCleaner 2009-04-25 22:01 . 2009-04-25 22:01 -------- d-----w c:\users\Jamie\Livestation 2009-04-25 21:53 . 2009-04-25 21:53 -------- d-----w c:\program files\STOPzilla! 2009-04-25 18:39 . 2009-04-25 18:39 680 ----a-w c:\users\Anne-Marie\AppData\Local\d3d9caps.dat 2009-04-25 17:48 . 2008-11-06 01:03 -------- d-----w C:\SDFix 2009-04-25 09:41 . 2009-04-25 09:41 -------- d-----w c:\program files\HeroCodec 2009-04-24 21:28 . 2009-04-24 21:28 75264 ----a-w c:\windows\cadkasdeinst01e.exe 2009-04-24 21:11 . 2009-04-24 21:11 -------- d-----w c:\users\Jamie\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 2009-04-24 17:26 . 2009-04-24 17:26 -------- d-----w c:\users\Anne-Marie\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1 2009-04-24 17:26 . 2009-04-24 17:26 -------- d-----w c:\program files\BBC iPlayer Desktop 2009-04-17 12:39 . 2009-04-17 12:41 -------- d-----w c:\users\Jamie\AppData\Roaming\Spotify 2009-04-17 12:39 . 2009-04-17 12:40 -------- d-----w c:\users\Jamie\AppData\Local\Spotify 2009-04-17 12:39 . 2009-04-17 12:39 -------- d-----w c:\program files\Spotify 2009-04-14 16:08 . 2009-04-28 16:02 -------- d--h--w C:\$AVG8.VAULT$ 2009-04-13 17:28 . 2008-04-17 11:12 107368 ----a-w c:\windows\system32\GEARAspi.dll 2009-04-13 17:28 . 2009-03-19 15:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-04-13 17:28 . 2009-04-13 17:28 -------- d-----w c:\program files\iPod 2009-04-13 17:28 . 2009-04-13 17:28 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-06 15:16 . 2009-04-06 15:16 -------- d-----w c:\programdata\Apple 2009-04-06 15:16 . 2009-04-06 15:16 -------- d-----w c:\users\All Users\Apple 2009-04-05 16:07 . 2009-04-05 16:07 -------- d-----w c:\program files\SopCast 2009-04-05 13:20 . 2009-04-05 13:20 -------- d-----w c:\users\Jamie\AppData\Roaming\Livestation 2009-04-05 13:20 . 2009-04-05 13:20 -------- d-----w c:\users\Jamie\AppData\Roaming\Mchid 2009-04-05 13:20 . 2009-04-05 13:20 -------- d-----w c:\program files\OpenAL 2009-04-05 13:20 . 2009-04-05 13:20 413696 ----a-w c:\windows\system32\wrap_oal.dll 2009-04-05 13:20 . 2009-04-05 13:20 110592 ----a-w c:\windows\system32\OpenAL32.dll 2009-04-03 17:41 . 2009-04-03 17:43 -------- d-----w c:\users\Anne-Marie\AppData\Local\Google 2009-03-31 03:35 . 2008-04-12 03:32 784896 ----a-w c:\windows\system32\rpcrt4.dll 2009-03-31 03:35 . 2008-04-26 08:26 891448 ----a-w c:\windows\system32\drivers\tcpip.sys 2009-03-31 03:35 . 2008-04-05 01:21 72192 ----a-w c:\windows\system32\drivers\pacer.sys 2009-03-31 03:35 . 2008-04-05 03:34 15360 ----a-w c:\windows\system32\pacerprf.dll 2009-03-31 03:34 . 2008-09-18 04:56 147456 ----a-w c:\windows\system32\Faultrep.dll 2009-03-31 03:34 . 2008-09-18 04:56 125952 ----a-w c:\windows\system32\wersvc.dll 2009-03-31 03:34 . 2008-06-26 03:29 565248 ----a-w c:\windows\system32\emdmgmt.dll 2009-03-31 03:34 . 2008-08-02 01:01 625152 ----a-w c:\windows\system32\drivers\dxgkrnl.sys 2009-03-31 03:34 . 2008-06-26 03:29 45056 ----a-w c:\windows\system32\dataclen.dll 2009-03-31 03:34 . 2008-05-20 02:07 148480 ----a-w c:\windows\system32\drivers\nwifi.sys 2009-03-31 03:34 . 2008-08-02 03:26 36864 ----a-w c:\windows\system32\cdd.dll 2009-03-31 03:33 . 2008-05-08 21:59 430080 ----a-w c:\windows\system32\vbscript.dll 2009-03-31 03:33 . 2008-05-08 21:59 90112 ----a-w c:\windows\system32\wshext.dll 2009-03-31 03:33 . 2008-05-08 21:59 155648 ----a-w c:\windows\system32\wscript.exe 2009-03-31 03:33 . 2008-05-08 21:58 135168 ----a-w c:\windows\system32\cscript.exe 2009-03-31 03:33 . 2008-05-08 21:59 180224 ----a-w c:\windows\system32\scrobj.dll 2009-03-31 03:33 . 2008-05-08 21:59 172032 ----a-w c:\windows\system32\scrrun.dll 2009-03-30 15:51 . 2009-03-30 15:51 -------- d-----w C:\PerfLogs . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-28 19:41 . 2009-04-25 18:00 5018 ----a-w c:\windows\system32\PerfStringBackup.TMP 2009-04-24 17:26 . 2009-03-28 18:18 -------- d-----w c:\program files\Common Files\Adobe AIR 2009-04-18 02:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail 2009-04-13 17:28 . 2009-04-13 17:28 -------- d-----w c:\program files\iTunes 2009-04-13 17:28 . 2009-04-06 15:16 -------- d-----w c:\program files\Common Files\Apple 2009-04-12 12:40 . 2009-03-13 16:59 -------- d-----w c:\program files\Kontiki 2009-04-07 21:00 . 2009-04-07 21:00 -------- d-----w c:\program files\Chama Digital Media 2009-04-06 15:20 . 2009-04-06 15:20 -------- d-----w c:\program files\Bonjour 2009-04-06 15:19 . 2009-04-06 15:19 -------- d-----w c:\program files\QuickTime 2009-04-06 15:18 . 2009-04-06 15:18 -------- d-----w c:\program files\Apple Software Update 2009-04-06 15:17 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat 2009-04-06 15:17 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat 2009-04-06 15:17 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat 2009-04-01 18:58 . 2009-04-01 18:58 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf 2009-03-31 17:17 . 2009-03-31 17:17 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf 2009-03-30 16:09 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Sidebar 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Calendar 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Collaboration 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Journal 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Photo Gallery 2009-03-30 15:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Defender 2009-03-30 15:51 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat 2009-03-30 06:45 . 2006-11-02 10:32 101888 ----a-w c:\windows\system32\ifxcardm.dll 2009-03-30 06:45 . 2006-11-02 10:32 82432 ----a-w c:\windows\system32\axaltocm.dll 2009-03-29 10:27 . 2009-03-29 10:27 -------- d-----w c:\program files\Common Files\xing shared 2009-03-29 10:26 . 2009-03-29 10:26 -------- d-----w c:\program files\Common Files\Real 2009-03-29 10:26 . 2009-03-29 10:26 499712 ----a-w c:\windows\system32\msvcp71.dll 2009-03-29 10:26 . 2009-03-29 10:26 348160 ----a-w c:\windows\system32\msvcr71.dll 2009-03-29 10:26 . 2009-03-29 10:26 -------- d-----w c:\program files\Real 2009-03-29 10:25 . 2009-03-28 15:10 -------- d-----w c:\program files\Google 2009-03-28 18:35 . 2009-03-28 18:35 -------- d-----w c:\program files\Veetle 2009-03-28 18:17 . 2009-03-28 18:16 -------- d-----w c:\program files\Common Files\Adobe 2009-03-24 20:45 . 2009-03-24 20:45 -------- d-----w c:\program files\VideoLAN 2009-03-24 18:09 . 2009-02-24 23:00 99864 ----a-w c:\users\Jamie\AppData\Local\GDIPFONTCACHEV1.DAT 2009-03-24 17:56 . 2009-02-23 21:53 99864 ----a-w c:\users\Anne-Marie\AppData\Local\GDIPFONTCACHEV1.DAT 2009-03-24 07:06 . 2009-03-24 07:06 -------- d-----w c:\program files\Microsoft Works 2009-03-24 07:06 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild 2009-03-24 07:04 . 2009-03-24 07:04 -------- d-----w c:\program files\Microsoft.NET 2009-03-24 07:02 . 2009-03-24 07:02 -------- d-----w c:\program files\Microsoft Visual Studio 8 2009-03-23 14:35 . 2009-03-23 14:35 -------- d-----w c:\program files\Alcohol Soft 2009-03-23 14:33 . 2009-03-23 14:33 639224 ----a-w c:\windows\system32\drivers\sptd.sys 2009-03-23 14:16 . 2009-03-23 14:16 0 ----a-w c:\windows\nsreg.dat 2009-03-23 12:38 . 2009-03-23 12:37 -------- d-----w c:\program files\DivX 2009-03-23 12:38 . 2009-03-23 12:38 -------- d-----w c:\program files\Common Files\PX Storage Engine 2009-03-23 12:37 . 2009-03-23 12:37 -------- d-----w c:\program files\Common Files\DivX Shared 2009-03-23 12:20 . 2009-03-23 12:20 61480 ----a-w c:\users\Jamie\GoToAssistDownloadHelper.exe 2009-03-17 03:38 . 2009-04-16 14:18 40960 ----a-w c:\windows\AppPatch\apihex86.dll 2009-03-17 03:38 . 2009-04-16 14:18 13824 ----a-w c:\windows\system32\apilogen.dll 2009-03-17 03:38 . 2009-04-16 14:18 24064 ----a-w c:\windows\system32\amxread.dll 2009-03-16 17:18 . 2009-03-16 17:18 -------- d-----w c:\program files\uTorrent 2009-03-03 04:46 . 2009-04-16 14:18 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-03-03 04:46 . 2009-04-16 14:18 3547632 ----a-w c:\windows\system32\ntoskrnl.exe 2009-03-03 04:40 . 2009-04-16 14:18 827392 ----a-w c:\windows\system32\wininet.dll 2009-03-03 04:39 . 2009-04-16 14:18 183296 ----a-w c:\windows\system32\sdohlp.dll 2009-03-03 04:39 . 2009-04-16 14:18 551424 ----a-w c:\windows\system32\rpcss.dll 2009-03-03 04:39 . 2009-04-16 14:18 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll 2009-03-03 04:37 . 2009-04-16 14:18 78336 ----a-w c:\windows\system32\ieencode.dll 2009-03-03 04:37 . 2009-04-16 14:18 98304 ----a-w c:\windows\system32\iasrecst.dll 2009-03-03 04:37 . 2009-04-16 14:18 44032 ----a-w c:\windows\system32\iasdatastore.dll 2009-03-03 04:37 . 2009-04-16 14:18 54784 ----a-w c:\windows\system32\iasads.dll 2009-03-03 03:04 . 2009-04-16 14:18 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe 2009-03-03 02:38 . 2009-04-16 14:18 17408 ----a-w c:\windows\system32\iashost.exe 2009-03-03 02:28 . 2009-04-16 14:18 26624 ----a-w c:\windows\system32\ieUnatt.exe 2009-02-25 03:00 . 2009-02-25 03:00 269312 ----a-w c:\windows\system32\es.dll 2009-02-24 02:11 . 2009-02-24 02:11 61440 ----a-w c:\windows\system32\winipsec.dll 2009-02-24 02:11 . 2009-02-24 02:11 361984 ----a-w c:\windows\system32\IPSECSVC.DLL 2009-02-24 02:11 . 2009-02-24 02:11 28672 ----a-w c:\windows\system32\FwRemoteSvr.dll 2009-02-24 02:11 . 2009-02-24 02:11 272896 ----a-w c:\windows\system32\polstore.dll 2009-02-24 02:08 . 2009-02-24 02:08 241152 ----a-w c:\windows\system32\PortableDeviceApi.dll 2009-02-24 02:08 . 2009-02-24 02:08 94720 ----a-w c:\windows\system32\PortableDeviceClassExtension.dll 2009-02-24 02:08 . 2009-02-24 02:08 160768 ----a-w c:\windows\system32\PortableDeviceTypes.dll 2009-02-24 01:52 . 2009-02-24 01:52 296960 ----a-w c:\windows\system32\gdi32.dll 2009-02-24 01:50 . 2009-02-24 01:50 212480 ----a-w c:\windows\system32\drivers\mrxsmb10.sys 2009-02-24 01:48 . 2009-02-24 01:48 28672 ----a-w c:\windows\system32\Apphlpdm.dll 2009-02-24 01:48 . 2009-02-24 01:48 2560 ----a-w c:\windows\AppPatch\AcRes.dll 2009-02-24 01:48 . 2009-02-24 01:48 2154496 ----a-w c:\windows\AppPatch\AcGenral.dll 2009-02-24 01:48 . 2009-02-24 01:48 541696 ----a-w c:\windows\AppPatch\AcLayers.dll 2009-02-24 01:48 . 2009-02-24 01:48 460288 ----a-w c:\windows\AppPatch\AcSpecfc.dll 2009-02-24 01:48 . 2009-02-24 01:48 52736 ----a-w c:\windows\AppPatch\iebrshim.dll 2009-02-24 01:48 . 2009-02-24 01:48 173056 ----a-w c:\windows\AppPatch\AcXtrnal.dll 2009-02-24 01:48 . 2009-02-24 01:48 4240384 ----a-w c:\windows\system32\GameUXLegacyGDFs.dll 2009-02-24 01:48 . 2009-02-24 01:48 1695744 ----a-w c:\windows\system32\gameux.dll 2009-02-24 01:47 . 2009-02-24 01:47 303616 ----a-w c:\windows\system32\wmpeffects.dll 2009-02-24 01:45 . 2009-02-24 01:45 2048 ----a-w c:\windows\system32\msxml3r.dll 2009-02-24 01:45 . 2009-02-24 01:45 1191936 ----a-w c:\windows\system32\msxml3.dll 2009-02-24 01:39 . 2009-02-24 01:39 2048 ----a-w c:\windows\system32\tzres.dll 2009-02-24 01:36 . 2009-02-24 01:36 428544 ----a-w c:\windows\system32\EncDec.dll 2009-02-24 01:36 . 2009-02-24 01:36 293376 ----a-w c:\windows\system32\psisdecd.dll 2009-02-24 01:35 . 2009-02-24 01:35 0 ----a-w c:\windows\ativpsrm.bin 2009-02-24 01:26 . 2009-02-24 01:26 2927104 ----a-w c:\windows\explorer.exe 2009-02-24 01:17 . 2009-02-24 01:17 7042560 ----a-w c:\windows\system32\NlsLexicons081a.dll 2009-02-24 01:12 . 2009-02-24 01:12 6656 ----a-w c:\windows\system32\kbd106n.dll 2009-02-24 01:12 . 2009-02-24 01:12 988216 ----a-w c:\windows\system32\winload.exe 2009-02-24 01:12 . 2009-02-24 01:12 927288 ----a-w c:\windows\system32\winresume.exe 2009-02-24 01:12 . 2009-02-24 01:12 40960 ----a-w c:\windows\system32\srclient.dll 2009-02-24 01:12 . 2009-02-24 01:12 378368 ----a-w c:\windows\system32\srcore.dll 2009-02-24 01:12 . 2009-02-24 01:12 318464 ----a-w c:\windows\system32\rstrui.exe 2009-02-24 01:12 . 2009-02-24 01:12 14848 ----a-w c:\windows\system32\srdelayed.exe 2009-02-24 01:12 . 2009-02-24 01:12 19000 ----a-w c:\windows\system32\kd1394.dll 2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT . ((((((((((((((((((((((((((((( SnapShot@2009-04-28_16.38.07 ))))))))))))))))))))))))))))))))))))))))) . + 2009-02-24 08:59 . 2009-04-28 19:49 30282 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin + 2006-11-02 13:05 . 2009-04-28 19:49 52238 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin + 2009-04-28 18:53 . 2009-04-28 18:53 27656 c:\windows\System32\drivers\avgmfx86.sys - 2006-11-02 13:02 . 2009-04-28 16:29 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2006-11-02 13:02 . 2009-04-28 19:47 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2006-11-02 13:02 . 2009-04-28 19:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2006-11-02 13:02 . 2009-04-28 16:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2006-11-02 13:02 . 2009-04-28 19:47 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2006-11-02 13:02 . 2009-04-28 16:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2009-02-25 07:36 . 2009-04-28 19:49 6654 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3041026416-2446386552-3979688592-1001_UserData.bin - 2009-04-28 16:29 . 2009-04-28 16:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2009-04-28 19:47 . 2009-04-28 19:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2009-04-28 19:47 . 2009-04-28 19:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - 2009-04-28 16:29 . 2009-04-28 16:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-03-28 68592] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-28 1932568] c:\users\Anne-Marie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-4-24 95744] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{962BC7BB-AA5C-4712-A595-4A305C23E86B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{E9E401D2-C9E4-416B-A506-B25ECC1579C2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{B52DED74-9314-46C5-ADA0-96B0359194B1}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{2551E079-7033-48C2-9576-5BC83850E62A}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{34000AD5-F33E-4D34-A12A-3D224B2E574C}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{5DEA7108-353F-48F5-AE43-9F57D5CB4CD2}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service "{90C86B8C-3CEA-4A21-81CC-AB6792BF6A5F}"= UDP:c:\program files\uTorrent\uTorrent.exe:�Torrent (TCP-In) "{70B92B46-B0B6-44D2-BBBF-C4979E5D03FC}"= TCP:c:\program files\uTorrent\uTorrent.exe:�Torrent (UDP-In) "TCP Query User{C42F2A57-0BE4-4D6D-86F4-4979D895E638}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:�Torrent "UDP Query User{EC882FE8-539E-493B-8AED-11A216F31816}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:�Torrent "{3495940C-0A3F-46D1-B8BB-ED0A09A482C2}"= UDP:d:\x86\IbisCont.exe:BT Home Hub 2.0 "{D0966C0A-E561-4ABE-96C9-D95E5756BFB6}"= TCP:d:\x86\IbisCont.exe:BT Home Hub 2.0 "{989627E6-5CC8-47B9-87D6-3FFB123B3E76}"= TCP:6004\|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook "{D7757FB5-C6F6-440D-9F6C-CD3DB80CAB8A}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{3C4CA268-CBFB-46E1-B17B-094BE566F38C}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{A351D45B-F97A-486E-9081-0739A790EA0E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{15A26AF8-2D34-43CE-A21C-DE6F8229163D}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "TCP Query User{3D8F7379-1FB6-4822-B0EC-CB4EDBFC9F16}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox "UDP Query User{31726088-883D-4B86-945D-33CE083DCD33}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox "TCP Query User{67BA7F96-13F0-45DC-9E79-4A86E3EBD2EC}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver "UDP Query User{EA120DD8-CB3C-4797-B7A4-D03655E94D6C}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver "TCP Query User{3C819273-B079-4207-AE9C-2016CA92ED7D}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application "UDP Query User{6A37D3E7-86B6-4767-932C-380807BDA786}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application "{60024046-9CB2-467D-9742-95FF60F105AF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{75086915-6634-4695-95ED-8F2428D0BE56}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "TCP Query User{A67D8841-1712-402E-9B4B-38346A390C8F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "UDP Query User{A5828352-F585-44C3-9DEB-AD328B12F948}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "{D8D35F5B-0E7B-4CF2-A771-2DFAE3B7C47A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes "{67EA4B03-51DA-43A5-84A6-BFA22B0FAAF0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes "{4FE0C347-AB6C-4272-8AE7-0CA7BE9D33A2}"= UDP:c:\program files\Spotify\spotify.exe:Spotify "{EAEF15E1-FE2E-4D3A-A598-236B0ACB4C53}"= TCP:c:\program files\Spotify\spotify.exe:Spotify "{98935866-D7CC-4381-8B2E-1542EB311179}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe "{D0659B70-F2BE-404F-8E9E-C1FB954B6321}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe R2 gupdate1c9b058adbbd425;Google Update Service (gupdate1c9b058adbbd425);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 133104] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-28 325640] S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-28 108552] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-28 298264] --- Other Services/Drivers In Memory --- Deregistered - sptd . Contents of the 'Scheduled Tasks' folder 2009-04-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 10:25] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = .local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll FF - ProfilePath - c:\users\Jamie\AppData\Roaming\Mozilla\Firefox\Profiles\esvx5sz6.default\ FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Veetle\Player\npvlc.dll FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-28 20:47 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101" [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation] "Enabled"=dword:00000001 [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe" [HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx" "ThreadingModel"="Apartment" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx" "ThreadingModel"="Apartment" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" [HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" [HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}] @Denied: (A 2) (Everyone) @="IFlashBroker2" [HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}] @Denied: (A 2) (Everyone) [HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0] @="Shockwave Flash" [HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}] @Denied: (A 2) (Everyone) @="" [HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0] @="FlashBroker" [HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . ------------------------ Other Running Processes ------------------------ . c:\windows\System32\Ati2evxx.exe c:\windows\System32\audiodg.exe c:\windows\System32\Ati2evxx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Kontiki\KService.exe c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\program files\AVG\AVG8\avgtray.exe c:\program files\Windows Media Player\wmpnscfg.exe c:\windows\ehome\ehmsas.exe c:\program files\iPod\bin\iPodService.exe c:\windows\servicing\TrustedInstaller.exe . ************************************************************************ . Completion time: 2009-04-28 20:56 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-28 19:56 ComboFix2.txt 2009-04-28 16:39 Pre-Run: 49,413,234,688 bytes free Post-Run: 49,090,985,984 bytes free 387 --- E O F --- 2009-04-24 16:24

Rorschach112 View Member Profile	Apr 28 2009, 02:45 PM Post #6
GeekU Teacher Posts: 43,117 From: Dublin OS: XP	hello Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Please download Malwarebytes' Anti-Malware from Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Go to Kaspersky website and perform an online antivirus scan. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

jeevesthestag View Member Profile	Apr 29 2009, 12:21 PM Post #7
New Member Posts: 6 OS: Vista	Here is the mbam log. Malwarebytes' Anti-Malware 1.36 Database version: 2056 Windows 6.0.6001 Service Pack 1 28/04/2009 22:13:51 mbam-log-2009-04-28 (22-13-51).txt Scan type: Quick Scan Objects scanned: 73172 Time elapsed: 10 minute(s), 34 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 3 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\HeroCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Users\Jamie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\Program Files\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully. Files Infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeroCodec\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\Program Files\HeroCodec\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully. Here is the Kaspersky report. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0 REPORT Wednesday, April 29, 2009 Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Tuesday, April 28, 2009 22:28:38 Records in database: 2087797 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Files scanned: 110790 Threat name: 3 Infected objects: 3 Suspicious objects: 3 Duration of the scan: 03:55:03 File name / Threat name / Threats count C:\backup\Jamie\AppData\Local\Temp\tmp5F20.tmp Infected: Packed.Win32.Tdss.c 1 C:\backup\Jamie\AppData\Local\Temp\tmp6098.tmp Suspicious: Trojan.Win32.Patched.dy 1 C:\backup\Jamie\AppData\Local\Temp\tmp8429.tmp Infected: Packed.Win32.Tdss.c 1 C:\backup\Jamie\AppData\Local\Temp\tmp8488.tmp Suspicious: Trojan.Win32.Patched.dy 1 C:\backup\Jamie\AppData\Local\Temp\tmpC770.tmp Suspicious: Trojan.Win32.Patched.dy 1 C:\Qoobox\Quarantine\C\Windows\System32\gxvxcgvbnetpxhixibbbxwvdelbomywoxtdhe.dll.vir Infected: Trojan-Downloader.Win32.Agent.brpo 1 The selected area was scanned. Thanks once again.

Rorschach112 View Member Profile	Apr 29 2009, 12:34 PM Post #8
GeekU Teacher Posts: 43,117 From: Dublin OS: XP	hello Please download OTMoveIt3 by OldTimer Save it to your desktop. Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE :Processes explorer.exe :Services :Reg :Files C:\backup\Jamie\AppData\Local\Temp\tmp5F20.tmp C:\backup\Jamie\AppData\Local\Temp\tmp6098.tmp C:\backup\Jamie\AppData\Local\Temp\tmp8429.tmp C:\backup\Jamie\AppData\Local\Temp\tmp8488.tmp C:\backup\Jamie\AppData\Local\Temp\tmpC770.tmp :Commands [purity] [emptytemp] [start explorer] [Reboot] Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste. Click the red Moveit! button. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTMoveIt3 Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter .log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. also post a new HJT log

jeevesthestag View Member Profile	Apr 29 2009, 01:12 PM Post #9
New Member Posts: 6 OS: Vista	Hi, Here is the OTMove log: ========== PROCESSES ========== Process explorer.exe killed successfully. ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== ========== FILES ========== File/Folder C:\backup\Jamie\AppData\Local\Temp\tmp5F20.tmp not found. C:\backup\Jamie\AppData\Local\Temp\tmp6098.tmp moved successfully. File/Folder C:\backup\Jamie\AppData\Local\Temp\tmp8429.tmp not found. C:\backup\Jamie\AppData\Local\Temp\tmp8488.tmp moved successfully. File/Folder C:\backup\Jamie\AppData\Local\Temp\tmpC770.tmp not found. ========== COMMANDS ========== File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\Arj.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\avlib.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\Avp1.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\AvpMgr.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\btimages.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\CAB.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\dmap.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\dtreg.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\FsDrvPlg.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\FSSync.dll scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\HashCont.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\HashMD5.PPL scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\HCCMP.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\ichk2.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\iChkSA.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\Inflate.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\IWGen.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kave.dll scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kosglue-7.0.26.0.dll scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\lha.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\L_llio.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\mdb.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MDMAP.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MemModSc.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MemScan.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\minizip.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MKavIO.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\msoe.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\nfio.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\NTFSstrm.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prKernel.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prLoader.dll scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prseqio.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\PrUtil.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\rar.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\ScanningProcess.exe scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\sfdb.PPL scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\TempFile.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\thpimpl.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\UniArc.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\UnLZX.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\UnStored.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\WDiskIO.ppl scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\hsperfdata_Jamie\4088 scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\hsperfdata_Jamie\4232 scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\qsb.log scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\~DF29E3.tmp scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\~DF8CD0.tmp scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\~DFB451.tmp scheduled to be deleted on reboot. File delete failed. C:\Users\Jamie\AppData\Local\Temp\~DFB471.tmp scheduled to be deleted on reboot. User's Temp folder emptied. User's Internet Explorer cache folder emptied. Windows Temp folder emptied. FireFox cache emptied. Temp folders emptied. Explorer started successfully OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04292009_194253 Files moved on Reboot... C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\Arj.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\avlib.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\Avp1.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\AvpMgr.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\btimages.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\CAB.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\dmap.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\dtreg.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\FsDrvPlg.ppl moved successfully. DllUnregisterServer procedure not found in C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\FSSync.dll C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\FSSync.dll NOT unregistered. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\FSSync.dll moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\HashCont.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\HashMD5.PPL moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\HCCMP.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\ichk2.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\iChkSA.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\Inflate.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\IWGen.ppl moved successfully. DllUnregisterServer procedure not found in C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kave.dll C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kave.dll NOT unregistered. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kave.dll moved successfully. DllUnregisterServer procedure not found in C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kosglue-7.0.26.0.dll C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kosglue-7.0.26.0.dll NOT unregistered. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\kosglue-7.0.26.0.dll moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\lha.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\L_llio.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\mdb.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MDMAP.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MemModSc.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MemScan.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\minizip.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\MKavIO.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\msoe.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\nfio.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\NTFSstrm.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prKernel.ppl moved successfully. DllUnregisterServer procedure not found in C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prLoader.dll C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prLoader.dll NOT unregistered. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prLoader.dll moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\prseqio.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\PrUtil.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\rar.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\ScanningProcess.exe moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\sfdb.PPL moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\TempFile.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\thpimpl.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\UniArc.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\UnLZX.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\UnStored.ppl moved successfully. C:\Users\Jamie\AppData\Local\Temp\jkos-Jamie\binaries\WDiskIO.ppl moved successfully. File C:\Users\Jamie\AppData\Local\Temp\hsperfdata_Jamie\4088 not found! File C:\Users\Jamie\AppData\Local\Temp\hsperfdata_Jamie\4232 not found! C:\Users\Jamie\AppData\Local\Temp\qsb.log moved successfully. C:\Users\Jamie\AppData\Local\Temp\~DF29E3.tmp moved successfully. C:\Users\Jamie\AppData\Local\Temp\~DF8CD0.tmp moved successfully. File C:\Users\Jamie\AppData\Local\Temp\~DFB451.tmp not found! File C:\Users\Jamie\AppData\Local\Temp\~DFB471.tmp not found! and this is the HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:11:21, on 29/04/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18226) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Google\Quick Search Box\qsb.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Kontiki\KHost.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Windows\ehome\ehtray.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\AVG\AVG8\aAvgApi.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\qsb.exe" /autorun O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Update Service (gupdate1c9b058adbbd425) (gupdate1c9b058adbbd425) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- End of file - 6656 bytes Thanks

Rorschach112 View Member Profile	Apr 29 2009, 01:36 PM Post #10
GeekU Teacher Posts: 43,117 From: Dublin OS: XP	Your logs are clean Follow these steps to uninstall Combofix and tools used in the removal of malware Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there. Download OTCleanIt to your desktop and run it Click Yes to beginning the Cleanup process and remove these components, including this application. You will be asked to reboot the machine to finish the Cleanup process. Choose Yes. Below I have included a number of recommendations for how to protect your computer against malware infections. Keep Windows updated by regularly checking their website at : http://windowsupdate.microsoft.com/ This will ensure your computer has always the latest security updates available installed on your computer. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict. Make Internet Explorer more secure Click Start > Run Type Inetcpl.cpl & click OK Click on the Security tab Click Reset all zones to default level Make sure the Internet Zone is selected & Click Custom level In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable". Next Click OK, then Apply button and then OK to exit the Internet Properties page. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future. Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure. NoScript - for blocking ads and other potential website attacks McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask. Please read my guide on how to prevent malware and about safe computing here Thank you for your patience, and performing all of the procedures requested.

jeevesthestag View Member Profile	Apr 30 2009, 12:02 AM Post #11
New Member Posts: 6 OS: Vista	Thank you for your help. It has been a godsend. What you guys do is briliant.

Rorschach112 View Member Profile	Apr 30 2009, 08:33 AM Post #12
GeekU Teacher Posts: 43,117 From: Dublin OS: XP	Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Google redirect virus, (HiJackThis Log included) [Solved]	10 / 944	9th November 2009 - 09:05 AM Dadnlad started - last by Rorschach112
Virus, Spyware and Trojan Removal Google Redirect Virus! Help! [Solved] 123	33 / 1,088	14th December 2009 - 02:23 PM Ambargh started - last by Essexboy
Virus, Spyware and Trojan Removal have google redirect virus ... I think ... very frustrated [Solved]	13 / 585	1st December 2009 - 05:18 PM FrustratedMel started - last by Essexboy
Virus, Spyware and Trojan Removal Google redirect virus - NEED HELP! [Solved]	13 / 371	29th December 2009 - 05:58 PM need-hijack-help started - last by Rorschach112