
Google redirect - TDSSKiller not finding a thing.


#1
Happlo

Happlo

    New Member

  • Member
  • Pip
  • 2 posts
Hi, I'm new here, been having a terrible time trying to figure out how to get this Google redirect virus off of my computer that I somehow got a few days ago. I have tried tons of different anti-virus programs, including many designed specifically for malware. One of them was TDSSKiller, which seems to be recommended everywhere, including this site... but it isn't finding a thing. I'm honestly out of ideas on how to get this off of my computer, other than wiping my hard drive, but sadly I don't have a Windows disc to reinstall Windows so I can't do that. Can anybody offer some advice so I don't have to spend money on a new Windows disc? I also don't have any restore points from before the virus...

Any help would be greatly appreciated.
  • 0


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#3
Happlo

Happlo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I have a slight update since I made the first post. After reading through these forums I used a program called HijackThis (before you made your reply) and discovered suspicious "hosts" entries that I deleted, and now the Google redirect seems to have stopped completely... for now. I'm still worried that simply deleting those hasn't gotten rid of the virus if there is one.

Also, when I ran combofix just now, it didn't actually ask me about a recovery point, it seemed to just start scanning by itself unexpectedly, so I might do a re-scan with the right prerequisites after this. Here is the log file for now anyway though. Thank you for the quick reply by the way.

---------------

ComboFix 10-08-25.01 - Happlo 08/26/2010 11:02:22.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2099 [GMT -5:00]
Running from: c:\users\Happlo\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\users\Happlo\AppData\Local\Windows Server
c:\users\Happlo\AppData\Local\Windows Server\flags.ini
c:\users\Happlo\AppData\Local\Windows Server\hlp.dat
c:\users\Happlo\AppData\Local\Windows Server\uses32.dat

c:\windows\system32\wininit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-26 16:12 . 2010-08-26 16:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-26 15:59 . 2010-08-26 15:59 -------- d-----w- C:\32788R22FWJFW
2010-08-26 09:13 . 2010-08-26 09:13 -------- d-----w- c:\program files\Trend Micro
2010-08-26 05:51 . 2010-08-26 05:51 93056 ----a-w- C:\pxryrpoc.sys
2010-08-26 03:54 . 2010-08-26 03:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-26 03:09 . 2010-08-26 05:02 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-08-26 02:47 . 2010-08-26 02:57 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-26 02:46 . 2010-08-26 02:46 -------- d-----w- c:\programdata\Hitman Pro
2010-08-26 02:46 . 2010-08-26 02:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-24 18:22 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-24 06:26 . 2010-08-26 03:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-24 06:26 . 2010-08-26 03:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-24 06:06 . 2010-08-26 03:06 -------- d-----w- c:\program files\AA Antimalware
2010-08-24 01:04 . 2010-08-24 01:04 -------- d-----w- c:\users\Happlo\AppData\Roaming\Malwarebytes
2010-08-24 01:04 . 2010-08-24 01:04 -------- d-----w- c:\programdata\Malwarebytes
2010-08-23 23:46 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-23 23:46 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-23 23:46 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-23 23:46 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-23 23:46 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-08-23 23:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-23 23:44 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-23 23:44 . 2010-08-23 23:44 -------- d-----w- c:\program files\Alwil Software
2010-08-14 18:43 . 2010-08-14 18:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-08-10 17:42 . 2008-01-08 10:10 98304 ----a-w- c:\windows\RTKAUDIOSERVICE.EXE
2010-08-10 17:42 . 2010-08-10 17:42 -------- d-----w- c:\windows\system32\RTCOM
2010-08-09 22:53 . 2010-08-09 22:53 -------- d-----w- c:\users\Happlo\AppData\Local\CrashRpt
2010-08-09 20:53 . 2010-08-13 01:21 -------- d-----w- c:\programdata\WebcamMax
2010-08-09 20:53 . 2010-08-09 20:53 -------- d-----w- c:\users\Happlo\AppData\Roaming\WebcamMax
2010-08-09 20:53 . 2010-08-09 20:53 -------- d-----w- c:\program files\WebcamMax
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\Happlo\AppData\Roaming\ms-drivers
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\Happlo\wc
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-----w- c:\users\Happlo\AppData\Local\Universe Sandbox
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\Happlo\AppData\Roaming\wyUpdate AU
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-----w- c:\program files\Universe Sandbox
2010-08-05 11:07 . 2010-08-05 11:07 -------- d-----w- c:\windows\system32\Adobe
2010-08-04 09:13 . 2010-08-04 09:14 -------- d--h--w- c:\program files\Temp
2010-08-03 09:20 . 2010-08-23 23:44 -------- d-----w- c:\programdata\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 16:11 . 2010-04-04 01:12 -------- d-----w- c:\users\Happlo\AppData\Roaming\Skype
2010-08-26 15:47 . 2010-04-04 01:19 -------- d-----w- c:\users\Happlo\AppData\Roaming\skypePM
2010-08-26 09:47 . 2010-06-20 03:30 -------- d-----w- c:\program files\Messenger_Plus_Live_US
2010-08-26 09:47 . 2010-04-30 03:20 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-26 09:47 . 2010-04-04 05:09 -------- d-----w- c:\program files\Vuze_Remote
2010-08-26 09:47 . 2010-04-03 23:21 -------- d-----w- c:\program files\AIM Toolbar
2010-08-26 09:23 . 2010-04-12 09:16 -------- d-----w- c:\program files\kikin
2010-08-26 09:13 . 2010-08-26 09:13 388096 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-24 07:24 . 2010-04-17 09:25 -------- d-----w- c:\users\Happlo\AppData\Roaming\.bitblinder
2010-08-24 07:07 . 2010-04-06 08:40 -------- d-----w- c:\users\Happlo\AppData\Roaming\vlc
2010-08-24 02:54 . 2010-04-03 23:23 58336 ----a-w- c:\users\Happlo\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-24 02:19 . 2010-07-20 20:31 -------- d-----w- c:\program files\Pando Networks
2010-08-24 01:19 . 2010-06-02 11:17 -------- d-sh--w- c:\users\Happlo\AppData\Roaming\lowsec
2010-08-23 23:23 . 2010-04-29 11:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-23 23:23 . 2010-07-20 20:50 -------- d-----w- c:\program files\Outspark
2010-08-23 23:18 . 2010-04-30 03:20 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-08-23 19:25 . 2010-04-12 09:16 -------- d-----w- c:\users\Happlo\AppData\Roaming\kikin
2010-08-20 16:20 . 2010-04-04 05:09 -------- d-----w- c:\users\Happlo\AppData\Roaming\Azureus
2010-08-14 18:45 . 2010-08-14 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01009.Wdf
2010-08-09 22:53 . 2010-07-04 21:24 -------- d-----w- c:\program files\Livestream Procaster
2010-08-08 10:49 . 2010-06-20 03:30 -------- d-----w- c:\program files\Messenger Plus! Live
2010-08-05 16:29 . 2010-04-04 05:39 -------- d-----w- c:\programdata\Norton
2010-08-04 10:50 . 2010-07-25 07:37 -------- d-----w- c:\program files\GGPO
2010-08-04 10:50 . 2010-04-03 20:43 -------- d-----w- c:\program files\Common Files\Steam
2010-08-04 10:50 . 2010-07-25 08:07 -------- d-----w- c:\program files\Ventrilo
2010-08-04 10:49 . 2010-07-25 08:08 -------- d-----w- c:\users\Happlo\AppData\Roaming\Ventrilo
2010-08-03 11:33 . 2010-04-25 00:48 -------- d-----w- c:\users\Happlo\AppData\Roaming\Abyxiw
2010-08-03 10:01 . 2010-05-29 22:01 -------- d-----w- c:\users\Happlo\AppData\Roaming\Hiohc
2010-07-29 06:30 . 2010-08-11 21:51 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 21:51 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-25 07:51 . 2010-07-25 07:51 -------- d-----w- c:\users\Happlo\AppData\Roaming\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2010-07-25 07:37 . 2010-07-25 07:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-25 07:36 . 2010-07-25 07:37 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-24 00:09 . 2010-04-03 20:43 -------- d-----w- c:\program files\Steam
2010-07-05 23:03 . 2010-07-05 23:03 -------- d-----w- c:\programdata\Hewlett-Packard
2010-07-05 10:29 . 2010-07-05 10:29 176 ----a-w- c:\users\Happlo\AppData\Roaming\Azureus\restart.bat
2010-07-05 10:26 . 2010-04-04 05:09 -------- d-----w- c:\program files\Vuze
2010-07-02 11:27 . 2010-07-02 11:27 120 ----a-w- c:\users\Happlo\AppData\Roaming\71c387e8.dat
2010-06-30 06:25 . 2010-08-11 21:51 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 02:47 . 2010-08-11 21:51 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 21:51 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 21:51 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-11 21:51 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 21:51 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 21:51 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-11 21:51 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 21:51 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 21:51 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-08 06:02 . 2010-08-11 21:51 1233920 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 07:55 . 2010-06-03 07:55 8854 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-06-03 07:55 . 2010-06-03 07:55 40960 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-06-03 07:55 . 2010-06-03 07:55 40960 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-06-02 16:02 . 2010-06-02 11:15 190 --s-a-w- c:\users\Happlo\AppData\Local\2678616684.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WeGame.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WeGame.lnk
backup=c:\windows\pss\WeGame.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-04 01:05 136176 ----atw- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2010-07-19 11:12 3577120 ----a-w- c:\program files\Livestream Procaster\Procaster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-10-03 16:40 13826664 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 08:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 22:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-10 22:50 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 16:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxAutoRun]
2010-07-08 01:06 6043888 ----a-w- c:\program files\WebcamMax\WebcamMax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
2009-09-30 22:57 718688 ----a-w- c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-04 1343400]
R3 XDva344;XDva344;c:\windows\system32\XDva344.sys [x]
S1 aswSP;aswSP; [x]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2010-07-28 1935656]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]
S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2010-06-28 71008]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

.
Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3396681394-3423609913-100917528-1001Core.job
- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 01:05]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3396681394-3423609913-100917528-1001UA.job
- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 01:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plusnetwork.com
IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} -
FF - ProfilePath - c:\users\Happlo\AppData\Roaming\Mozilla\Firefox\Profiles\x3t6k72g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Happlo\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
Toolbar-{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - (no file)
Toolbar-{de404f4c-3cde-4d74-a6fb-052d099c104c} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - (no file)
WebBrowser-{DE404F4C-3CDE-4D74-A6FB-052D099C104C} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-klmdb.sys
MSConfigStartUp-d5d45fc0-78a3-49c6-9302-ac860f8bf36e_46 - c:\users\Happlo\AppData\Roaming\d5d45fc0-78a3-49c6-9302-ac860f8bf36e_46.avi
MSConfigStartUp-d5d45fc0-78a3-49c6-9302-ac860f8bf36e_47 - c:\users\Happlo\AppData\Roaming\d5d45fc0-78a3-49c6-9302-ac860f8bf36e_47.avi
MSConfigStartUp-userinit - c:\users\Happlo\AppData\Roaming\sdra64.exe
MSConfigStartUp-{D9B3D3A2-CB93-65F9-10CA-59E1D03E287E} - c:\users\Happlo\AppData\Roaming\Abyxiw\vyla.exe
AddRemove-BitBlinder - c:\program files\BitBlinder\Uninstall.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-08-26 11:20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 16:20

Pre-Run: 126,391,468,032 bytes free
Post-Run: 128,634,707,968 bytes free

- - End Of File - - F14362319E9F3DDB9355A2E2EECF98EA
  • 0
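Post #3 says the redirect stopped once HijackThis surfaced suspicious hosts entries and they were removed. The following Python script is an added example, not part of the thread and not code from HijackThis, ComboFix or TDSSKiller: it parses a Windows-style hosts file and reports the shape of entry that produces a "Google redirect", a well-known search or update domain mapped to an address other than the local machine. The hosts content, the IP addresses in it and the list of watched domains are constructed assumptions for this example, not values taken from the thread.

```python
"""Hosts-file hijack checker (added example; sample data is constructed)."""
import ipaddress

# Domains whose only benign hosts-file mapping is a local address (ad-block
# style blocking) or none at all. Assumption: any other mapping is a hijack.
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "bing.com", "www.bing.com",
    "yahoo.com", "search.yahoo.com", "microsoft.com", "update.microsoft.com",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in a hosts file.

    Handles '#' comments, blank lines, several hostnames per line and
    tab or space separators. Lines that do not parse are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), lineno


def is_local(ip):
    """127.0.0.1, ::1 and 0.0.0.0 point back at the machine; those are left alone."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text):
    """Return findings for watched domains (or their subdomains) mapped off-box."""
    findings = []
    for ip, host, lineno in parse_hosts(text):
        if is_local(ip):
            continue
        watched = host in WATCHED_DOMAINS or any(
            host.endswith("." + d) for d in WATCHED_DOMAINS)
        if watched:
            findings.append({
                "line": lineno, "host": host, "ip": str(ip),
                "reason": "well-known domain mapped to a non-local address",
            })
    return findings


def entry_count(text):
    """Number of non-local mappings; a long list on a home PC is itself a flag."""
    return sum(1 for ip, _, _ in parse_hosts(text) if not is_local(ip))


# Constructed sample: the first two mappings are the stock Windows lines,
# the rest are invented for this example (documentation-range addresses).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed entries for this example ---
0.0.0.0         ads.example.net          # ad-block style entry, benign
198.51.100.23   google.com www.google.com
198.51.100.23   search.yahoo.com
192.0.2.77      update.microsoft.com
10.0.0.5        intranet.example.org     # private mapping, not watched
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
    print(f"{entry_count(SAMPLE_HOSTS)} non-local mapping(s) in total")
```

On a live machine the text would come from `C:\Windows\System32\drivers\etc\hosts` instead of `SAMPLE_HOSTS`. Loopback and `0.0.0.0` mappings are deliberately ignored because that is how ad-blocking lists use the file; a redirect done through DNS settings or a proxy rather than the hosts file is outside what this file-level check can see.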

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Restore::
c:\windows\system32\wininit.exe

File::
c:\users\Happlo\AppData\Local\2678616684.dat


Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
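Post #4 acts on two lines of the log in post #3: the infected wininit.exe and the hex-named .dat under AppData\Local. The script below is an added example, not part of the thread and not ComboFix's own code; it reads the text sections of a ComboFix-style log and lists the entries a helper would look at first. The SAMPLE_LOG is constructed to follow the log format shown above, with a placeholder user name and placeholder file names, and the heuristics it applies (hidden+system directories inside a user profile, a driver or executable sitting in the drive root, hex-named .dat files in AppData, UAC policy values below the Windows 7 defaults) are this example's own assumptions about what merits review, not a verdict on any entry.

```python
"""ComboFix log triage helper (added example; sample log is constructed)."""
import re

# One entry of the "Files Created" / "Find3M" sections:
#   <created> . <modified> <size or dashes> <8-char attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)
# A value line inside a registry key block:  "Name"= 0 (0x0)
POLICY_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<value>\d+)')

# Windows 7 defaults for the UAC values under ...\policies\system.
# Assumption of this example: any other value on a home PC is worth a look.
UAC_EXPECTED = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}


def triage(log_text):
    """Return (line_number, reason, detail) tuples for entries worth reviewing."""
    findings = []
    in_policy = False
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        s = line.strip()
        if "is infected!!" in s:
            findings.append((lineno, "infected system file reported", s))
            continue
        if s.startswith("["):
            # Registry key header: note whether we are inside the UAC policy key.
            in_policy = s.lower().endswith(r"\policies\system]")
            continue
        if in_policy:
            m = POLICY_RE.match(s)
            if m:
                name, value = m.group("name"), int(m.group("value"))
                if name in UAC_EXPECTED and value != UAC_EXPECTED[name]:
                    findings.append((lineno, "UAC policy weakened", s))
            continue
        m = ENTRY_RE.match(s)
        if not m:
            continue
        attrs, path = m.group("attrs").lower(), m.group("path")
        low = path.lower()
        # Attribute layout as printed in the log: 'd' at index 0 for a
        # directory, 's' (system) at index 2, 'h' (hidden) at index 3.
        if attrs[0] == "d" and attrs[2] == "s" and attrs[3] == "h" and "\\users\\" in low:
            findings.append((lineno, "hidden+system directory in a user profile", path))
        elif re.fullmatch(r"[a-z]:\\[^\\]+\.(sys|exe)", low):
            findings.append((lineno, "driver or executable in drive root", path))
        elif re.search(r"\\appdata\\(local|roaming)\\[0-9a-f]{8,}\.dat$", low):
            findings.append((lineno, "hex-named .dat in AppData", path))
    return findings


# Constructed sample in the ComboFix text layout; USER, randomname.sys and
# 12345678.dat are placeholders, not names from any real machine.
SAMPLE_LOG = r"""
ComboFix 10-08-25.01 - USER 08/26/2010 11:02:22.1.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
c:\windows\system32\wininit.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.
2010-08-26 05:51 . 2010-08-26 05:51 93056 ----a-w- C:\randomname.sys
2010-08-26 03:09 . 2010-08-26 05:02 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\USER\AppData\Roaming\ms-drivers
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\USER\wc
2010-08-04 09:13 . 2010-08-04 09:14 -------- d--h--w- c:\program files\Temp
2010-06-02 16:02 . 2010-06-02 11:15 190 --s-a-w- c:\users\USER\AppData\Local\12345678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 22:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
"""

if __name__ == "__main__":
    for lineno, reason, detail in triage(SAMPLE_LOG):
        print(f"line {lineno:>3}: {reason}: {detail}")
```

Each reason is a prompt to inspect, not a removal decision: a hidden directory in a profile can belong to a legitimate program, and the UAC values show up here only because the log prints that key whenever it is non-default, which is exactly why the section is worth a second look when a machine has been redirecting searches.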
