Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Microsoft Security Essentials Wont Start Up


  • This topic is locked This topic is locked

#1
Iain Cook

Iain Cook

    New Member

  • Member
  • Pip
  • 5 posts
Hi guys,

First post on the forums, thought I would seek to pick you brains on an issue I am having.

At the start of this week I noticed my MSE was not enabled, so i clicked to enable it from Programs list.

The program appears for half a second then disappears, checking task list its not in the background.

I have tried to uninstall and reinstall it. I did a full scan with Malwarebytes and Super AntiSpyware and detected nada.

I am also experiencing a redirect everytime I try to search something on google.com.

I have downloaded OTL, Combofix and TDSS Killer, however before making any changes I thought I would post a log here and seek some advice.

Thanks in advance.

OTL logfile created on: 29/09/2011 16:10:38 - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Users\Iain\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 43.72% Memory free
4.00 Gb Paging File | 2.57 Gb Available in Paging File | 64.41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 65.83 Gb Free Space | 14.14% Space Free | Partition Type: NTFS
Drive D: | 320.44 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 5.15 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 465.76 Gb Total Space | 26.43 Gb Free Space | 5.68% Space Free | Partition Type: NTFS

Computer Name: IAIN-PC | User Name: Iain | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/29 15:58:05 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Users\Iain\Downloads\OTL.exe
PRC - [2011/09/29 15:47:38 | 004,611,456 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\464361e8-d4aa-4418-9cb8-f4e2a394daad.com
PRC - [2011/09/29 15:41:22 | 012,961,112 | ---- | M] (SQUARE ENIX CO., LTD.) -- C:\Program Files\SquareEnix\FINAL FANTASY XIV\ffxivboot.exe
PRC - [2011/09/23 21:08:53 | 000,149,904 | ---- | M] (Microsoft ® Corporation) -- C:\Users\Iain\Forefront UAG Remote Access Agent\mailbskybcom\exchange2010red1\uagqecsvc.exe
PRC - [2011/09/07 17:58:20 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/23 16:25:03 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/05/25 07:09:08 | 000,839,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2011/05/25 07:09:07 | 000,373,864 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
PRC - [2011/05/25 07:09:06 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/05/20 22:35:16 | 000,378,472 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/11/20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 13:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/29 15:47:42 | 000,063,488 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
MOD - [2011/09/29 15:47:42 | 000,052,736 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
MOD - [2011/09/23 21:08:04 | 006,277,280 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2011/09/07 17:58:20 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/08/25 17:11:41 | 000,117,760 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
MOD - [2011/08/25 17:11:41 | 000,052,224 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
MOD - [2011/05/20 22:35:00 | 000,247,400 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll
MOD - [2011/03/21 17:30:20 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/03/02 12:40:51 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/09/23 21:08:53 | 000,149,904 | ---- | M] (Microsoft ® Corporation) [Auto | Running] -- C:\Users\Iain\Forefront UAG Remote Access Agent\mailbskybcom\exchange2010red1\uagqecsvc.exe -- (uagqecsvc)
SRV - [2011/08/23 16:25:03 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/05/25 07:09:06 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/05/20 22:35:16 | 000,378,472 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/07/16 17:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/08/23 16:25:00 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/23 16:24:59 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/05/25 07:09:05 | 010,589,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/11/20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/01/19 12:49:48 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2010/01/19 12:49:48 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2010/01/19 12:49:48 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2010/01/19 12:49:48 | 000,009,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
DRV - [2009/07/14 00:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 23:02:46 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/08/07 01:15:07 | 000,033,052 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 60 C4 BF 6F 21 FC CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.co.uk"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/04/17 21:15:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/04/17 21:15:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/07 17:58:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/04/18 18:57:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Iain\AppData\Roaming\Mozilla\Extensions
[2011/04/19 20:03:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/19 20:03:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/09/07 17:58:20 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/08/30 16:26:47 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.186\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.186\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.186\pdf.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll
CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: DivX HiQ = C:\Users\Iain\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjbmmemklcjgepojigaapkoodmkgbae\2.1.1.94_0\
CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\Iain\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.1.94_0\

O1 HOSTS File: ([2011/09/29 00:35:58 | 000,000,797 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [AttachmentWipermail.bskyb.com] C:\Users\Iain\Forefront UAG Remote Access Agent\mailbskybcom\exchange2010red1\AttachmentWiper.exeBatchRun\run.bat ()
O4 - HKCU..\Run: [NCsoft] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2D1A6C50-A54B-4D60-8C66-CDF40AA67D29}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D967B24D-869E-4CA7-8D74-C9E67CA7E477}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/06/27 09:56:24 | 000,000,053 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{27385c93-680c-11e0-bf4a-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{27385c93-680c-11e0-bf4a-806e6f6e6963}\Shell\AutoRun\command - "" = E:\ffxivsetup.exe -- [2010/07/15 14:15:01 | 000,230,744 | R--- | M] (SQUARE ENIX CO., LTD.)
O33 - MountPoints2\{4e7cc9d1-b15b-11e0-9727-001fd0b4ac61}\Shell - "" = AutoRun
O33 - MountPoints2\{4e7cc9d1-b15b-11e0-9727-001fd0b4ac61}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\SETUP.EXE
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\SETUP.EXE
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/29 16:04:59 | 004,232,958 | ---- | C] (Swearware) -- C:\Users\Iain\Desktop\ComboFix.exe
[2011/09/29 15:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/09/29 15:48:52 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/09/29 15:48:36 | 000,000,000 | ---D | C] -- C:\4095b4cf581732eeb0
[2011/09/29 15:24:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SQUARE ENIX
[2011/09/29 15:04:54 | 000,000,000 | ---D | C] -- C:\Program Files\SquareEnix
[2011/09/29 00:30:59 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/09/29 00:30:59 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/09/28 21:40:24 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Local\{88CB9F89-1903-486F-8ECF-EABFBA233240}
[2011/09/28 21:40:12 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Local\{F0DBBD1B-8CA6-49F0-929A-7C8B79A944AE}
[2011/09/27 22:44:26 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Local\NCSoft
[2011/09/27 22:36:28 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCsoft
[2011/09/27 22:36:02 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Local\assembly
[2011/09/27 22:35:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCsoft
[2011/09/27 22:35:43 | 000,000,000 | ---D | C] -- C:\Program Files\NCSoft
[2011/09/27 22:35:07 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Roaming\GetRightToGo
[2011/09/26 23:51:44 | 000,000,000 | ---D | C] -- C:\Users\Iain\Desktop\NDS GAMES
[2011/09/25 14:39:39 | 000,000,000 | ---D | C] -- C:\Users\Iain\Desktop\Comics
[2011/09/24 19:20:37 | 000,000,000 | ---D | C] -- C:\Users\Iain\Desktop\Wedding Photos
[2011/09/23 21:08:50 | 000,000,000 | ---D | C] -- C:\Users\Iain\Forefront UAG Remote Access Agent
[2011/09/17 18:32:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo II
[2011/09/17 18:30:40 | 000,000,000 | ---D | C] -- C:\Program Files\Diablo II
[2011/09/08 18:18:21 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Local\{A29D3337-788A-4557-B0C8-071A5F153DFA}
[2011/09/08 18:18:10 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Local\{324598B1-5E00-4E56-9271-D56C35C9A7D1}
[2011/09/06 23:47:39 | 000,000,000 | ---D | C] -- C:\Users\Iain\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Electronic Arts
[2011/08/30 16:29:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/08/30 16:29:32 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/08/30 16:29:31 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/08/30 16:27:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/08/30 16:27:44 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/08/30 16:26:50 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

========== Files - Modified Within 30 Days ==========

[2011/09/29 16:05:02 | 004,232,958 | ---- | M] (Swearware) -- C:\Users\Iain\Desktop\ComboFix.exe
[2011/09/29 15:59:53 | 001,529,134 | ---- | M] () -- C:\Users\Iain\Desktop\tdsskiller.zip
[2011/09/29 15:50:52 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/09/29 15:50:46 | 000,653,550 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/09/29 15:50:46 | 000,121,382 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/09/29 15:34:03 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/29 15:27:42 | 000,001,994 | ---- | M] () -- C:\Users\Public\Desktop\FINAL FANTASY XIV.lnk
[2011/09/29 14:23:04 | 000,022,576 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/29 14:23:04 | 000,022,576 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/29 14:16:00 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/29 14:15:55 | 000,000,308 | -HS- | M] () -- C:\Windows\tasks\Uliqbtlnq.job
[2011/09/29 14:15:51 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/29 14:15:47 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/29 00:38:31 | 000,029,172 | ---- | M] () -- C:\Users\Iain\Documents\cc_20110929_003828.reg
[2011/09/29 00:25:15 | 000,001,607 | ---- | M] () -- C:\Users\Iain\Desktop\CivilizationV - Shortcut.lnk
[2011/09/28 23:21:13 | 000,062,464 | RHS- | M] () -- C:\Windows\System32\comresv.dll
[2011/09/28 21:23:33 | 000,067,136 | ---- | M] () -- C:\Users\Iain\Desktop\3306684355_e067f1836e_z.jpg
[2011/09/28 21:22:24 | 000,078,435 | ---- | M] () -- C:\Users\Iain\Desktop\sappho-eats-600x700-500x583.jpg
[2011/09/28 20:39:39 | 000,052,056 | ---- | M] () -- C:\Users\Iain\Desktop\giant-otter_542_600x450.jpg
[2011/09/27 22:39:34 | 000,002,118 | ---- | M] () -- C:\Users\Iain\Desktop\City of Heroes (EU).lnk
[2011/09/27 22:35:44 | 000,001,974 | ---- | M] () -- C:\Users\Public\Desktop\NCsoft Launcher.lnk
[2011/09/27 00:23:59 | 000,000,011 | R--- | M] () -- C:\Windows\amunres.lsl
[2011/09/23 21:08:05 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/09/12 00:48:48 | 005,843,182 | ---- | M] () -- C:\Users\Iain\Desktop\Caledonia - Poalo Nutini.mp3
[2011/09/09 00:16:17 | 000,000,193 | ---- | M] () -- C:\Windows\WORDPAD.INI
[2011/09/08 23:13:56 | 000,048,960 | ---- | M] () -- C:\Users\Iain\Desktop\CV 2011 - IC.rtf
[2011/09/06 23:47:39 | 000,001,334 | ---- | M] () -- C:\Users\Iain\Desktop\Warhammer Online - Age of Reckoning.lnk
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2011/09/29 15:59:49 | 001,529,134 | ---- | C] () -- C:\Users\Iain\Desktop\tdsskiller.zip
[2011/09/29 15:50:42 | 000,001,897 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/09/29 15:27:42 | 000,001,994 | ---- | C] () -- C:\Users\Public\Desktop\FINAL FANTASY XIV.lnk
[2011/09/29 00:38:30 | 000,029,172 | ---- | C] () -- C:\Users\Iain\Documents\cc_20110929_003828.reg
[2011/09/29 00:25:15 | 000,001,607 | ---- | C] () -- C:\Users\Iain\Desktop\CivilizationV - Shortcut.lnk
[2011/09/28 23:21:13 | 000,062,464 | RHS- | C] () -- C:\Windows\System32\comresv.dll
[2011/09/28 23:21:13 | 000,000,308 | -HS- | C] () -- C:\Windows\tasks\Uliqbtlnq.job
[2011/09/28 21:23:32 | 000,067,136 | ---- | C] () -- C:\Users\Iain\Desktop\3306684355_e067f1836e_z.jpg
[2011/09/28 21:22:23 | 000,078,435 | ---- | C] () -- C:\Users\Iain\Desktop\sappho-eats-600x700-500x583.jpg
[2011/09/28 20:39:38 | 000,052,056 | ---- | C] () -- C:\Users\Iain\Desktop\giant-otter_542_600x450.jpg
[2011/09/27 22:39:34 | 000,002,118 | ---- | C] () -- C:\Users\Iain\Desktop\City of Heroes (EU).lnk
[2011/09/27 22:35:44 | 000,001,974 | ---- | C] () -- C:\Users\Public\Desktop\NCsoft Launcher.lnk
[2011/09/27 00:23:59 | 000,000,011 | R--- | C] () -- C:\Windows\amunres.lsl
[2011/09/12 00:48:35 | 005,843,182 | ---- | C] () -- C:\Users\Iain\Desktop\Caledonia - Poalo Nutini.mp3
[2011/09/08 23:13:54 | 000,048,960 | ---- | C] () -- C:\Users\Iain\Desktop\CV 2011 - IC.rtf
[2011/09/08 18:38:21 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2011/09/06 23:47:39 | 000,001,334 | ---- | C] () -- C:\Users\Iain\Desktop\Warhammer Online - Age of Reckoning.lnk
[2011/06/12 16:36:14 | 000,000,116 | ---- | C] () -- C:\Windows\T211.INI
[2011/05/20 22:35:28 | 000,304,744 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
[2011/05/19 21:04:44 | 000,000,114 | ---- | C] () -- C:\Windows\T307.INI
[2011/05/08 20:34:06 | 000,023,040 | ---- | C] () -- C:\Users\Iain\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/30 23:02:08 | 000,012,588 | -HS- | C] () -- C:\Users\Iain\AppData\Local\34352o2be027ho55i2d7a7vvq87lyn
[2011/04/30 23:02:08 | 000,012,588 | -HS- | C] () -- C:\ProgramData\34352o2be027ho55i2d7a7vvq87lyn
[2011/04/18 18:57:36 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/04/17 22:43:50 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2010/01/19 12:49:54 | 000,466,944 | ---- | C] () -- C:\Windows\System32\RemoveDevice.dll
[2009/07/14 05:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 05:33:53 | 000,293,224 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 03:05:48 | 000,653,550 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 03:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 03:05:48 | 000,121,382 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 03:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 03:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 03:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/14 00:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 22:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2002/09/18 00:45:00 | 000,119,808 | ---- | C] () -- C:\Windows\lsb_un20.exe

< End of report >
  • 0

Advertisements


#2
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Please try to run this one:

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.

    Posted Image
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start scan.

    Posted Image
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • Also in Desktop there should be a file called MBR.dat after that, zip it and then attach it here

Please don't run any other tool for now.
  • 0

#3
Iain Cook

Iain Cook

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
aswMBR LOG:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-29 23:42:39
-----------------------------
23:42:39.674 OS Version: Windows 6.1.7601 Service Pack 1
23:42:39.674 Number of processors: 2 586 0x203
23:42:39.674 ComputerName: IAIN-PC UserName: Iain
23:42:41.733 Initialize success
23:43:15.306 AVAST engine defs: 11092902
23:43:23.854 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:43:23.870 Disk 0 Vendor: WDC_WD5000YS-01MPB0 09.02E09 Size: 476938MB BusType: 3
23:43:25.882 Disk 0 MBR read successfully
23:43:25.882 Disk 0 MBR scan
23:43:25.882 Disk 0 Windows 7 default MBR code
23:43:25.898 Disk 0 scanning sectors +976766976
23:43:25.976 Disk 0 scanning C:\Windows\system32\drivers
23:43:35.274 Service scanning
23:43:36.553 Modules scanning
23:43:42.450 Disk 0 trace - called modules:
23:43:42.465 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
23:43:42.481 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85654a18]
23:43:42.481 3 CLASSPNP.SYS[88d9859e] -> nt!IofCallDriver -> [0x8516e938]
23:43:42.481 5 ACPI.sys[887bd3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85564908]
23:43:44.041 AVAST engine scan C:\Windows
23:43:46.241 AVAST engine scan C:\Windows\system32
23:43:53.869 File: C:\Windows\system32\comresv.dll **INFECTED** Win32:Suprchu [Adw]
23:45:32.477 AVAST engine scan C:\Windows\system32\drivers
23:45:44.380 AVAST engine scan C:\Users\Iain
23:47:58.633 AVAST engine scan C:\ProgramData
23:48:22.345 Scan finished successfully
23:49:05.339 Disk 0 MBR has been saved successfully to "C:\Users\Iain\Desktop\MBR.dat"
23:49:05.355 The log file has been saved successfully to "C:\Users\Iain\Desktop\aswMBR.txt"

Attached File  MBR.zip   559bytes   15 downloads

Thanks again for assistance.
  • 0

#4
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection
  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review

Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall.
  • 0

#5
Iain Cook

Iain Cook

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I was unable to stop Microsoft Security Essentials from running in the background as the task wasnt listed in Task Manager.

ComboFix 11-09-29.06 - Iain 30/09/2011 0:17.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2046.1111 [GMT 1:00]
Running from: c:\users\Iain\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-29 )))))))))))))))))))))))))))))))
.
.
2011-09-29 18:13 . 2008-08-08 01:09 86528 ----a-w- c:\windows\system32\E_FLBFAE.DLL
2011-09-29 18:13 . 2007-12-07 01:01 78848 ----a-w- c:\windows\system32\E_FD4BFAE.DLL
2011-09-29 18:13 . 2007-04-10 00:06 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2011-09-29 18:13 . 2011-09-29 18:14 -------- d-----w- c:\programdata\EPSON
2011-09-29 14:50 . 2011-09-29 14:50 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-29 14:48 . 2011-09-29 14:49 -------- d-----w- C:\4095b4cf581732eeb0
2011-09-29 14:04 . 2011-09-29 14:04 -------- d-----w- c:\program files\SquareEnix
2011-09-28 23:30 . 2011-09-28 23:30 388096 ----a-r- c:\users\Iain\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-28 23:30 . 2011-09-28 23:30 -------- d-----w- c:\program files\Trend Micro
2011-09-28 22:21 . 2011-09-28 22:21 62464 --sha-r- c:\windows\system32\comresv.dll
2011-09-27 21:44 . 2011-09-27 21:44 -------- d-----w- c:\users\Iain\AppData\Local\NCSoft
2011-09-27 21:36 . 2011-09-27 21:36 -------- d-----w- c:\users\Iain\AppData\Local\assembly
2011-09-27 21:35 . 2011-09-27 21:39 -------- d-----w- c:\program files\NCSoft
2011-09-27 21:35 . 2011-09-27 21:39 -------- d-----w- c:\users\Iain\AppData\Roaming\GetRightToGo
2011-09-23 20:08 . 2011-09-23 20:10 -------- d-----w- c:\users\Iain\Forefront UAG Remote Access Agent
2011-09-17 17:30 . 2011-09-26 23:23 -------- d-----w- c:\program files\Diablo II
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-23 20:08 . 2011-05-23 07:19 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 16:00 . 2011-04-30 22:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 20:09 . 2011-08-23 20:09 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20 . 2011-07-12 10:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 10:20 . 2011-07-12 10:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-05 17:37 . 2011-07-05 17:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 17:37 . 2011-07-05 17:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-09-07 16:58 . 2011-04-18 17:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
"AttachmentWipermail.bskyb.com"="c:\users\Iain\Forefront UAG Remote Access Agent\mailbskybcom\exchange2010red1\AttachmentWiper.exeBatchRun\run.bat" [2011-09-29 690]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-23 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Iain^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\Iain\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 21:10 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 00:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 17:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-04-29 20:00 1242448 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 136176]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\users\Iain\Forefront UAG Remote Access Agent\mailbskybcom\exchange2010red1\uagqecsvc.exe [2011-09-23 149904]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 136176]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-01-19 9216]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-08-23 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-08-23 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-23 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-20 378472]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPFILTER
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 23:14]
.
2011-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 23:14]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Iain\AppData\Roaming\Mozilla\Firefox\Profiles\tocvfilc.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-NCsoft - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3996297972-3602422328-976562816-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3996297972-3602422328-976562816-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-30 00:25:59
ComboFix-quarantined-files.txt 2011-09-29 23:25
.
Pre-Run: 70,894,632,960 bytes free
Post-Run: 70,893,887,488 bytes free
.
- - End Of File - - 9478112F487D6068B4E0086225528033
  • 0

#6
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts

I was unable to stop Microsoft Security Essentials from running in the background as the task wasnt listed in Task Manager.

As I understand your initial problem is that MSE is not running.

Are redirects evident in IE, Firefox and Chrome?

Do you use a router and are any other computers using it experiencing the same redirects?
  • 0

#7
Iain Cook

Iain Cook

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
As I understand your initial problem is that MSE is not running.
You are correct, however when running combofix, it is still detecting MSE is running, however there is no listen or visible activity.

Are redirects evident in IE, Firefox and Chrome?
They are evident in IE and Firefox.

Do you use a router and are any other computers using it experiencing the same redirects?
I use a router and only my PC is experiencing redirects
  • 0

#8
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
OK. Now please temporary uninstall MSE, restart, delete your old Combofix files and then download and run Combofix once again as described here.
  • 0

#9
Iain Cook

Iain Cook

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Performed the steps above.

Strangely, even after the uninstall and reboot, combofix detected MSE still running.

Here is the new scan.

ComboFix 11-09-30.05 - Iain 01/10/2011 11:40:02.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2046.1323 [GMT 1:00]
Running from: c:\users\Iain\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
.
.
2011-10-01 10:46 . 2011-10-01 10:46 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-10-01 10:46 . 2011-10-01 10:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-30 15:58 . 2011-09-30 15:58 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-09-30 15:57 . 2011-09-30 15:57 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-09-30 15:57 . 2011-09-30 15:57 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-09-30 15:56 . 2011-09-30 15:56 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-09-30 15:56 . 2011-09-30 15:56 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-09-30 15:55 . 2011-09-30 15:55 -------- d-----w- c:\users\Iain\AppData\Local\Microsoft Help
2011-09-30 15:55 . 2011-09-30 16:01 -------- d-----w- c:\programdata\Microsoft Help
2011-09-30 15:54 . 2011-09-30 15:54 -------- d-----r- C:\MSOCache
2011-09-30 15:49 . 2011-09-30 15:49 -------- d-----w- c:\program files\Microsoft Forefront UAG
2011-09-30 12:27 . 2011-04-28 03:15 60416 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2011-09-30 12:27 . 2011-04-28 03:15 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2011-09-29 23:26 . 2011-10-01 10:46 -------- d-----w- c:\users\Iain\AppData\Local\temp
2011-09-29 18:13 . 2008-08-08 01:09 86528 ----a-w- c:\windows\system32\E_FLBFAE.DLL
2011-09-29 18:13 . 2007-12-07 01:01 78848 ----a-w- c:\windows\system32\E_FD4BFAE.DLL
2011-09-29 18:13 . 2007-04-10 00:06 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2011-09-29 18:13 . 2011-09-29 18:14 -------- d-----w- c:\programdata\EPSON
2011-09-29 14:04 . 2011-09-29 14:04 -------- d-----w- c:\program files\SquareEnix
2011-09-28 23:30 . 2011-09-28 23:30 388096 ----a-r- c:\users\Iain\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-28 23:30 . 2011-09-28 23:30 -------- d-----w- c:\program files\Trend Micro
2011-09-28 22:21 . 2011-09-28 22:21 62464 --sha-r- c:\windows\system32\comresv.dll
2011-09-27 21:44 . 2011-09-27 21:44 -------- d-----w- c:\users\Iain\AppData\Local\NCSoft
2011-09-27 21:36 . 2011-09-27 21:36 -------- d-----w- c:\users\Iain\AppData\Local\assembly
2011-09-27 21:35 . 2011-09-27 21:39 -------- d-----w- c:\program files\NCSoft
2011-09-27 21:35 . 2011-09-27 21:39 -------- d-----w- c:\users\Iain\AppData\Roaming\GetRightToGo
2011-09-23 20:08 . 2011-09-23 20:10 -------- d-----w- c:\users\Iain\Forefront UAG Remote Access Agent
2011-09-17 17:30 . 2011-09-26 23:23 -------- d-----w- c:\program files\Diablo II
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-23 20:08 . 2011-05-23 07:19 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 16:00 . 2011-04-30 22:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 20:09 . 2011-08-23 20:09 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20 . 2011-07-12 10:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 10:20 . 2011-07-12 10:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-05 17:37 . 2011-07-05 17:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 17:37 . 2011-07-05 17:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-09-07 16:58 . 2011-04-18 17:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
"AttachmentWipermail.bskyb.com"="c:\users\Iain\Forefront UAG Remote Access Agent\mailbskybcom\exchange2010red1\AttachmentWiper.exeBatchRun\run.bat" [2011-10-01 808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-23 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Users^Iain^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\Iain\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 21:10 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 00:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 17:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-04-29 20:00 1242448 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 136176]
R3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\DOWNLO~1\DMService.exe [2011-09-30 487312]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 136176]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-01-19 9216]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-08-23 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-08-23 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-23 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-20 378472]
S2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [2010-11-25 150928]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 23:14]
.
2011-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 23:14]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.bskyb.com/
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Iain\AppData\Roaming\Mozilla\Firefox\Profiles\tocvfilc.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3996297972-3602422328-976562816-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3996297972-3602422328-976562816-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-01 11:48:29
ComboFix-quarantined-files.txt 2011-10-01 10:48
ComboFix2.txt 2011-09-29 23:26
.
Pre-Run: 67,980,394,496 bytes free
Post-Run: 67,602,128,896 bytes free
.
- - End Of File - - 6C3B4079C487088CAA96A699DEB815C9
  • 0

#10
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Please follow these instructions here to manually remove MSE.
  • 0

#11
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP