Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

http://search.certified-toolbar.com virus [Solved]


  • This topic is locked This topic is locked

#1
Chris Yard

Chris Yard

    Member

  • Member
  • PipPip
  • 46 posts
Hi,

I am using Chrome, and when ever I search for something in the address bar I get redirected to hXXp://search.certified-toolbar.com. So far I have run Malwarebytes Anti-Malware and SUPERAntiSpyware Free Edition and they have found and removed some stuff but the virus is still there.

Here is my OTL log.

Thanks in advance.

Chris


OTL logfile created on: 01/11/2012 21:27:23 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator.LCI\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.51% Memory free
3.85 Gb Paging File | 3.41 Gb Available in Paging File | 88.67% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 34.40 Gb Free Space | 46.16% Space Free | Partition Type: NTFS
Drive D: | 2.04 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: PDAVIS | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/01 19:37:17 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.LCI\My Documents\Downloads\OTL.exe
PRC - [2012/10/30 18:14:45 | 001,252,888 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/07/11 18:54:49 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/10/08 04:50:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2007/06/13 10:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/04/20 08:07:32 | 000,385,024 | R--- | M] (JMicron Technology Corp.) -- C:\WINDOWS\system32\JMRaidTool.exe


========== Modules (No Company Name) ==========

MOD - [2012/10/30 18:14:42 | 000,459,800 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\ppgooglenaclpluginchrome.dll
MOD - [2012/10/30 18:14:41 | 012,456,984 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\PepperFlash\pepflashplayer.dll
MOD - [2012/10/30 18:14:39 | 004,012,056 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\pdf.dll
MOD - [2012/10/30 18:13:19 | 000,597,528 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\libglesv2.dll
MOD - [2012/10/30 18:13:18 | 000,123,928 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\libegl.dll
MOD - [2012/10/30 18:13:15 | 001,552,408 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\ffmpegsumo.dll
MOD - [2006/02/28 12:00:00 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/02/28 12:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\DM9102.dll -- (gbpoll)
SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/07/11 18:54:49 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore.exe -- (!SASCORE)
SRV - [2012/01/24 11:25:20 | 000,078,336 | ---- | M] (Dassault Systèmes) [On_Demand | Stopped] -- C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe -- (DraftSight API Service)
SRV - [2011/10/08 04:50:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\NTGLM7X.sys -- (SetupNTGLM7X)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\NTACCESS.sys -- (NTACCESS)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/22 16:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 21:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/07/13 15:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/05/04 08:13:52 | 004,271,616 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService)
DRV - [2006/04/20 08:02:44 | 000,042,368 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\jraid.sys -- (JRAID)
DRV - [2006/02/26 21:46:20 | 000,081,408 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/02/07 11:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\JGOGO.sys -- (JGOGO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://companyweb
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.helperba...q={searchTerms}
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-837310289-879497696-1013717309-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)


[2012/04/12 07:04:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========

CHR - homepage: http://search.certif...e=true&tid=2938
CHR - default_search_provider: Web Search (Enabled)
CHR - default_search_provider: search_url = http://search.certif...q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - homepage: http://search.certif...e=true&tid=2938
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Disabled) = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.1\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Gmail = C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2006/02/28 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKU\S-1-5-21-837310289-879497696-1013717309-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-759657905-2212592364-2257267456-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-837310289-879497696-1013717309-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\wshbth.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\wshbth.dll File not found
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} http://10.0.0.1/Conn...uter/nshelp.dll (NSHelp Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1173367481442 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LCI.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{17D2FB16-FD21-4077-8EF8-22C1C277DDCC}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/05 09:13:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/04/04 15:12:12 | 000,000,000 | R--D | M] - D:\autorun -- [ UDF ]
O32 - AutoRun File - [2005/01/07 13:19:58 | 000,643,072 | R--- | M] (Blue Byte Software, Inc.) - D:\autorun.exe -- [ UDF ]
O32 - AutoRun File - [2005/01/13 11:36:06 | 000,000,083 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/01 19:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.LCI\Application Data\SUPERAntiSpyware.com
[2012/11/01 19:54:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2012/11/01 19:54:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/11/01 19:54:07 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/11/01 08:26:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.LCI\Recent
[2012/10/30 21:08:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.LCI\Desktop\Robot Arm
[2012/10/30 19:19:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/30 19:19:52 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/10/30 19:19:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/10/30 13:53:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/10/30 13:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/10/29 20:40:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.LCI\Application Data\WinRAR
[2012/10/29 20:38:52 | 000,000,000 | ---D | C] -- C:\Program Files\Red Sky
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/01 21:17:00 | 000,001,018 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-837310289-879497696-1013717309-500UA.job
[2012/11/01 21:15:04 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Desktop\Shortcut to OTL.lnk
[2012/11/01 21:11:19 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/01 21:11:17 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/01 21:11:09 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\HP Photo Creations Communicator.job
[2012/11/01 21:10:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/01 21:10:01 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2012/11/01 21:08:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/01 19:54:21 | 000,000,512 | ---- | M] () -- C:\WINDOWS\tasks\SUPERAntiSpyware Scheduled Task f9c1ad30-891e-491a-b828-c9116edd0f99.job
[2012/11/01 19:54:20 | 000,000,512 | ---- | M] () -- C:\WINDOWS\tasks\SUPERAntiSpyware Scheduled Task 997bdcb9-6d0a-470d-a1df-2efdb0977c33.job
[2012/11/01 19:54:10 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/11/01 18:17:00 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-837310289-879497696-1013717309-500Core.job
[2012/10/31 08:29:08 | 000,002,394 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/10/30 22:35:30 | 000,118,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/10/30 19:19:54 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/30 19:17:57 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/10/30 19:07:09 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/10/29 20:43:56 | 000,000,014 | ---- | M] () -- C:\end
[2012/10/29 08:00:22 | 000,000,040 | ---- | M] () -- C:\biosinfo
[2012/10/28 10:51:12 | 000,444,802 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/10/28 10:51:12 | 000,072,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/10/05 20:45:25 | 000,055,680 | ---- | M] () -- C:\Documents and Settings\Administrator.LCI\Desktop\spicanflowchart.jpg
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/01 21:15:04 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Administrator.LCI\Desktop\Shortcut to OTL.lnk
[2012/11/01 19:54:20 | 000,000,512 | ---- | C] () -- C:\WINDOWS\tasks\SUPERAntiSpyware Scheduled Task f9c1ad30-891e-491a-b828-c9116edd0f99.job
[2012/11/01 19:54:20 | 000,000,512 | ---- | C] () -- C:\WINDOWS\tasks\SUPERAntiSpyware Scheduled Task 997bdcb9-6d0a-470d-a1df-2efdb0977c33.job
[2012/11/01 19:54:10 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/10/30 22:35:30 | 000,118,152 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/10/30 19:19:54 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/30 13:47:42 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/10/29 20:40:33 | 000,015,432 | ---- | C] () -- C:\WINDOWS\Launcher.exe
[2012/10/29 20:38:52 | 000,000,014 | ---- | C] () -- C:\end
[2012/10/13 14:41:41 | 000,025,927 | ---- | C] () -- C:\Documents and Settings\Administrator.LCI\Desktop\I sense.pdf
[2012/10/05 20:45:22 | 000,055,680 | ---- | C] () -- C:\Documents and Settings\Administrator.LCI\Desktop\spicanflowchart.jpg
[2012/07/13 20:18:00 | 004,389,441 | ---- | C] () -- C:\WINDOWS\System32\USBAccessLink.dll
[2012/07/13 20:18:00 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\SerialAccessLink.dll
[2012/06/05 10:10:39 | 000,136,507 | ---- | C] () -- C:\WINDOWS\hphins33.dat
[2012/06/05 10:10:39 | 000,000,512 | ---- | C] () -- C:\WINDOWS\hphmdl33.dat
[2012/04/27 19:26:41 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Administrator.LCI\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/19 13:58:58 | 000,364,544 | ---- | C] () -- C:\WINDOWS\System32\mpPathan.dll
[2012/04/16 10:34:22 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\MPMapTrace.dll
[2012/02/14 12:18:01 | 000,000,012 | ---- | C] () -- C:\WINDOWS\bthservsdp.dat
[2012/01/28 19:36:20 | 000,286,052 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2012/01/28 19:36:20 | 000,286,052 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2012/01/28 19:36:20 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2012/01/28 19:35:47 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2012/01/28 19:18:34 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/02 14:12:06 | 000,303,104 | ---- | C] () -- C:\WINDOWS\System32\eST3snm.dll
[2007/03/09 09:46:54 | 000,004,396 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== ZeroAccess Check ==========

[2007/03/08 15:53:16 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2007/01/04 14:05:30 | 001,498,112 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 10:20:33 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2006/02/28 12:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/04/27 19:41:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\.mplab_ide
[2012/07/13 20:31:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\.wireless_development_studio
[2012/08/18 14:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\CadSoft
[2012/10/06 22:21:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\DAEMON Tools Pro
[2012/02/07 21:26:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\DraftSight
[2008/04/24 16:11:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\IMSIDesign
[2012/08/17 21:19:18 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\Microchip
[2012/08/22 18:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\OpenCandy
[2012/08/29 13:15:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\Unity
[2012/09/29 20:56:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LCI\Application Data\Visan
[2012/06/02 22:22:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2012/08/22 18:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2012/02/07 21:26:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dassault Systemes
[2012/08/29 20:54:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DipTrace
[2012/06/02 22:26:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2007/03/09 10:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus for Windows Workstations
[2012/10/02 18:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2008/06/20 10:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pegasus
[2012/10/29 20:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2012/07/20 16:39:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/08/22 07:27:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TOSHIBA
[2012/09/29 20:56:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Visan

========== Purity Check ==========



========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB59785$] -> Error: Cannot create file handle -> Unknown point type

========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C86B29EB

< End of report >

Edited by Dakeyras, 01 November 2012 - 03:47 PM.
Disabled malicious URL for safety reasons.

  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there you have a multiple infection

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

THEN

CLEAR THE BAD TOOLBARS

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

Posted Image

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that
  • 0

#3
Chris Yard

Chris Yard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thank you for the quick reply, just running combo fix now
  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I am going off line now but the runs you are doing should alleviate the majority of the problems
  • 0

#5
Chris Yard

Chris Yard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Still have search.certified virus when tried in chrome

Combofix log as follows, adwcleaner to follow


ComboFix 12-10-31.03 - Administrator 01/11/2012 22:45:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2046.1718 [GMT 0:00]
Running from: c:\documents and settings\Administrator.LCI\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\$NtUninstallKB59785$
c:\windows\$NtUninstallKB59785$\1058525278
c:\windows\$NtUninstallKB59785$\2322031598\@
c:\windows\$NtUninstallKB59785$\2322031598\cfg.ini
c:\windows\$NtUninstallKB59785$\2322031598\Desktop.ini
c:\windows\$NtUninstallKB59785$\2322031598\L\[email protected]
c:\windows\$NtUninstallKB59785$\2322031598\L\201d3dde
c:\windows\$NtUninstallKB59785$\2322031598\L\gelwxpwo
c:\windows\$NtUninstallKB59785$\2322031598\U\[email protected]
c:\windows\$NtUninstallKB59785$\2322031598\U\[email protected]
c:\windows\$NtUninstallKB59785$\2322031598\U\[email protected]
c:\windows\$NtUninstallKB59785$\2322031598\U\[email protected]
c:\windows\$NtUninstallKB59785$\2322031598\U\[email protected]
c:\windows\$NtUninstallKB59785$\2322031598\U\[email protected]
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\WinSys.exe
.
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\system volume information\_restore{CB4F704D-C3CB-4978-831A-1AEA0937734A}\RP1171\A0470213.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-10-01 to 2012-11-01 )))))))))))))))))))))))))))))))
.
.
2012-11-01 22:56 . 2006-02-28 12:00 64896 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-11-01 22:56 . 2006-02-28 12:00 64896 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-11-01 19:54 . 2012-11-01 19:54 -------- d-----w- c:\documents and settings\Administrator.LCI\Application Data\SUPERAntiSpyware.com
2012-11-01 19:54 . 2012-11-01 19:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-01 19:54 . 2012-11-01 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-10-30 19:19 . 2012-10-30 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-30 19:19 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-29 20:40 . 2012-08-30 03:01 15432 ----a-w- c:\windows\Launcher.exe
2012-10-29 20:38 . 2012-10-29 20:38 -------- d-----w- c:\program files\Red Sky
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-16 4762496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-04-20 385024]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-05-04 07:59 16206848 ----a-r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-04-24 07:20 1448960 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
2006-05-18 01:15 208896 ----a-r- c:\windows\system32\sw20.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
2006-05-17 02:37 69632 ----a-r- c:\windows\system32\sw24.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Farming Simulator 2011\\FarmingSimulator2011.exe"=
"c:\\Program Files\\Farming Simulator 2011\\game.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ubisoft\\Blue Byte\\THE SETTLERS - Heritage of Kings\\bin\\settlershok.exe"=
"c:\\Documents and Settings\\Administrator.LCI\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 16:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 21:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/07/2012 18:54 116608]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [30/10/2012 19:19 399432]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [28/01/2012 19:36 2253120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30/10/2012 19:19 22856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/08/2012 19:53 116648]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30/10/2012 19:19 676936]
S3 DraftSight API Service;DraftSight API Service;c:\program files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [24/01/2012 11:25 78336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [21/08/2012 19:53 116648]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gbpoll
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-21 19:53]
.
2012-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-21 19:53]
.
2012-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-837310289-879497696-1013717309-500Core.job
- c:\documents and settings\Administrator.LCI\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-28 23:07]
.
2012-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-837310289-879497696-1013717309-500UA.job
- c:\documents and settings\Administrator.LCI\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-28 23:07]
.
2012-11-01 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2012-09-29 20:55]
.
2012-11-01 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 997bdcb9-6d0a-470d-a1df-2efdb0977c33.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-11-01 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task f9c1ad30-891e-491a-b828-c9116edd0f99.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=GB&userid=b59ba342-f1d7-4d53-b7df-bbdfebbc16f0&affid=111585&searchtype=ds&babsrc=lnkry&q={searchTerms}
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-NWEReboot - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-01 22:59
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-837310289-879497696-1013717309-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1156E2EA-08A6-B7DD-1015-63E8D8D913A2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"halklnhnfoadoine"=hex:61,61,00,00
"halklnhnhngdopmp"=hex:61,61,00,00
"iahnhejppomliiabhj"=hex:6a,61,6c,67,63,67,63,6e,6c,68,63,6a,62,6d,61,6c,6c,6f,
6c,70,00,a0
"hajnbgjbeimkgfgd"=hex:6b,61,6c,67,64,67,62,6e,62,65,70,67,6c,66,70,63,65,6b,
62,63,6f,6e,00,03
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1156E2EA-08A6-B7DD-1015-63E8D8D913A2}\InProcServer32*]
"iafnckjaimdhnbppel"=hex:61,61,00,00
"iafnckjaimjglblcoc"=hex:61,61,00,00
"jafnojlecgodkecamell"=hex:6a,61,6c,67,63,67,63,6e,6c,68,63,6a,62,6d,61,6c,6c,
6f,6c,70,00,a0
"iafnijnhobmikneinj"=hex:6a,61,65,67,6d,67,6b,6d,67,6c,61,6b,62,62,61,67,66,67,
69,6f,00,1e
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2012-11-01 23:05:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-01 23:05
.
Pre-Run: 36,808,511,488 bytes free
Post-Run: 37,668,184,064 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 180704FFB932A4BA262F8AF91DF3A621
  • 0

#6
Chris Yard

Chris Yard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
adwcleaner log: virus still there, although PC is running a bit quicker than normal now

Thanks again, will wait for your next instruction.






# AdwCleaner v2.006 - Logfile created 11/01/2012 at 23:11:35
# Updated 30/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : Administrator - PDAVIS
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator.LCI\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.11

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=GB&userid=b59ba342-f1d7-4d53-b7df-bbdfebbc16f0&affid=111585&searchtype=ds&babsrc=lnkry&q={searchTerms} --> hxxp://www.google.com

-\\ Google Chrome v24.0.1312.1

*************************

AdwCleaner[S1].txt - [2511 octets] - [01/11/2012 23:11:35]

########## EOF - C:\AdwCleaner[S1].txt - [2571 octets] ##########

  • 0

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
For Chrome you will need to reset manually

Full details are here

Once done let me know of any outstanding problems
  • 0

#8
Chris Yard

Chris Yard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Ok thanks Essexboy, I am at work at the moment, but will do when I get home and will let you know.
  • 0

#9
Chris Yard

Chris Yard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Essexboy,

I have reset Chrome, and it is now NOT coming up with the search.certified toolbar any more.

Thank you so much for your quick response and fix

Chris
  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK a result :)

Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and select Uninstall

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the "x" and "/")
    then click OK

    Posted Image
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Posted Image Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave:
  • 0

#11
Chris Yard

Chris Yard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Again thank you so much Essexboy, I will be more careful what I download, have done everything asked in your last post.
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
:) Keep safe now and enjoy, if anything else pops up just shout :)
  • 0

#13
Chris Yard

Chris Yard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Essexboy,

Everything is looking good and running as it should, again thank you for your help, I think this thread can be closed now

Chris
  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP