google redirect problems [Closed]
Started by
robert1234
, Nov 28 2009 08:54 AM
#1
Posted 28 November 2009 - 08:54 AM

I am experiencing problems with a pesky redirector. I have run anti virus, malware byte , tfc, gooredfix etc, and still have issues. Seems to be a file wdmaud in sys 32 directory out of place. I tried to move it or rename and gets put back...Also opens web pages by itself. If anyone could assist me please...
#2
Posted 28 November 2009 - 09:20 AM

Hi, I need to see what is occurring on your system before I can assist.

Download OTS to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
- Reg - Shell Spawning
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
- Under Custom Scans copy and paste the following:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on
to insert the attachment into your post
THEN
We Need to check for Rootkits with RootRepeal
- Download RootRepeal from the following location and save it to your desktop.
- Zip Mirrors (Recommended)
- Rar Mirrors - Only if you know what a RAR is and can extract it.
- Extract RootRepeal.exe from the archive.
- Open RootRepeal.exe on your desktop.
- Click the
tab.
- Click the
button.
- Check all seven boxes:
- Push Ok
- Check the box for your main system drive (Usually C:), and press Ok.
- Allow RootRepeal to run a scan of your system. This may take some time.
- Once the scan completes, push the
button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
#3
Posted 28 November 2009 - 10:12 AM

Hello,
Reports attached.
Attached Files
#4
Posted 28 November 2009 - 10:14 AM

#5
Posted 28 November 2009 - 10:55 AM

I see you have run ComboFix - could you post the log please? Also the full file path of what you believe to be the infected file.
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {24180B00-2EB6-11d7-BD6F-004854603DCE} [HKLM] -> C:\Program Files\Trellian\Toolbar\toolbar.dll [Trellian BHO Impl]
YY -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> C:\Program Files\BAE\BAE.dll [CBrowserHelperObject Object]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{BA52B914-B692-46c4-B683-905236F6F655}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY -> 18467.exe -> C:\WINDOWS\System32\18467.exe
NY -> logo.gif.gif -> C:\Documents and Settings\robert\Desktop\logo.gif.gif
[Files - No Company Name]
NY -> 2995.exe -> C:\WINDOWS\System32\2995.exe
NY -> 491.exe -> C:\WINDOWS\System32\491.exe
NY -> 9961.exe -> C:\WINDOWS\System32\9961.exe
NY -> 16827.exe -> C:\WINDOWS\System32\16827.exe
NY -> 23281.exe -> C:\WINDOWS\System32\23281.exe
NY -> 28145.exe -> C:\WINDOWS\System32\28145.exe
NY -> 5705.exe -> C:\WINDOWS\System32\5705.exe
NY -> 24464.exe -> C:\WINDOWS\System32\24464.exe
NY -> 26962.exe -> C:\WINDOWS\System32\26962.exe
NY -> 29358.exe -> C:\WINDOWS\System32\29358.exe
NY -> 11478.exe -> C:\WINDOWS\System32\11478.exe
NY -> 15724.exe -> C:\WINDOWS\System32\15724.exe
NY -> 19169.exe -> C:\WINDOWS\System32\19169.exe
NY -> 26500.exe -> C:\WINDOWS\System32\26500.exe
NY -> 6334.exe -> C:\WINDOWS\System32\6334.exe
NY -> 18467.exe -> C:\WINDOWS\System32\18467.exe
NY -> 248109B8F8.sys -> C:\WINDOWS\System32\248109B8F8.sys
[File - Lop Check]
NY -> Trellian -> C:\Documents and Settings\robert\Application Data\Trellian
[Custom Items]
:files
C:\Program Files\Trellian
:end
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
#6
Posted 28 November 2009 - 11:15 AM

#7
Posted 28 November 2009 - 11:17 AM

So you do not have a combofix log ?
Have you run the OTS fix ? And what are your current problems
#8
Posted 28 November 2009 - 11:45 AM

OTS log
I'm not sure if I ran combo fix.
#9
Posted 28 November 2009 - 11:46 AM

still getting redirected.
also having problems uploading ots log.
#10
Posted 28 November 2009 - 11:49 AM

#11
Posted 28 November 2009 - 12:03 PM

Ok then to continue
The most obvious ones have now gone, so let's see what remains.
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#12
Posted 28 November 2009 - 01:03 PM

ComboFix log
combofix_log_112809_1359.txt 14.2KB
ComboFix 09-11-27.07 - robert 11/28/2009 13:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.127 [GMT -5:00]
Running from: c:\documents and settings\robert\Desktop\ComboFix.exe
AV: Avanquest SystemSuite *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Avanquest NetDefense Firewall *enabled* {E9CD9D09-CF58-4ec3-9B3F-E6B12C3E4171}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\windows\system32\bszip.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.
2009-11-28 17:31 . 2009-11-28 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-28 17:17 . 2009-11-28 17:17 -------- d-----w- C:\_OTS
2009-11-28 08:23 . 2009-11-28 17:33 -------- d-----w- c:\windows\system32\wbem\Logs
2009-11-28 01:00 . 2009-11-28 01:00 -------- d-----w- C:\_OTM
2009-11-27 15:38 . 2009-08-11 00:10 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-11-27 15:38 . 2009-05-13 22:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2009-11-23 04:49 . 2008-10-09 14:48 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2009-11-23 04:47 . 2009-11-23 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-11-23 03:45 . 2009-11-23 03:45 -------- d-----w- c:\program files\VS Revo Group
2009-11-22 19:42 . 2009-11-22 19:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-22 19:13 . 2009-11-22 19:13 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-22 15:55 . 2009-11-22 15:55 -------- d-----w- c:\documents and settings\robert\.COMMgr
2009-11-18 01:12 . 2009-11-27 13:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-17 04:27 . 2009-11-18 01:10 -------- d-----w- c:\documents and settings\Roberto(2)\Local Settings(2)
2009-11-17 04:27 . 2009-11-18 01:10 -------- d-----w- c:\documents and settings\Roberto(2)
2009-11-15 15:53 . 2009-11-15 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Avanquest
2009-11-15 15:50 . 2009-11-15 15:50 -------- d-----r- C:\_Backup.RC
2009-11-15 15:50 . 2009-11-28 18:01 -------- d-----w- C:\_Backup
2009-11-15 15:47 . 2009-11-27 15:19 -------- d-----w- c:\documents and settings\robert\Application Data\Avanquest
2009-11-15 15:47 . 2009-11-27 14:58 -------- d-----w- c:\program files\Common Files\AntiVirus
2009-11-15 15:45 . 2009-11-15 15:45 -------- d-----w- c:\program files\Avanquest
2009-11-08 14:53 . 2009-11-17 01:49 -------- d-----w- c:\program files\SEO Munchies
2009-10-29 22:23 . 2009-11-01 14:25 -------- d-----w- c:\program files\SpeedyPC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 17:18 . 2006-07-19 11:48 -------- d-----w- c:\program files\BAE
2009-11-27 03:39 . 2004-08-04 02:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-22 15:55 . 2009-11-22 15:55 0 ----a-w- c:\documents and settings\robert\1A2.tmp
2009-11-22 15:55 . 2009-11-22 15:55 44 ----a-w- c:\documents and settings\robert\132.tmp
2009-11-18 01:13 . 2009-11-18 01:13 -------- d-----w- c:\documents and settings\Roberto\Application Data\GTek
2009-11-18 01:09 . 2007-09-27 23:02 -------- d-----w- c:\program files\Common Files\HP
2009-11-18 01:09 . 2006-07-19 11:37 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-17 03:53 . 2009-08-31 23:41 -------- d-----w- c:\documents and settings\robert\Application Data\Skype
2009-11-17 02:14 . 2009-08-31 23:54 -------- d-----w- c:\documents and settings\robert\Application Data\skypePM
2009-11-16 02:08 . 2007-11-24 01:21 -------- d-----w- c:\program files\Kim Enders' Sales Page Rapid-Fire
2009-11-13 22:51 . 2007-10-08 02:03 88392 ----a-w- c:\documents and settings\Barbie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 03:35 . 2007-09-27 15:02 -------- d-----w- c:\program files\Interbank FX Trader 4
2009-10-23 03:22 . 2006-07-21 19:50 88392 ----a-w- c:\documents and settings\robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-22 07:12 . 2009-08-16 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-22 07:08 . 2006-07-19 11:38 -------- d-----w- c:\program files\Microsoft Works
2009-10-20 07:06 . 2009-10-20 07:06 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-20 05:13 . 2009-10-19 23:47 -------- d-----w- c:\documents and settings\robert\Application Data\Free Monitor for Google
2009-10-19 23:46 . 2009-10-19 23:46 -------- d-----w- c:\program files\Free Monitor for Google
2009-10-09 23:05 . 2007-09-27 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-09-25 05:49 . 2004-08-11 21:00 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2004-08-11 21:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:03 . 2004-08-11 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-06-28 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-28 21:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 23:54 . 2009-08-31 23:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2007-11-28 02:26 . 2006-07-26 21:49 1290 --sh--w- c:\windows\lcfep5.drv
2007-11-28 02:50 . 2007-11-28 02:49 1234 --sh--w- c:\windows\lcfep6c.drv
2009-05-24 04:33 . 2006-10-10 20:07 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-05 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"3xAV"="c:\program files\Enounce\MySpeed\MySpeed.exe" [2009-06-19 855520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
c:\documents and settings\robert\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-5-17 811008]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-7-19 921704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 00:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [11/27/2009 10:38 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/30/2009 1:56 PM 93360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [11/22/2009 11:49 PM 202928]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [7/19/2006 6:34 AM 61526]
R2 SBAMSvc;SystemSuite;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [6/10/2009 6:00 AM 980264]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [11/27/2009 10:38 AM 69936]
R3 KFilter;KFilter;c:\progra~1\AVANQU~1\SYSTEM~1\KFilter.sys [8/28/2009 6:07 PM 61560]
R3 TFilter;TFilter;c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [8/28/2009 6:07 PM 26952]
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
2009-11-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-08 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trafficswarm.com/cgi-bin/swarm.cgi?442783&78fff65fb18123bfa8ac4ea7c4cd3289
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\robert\Application Data\Mozilla\Firefox\Profiles\uhndt51q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Avanquest\SystemSuite\Firefox3DV\components\VaultComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-SEOToolkit30_is1 - c:\program files\TRELLIAN\SEO Toolkit v3.0\unins000.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
AddRemove-ToolbarBrowser_is1 - c:\program files\TRELLIAN\Toolbar\unToolbarBrowser\unins000.exe
AddRemove-Trellian WebPage_is1 - c:\program files\Trellian\Trellian WebPage\unins000.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 13:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82B48369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8539fc3
\Driver\ACPI -> ACPI.sys @ 0xf83cccb8
\Driver\atapi -> atapi.sys @ 0xf835e7b4
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\PRISMAPI.DLL
c:\windows\system32\igfxdev.dll
- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\PRISMAPI.DLL
.
Completion time: 2009-11-28 13:51
ComboFix-quarantined-files.txt 2009-11-28 18:51
Pre-Run: 46,011,760,640 bytes free
Post-Run: 45,964,406,784 bytes free
- - End Of File - - 222A609C01AEACB8077F0D513AF808BA
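A defender-side reading of the logs in this thread, as an added example (not code from the thread, and not part of OTS or ComboFix): a small Python parser for ComboFix file-listing lines that flags the patterns the helper's OTS fix (numeric-named .exe and a hex-named .sys in System32) and the /md5start driver check were aimed at. It assumes the first timestamp on each line is the creation time and the second the last-write time, uses a one-year gap as the threshold for a core driver having been written back to disk, and runs over constructed sample lines: the first four are copied from the thread's ComboFix log, the 18467.exe and 248109B8F8.sys lines are made up to exercise the naming rules. The flags are triage hints for what to hash or submit for analysis, not verdicts.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# One ComboFix file-listing line looks like:
#   2009-11-27 03:39 . 2004-08-04 02:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
# Assumption: the first timestamp is the creation time, the second the
# last-write time; the size field is "--------" for directories.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<written>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Constructed sample: the first four lines are copied from the thread's log,
# the 18467.exe and 248109B8F8.sys lines are made up (timestamps invented)
# to exercise the naming rules, and the last line is a directory entry.
SAMPLE_LOG = r"""
2009-11-27 03:39 . 2004-08-04 02:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-09-10 19:54 . 2009-06-28 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2007-11-28 02:26 . 2006-07-26 21:49 1290 --sh--w- c:\windows\lcfep5.drv
2009-05-24 04:33 . 2006-10-10 20:07 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-25 10:00 . 2009-11-25 10:00 61440 ----a-w- c:\windows\system32\18467.exe
2009-11-25 10:00 . 2009-11-25 10:00 40960 ----a-w- c:\windows\system32\248109B8F8.sys
2009-11-28 17:17 . 2009-11-28 17:17 -------- d-----w- C:\_OTS
"""


@dataclass
class Entry:
    created: datetime
    written: datetime
    size: Optional[int]
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; headers, '.' separators and blanks return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=datetime.strptime(m["created"], TS_FMT),
        written=datetime.strptime(m["written"], TS_FMT),
        size=int(m["size"]) if m["size"].isdigit() else None,
        attrs=m["attrs"],
        path=m["path"],
    )


def triage(entry: Entry, driver_gap: timedelta = timedelta(days=365)) -> List[str]:
    """Attach heuristic flags to an entry. Flags are triage hints, not verdicts."""
    path = entry.path.lower()
    name = path.rsplit("\\", 1)[-1]
    is_dir = entry.attrs.startswith("d")
    in_system32 = "\\system32\\" in path
    in_drivers = "\\system32\\drivers\\" in path

    # A loose file carrying both hidden and system attributes is worth a look.
    if not is_dir and "s" in entry.attrs and "h" in entry.attrs:
        entry.flags.append("hidden_system")
    # Purely numeric .exe names in System32: the pattern in the thread's OTS fix.
    if in_system32 and re.fullmatch(r"\d+\.exe", name):
        entry.flags.append("numeric_exe_in_system32")
    # Hex-only .sys name dropped in System32 itself rather than System32\drivers.
    if in_system32 and not in_drivers and re.fullmatch(r"[0-9a-f]{8,}\.sys", name):
        entry.flags.append("hex_named_sys")
    # A core driver whose creation time is years later than its last-write time
    # was written back to disk recently with an old timestamp preserved; the
    # hash comparison the helper asks for is how such a file is confirmed.
    if in_drivers and not is_dir and entry.created - entry.written > driver_gap:
        entry.flags.append("core_driver_rewritten")
    return entry.flags


def triage_log(text: str) -> Dict[str, List[str]]:
    """Return {path: flags} for every parseable line in a ComboFix listing."""
    results: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results[entry.path] = triage(entry)
    return results


if __name__ == "__main__":
    for path, flags in triage_log(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(flags) or 'no flags'}")
```

The atapi.sys entry is the instructive one: its creation time is five years after its last-write time, which is what a file written back to disk with a preserved timestamp looks like, and it is exactly why the helper's custom scan hashes atapi.sys and the other storage drivers so they can be compared against a known-good copy. The Malwarebytes driver on the next line has the same ordering of timestamps but only a few weeks apart, which is the normal installer pattern, so the one-year threshold leaves it alone.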

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\robert\Application Data\Mozilla\Firefox\Profiles\uhndt51q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Avanquest\SystemSuite\Firefox3DV\components\VaultComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-SEOToolkit30_is1 - c:\program files\TRELLIAN\SEO Toolkit v3.0\unins000.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
AddRemove-ToolbarBrowser_is1 - c:\program files\TRELLIAN\Toolbar\unToolbarBrowser\unins000.exe
AddRemove-Trellian WebPage_is1 - c:\program files\Trellian\Trellian WebPage\unins000.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 13:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82B48369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8539fc3
\Driver\ACPI -> ACPI.sys @ 0xf83cccb8
\Driver\atapi -> atapi.sys @ 0xf835e7b4
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\PRISMAPI.DLL
c:\windows\system32\igfxdev.dll
- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\PRISMAPI.DLL
.
Completion time: 2009-11-28 13:51
ComboFix-quarantined-files.txt 2009-11-28 18:51
Pre-Run: 46,011,760,640 bytes free
Post-Run: 45,964,406,784 bytes free
- - End Of File - - 222A609C01AEACB8077F0D513AF808BA
#13
Posted 28 November 2009 - 01:37 PM

Let me know of any problems on completion of this
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
c:\documents and settings\robert\1A2.tmp
c:\documents and settings\robert\132.tmp

Fcopy::
C:\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
4. Save the above as CFScript.txt
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new OTListit log.
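The Fcopy:: line above replaces the live atapi.sys with the untouched copy from C:\i386, which is the check the earlier /md5start list in the OTS scan was aimed at: disk-level rootkits of this period patched boot-critical drivers such as atapi.sys in place, and the quickest way to tell is to hash the running copy against a pristine one. The script below is an added example written for this thread (it is not the helper's code and not part of ComboFix or OTS). The reference directories, the driver list and the status names are assumptions for a Windows XP machine; adjust them to the box being cleaned.

```python
"""Added example (not from the thread): hash boot-critical drivers against
pristine reference copies, the check behind the /md5start list and the
Fcopy:: directive. Paths and driver names are assumptions for Windows XP."""
import hashlib
from pathlib import Path

# Drivers that disk-level rootkits of this era patched in place.
# Mirrors part of the /md5start block the helper asked for (assumed subset).
DRIVER_NAMES = ["atapi.sys", "iaStor.sys", "nvstor.sys", "nvata.sys"]

# Where XP keeps untouched copies (assumed standard locations, newest first).
DEFAULT_REFERENCE_DIRS = [
    r"C:\WINDOWS\ServicePackFiles\i386",   # matches the installed service pack
    r"C:\WINDOWS\system32\dllcache",       # Windows File Protection cache
    r"C:\i386",                            # OEM install source, often pre-SP
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(name, drivers_dir, reference_dirs):
    """Return (status, detail) for one driver.

    status is one of:
      'missing'       live driver not present in drivers_dir
      'no-reference'  no pristine copy found, detail = live hash
      'match'         live hash equals a reference, detail = matching path
      'MISMATCH'      live hash differs from every reference, detail = live hash
    """
    live = Path(drivers_dir) / name
    if not live.is_file():
        return "missing", None
    live_hash = sha256_of(live)
    refs = [Path(d) / name for d in reference_dirs if (Path(d) / name).is_file()]
    if not refs:
        return "no-reference", live_hash
    for ref in refs:
        if sha256_of(ref) == live_hash:
            return "match", str(ref)
    return "MISMATCH", live_hash


def audit_drivers(drivers_dir, reference_dirs=DEFAULT_REFERENCE_DIRS,
                  names=DRIVER_NAMES):
    """Audit every driver in names; returns {name: (status, detail)}."""
    return {n: check_driver(n, drivers_dir, reference_dirs) for n in names}


if __name__ == "__main__":
    results = audit_drivers(r"C:\WINDOWS\system32\drivers")
    for name, (status, detail) in results.items():
        print(f"{name:12} {status:12} {detail or ''}")
```

Two caveats when reading the output. A MISMATCH is a lead, not proof: a hotfix can legitimately leave the live driver newer than every cached copy, so confirm with the file's version and signature before replacing it. And on a Service Pack 2 machine like this one, the C:\i386 copy on an OEM image may predate the service pack, which is why ServicePackFiles\i386 is checked first and is the better source to restore from when it exists.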
#14
Posted 28 November 2009 - 01:58 PM

Hello
I'm terribly sorry, but I don't understand the start run instructions for notepad?
Maybe I missed something...
#15
Posted 28 November 2009 - 02:00 PM

No problem, that is just an instruction to open Windows Notepad - sometimes that is the only way to open it.