Google keeps re-directing [INACTIVE]

(2 Pages)
1
2
→

You cannot start a new topic
This topic is locked

Google keeps re-directing [INACTIVE] Google keeps re-directing

#1 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 10 June 2011 - 05:44 PM

Hi, Google keeps re-directing and after some research it looks like my computer has caught quite a nasty little cold. Please help! Log to follow.

Back to top of the page up there ^
MultiQuote
Reply

#2 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 10 June 2011 - 05:45 PM

ComboFix 11-06-10.04 - Rob 06/10/2011 10:56:17.1.1 - x86
Microsoft Windows 7 Ultimate N 6.1.7600.0.1252.1.1033.18.1022.581 [GMT -4:00]
Running from: c:\users\Rob\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-10 15:09 . 2011-06-10 15:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-10 13:56 . 2011-06-10 13:56 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-06-10 13:56 . 2011-06-10 13:56 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-06-10 13:26 . 2011-06-10 13:58 -------- d-----w- c:\users\Rob\AppData\Local\NPE
2011-06-10 13:26 . 2011-06-10 13:26 -------- d-----w- c:\programdata\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-01-06 869736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-03 1594664]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-07-03 148888]
.
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptbehaviorAdmin"= 0 (0x0)
"ConsentPromptbehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 265088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-07-13 11904]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-01-06 75112]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-28 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2010-01-06 24304]
S0 SMR200;Symantec SMR Utility Service 2.0.0;c:\windows\System32\drivers\SMR200.SYS [2011-06-10 83064]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-28 691696]
S2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2010-01-06 132456]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2008-07-10 31256]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWICH;VSTHWICH;c:\windows\system32\DRIVERS\VSTICH3.SYS [2009-07-13 242176]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SMR200
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2431647456-2543421603-4089080921-1000Core.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-18 17:46]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2431647456-2543421603-4089080921-1000UA.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-18 17:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-10 11:12:46
ComboFix-quarantined-files.txt 2011-06-10 15:12
.
Pre-Run: 14,515,597,312 bytes free
Post-Run: 17,339,371,520 bytes free
.
- - End Of File - - 6756EDFDFAC896F941447ECF771F6F38

Back to top of the page up there ^
MultiQuote
Reply

#3 Fred Flintstone

Dave Gilmour

Group: Malware Experts
Posts: 2,515
Joined: 20-April 08
Gender:Male
Location:Somerset

Posted 10 June 2011 - 10:04 PM

Hi Rob,
Is that the entire ComboFix log??
Seems there were no files created in the past 3 months according to this log??

Important note:
Before we begin. I need to make you aware that I might be unable to reply on as timely a basis as I would like due to pressure of current work commitments.
I will of course attempt to keep a flow as time permits, but want you to be aware of the above circumstance beforehand.

That said:

Please download Malwarebytes Anti-Malware and save it to your desktop.

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform Quick Acan" option is selected.
Then click on the Scan button.

The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next

ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Hold down Control then click on the following link to open a new window to ESET online scannner
Then click on:

Quote
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on:
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on:
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on:
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Please post back the MBAM and ESET logs in your next post and let me know if the problem persists.

Thanks
Fred

Back to top of the page up there ^
MultiQuote
Reply

#4 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 17 June 2011 - 12:36 AM

MBAM log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6873

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/16/2011 8:33:58 PM
mbam-log-2011-06-16 (20-33-58).txt

Scan type: Quick scan
Objects scanned: 158195
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Rob\0.20014118551278504.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\Rob\0.5353473670183881.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Back to top of the page up there ^
MultiQuote
Reply

#5 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 17 June 2011 - 01:53 AM

first one fixed it and I ran the second but deleted without getting the logs. thanks much.

Back to top of the page up there ^
MultiQuote
Reply

#6 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 18 June 2011 - 12:16 AM

Scratch that, still broke. So now clicking on google links within a google search brings the same exact search up again and then those links take you (me) to some random page. Help (again)!

Back to top of the page up there ^
MultiQuote
Reply

#7 Fred Flintstone

Dave Gilmour

Group: Malware Experts
Posts: 2,515
Joined: 20-April 08
Gender:Male
Location:Somerset

Posted 18 June 2011 - 07:51 PM

Hi Rob,

Download OTL by Old Timer and save it to your Desktop.

Right click on OTL.exe And select Run as administrator to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.

OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized

Please post the contents of these 2 Notepad files in your next reply.

Thanks
Fred

Back to top of the page up there ^
MultiQuote
Reply

#8 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 18 June 2011 - 08:30 PM

OTL logfile created on: 6/18/2011 4:26:58 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Rob\Desktop
Ultimate Edition N (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.49 Mb Total Physical Memory | 297.74 Mb Available Physical Memory | 29.12% Memory free
2.00 Gb Paging File | 0.80 Gb Available in Paging File | 40.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 37.16 Gb Total Space | 16.08 Gb Free Space | 43.26% Space Free | Partition Type: NTFS

Computer Name: ROB-LT | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Rob\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE (Lenovo.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics Incorporated)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
PRC - C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Users\Rob\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (DozeSvc) -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE (Lenovo.)
SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE (Lenovo)
SRV - (TPHKSVC) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (LENOVO.MICMUTE) -- C:\Program Files\Lenovo\HOTKEY\micmute.exe (Lenovo Group Limited)
SRV - (msvsmon90) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (DozeHDD) -- C:\Windows\System32\DRIVERS\DozeHDD.sys (Lenovo.)
DRV - (TPPWRIF) -- C:\Windows\System32\drivers\TPPWR32V.SYS (Lenovo Group Limited)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (BrSerIb) Brother MFC Serial Interface Driver(WDM) -- C:\Windows\System32\drivers\BrSerIb.sys (Brother Industries Ltd.)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (BrUsbSIb) Brother MFC Serial USB Driver(WDM) -- C:\Windows\System32\drivers\BrUsbSIb.sys (Brother Industries Ltd.)
DRV - (VSTHWICH) -- C:\Windows\System32\drivers\VSTICH3.SYS (Conexant Systems, Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (RsFx0102) -- C:\Windows\System32\drivers\RsFx0102.sys (Microsoft Corporation)
DRV - (w29n51) Intel® -- C:\Windows\System32\drivers\w29n51.sys (Intel® Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Winbond Electronics Corp.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D8 E4 FD BA 19 B8 CA 01 [binary data]
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

O1 HOSTS File: ([2011/06/10 11:10:24 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptbehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptbehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds...ransferCtrl.cab (DLC Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | -H-- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/18 16:25:13 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Users\Rob\Desktop\OTL.exe
[2011/06/17 16:58:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/17 16:58:49 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/06/17 16:58:29 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/06/16 20:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/16 20:27:05 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Roaming\Malwarebytes
[2011/06/16 20:25:50 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/06/16 20:25:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/16 20:25:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/16 20:25:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/16 20:24:57 | 009,435,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Rob\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/10 12:11:46 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Local\CrashDumps
[2011/06/10 11:12:52 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/06/10 11:12:48 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/06/10 10:54:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/06/10 10:54:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/06/10 10:54:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/06/10 10:54:19 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/06/10 10:54:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/10 10:44:29 | 004,118,452 | R--- | C] (Swearware) -- C:\Users\Rob\Desktop\ComboFix.exe
[2011/06/10 09:26:00 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Local\NPE
[2011/06/10 09:26:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/06/09 08:34:56 | 000,000,000 | -H-D | C] -- C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Restore

========== Files - Modified Within 30 Days ==========

[2011/06/18 16:25:23 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Rob\Desktop\OTL.exe
[2011/06/18 15:34:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2431647456-2543421603-4089080921-1000UA.job
[2011/06/18 09:34:01 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2431647456-2543421603-4089080921-1000Core.job
[2011/06/17 17:05:27 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/17 17:05:27 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/17 16:59:58 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/06/17 16:57:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/17 16:57:06 | 804,118,528 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/16 20:25:50 | 000,001,095 | ---- | M] () -- C:\Users\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/16 20:25:11 | 009,435,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Rob\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/16 14:55:41 | 000,770,512 | ---- | M] () -- C:\Users\Rob\Desktop\Whole_Grain_Morning_Loaf.jpg
[2011/06/16 14:53:11 | 000,680,672 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/16 14:53:11 | 000,127,512 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/10 11:10:24 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/06/10 10:49:06 | 000,973,180 | ---- | M] () -- C:\Users\Rob\Desktop\A guide and tutorial on using ComboFix.mht
[2011/06/10 10:44:58 | 004,118,452 | R--- | M] (Swearware) -- C:\Users\Rob\Desktop\ComboFix.exe
[2011/06/10 09:01:09 | 000,247,914 | ---- | M] () -- C:\Users\Rob\AppData\Local\census.cache
[2011/06/10 09:00:34 | 000,104,901 | ---- | M] () -- C:\Users\Rob\AppData\Local\ars.cache
[2011/06/10 08:49:18 | 000,000,036 | ---- | M] () -- C:\Users\Rob\AppData\Local\housecall.guid.cache
[2011/06/09 08:37:54 | 000,000,392 | -H-- | M] () -- C:\ProgramData\30859000
[2011/06/09 08:34:57 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~30859000r
[2011/06/09 08:34:57 | 000,000,144 | -H-- | M] () -- C:\ProgramData\~30859000
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

========== Files Created - No Company Name ==========

[2011/06/17 16:59:00 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/06/17 16:59:00 | 000,001,984 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/06/16 20:25:50 | 000,001,095 | ---- | C] () -- C:\Users\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/16 14:55:21 | 000,770,512 | ---- | C] () -- C:\Users\Rob\Desktop\Whole_Grain_Morning_Loaf.jpg
[2011/06/10 10:54:28 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/10 10:54:28 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/06/10 10:54:28 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/06/10 10:54:28 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/06/10 10:54:28 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/10 10:49:03 | 000,973,180 | ---- | C] () -- C:\Users\Rob\Desktop\A guide and tutorial on using ComboFix.mht
[2011/06/10 09:01:09 | 000,247,914 | ---- | C] () -- C:\Users\Rob\AppData\Local\census.cache
[2011/06/10 09:00:34 | 000,104,901 | ---- | C] () -- C:\Users\Rob\AppData\Local\ars.cache
[2011/06/10 08:49:18 | 000,000,036 | ---- | C] () -- C:\Users\Rob\AppData\Local\housecall.guid.cache
[2011/06/09 08:34:57 | 000,000,160 | -H-- | C] () -- C:\ProgramData\~30859000r
[2011/06/09 08:34:57 | 000,000,144 | -H-- | C] () -- C:\ProgramData\~30859000
[2011/06/09 08:26:36 | 000,000,392 | -H-- | C] () -- C:\ProgramData\30859000
[2010/02/28 20:45:28 | 000,007,607 | -H-- | C] () -- C:\Users\Rob\AppData\Local\Resmon.ResmonCfg
[2010/02/28 20:08:42 | 000,000,172 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/02/28 01:36:57 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/14 00:55:27 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:02:04 | 000,346,160 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,680,672 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,127,512 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 20:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2008/12/01 21:46:12 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/12/01 21:08:40 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/10/30 15:45:42 | 000,180,720 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

< End of report >

Back to top of the page up there ^
MultiQuote
Reply

#9 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 18 June 2011 - 08:50 PM

OTL logfile created on: 6/18/2011 4:32:20 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Rob\Desktop
Ultimate Edition N (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.49 Mb Total Physical Memory | 374.61 Mb Available Physical Memory | 36.64% Memory free
2.00 Gb Paging File | 0.78 Gb Available in Paging File | 39.12% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 37.16 Gb Total Space | 16.08 Gb Free Space | 43.26% Space Free | Partition Type: NTFS

Computer Name: ROB-LT | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Rob\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE (Lenovo.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics Incorporated)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
PRC - C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Users\Rob\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (DozeSvc) -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE (Lenovo.)
SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE (Lenovo)
SRV - (TPHKSVC) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (LENOVO.MICMUTE) -- C:\Program Files\Lenovo\HOTKEY\micmute.exe (Lenovo Group Limited)
SRV - (msvsmon90) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (DozeHDD) -- C:\Windows\System32\DRIVERS\DozeHDD.sys (Lenovo.)
DRV - (TPPWRIF) -- C:\Windows\System32\drivers\TPPWR32V.SYS (Lenovo Group Limited)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (BrSerIb) Brother MFC Serial Interface Driver(WDM) -- C:\Windows\System32\drivers\BrSerIb.sys (Brother Industries Ltd.)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (BrUsbSIb) Brother MFC Serial USB Driver(WDM) -- C:\Windows\System32\drivers\BrUsbSIb.sys (Brother Industries Ltd.)
DRV - (VSTHWICH) -- C:\Windows\System32\drivers\VSTICH3.SYS (Conexant Systems, Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (RsFx0102) -- C:\Windows\System32\drivers\RsFx0102.sys (Microsoft Corporation)
DRV - (w29n51) Intel® -- C:\Windows\System32\drivers\w29n51.sys (Intel® Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Winbond Electronics Corp.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D8 E4 FD BA 19 B8 CA 01 [binary data]
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

O1 HOSTS File: ([2011/06/10 11:10:24 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptbehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptbehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2431647456-2543421603-4089080921-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds...ransferCtrl.cab (DLC Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | -H-- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/18 16:25:13 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Users\Rob\Desktop\OTL.exe
[2011/06/17 16:58:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/17 16:58:49 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/06/17 16:58:29 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/06/16 20:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/16 20:27:05 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Roaming\Malwarebytes
[2011/06/16 20:25:50 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/06/16 20:25:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/16 20:25:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/16 20:25:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/16 20:24:57 | 009,435,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Rob\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/10 12:11:46 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Local\CrashDumps
[2011/06/10 11:12:52 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/06/10 11:12:48 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/06/10 10:54:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/06/10 10:54:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/06/10 10:54:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/06/10 10:54:19 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/06/10 10:54:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/10 10:44:29 | 004,118,452 | R--- | C] (Swearware) -- C:\Users\Rob\Desktop\ComboFix.exe
[2011/06/10 09:26:00 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Local\NPE
[2011/06/10 09:26:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/06/09 08:34:56 | 000,000,000 | -H-D | C] -- C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Restore

========== Files - Modified Within 30 Days ==========

[2011/06/18 16:25:23 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Rob\Desktop\OTL.exe
[2011/06/18 15:34:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2431647456-2543421603-4089080921-1000UA.job
[2011/06/18 09:34:01 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2431647456-2543421603-4089080921-1000Core.job
[2011/06/17 17:05:27 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/17 17:05:27 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/17 16:59:58 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/06/17 16:57:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/17 16:57:06 | 804,118,528 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/16 20:25:50 | 000,001,095 | ---- | M] () -- C:\Users\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/16 20:25:11 | 009,435,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Rob\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/16 14:55:41 | 000,770,512 | ---- | M] () -- C:\Users\Rob\Desktop\Whole_Grain_Morning_Loaf.jpg
[2011/06/16 14:53:11 | 000,680,672 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/16 14:53:11 | 000,127,512 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/10 11:10:24 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/06/10 10:49:06 | 000,973,180 | ---- | M] () -- C:\Users\Rob\Desktop\A guide and tutorial on using ComboFix.mht
[2011/06/10 10:44:58 | 004,118,452 | R--- | M] (Swearware) -- C:\Users\Rob\Desktop\ComboFix.exe
[2011/06/10 09:01:09 | 000,247,914 | ---- | M] () -- C:\Users\Rob\AppData\Local\census.cache
[2011/06/10 09:00:34 | 000,104,901 | ---- | M] () -- C:\Users\Rob\AppData\Local\ars.cache
[2011/06/10 08:49:18 | 000,000,036 | ---- | M] () -- C:\Users\Rob\AppData\Local\housecall.guid.cache
[2011/06/09 08:37:54 | 000,000,392 | -H-- | M] () -- C:\ProgramData\30859000
[2011/06/09 08:34:57 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~30859000r
[2011/06/09 08:34:57 | 000,000,144 | -H-- | M] () -- C:\ProgramData\~30859000
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

========== Files Created - No Company Name ==========

[2011/06/17 16:59:00 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/06/17 16:59:00 | 000,001,984 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/06/16 20:25:50 | 000,001,095 | ---- | C] () -- C:\Users\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/16 14:55:21 | 000,770,512 | ---- | C] () -- C:\Users\Rob\Desktop\Whole_Grain_Morning_Loaf.jpg
[2011/06/10 10:54:28 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/10 10:54:28 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/06/10 10:54:28 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/06/10 10:54:28 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/06/10 10:54:28 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/10 10:49:03 | 000,973,180 | ---- | C] () -- C:\Users\Rob\Desktop\A guide and tutorial on using ComboFix.mht
[2011/06/10 09:01:09 | 000,247,914 | ---- | C] () -- C:\Users\Rob\AppData\Local\census.cache
[2011/06/10 09:00:34 | 000,104,901 | ---- | C] () -- C:\Users\Rob\AppData\Local\ars.cache
[2011/06/10 08:49:18 | 000,000,036 | ---- | C] () -- C:\Users\Rob\AppData\Local\housecall.guid.cache
[2011/06/09 08:34:57 | 000,000,160 | -H-- | C] () -- C:\ProgramData\~30859000r
[2011/06/09 08:34:57 | 000,000,144 | -H-- | C] () -- C:\ProgramData\~30859000
[2011/06/09 08:26:36 | 000,000,392 | -H-- | C] () -- C:\ProgramData\30859000
[2010/02/28 20:45:28 | 000,007,607 | -H-- | C] () -- C:\Users\Rob\AppData\Local\Resmon.ResmonCfg
[2010/02/28 20:08:42 | 000,000,172 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/02/28 01:36:57 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/14 00:55:27 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:02:04 | 000,346,160 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,680,672 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,127,512 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 20:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2008/12/01 21:46:12 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/12/01 21:08:40 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/10/30 15:45:42 | 000,180,720 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

< End of report >

Back to top of the page up there ^
MultiQuote
Reply

#10 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 18 June 2011 - 08:53 PM

Note that I had to run the scan twice because the first time the OLT file was blank/empty

Back to top of the page up there ^
MultiQuote
Reply

#11 Fred Flintstone

Dave Gilmour

Group: Malware Experts
Posts: 2,515
Joined: 20-April 08
Gender:Male
Location:Somerset

Posted 18 June 2011 - 11:14 PM

Hi Rob,

Please be sure to carry out the below steps in the order given.

First

ERUNT - Emergency Recovery Utility NT
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.
ERUNT utility program
Download:

Please download ERUNT...by Lars Hederer. Save it to your desktop.
Double-click erunt-setup-exe to run the install process. Install ERUNT by following the prompts.
VISTA users must right-click erunt-setup-exe, select "Run As Administrator" to run the install process. Install by following prompts.
Use the default install settings... say "NO" to the section that asks you to add ERUNT to the Start-Up folder.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
VISTA users must right-click the desktop icon, select "Run As Administrator" or start it at the end of the setup process.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is fine.
Make sure the first two check boxes -> (Create ERUNT and NTREGOPT desktop icons) are checked.
Click on OK ... then click on "YES" to create the folder.

Run:
This will create a full backup of your registry... ERUNT can be used to restore the registry from this backup, if needed.

Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
Vista users: Right-click on ERUNT in the menu, then select "Run As Administrator". If UAC prompts, please allow it.
Click on OK within the pop-up menu.
In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
- System registry.
- Current user registry.
Next click on "OK"... at the prompt... reply "Yes".
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on "OK". A registry backup has now been created.

< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Next

Run OTL Script

Double-click OTL.exe to start the program.

Copy and Paste the following code into the Custom scans / fixes box.

:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

Then click the Run Fix button at the top.
Click .
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Next

GooredFix
Please download GooredFix...by jpshortstuff. Save it to your desktop.
Alternate download site.

Ensure all Firefox windows are closed.
Right-click GooredFix.exe... select Run As Administrator. If UAC prompts, allow it.
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log file will open... named "GooredFix.txt".
Please copy and paste the contents of the GooredFix.txt file in your next reply.

Finally

TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista - W7 users: Right-click and select "Run As Administrator".
If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
If you don't see file extensions, please see: How to change the file extension.
Click the Start Scan button. Do not use the computer during the scan!
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
- Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

Please post back the logs (use as many posts as required) and let me know how things are running now?

Thanks Fred..

Back to top of the page up there ^
MultiQuote
Reply

#12 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 18 June 2011 - 11:26 PM

All processes killed
Error: Unable to interpret <:Filesipconfig /flushdns /c:Commands[purity][resethosts][emptytemp][CREATERESTOREPOINT][EMPTYFLASH][Reboot]> in the current context!

OTL by OldTimer - Version 3.2.24.1 log created on 06182011_192235

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Back to top of the page up there ^
MultiQuote
Reply

#13 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 18 June 2011 - 11:28 PM

GooredFix by jpshortstuff (03.07.10.1)
Log created at 19:27 on 18/06/2011 (Rob)
Firefox version [Unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

Back to top of the page up there ^
MultiQuote
Reply

#14 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 18 June 2011 - 11:44 PM

Cannot get TDSSKiller - Rootkit Removal Tool to run. Have tried renaming per the instructions. I click on the desktop icon and after selecting Run from the dialog box, nothing happens.

Back to top of the page up there ^
MultiQuote
Reply

#15 Fred Flintstone

Dave Gilmour

Group: Malware Experts
Posts: 2,515
Joined: 20-April 08
Gender:Male
Location:Somerset

Posted 20 June 2011 - 06:35 PM

Hi Rob,

Let's try SUPERAntiSpyware in safe mode.

Download and Install

Please download SUPERAntiSypware Free for Home Users...to your desktop.

Double-click SUPERAntiSypware.exe... use the default settings for installation.
Double-click the icon...created on your desktop... to launch the program.
Click "Yes" ... if asked to update definitions. If not...press the "Check for Updates"...button.
If you encounter any problems while downloading the updates, manually download and unzip them from Here.
Once the updates have been applied... STOP!
Close and exit SUPERAntiSypware.

Boot to Safe Mode
Make sure you have downloaded anything you need... print these instructions as well, you will not have Internet access!

Restart your computer. During start up... repeatedly tap the F8 key... When the menu appears...
Use up-arrow key to select "Safe Mode" and press Enter.
Once the system starts ...it displays various files/drivers being loaded, it may pause, that's normal.
When your desktop is loaded... reply "Yes" to the Safe Mode startup, if prompted.

Quote

If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1168605.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

SUPERAntiSpyware scan:

Double-click the SUPERAntiSypware icon...on your desktop... to launch the program.
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with... any items detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
Reply "Yes" to the reboot prompt.
Launch SUPERAntispyware again....
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  Save the log file to your desktop...name it: saslog.txt
Click Close to exit the program.

If you have not rebooted your system... from the previous instructions...please do so now.
Please copy/paste entire contents of saslog.txt... in your next reply.

Also, try and re-run the TDss Killer tool now and let me know if you are successful this time.

Thanks
Fred

This post has been edited by Fred Flintstone: 20 June 2011 - 06:39 PM

Back to top of the page up there ^
MultiQuote
Reply

#16 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 21 June 2011 - 01:38 AM

for some reason there was no log file but running SUPERAntiSpyware did seem to make a difference.... for a minute or two and then it went back to redirecting. I did end up having to dump it on a USB and execute from there while in safe mode. ugh. Appreciate the help... got any other tricks up your sleve?

Back to top of the page up there ^
MultiQuote
Reply

#17 Fred Flintstone

Dave Gilmour

Group: Malware Experts
Posts: 2,515
Joined: 20-April 08
Gender:Male
Location:Somerset

Posted 21 June 2011 - 08:43 PM

Hi Rob,
We're not stumped yet!.. just need to find what's stopping the tools from running and producing logs..

This tool should kill all non essential processes:

Download TheKiller to your Desktop
Note that TheKiller is renamed as [B]explorer.exe[/B]
Run it by double click
Press [B]OK[/B] button after program finish
Do not restart your system after this step, but immediately run the next scan:

NOTE: If malware blocks TheKiller from running please try to run it several more times

Then see if Superantispyware and TDSSKiller will run..

If that doesn't work, try re-booting to safe mode and running ComboFix from there.

Please post the logs where possible.

Thanks
Fred

Back to top of the page up there ^
MultiQuote
Reply

#18 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 22 June 2011 - 12:05 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/21/2011 at 08:03 PM

Application Version : 4.54.1000

Core Rules Database Version : 7293
Trace Rules Database Version: 5105

Scan type : Complete Scan
Total Scan Time : 00:28:56

Memory items scanned : 504
Memory threats detected : 0
Registry items scanned : 9457
Registry threats detected : 0
File items scanned : 22956
File threats detected : 41

Adware.Tracking Cookie
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@pro-market[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@search.hippofind[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@tribalfusion[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@apmebf[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@at.atwola[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@www.find-quick-results[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@fastclick[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@advertise[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@interclick[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@advertising[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@a1.interclick[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@imrworldwide[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@burstnet[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@doubleclick[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@adbrite[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@content.yieldmanager[3].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@ads.undertone[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@ru4[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@atdmt[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@legolas-media[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@search.seekfinds[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@media6degrees[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@sales.liveperson[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@liveperson[3].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@invitemedia[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@tacoda.at.atwola[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@kontera[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@specificclick[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@cdn.jemamedia[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@ad.yieldmanager[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@mediaplex[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@serving-sys[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@educationcom.112.2o7[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@ads.blogtalkradio[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@yieldmanager[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@content.yieldmanager[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@liveperson[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@bs.serving-sys[1].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@revsci[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@collective-media[2].txt
C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Cookies\rob@www.burstnet[2].txt

Back to top of the page up there ^
MultiQuote
Reply

#19 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 22 June 2011 - 01:16 AM

ComboFix log too long to post. attached.

Attached File(s)

ComboFixLog.txt (1.67MB)
Number of downloads: 2

Back to top of the page up there ^
MultiQuote
Reply

#20 Robh123

Log'N'Rocker

Group: Members
Posts: 26
Joined: 10-June 11

Posted 22 June 2011 - 01:28 AM

So I can get ComboFix, SUPERAntiSpyware and TheKiller to run. No luck with tdsskiller. Going to reboot and see if we have any progress...

Back to top of the page up there ^
MultiQuote
Reply

(2 Pages)
1
2
→

You cannot start a new topic
This topic is locked

Log'N'Rock: Google keeps re-directing [INACTIVE] - Log'N'Rock

Google keeps re-directing [INACTIVE] Google keeps re-directing

#1 Robh123

#2 Robh123

#3 Fred Flintstone

#4 Robh123

#5 Robh123

#6 Robh123

#7 Fred Flintstone

#8 Robh123

#9 Robh123

#10 Robh123

#11 Fred Flintstone

#12 Robh123

#13 Robh123

#14 Robh123

#15 Fred Flintstone

#16 Robh123

#17 Fred Flintstone

#18 Robh123

#19 Robh123

Attached File(s)

#20 Robh123

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

Skin and Language

Execution Stats

Log'N'Rock: Google keeps re-directing [INACTIVE] - Log'N'Rock

Google keeps re-directing [INACTIVE] Google keeps re-directing

Attached File(s)

1 User(s) are reading this topic 0 members, 1 guests, 0 anonymous users

Skin and Language

Execution Stats

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users