Unsolved
Google redirect and homepage reset
Google searches redirect to random sites; occasionally the help centre will open instead of the link, and my browser home page keeps resetting to movieint.com.
I have run TDSSKiller with nothing found.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:38:17, on 27/07/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://movieint.com/one/?pid=2170
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.uk.msn.com/USREL/2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.10.10.46:8080;https=10.10.10.46:8080;ftp=10.10.10.46:8080;socks=10.10.10.46:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.granet.com;172.*;vionline*;192.*;
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] "C:\Program Files\Wave Systems Corp\SecureUpgrade.exe"
O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S95.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Rjafari] rundll32.exe "C:\Documents and Settings\jlangham-service\Local Settings\Application Data\asafijocifalut.dll",Startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Oxoqeburimuqu] rundll32.exe "C:\Documents and Settings\jlangham-service\Local Settings\Application Data\mst5DOM2.dll",Startup
O4 - HKCU\..\Run: [Rjafari] rundll32.exe "C:\Documents and Settings\jlangham-service\Local Settings\Application Data\asafijocifalut.dll",Startup
O4 - HKCU\..\Run: [{31551C9A-8DB8-380B-34C7-9BDFF8002140}] "C:\Documents and Settings\jlangham-service\Application Data\Epad\igero.exe"
O4 - HKCU\..\Run: [{E8D46C76-D27D-EAD4-CA69-B0BFACBD7103}] "C:\Documents and Settings\jlangham-service\Application Data\Kyxoon\izde.exe"
O4 - HKCU\..\Run: [{31551C90-8DB2-380B-34C7-9BDFF8002140}] "C:\Documents and Settings\jlangham-service\Application Data\Epad\igero.exe"
O4 - HKUS\S-1-5-21-527237240-1303643608-682003330-10793\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1303643608-682003330-49735\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1303643608-682003330-58673\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to NOTES.lnk = C:\Documents and Settings\jlangham-service\Desktop\NOTES.tex
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O15 - Trusted Zone: *.granet.com
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GRANET.COM
O17 - HKLM\Software\..\Telephony: DomainName = GRANET.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GRANET.COM
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: NTRU TSS v1.2.1.28 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11159 bytes
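As an added example (not part of this thread and not HijackThis code), the following Python script parses the O4 Run and R0/R1 lines of a HijackThis log and flags the patterns that stand out in the log above from a defender's point of view: rundll32.exe loading a DLL out of a user profile directory, an executable started from Application Data, a Run value named like a bare GUID, and an HKCU Start Page whose host differs from the Default_Page_URL. The sample lines are copied from the log posted in the thread; the flag rules and the function names are the example's own assumptions.

```python
"""Triage of HijackThis O4/R0/R1 entries (added example, not from the thread)."""
import re
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://movieint.com/one/?pid=2170
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Rjafari] rundll32.exe "C:\Documents and Settings\jlangham-service\Local Settings\Application Data\asafijocifalut.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{31551C9A-8DB8-380B-34C7-9BDFF8002140}] "C:\Documents and Settings\jlangham-service\Application Data\Epad\igero.exe"
"""

# O4 lines look like:  O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# R0/R1 lines look like:  R0 - <key>,<value name> = <url>
IE_RE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>\S+)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')


def parse_run_entries(log_text):
    """Yield (hive, value name, command line) for each O4 Run entry."""
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            yield m['hive'], m['name'], m['cmd']


def image_path(cmd):
    """Return the program the command launches: the quoted path, or the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def run_entry_flags(name, cmd):
    """Reasons an O4 entry deserves a second look (empty list means nothing odd)."""
    reasons = []
    low = cmd.lower()
    image = image_path(cmd).lower()
    # rundll32.exe itself is a Windows binary; what matters is the DLL it is told to load.
    if image.endswith('rundll32.exe') and '\\documents and settings\\' in low:
        reasons.append('rundll32 loads a DLL from a user profile directory')
    # Installed software normally autoruns from Program Files or the Windows directory.
    if image.endswith('.exe') and '\\application data\\' in image:
        reasons.append('executable launched from Application Data')
    # Installers rarely name a Run value after a bare GUID.
    if GUID_RE.match(name):
        reasons.append('Run value named like a GUID')
    return reasons


def start_page_mismatch(log_text):
    """Return (default host, start host) when HKCU's Start Page host differs from Default_Page_URL, else None."""
    hosts = {}
    for line in log_text.splitlines():
        m = IE_RE.match(line.strip())
        if m and m['key'].startswith('HKCU\\') and m['key'].endswith('\\Main'):
            hosts[m['value']] = urlsplit(m['url']).hostname
    default, start = hosts.get('Default_Page_URL'), hosts.get('Start Page')
    if default and start and default != start:
        return default, start
    return None


def triage(log_text):
    """Collect (entry, reason) findings in log order."""
    findings = []
    for hive, name, cmd in parse_run_entries(log_text):
        for reason in run_entry_flags(name, cmd):
            findings.append((f'{hive} Run [{name}]', reason))
    mismatch = start_page_mismatch(log_text)
    if mismatch:
        findings.append(('HKCU Start Page', f'{mismatch[1]} instead of {mismatch[0]}'))
    return findings


if __name__ == '__main__':
    for entry, reason in triage(SAMPLE_LOG):
        print(f'{entry}: {reason}')
```

Run against the sample, the script reports the two HKCU/HKLM entries that ComboFix later removed as orphans and the movieint.com start page, while the vendor autoruns (SoundMAXPnP, ctfmon.exe) produce no finding. The rules are deliberately narrow heuristics for this log's layout, not a general malware classifier.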
kevinf80_1d0ac6
July 28th, 2011 00:00
Hi
I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please print or save to Notepad all instructions and follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.
* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE
** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE
Please proceed as follows :-
Open Notepad, select "Format", make sure "Word Wrap" is not selected, then close Notepad.
Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-
Link 1
Link 2
Before saving Combofix to the Desktop, re-name it to Gotcha.exe as below:
****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze. ****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.
*EXTRA NOTES*
Post the log in next reply please...
Kevin
Hokin
July 29th, 2011 00:00
Thanks for offering to help, Kevin. I could not stop the McAfee virus scan; it kept restarting.
regards
John
ComboFix 11-07-25.02 - jlangham-service 28/07/2011 16:37:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1980.1580 [GMT 1:00]
Running from: c:\documents and settings\jlangham-service\Desktop\gotcha.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ddeath\vion.scr
c:\documents and settings\fenw_j\WINDOWS
c:\documents and settings\jlangham-service\Application Data\Anaxca
c:\documents and settings\jlangham-service\Application Data\Anaxca\fuopu.exe
c:\documents and settings\jlangham-service\Application Data\Avulyx
c:\documents and settings\jlangham-service\Application Data\Avulyx\miigy.exe
c:\documents and settings\jlangham-service\Application Data\Epad
c:\documents and settings\jlangham-service\Application Data\Epad\igero.exe
c:\documents and settings\jlangham-service\Application Data\Kyxoon
c:\documents and settings\jlangham-service\Application Data\Kyxoon\izde.exe
c:\documents and settings\jlangham-service\Application Data\Ofgiuc
c:\documents and settings\jlangham-service\Application Data\Ofgiuc\ehoq.exe
c:\documents and settings\jlangham-service\Application Data\Qoes
c:\documents and settings\jlangham-service\Application Data\Qoes\ilupr.exe
c:\documents and settings\jlangham-service\Application Data\Upfo
c:\documents and settings\jlangham-service\Application Data\Upfo\awuzx.exe
c:\documents and settings\jlangham-service\Desktop\weather.lnk
c:\documents and settings\jlangham-service\Local Settings\Application Data\asafijocifalut.dll
c:\documents and settings\jlangham-service\Local Settings\Application Data\mst5DOM2.dll
c:\documents and settings\jlangham-service\vion.scr
c:\documents and settings\rmarcon\vion.scr
C:\hdwe2y7.bin
c:\hdwe2y7.bin\02126517933.exe
c:\hdwe2y7.bin\3D04942A5F7C22C
c:\windows\system32\searchindexer.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WSearch
-------\Service_WSearch
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-25 09:15 . 2011-07-25 09:15 -------- d-----w- c:\documents and settings\jlangham-service\Application Data\Hohe
2011-07-15 08:20 . 2011-07-15 08:20 -------- d-----w- c:\documents and settings\jlangham-service\Application Data\Okmie
2011-07-08 06:54 . 2011-07-08 06:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-01 06:57 . 2011-07-01 07:09 -------- d-----w- c:\documents and settings\jlangham-service\Application Data\PhotoScape
2011-07-01 06:57 . 2011-07-01 07:11 -------- d-----w- c:\program files\PhotoScape
2011-07-01 05:45 . 2011-07-01 05:45 388096 ----a-r- c:\documents and settings\jlangham-service\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-01 05:45 . 2011-07-01 05:45 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-28 15:59 . 2009-05-12 15:25 0 ----a-w- c:\documents and settings\jlangham-service\Local Settings\Application Data\WavXMapDrive.bat
2011-07-19 09:25 . 2010-03-15 16:09 0 ----a-w- c:\documents and settings\rmarcon\Local Settings\Application Data\WavXMapDrive.bat
2011-07-08 09:20 . 2010-02-01 08:10 619 ----a-w- c:\documents and settings\jlangham-service\vpnicons.bat
2011-05-05 06:56 . 2011-03-31 10:51 0 ----a-w- c:\documents and settings\jlangham-service\Local Settings\Application Data\Qkemoyuli.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2007-10-24 01:47 282112 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2007-10-24 01:47 282112 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-09-01 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-11 141336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 136600]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-08-21 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-08-22 145408]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-08-28 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-08-28 91448]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\jlangham-service\Start Menu\Programs\Startup\
Shortcut to NOTES.lnk - c:\documents and settings\jlangham-service\Desktop\NOTES.tex [2011-1-11 954]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-49735\Scripts\Logon\0\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58071\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\vionscreensaver.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58071\Scripts\Logon\1\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58071\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\Enablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\Flash\Flash10.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\1\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\Logon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\1\1]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\vionscreensaver.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\poultryicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\3\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\IE7\IE7.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\4\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\vpnicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\5\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\6\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\Enablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58621\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\vpnicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58621\Scripts\Logon\1\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58621\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\Enablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58673\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\vpnicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58673\Scripts\Logon\1\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58673\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\disablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61081\Scripts\Logon\0\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\Flash\Flash10.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\1\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\Logon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\1\1]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\vionscreensaver.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\poultryicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\3\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\IE7\IE7.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\4\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\5\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\disablefiles.vbs
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [06/03/2009 06:36 24064]
R1 NEOFLTR_550_11965;Juniper Networks TDI Filter Driver (NEOFLTR_550_11965);c:\windows\system32\drivers\NEOFLTR_550_11965.sys [16/07/2007 23:27 63008]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [19/04/2007 06:56 133968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [06/03/2009 06:36 144480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://movieint.com/one/?pid=2170
uInternet Settings,ProxyServer = http=10.10.10.46:8080;https=10.10.10.46:8080;ftp=10.10.10.46:8080;socks=10.10.10.46:1080
uInternet Settings,ProxyOverride = 10.*;*.granet.com;172.*;vionline*;192.*;
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: granet.com
TCP: DhcpNameServer = 10.10.10.58 10.85.10.31 10.50.11.5
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Oxoqeburimuqu - c:\documents and settings\jlangham-service\Local Settings\Application Data\mst5DOM2.dll
HKCU-Run-Rjafari - c:\documents and settings\jlangham-service\Local Settings\Application Data\asafijocifalut.dll
HKCU-Run-{31551C9A-8DB8-380B-34C7-9BDFF8002140} - c:\documents and settings\jlangham-service\Application Data\Epad\igero.exe
HKCU-Run-{E8D46C76-D27D-EAD4-CA69-B0BFACBD7103} - c:\documents and settings\jlangham-service\Application Data\Kyxoon\izde.exe
HKCU-Run-{31551C90-8DB2-380B-34C7-9BDFF8002140} - c:\documents and settings\jlangham-service\Application Data\Epad\igero.exe
HKCU-Run-4E4H6UZX1HUBXEUFCW - c:\hdwe2y7.bin\02126517933.exe
HKLM-Run-Rjafari - c:\documents and settings\jlangham-service\Local Settings\Application Data\asafijocifalut.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-28 16:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(768)
c:\program files\Juniper Networks\Secure Application Manager\samnsp.dll
.
- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2011-07-28 17:07:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-28 16:07
.
Pre-Run: 22,345,572,352 bytes free
Post-Run: 22,892,122,112 bytes free
.
- - End Of File - - 624DDD22A1C408E71A91FE6C870D5A0D
kevinf80_1d0ac6
July 29th, 2011 04:00
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
Note: If you have SP2 or SP3, use the SP2 package.
Transfer all files you just downloaded, to the desktop of the infected computer.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Please post the C:\ComboFix.txt in your next reply.
Next,
Run ESET Online Scan
You can refer to this animation by neomage if needed.
Frequently asked questions available Here Please read them before running the scan.
Also be aware this scan can take between one and several hours to complete depending on the size of your system.
ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".
Let me see the logs from CF and ESET in next reply...
Kevin
Hokin
July 29th, 2011 05:00
Still won't let me stop the virus scan; even tried killing it with taskman.
CF
ComboFix 11-07-25.02 - jlangham-service 29/07/2011 11:40:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1980.1393 [GMT 1:00]
Running from: c:\documents and settings\jlangham-service\Desktop\gotcha.exe
Command switches used :: c:\documents and settings\jlangham-service\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jlangham-service\Local Settings\Application Data\{4583BDD1-3659-48A5-A238-11429F7CB9C4}
c:\documents and settings\jlangham-service\Local Settings\Application Data\{4583BDD1-3659-48A5-A238-11429F7CB9C4}\chrome.manifest
c:\documents and settings\jlangham-service\Local Settings\Application Data\{4583BDD1-3659-48A5-A238-11429F7CB9C4}\chrome\content\_cfg.js
c:\documents and settings\jlangham-service\Local Settings\Application Data\{4583BDD1-3659-48A5-A238-11429F7CB9C4}\chrome\content\overlay.xul
c:\documents and settings\jlangham-service\Local Settings\Application Data\{4583BDD1-3659-48A5-A238-11429F7CB9C4}\install.rdf
c:\documents and settings\jlangham-service\vion.scr
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-29 )))))))))))))))))))))))))))))))
.
.
2011-07-25 09:15 . 2011-07-25 09:15 -------- d-----w- c:\documents and settings\jlangham-service\Application Data\Hohe
2011-07-15 08:20 . 2011-07-15 08:20 -------- d-----w- c:\documents and settings\jlangham-service\Application Data\Okmie
2011-07-08 06:54 . 2011-07-08 06:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-01 06:57 . 2011-07-01 07:09 -------- d-----w- c:\documents and settings\jlangham-service\Application Data\PhotoScape
2011-07-01 06:57 . 2011-07-01 07:11 -------- d-----w- c:\program files\PhotoScape
2011-07-01 05:45 . 2011-07-01 05:45 388096 ----a-r- c:\documents and settings\jlangham-service\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-01 05:45 . 2011-07-01 05:45 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-29 07:49 . 2009-05-12 15:25 0 ----a-w- c:\documents and settings\jlangham-service\Local Settings\Application Data\WavXMapDrive.bat
2011-07-19 09:25 . 2010-03-15 16:09 0 ----a-w- c:\documents and settings\rmarcon\Local Settings\Application Data\WavXMapDrive.bat
2011-07-08 09:20 . 2010-02-01 08:10 619 ----a-w- c:\documents and settings\jlangham-service\vpnicons.bat
2011-05-05 06:56 . 2011-03-31 10:51 0 ----a-w- c:\documents and settings\jlangham-service\Local Settings\Application Data\Qkemoyuli.bin
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-28_15.58.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-29 03:43 . 2011-07-29 03:43 16384 c:\windows\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2007-10-24 01:47 282112 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2007-10-24 01:47 282112 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-09-01 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-11 141336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 136600]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-08-21 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-08-22 145408]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-08-28 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-08-28 91448]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\jlangham-service\Start Menu\Programs\Startup\
Shortcut to NOTES.lnk - c:\documents and settings\jlangham-service\Desktop\NOTES.tex [2011-1-11 954]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-49735\Scripts\Logon\0\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58071\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\vionscreensaver.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58071\Scripts\Logon\1\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58071\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\Enablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\Flash\Flash10.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\1\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\Logon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\1\1]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\vionscreensaver.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\poultryicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\3\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\IE7\IE7.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\4\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\vpnicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\5\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58091\Scripts\Logon\6\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\Enablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58621\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\vpnicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58621\Scripts\Logon\1\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58621\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\Enablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58673\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\vpnicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58673\Scripts\Logon\1\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-58673\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\disablefiles.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61081\Scripts\Logon\0\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\0\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\Flash\Flash10.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\1\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\Logon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\1\1]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\vionscreensaver.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\2\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\GPO\new\poultryicons.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\3\0]
"Script"=\\GRANET.COM\sysvol\GRANET.COM\scripts\IE7\IE7.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\4\0]
"Script"=computername.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1303643608-682003330-61295\Scripts\Logon\5\0]
"Script"=\\GRANET.COM\SysVol\GRANET.COM\scripts\GPO\new\disablefiles.vbs
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [06/03/2009 06:36 24064]
R1 NEOFLTR_550_11965;Juniper Networks TDI Filter Driver (NEOFLTR_550_11965);c:\windows\system32\drivers\NEOFLTR_550_11965.sys [16/07/2007 23:27 63008]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [19/04/2007 06:56 133968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [06/03/2009 06:36 144480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://movieint.com/one/?pid=2170
uInternet Settings,ProxyServer = ftp=10.10.10.46:8080;http=10.10.10.46:8080;https=10.10.10.46:8080;socks=10.10.10.46:1080
uInternet Settings,ProxyOverride = 10.*;*.granet.com;172.*;vionline*;192.*;
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: granet.com
TCP: DhcpNameServer = 10.10.10.58 10.85.10.31 10.50.11.5
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-29 11:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(764)
c:\program files\Juniper Networks\Secure Application Manager\samnsp.dll
c:\windows\System32\TdmNetworkProvider.dll
.
Completion time: 2011-07-29 11:47:26
ComboFix-quarantined-files.txt 2011-07-29 10:47
ComboFix2.txt 2011-07-28 16:07
.
Pre-Run: 22,994,530,304 bytes free
Post-Run: 23,128,743,936 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B15ADC3BB5895D5A1516F0BBBB8B6F97
ESET
C:\Documents and Settings\jlangham-service\Application Data\Sun\Java\Deployment\cache\6.0\19\33c7d6d3-30a35859 Win32/Spy.Zbot.YW trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Application Data\Anaxca\fuopu.exe.vir a variant of Win32/Kryptik.OUR trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Application Data\Avulyx\miigy.exe.vir a variant of Win32/Kryptik.QIJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Application Data\Epad\igero.exe.vir a variant of Win32/Kryptik.PWJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Application Data\Kyxoon\izde.exe.vir a variant of Win32/Kryptik.OOK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Application Data\Ofgiuc\ehoq.exe.vir a variant of Win32/Kryptik.OUR trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Application Data\Qoes\ilupr.exe.vir a variant of Win32/Kryptik.QNC trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Application Data\Upfo\awuzx.exe.vir a variant of Win32/Kryptik.QLW trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Local Settings\Application Data\asafijocifalut.dll.vir a variant of Win32/Cimag.GQ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\jlangham-service\Local Settings\Application Data\mst5DOM2.dll.vir a variant of Win32/Kryptik.NTD trojan
C:\Qoobox\Quarantine\C\hdwe2y7.bin\02126517933.exe.vir a variant of Win32/Kryptik.QBB trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0124120.exe Win32/Spy.Zbot.YW trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0124121.dll a variant of Win32/Kryptik.MMU trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP506\A0125258.exe a variant of Win32/Kryptik.NUC trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP525\A0131229.exe a variant of Win32/Kryptik.PEM trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP526\A0131486.exe a variant of Win32/Kryptik.PEM trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP527\A0131546.exe a variant of Win32/Kryptik.PEM trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP528\A0131757.exe a variant of Win32/Kryptik.PEM trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP530\A0131785.exe a variant of Win32/Kryptik.OCT trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP532\A0133335.exe a variant of Win32/Kryptik.PRL trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP534\A0134783.exe a variant of Win32/Kryptik.PRL trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP537\A0136729.exe a variant of Win32/Kryptik.PPA trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP537\A0136734.exe Win32/Spy.SpyEye.CA trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0147912.exe a variant of Win32/Kryptik.OXG trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0147945.exe a variant of Win32/Kryptik.PWJ trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0147946.exe a variant of Win32/Kryptik.OOK trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148048.exe a variant of Win32/Kryptik.OUR trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148049.exe a variant of Win32/Kryptik.QIJ trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148050.exe a variant of Win32/Kryptik.OUR trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148051.exe a variant of Win32/Kryptik.QNC trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148052.exe a variant of Win32/Kryptik.QLW trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148054.dll a variant of Win32/Cimag.GQ trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148055.dll a variant of Win32/Kryptik.NTD trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP555\A0148058.exe a variant of Win32/Kryptik.QBB trojan
kevinf80_1d0ac6
1.1K Posts
0
July 29th, 2011 14:00
Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users: right click and select Run as Administrator.
-------------------------------------------------------------------
:Files
ipconfig /flushdns /c
:Commands
[ResetHosts]
[ClearAllRestorePoints]
[EmptyTemp]
[ReBoot]
---------------------------------------------------------------------
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Post the log from OTM in your reply, also give update on issues/concerns...
Kevin
Hokin
12 Posts
0
August 1st, 2011 06:00
Only query is Combofix appeared to find several trojans but I followed instructions to "Leave the tick out of remove found threats" and am wondering if they are still present or if another step will remove them.
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\jlangham-service\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\jlangham-service\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore points cleared and new OTM Restore Point set!
[EMPTYTEMP]
User: admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: arrow_a
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: ddeath
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: fenw_j
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 405 bytes
User: isted_n
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: jlangham-service
->Temp folder emptied: 4441545 bytes
->Temporary Internet Files folder emptied: 303334352 bytes
->Java cache emptied: 16529634 bytes
->Flash cache emptied: 134423 bytes
User: jsmith1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: naghra_k
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 40420 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: rmarcon
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1025293 bytes
->Java cache emptied: 2585041 bytes
->Flash cache emptied: 41409 bytes
User: sa-hdo-sched
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: saine_j
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: svc-bkup-acc
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: tday
->Temp folder emptied: 18395143 bytes
->Temporary Internet Files folder emptied: 308207705 bytes
->Java cache emptied: 4446475 bytes
->Flash cache emptied: 47310 bytes
User: umple_c
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 67836 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 53742370 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 680.00 mb
OTM by OldTimer - Version 3.1.18.0 log created on 08012011_133030
Files moved on Reboot...
Registry entries deleted on Reboot...
kevinf80_1d0ac6
1.1K Posts
0
August 1st, 2011 12:00
Combofix quarantine folder "Qoobox" will be cleared when we uninstall CF later.
System restore cache: those were cleared when we ran OTM with the command "ClearAllRestorePoints". OTM also created a new clean restore point.
Java cache: that cache was emptied when we ran OTM as above. All found infections will be removed from "held folders" when we clean up at the end.
Run the following :-
Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Let me see the log from Security Checks, also tell me how your system is responding and if any remaining issues or concerns...
Kevin
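Kevin's reply above sorts the ESET hits by where they sit: live files, ComboFix's Qoobox quarantine, System Restore points, or the Java cache, and only the live ones need a further removal step. As an added example (not code from the thread, from ESET or from ComboFix), this script applies that triage to ESET log lines in the format posted above; the sample lines are constructed and modelled on the thread's log.

```python
"""Triage ESET Online Scanner detections by where each detected file lives.

Added example, not part of the thread. Categories follow the helper's reply:
  combofix_quarantine : copies under C:\\Qoobox\\Quarantine (cleared on CF uninstall)
  restore_point       : copies in System Volume Information\\_restore{...} (cleared by OTM)
  java_cache          : Java Deployment cache (emptied by OTM)
  live                : anything else; these still need a removal step
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample in the ESET log format seen above: path, a space, detection
# name. The last line is a deliberately live (non-quarantined) hit for contrast.
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\19\33c7d6d3-30a35859 Win32/Spy.Zbot.YW trojan
C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\Anaxca\fuopu.exe.vir a variant of Win32/Kryptik.OUR trojan
C:\Qoobox\Quarantine\C\hdwe2y7.bin\02126517933.exe.vir a variant of Win32/Kryptik.QBB trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0124120.exe Win32/Spy.Zbot.YW trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP537\A0136734.exe Win32/Spy.SpyEye.CA trojan
C:\Documents and Settings\user\Application Data\Epad\igero.exe a variant of Win32/Kryptik.PWJ trojan
"""

# One log line: a Windows path (may contain spaces), whitespace, then the
# detection name, which begins with an optional "a variant of" and a
# Platform/Family token such as Win32/Kryptik.OUR. Windows paths never contain
# "/", so the lazy path group stops at the first token that does.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?:\s+\S+)*)$"
)


def classify(path: str) -> str:
    """Map a detected file's path to the triage category it belongs to."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    return "live"


def family_of(detection: str) -> str:
    """Reduce 'a variant of Win32/Kryptik.OUR trojan' to 'Win32/Kryptik.OUR'."""
    m = re.search(r"([A-Za-z0-9]+/\S+)", detection)
    return m.group(1) if m else detection


def parse_eset_log(text: str) -> list[dict]:
    """Parse log text into one dict per line; unparseable lines are kept visible."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            entries.append({"path": line, "detection": None,
                            "family": None, "category": "unparsed"})
            continue
        path, detection = m.group("path"), m.group("detection")
        entries.append({"path": path, "detection": detection,
                        "family": family_of(detection),
                        "category": classify(path)})
    return entries


def summarize(entries: list[dict]) -> Counter:
    """Count detections per category."""
    return Counter(e["category"] for e in entries)


def needs_action(entries: list[dict]) -> list[str]:
    """Paths that are neither quarantined nor cached: the ones still to remove."""
    return [e["path"] for e in entries if e["category"] == "live"]


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_ESET_LOG)
    for category, count in sorted(summarize(found).items()):
        print(f"{category:20s} {count}")
    print("still needs a removal step:")
    for path in needs_action(found):
        print("  ", path)
```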
Hokin
12 Posts
0
August 3rd, 2011 06:00
Haven't had a Google redirect in some time, the homepage is staying as it should, and the PC seems a little faster, but that may just be me.
regards
John
Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
ESET Online Scanner v3
McAfee VirusScan Enterprise
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 11
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee VirusScan Enterprise VsTskMgr.exe
``````````End of Log````````````
kevinf80_1d0ac6
1.1K Posts
0
August 3rd, 2011 15:00
Continue as follows please :-
Step 1
Remove Combofix now that we're done with it
The above procedure will delete the following:
It is very important that you get a successful uninstall because of the extra functions done at the same time; let me know if this does not happen.
Step 2
Step 3
1. Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
2. Click to select ESET Online Scanner from the application list, and then click Remove to uninstall ESET Online Scanner. Only re-boot if prompted
Step 4
You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.
If you update Java or Adobe, ensure any old versions are uninstalled from the Add/Remove Programs list <--- Very important
Let me know if the above steps complete OK, also any remaining issues/concerns...
Kevin
Hokin
12 Posts
0
August 4th, 2011 07:00
All steps above completed OK, no issues found, still no redirects and the homepage is stable. Thank you very much for your help and time :)
kevinf80_1d0ac6
1.1K Posts
0
August 4th, 2011 10:00
Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.
Make proper use of your antivirus and firewall
Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.
You should keep your antivirus and firewall guard enabled at all times; NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.
Install and use WinPatrol. This will inform you of any attempted unauthorized changes to your system.
WinPatrol features explained Here
You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.
Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
Firefox,
Opera, and
Chrome.
All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.
These browser add-ons will help to make your browser safer:
Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:
Available for Firefox and Internet Explorer.
Green to go,
Yellow for caution, and
Red to stop.
Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.
These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.
Here are a couple of links by two security experts that will give some excellent tips and advice.
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally, this link HERE will give a comprehensive up-to-date list of free security programs, including antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.
Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.
If no remaining issues, we'll close this one out; let me know if that is OK.
Cheers,
Kevin
Hokin
12 Posts
0
August 4th, 2011 23:00
OK to close and once more thanks for your help
kevinf80_1d0ac6
1.1K Posts
0
August 5th, 2011 11:00
Since this issue appears to be resolved the topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.