
Browser Redirect


  • This topic is locked
21 replies to this topic

#1 Weezie12

Posted 03 December 2009 - 03:08 PM

Every time I click on a link from Yahoo search engine I get directed to a completely different page. A lot of times I get directed to a virus/spyware scan page. Could someone please check this. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:52 PM, on 12/3/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Cyberlink\Power2Go\Power2GoExpress.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\VIPRE\SBRC.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....r_installer.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 3363 bytes
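An added triage helper, not part of this thread and not HijackThis code: it parses the R0/R1 (start/search page), O2 (BHO), O4 (Run/RunOnce) and O23 (service) line formats seen in the log above and flags what a helper checks first for a search redirect: start/search page hosts outside an expected-host allowlist, and autostarts or services running from outside Program Files or Windows. The allowlist, trusted-directory prefixes and the sample log lines are constructed for this example.

```python
"""Triage helper for HijackThis v2.x log lines (added example, not HJT code).

Parses the R0/R1 (IE start/search page), O2 (BHO), O4 (Run/RunOnce) and
O23 (service) line formats and flags what a helper checks first when a
browser is being redirected:
  * start/search page URLs whose host is not on an expected-host allowlist
  * autostart entries and services whose executable is outside the usual
    Program Files / Windows locations (for example under a user profile)
The allowlist, trusted prefixes and SAMPLE_LOG below are constructed.
"""
import re
from urllib.parse import urlsplit

# Hosts a reviewer expects in R0/R1 entries (constructed; adjust per environment).
EXPECTED_HOSTS = {"go.microsoft.com", "www.msn.com", "msn.com", "yahoo.com", "www.yahoo.com"}

# Locations where installed autostart binaries normally live (constructed list).
TRUSTED_DIR_PREFIXES = (r"c:\program files", r"c:\windows",
                        "%programfiles%", "%systemroot%", "%windir%")

# Line formats as printed by HijackThis; named groups pick out the fields.
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = ?(?P<url>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<sub>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<svc>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.+)$")

# Constructed sample in the HJT line format; the Temp-folder autostart and the
# search-hijack.example host are the planted findings.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-hijack.example/find?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [updater] "C:\Users\example\AppData\Local\Temp\update.exe" /silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
"""


def executable_of(cmd: str) -> str:
    """Best-effort extraction of the program path from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, then arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)  # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split(" ")[0]


def in_trusted_dir(path: str) -> bool:
    """True when the path starts with one of the usual install locations."""
    return path.strip().lower().startswith(TRUSTED_DIR_PREFIXES)


def host_is_expected(url: str) -> bool:
    """True when the URL's host is on the allowlist (hostname is lowercased by urlsplit)."""
    host = (urlsplit(url).hostname or "").lower()
    return host in EXPECTED_HOSTS


def triage(log_text: str) -> dict:
    """Classify log lines; returns {category: [(line, detail), ...]}."""
    findings = {"unexpected_page": [], "untrusted_autostart": [], "bho": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            url = m.group("url").strip()
            if url and not host_is_expected(url):        # an empty value is normal
                findings["unexpected_page"].append((line, urlsplit(url).hostname))
        elif m := O4_LINE.match(line):
            exe = executable_of(m.group("cmd"))
            if not in_trusted_dir(exe):
                findings["untrusted_autostart"].append((line, exe))
        elif m := O23_LINE.match(line):
            if not in_trusted_dir(m.group("path")):
                findings["untrusted_autostart"].append((line, m.group("path")))
        elif m := O2_LINE.match(line):
            # Every BHO is worth listing: it is loaded into each IE process.
            findings["bho"].append((m.group("clsid"), m.group("path")))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"== {category} ({len(items)})")
        for line, detail in items:
            print(f"  {detail}\n    {line}")
```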

#2 SWI Support Robot

Posted 06 December 2009 - 05:54 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 lance_yien

Posted 06 December 2009 - 07:02 AM

Hello Weezie12 and welcome to SWI.

We are currently studying your log and will be back to you as soon as possible. Thank you for your patience.
EI | SWI | ZEBULON

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#4 lance_yien

Posted 06 December 2009 - 12:29 PM

Hello Weezie12.

Please print out these instructions or copy them to a Notepad file for easier reading, and download to your Desktop:

  • Malwarebytes Anti-Malware from here or here
  • OTL ( by OldTimer) from here.

Now, please make sure you are connected to the Internet and:

  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, please manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer (see Note below).
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware, please see here.

Then, please close all windows and double-click OTL.exe (on your Desktop) to run OTL.
Click Run Scan and let the program run uninterrupted.
It will produce two logs for you, one (OTL.txt) will pop up, the other (Extras.txt) will be saved on your Desktop.

Please post the contents of OTL.txt, Extras.txt and the Malwarebytes Anti-Malware log with a fresh HijackThis log and let me know how your computer is functioning now.

Note: You may need to use two posts to get it all in.

#5 Weezie12

Posted 07 December 2009 - 05:56 PM

OTL logfile created on: 12/7/2009 4:36:53 PM - Run 1
OTL by OldTimer - Version 3.1.11.9 Folder = C:\Users\Louise\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.49 Mb Total Physical Memory | 348.23 Mb Available Physical Memory | 38.93% Memory free
1.87 Gb Paging File | 1.03 Gb Available in Paging File | 55.07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.19 Gb Total Space | 160.30 Gb Free Space | 72.15% Space Free | Partition Type: NTFS
Drive D: | 10.69 Gb Total Space | 4.49 Gb Free Space | 41.95% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LOUISE-PC
Current User Name: Louise
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/07 16:26:52 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\Louise\Desktop\OTL.exe
PRC - [2009/12/06 16:45:04 | 00,530,432 | ---- | M] (Tiger grp (www.dimonius.ru)) -- C:\Program Files\USD\USDownloader.exe
PRC - [2009/10/27 14:33:18 | 00,959,824 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
PRC - [2009/10/27 14:31:06 | 01,012,080 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
PRC - [2009/08/02 23:35:50 | 02,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/13 19:17:29 | 00,673,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/07/13 19:14:42 | 00,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 19:14:17 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dinotify.exe
PRC - [2009/03/27 22:10:56 | 00,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2007/10/05 14:07:52 | 02,680,104 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Cyberlink\Power2Go\Power2GoExpress.exe
PRC - [2005/02/24 14:37:11 | 00,018,208 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\ssvagent.exe


========== Modules (SafeList) ==========

MOD - [2009/12/07 16:26:52 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\Louise\Desktop\OTL.exe
MOD - [2009/07/13 19:16:15 | 00,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 19:16:13 | 00,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 19:16:13 | 00,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 19:16:12 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 19:16:03 | 00,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 19:15:35 | 00,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 19:15:13 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 19:15:11 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 19:15:07 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 19:15:02 | 00,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 19:03:50 | 01,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
MOD - [2007/11/06 18:08:30 | 00,106,496 | ---- | M] (Nektra S.A.) -- C:\Program Files\Sunbelt Software\VIPRE\oehook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/27 14:31:06 | 01,012,080 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
SRV - [2009/07/13 19:16:21 | 00,185,856 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 19:16:17 | 00,151,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 19:16:17 | 00,119,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 19:16:16 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 19:16:15 | 00,053,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 19:16:13 | 00,043,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 19:16:13 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 19:16:12 | 01,004,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 19:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 19:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 19:16:12 | 00,165,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 19:16:12 | 00,020,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 19:15:41 | 00,680,960 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 19:15:36 | 00,194,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 19:15:21 | 00,797,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 19:15:11 | 00,253,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 19:15:10 | 00,218,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 19:14:59 | 00,076,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 19:14:58 | 00,088,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 19:14:53 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 19:14:29 | 03,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/03/27 22:10:56 | 00,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4E E1 70 71 99 1A C5 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (824 bytes) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [CLJ] Reg Error: Invalid data type. File not found
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O4 - HKCU..\Run: [Power2GoExpress] C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe (CyberLink Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer....r_installer.exe (Virtools WebPlayer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 15:42:20 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2009/12/07 16:26:44 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Users\Louise\Desktop\OTL.exe
[2009/12/07 09:09:04 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\Microsoft Games
[2009/12/06 17:12:01 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\Malwarebytes
[2009/12/06 17:11:51 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/06 17:11:49 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/06 17:11:49 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/06 17:11:49 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/12/03 17:08:54 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\FreeFixer
[2009/12/03 17:08:54 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\FreeFixer
[2009/12/01 20:52:16 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2009/12/01 20:52:16 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/01 20:47:57 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/30 17:53:02 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\PlayFirst
[2009/11/30 17:53:02 | 00,000,000 | ---D | C] -- C:\ProgramData\PlayFirst
[2009/11/30 15:35:58 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\Jane s Hotel
[2009/11/29 19:33:28 | 00,000,000 | ---D | C] -- C:\Users\Louise\Jane's Hotel
[2009/11/28 21:51:44 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2009/11/27 20:45:26 | 00,000,000 | ---D | C] -- C:\Windows\Sun
[2009/11/27 19:15:05 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\Google
[2009/11/27 19:15:05 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\Google
[2009/11/27 18:32:24 | 00,000,000 | ---D | C] -- C:\Windows\System32\Adobe
[2009/11/27 13:08:05 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\3DVIA
[2009/11/27 13:07:54 | 00,000,000 | ---D | C] -- C:\ProgramData\3DVIA
[2009/11/27 13:07:34 | 00,000,000 | ---D | C] -- C:\Program Files\Virtools
[2009/11/27 10:48:21 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\ElevatedDiagnostics
[2009/11/26 17:10:00 | 00,000,000 | ---D | C] -- C:\Program Files\LSI SoftModem
[2009/11/26 16:59:54 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\Apple Computer
[2009/11/26 16:59:54 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\Apple Computer
[2009/11/26 16:59:26 | 00,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2009/11/26 16:58:47 | 00,000,000 | ---D | C] -- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/26 16:54:13 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\Apple
[2009/11/26 16:53:09 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple
[2009/11/26 16:07:23 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\Uniblue
[2009/11/26 11:45:24 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\Yahoo
[2009/11/26 11:17:38 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Local\Yahoo!
[2009/11/26 11:17:07 | 00,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
[2009/11/26 11:16:57 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\Yahoo!
[2009/11/26 10:59:59 | 00,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2009/11/25 11:24:51 | 00,000,000 | ---D | C] -- C:\Program Files\Dora Saves The Snow Princess
[2009/11/24 13:32:51 | 00,000,000 | ---D | C] -- C:\Users\Louise\AppData\Roaming\FlashGet

========== Files - Modified Within 14 Days ==========

[2009/12/07 16:39:15 | 01,310,720 | -HS- | M] () -- C:\Users\Louise\ntuser.dat
[2009/12/07 16:26:52 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\Louise\Desktop\OTL.exe
[2009/12/07 12:40:47 | 00,016,944 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/07 12:40:47 | 00,016,944 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/07 12:37:58 | 00,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/07 12:37:58 | 00,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/07 12:37:58 | 00,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/07 12:33:38 | 00,001,063 | ---- | M] () -- C:\Users\Louise\Desktop\CyberLink Power2Go.lnk
[2009/12/07 12:33:33 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/07 12:33:23 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/07 12:33:18 | 70,345,5232 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/07 12:29:37 | 01,623,722 | -H-- | M] () -- C:\Users\Louise\AppData\Local\IconCache.db
[2009/12/07 09:44:58 | 00,000,667 | ---- | M] () -- C:\Users\Louise\Documents\Louise - Shortcut.lnk
[2009/12/06 17:11:55 | 00,000,939 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/04 18:50:27 | 12,770,8369 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/03 17:39:43 | 00,000,036 | ---- | M] () -- C:\Users\Louise\AppData\Local\housecall.guid.cache
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/11/27 10:45:31 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2009/11/26 15:21:00 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_EhStorPwdDrv_01_09_00.Wdf
[2009/11/26 11:44:14 | 00,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2009/11/25 12:30:21 | 00,001,930 | ---- | M] () -- C:\Users\Public\Desktop\Please Read.lnk
[2009/11/25 09:50:30 | 00,001,213 | ---- | M] () -- C:\Users\Louise\Desktop\Dora the Explorer 3D Pyramid Adventure.lnk
[2009/11/25 09:49:39 | 00,002,584 | ---- | M] () -- C:\Users\Louise\Desktop\Play Dora's Carnival 2 - At The Boardwalk.lnk

========== Files Created - No Company Name ==========

[2009/12/07 09:44:58 | 00,000,667 | ---- | C] () -- C:\Users\Louise\Documents\Louise - Shortcut.lnk
[2009/12/07 07:41:46 | 62,565,7184 | ---- | C] () -- C:\Users\Louise\Desktop\Dora's Christmas Carol Adventure (2009) DVDRip.avi
[2009/12/06 17:11:55 | 00,000,939 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/03 17:39:43 | 00,000,036 | ---- | C] () -- C:\Users\Louise\AppData\Local\housecall.guid.cache
[2009/11/28 21:51:33 | 12,770,8369 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2009/11/27 10:45:31 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2009/11/26 15:21:00 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_EhStorPwdDrv_01_09_00.Wdf
[2009/11/26 11:44:14 | 00,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2009/11/25 15:27:53 | 00,001,063 | ---- | C] () -- C:\Users\Louise\Desktop\CyberLink Power2Go.lnk
[2009/11/25 11:25:06 | 00,001,930 | ---- | C] () -- C:\Users\Public\Desktop\Please Read.lnk
[2009/11/25 09:50:30 | 00,001,213 | ---- | C] () -- C:\Users\Louise\Desktop\Dora the Explorer 3D Pyramid Adventure.lnk
[2009/11/25 09:49:39 | 00,002,584 | ---- | C] () -- C:\Users\Louise\Desktop\Play Dora's Carnival 2 - At The Boardwalk.lnk
[2009/07/13 17:51:43 | 00,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 17:42:10 | 00,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2005/02/24 13:27:41 | 00,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys

========== LOP Check ==========

[2005/02/25 08:04:20 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\DAEMON Tools Lite
[2009/11/24 13:32:51 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\FlashGet
[2009/12/03 17:22:30 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\FreeFixer
[2009/12/03 12:10:33 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\FrostWire
[2005/02/25 07:59:15 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\ImgBurn
[2009/11/30 15:35:58 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\Jane s Hotel
[2009/11/30 17:53:02 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\PlayFirst
[2009/11/26 16:52:55 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\Uniblue
[2005/02/24 13:46:33 | 00,000,000 | ---D | M] -- C:\Users\Louise\AppData\Roaming\uTorrent
[2009/07/13 22:53:46 | 00,013,434 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report




OTL Extras logfile created on: 12/7/2009 4:36:53 PM - Run 1
OTL by OldTimer - Version 3.1.11.9 Folder = C:\Users\Louise\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.49 Mb Total Physical Memory | 348.23 Mb Available Physical Memory | 38.93% Memory free
1.87 Gb Paging File | 1.03 Gb Available in Paging File | 55.07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.19 Gb Total Space | 160.30 Gb Free Space | 72.15% Space Free | Partition Type: NTFS
Drive D: | 10.69 Gb Total Space | 4.49 Gb Free Space | 41.95% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LOUISE-PC
Current User Name: Louise
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{244C63A8-035D-4D17-80B8-3E344DA306BD}" = VIPRE Antivirus + Antispyware
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 5.0
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Dora Saves The Snow Princess1.0" = Dora Saves The Snow Princess
"Dora the Explorer 3D Pyramid Adventure" = Dora the Explorer 3D Pyramid Adventure (remove only)
"FrostWire" = FrostWire 4.18.4
"HijackThis" = HijackThis 2.0.2
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"Joboshare DVD Creator" = Joboshare DVD Creator
"LSI Soft Modem" = LSI PCI-SV92PP Soft Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Play Dora's Carnival 2 - At The Boardwalk1.0" = Play Dora's Carnival 2 - At The Boardwalk
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/7/2009 2:31:09 AM | Computer Name = Louise-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.

Error - 12/7/2009 11:00:27 AM | Computer Name = Louise-PC | Source = Application Error | ID = 1000
Description = Faulting application name: DoraPyramid4.exe, version: 1.0.0.0, time
stamp: 0x38b51e94 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time
stamp: 0x4a5bdadb Exception code: 0xc0000005 Fault offset: 0x00052bf8 Faulting process
id: 0x2a0 Faulting application start time: 0x01ca774e00bbf625 Faulting application
path: C:\Program Files\Dora the Explorer 3D Pyramid Adventure\DoraPyramid4.exe Faulting
module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 4061f487-e341-11de-8e34-001e9082fe15

Error - 12/7/2009 11:01:37 AM | Computer Name = Louise-PC | Source = Application Error | ID = 1000
Description = Faulting application name: DoraPyramid4.exe, version: 1.0.0.0, time
stamp: 0x38b51e94 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time
stamp: 0x4a5bdadb Exception code: 0xc0000005 Fault offset: 0x00055fbd Faulting process
id: 0xf24 Faulting application start time: 0x01ca774e2b941c36 Faulting application
path: C:\Program Files\Dora the Explorer 3D Pyramid Adventure\DoraPyramid4.exe Faulting
module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 6a1b1b87-e341-11de-8e34-001e9082fe15

Error - 12/7/2009 11:02:46 AM | Computer Name = Louise-PC | Source = Application Error | ID = 1000
Description = Faulting application name: infocard.exe, version: 3.0.4506.4926, time
stamp: 0x4a174e0d Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x0001102e Faulting process id: 0x858 Faulting application
start time: 0x01ca774e553b6193 Faulting application path: C:\Windows\Microsoft.NET\Framework\v3.0\Windows
Communication Foundation\infocard.exe Faulting module path: unknown Report Id: 934e728b-e341-11de-8e34-001e9082fe15

Error - 12/7/2009 11:30:56 AM | Computer Name = Louise-PC | Source = Application Hang | ID = 1002
Description = The program mbam.exe version 1.42.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 9f4 Start Time:
01ca7748b8395337 Termination Time: 313 Application Path: C:\Program Files\Malwarebytes'
Anti-Malware\mbam.exe Report Id: 7a3aefe9-e345-11de-8e34-001e9082fe15

Error - 12/7/2009 12:34:14 PM | Computer Name = Louise-PC | Source = Application Hang | ID = 1002
Description = The program PurblePlace.exe version 6.1.7600.16385 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: b0c Start
Time: 01ca7754953fb130 Termination Time: 239 Application Path: C:\Program Files\Microsoft
Games\Purble Place\PurblePlace.exe Report Id: 51383225-e34e-11de-8e34-001e9082fe15


Error - 12/7/2009 12:41:54 PM | Computer Name = Louise-PC | Source = Application Error | ID = 1000
Description = Faulting application name: mcupdate.EXE, version: 6.1.7600.16385,
time stamp: 0x4a5bccd6 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x0001102e Faulting process id:
0xdf8 Faulting application start time: 0x01ca775c2e58f0f4 Faulting application path:
C:\Windows\ehome\mcupdate.EXE Faulting module path: unknown Report Id: 6cf8d2d0-e34f-11de-8e34-001e9082fe15

Error - 12/7/2009 2:10:00 PM | Computer Name = Louise-PC | Source = .NET Runtime | ID = 1023
Description =

Error - 12/7/2009 2:27:03 PM | Computer Name = Louise-PC | Source = Application Error | ID = 1000
Description = Faulting application name: wmplayer.exe, version: 12.0.7600.16415,
time stamp: 0x4a98ae4b Faulting module name: nvd3dum.dll, version: 8.15.11.8593,
time stamp: 0x4a5bdaec Exception code: 0xc0000005 Fault offset: 0x0036e9f4 Faulting
process id: 0x43cc Faulting application start time: 0x01ca77699e1e6138 Faulting application
path: C:\Program Files\Windows Media Player\wmplayer.exe Faulting module path: C:\Windows\system32\nvd3dum.dll
Report
Id: 1d3e7093-e35e-11de-8e34-001e9082fe15

Error - 12/7/2009 2:28:25 PM | Computer Name = Louise-PC | Source = Desktop Window Manager | ID = 9020
Description = The Desktop Window Manager has encountered a fatal error (0x8007000e)

[ System Events ]
Error - 12/7/2009 2:10:04 PM | Computer Name = Louise-PC | Source = Service Control Manager | ID = 7034
Description = The VIPRE Antivirus + Antispyware service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/7/2009 2:10:31 PM | Computer Name = Louise-PC | Source = DCOM | ID = 10010
Description =

Error - 12/7/2009 2:17:53 PM | Computer Name = Louise-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Error Reporting Service service to connect.

Error - 12/7/2009 2:27:03 PM | Computer Name = Louise-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Error Reporting Service service to connect.

Error - 12/7/2009 2:27:19 PM | Computer Name = Louise-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Error Reporting Service service to connect.

Error - 12/7/2009 2:27:52 PM | Computer Name = Louise-PC | Source = DCOM | ID = 10010
Description =

Error - 12/7/2009 2:33:27 PM | Computer Name = Louise-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 12:31:33 PM on ?12/?7/?2009 was unexpected.

Error - 12/7/2009 2:33:37 PM | Computer Name = Louise-PC | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%126

Error - 12/7/2009 2:33:57 PM | Computer Name = Louise-PC | Source = Microsoft-Windows-EnhancedStorage-EhStorCertDrv | ID = 80
Description = Password device is not compatible with Windows.

Error - 12/7/2009 2:34:09 PM | Computer Name = Louise-PC | Source = Microsoft-Windows-EnhancedStorage-EhStorCertDrv | ID = 80
Description = Password device is not compatible with Windows.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:42 PM, on 12/7/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Cyberlink\Power2Go\Power2GoExpress.exe
C:\Windows\System32\dinotify.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\USD\USDownloader.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....r_installer.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 3278 bytes
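
The OTL "Last 10 Event Log Errors" section in the log above wraps each description across several lines, which makes it hard to read as a timeline. What follows is an added example, not part of the thread and not any of the tools' own code: it re-joins the wrapped entries, orders them by timestamp, and flags the things a responder would look at first, namely a security product's service terminating unexpectedly (ID 7034), a service stopping with a Win32 error code (ID 7023, with `%%126` decoded as ERROR_MOD_NOT_FOUND), an unexpected shutdown (ID 6008), and application crashes whose faulting module is reported as "unknown", that is, not mapped to any loaded image. The sample input is a subset of entries copied from the log above; the parsing, the flag rules, the small error-code table and the names `Event`, `parse_events` and `analyze` are mine.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Entry header and section header exactly as OTL prints them.
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>.+?) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
SECTION_RE = re.compile(r"^\[ (?P<name>.+?) Events \]$")
FAULT_RE = re.compile(
    r"Faulting application name: (?P<app>\S+), .*?Faulting module name: (?P<mod>\S+), "
    r".*?Fault offset: (?P<off>0x[0-9a-fA-F]+)"
)
SVC_CRASH_RE = re.compile(r"The (?P<svc>.+?) service terminated unexpectedly")
SVC_ERR_RE = re.compile(r"The (?P<svc>.+?) service terminated with the following error: %%(?P<code>\d+)")

# Win32 error codes the Service Control Manager reports as %%N (a small selection of my own).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
                5: "ERROR_ACCESS_DENIED", 126: "ERROR_MOD_NOT_FOUND"}


@dataclass
class Event:
    ts: datetime
    section: str
    source: str
    event_id: int
    description: str


def parse_events(text):
    """Re-join the wrapped OTL entries and return them ordered by timestamp."""
    events, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
            events.append(Event(ts, section, m.group("source"), int(m.group("id")), ""))
            continue
        if line and events:  # continuation of the current entry's description
            if line.startswith("Description ="):
                line = line[len("Description ="):].strip()
            events[-1].description = (events[-1].description + " " + line).strip()
    return sorted(events, key=lambda e: e.ts)


def analyze(text):
    """Timeline plus the notes a responder would want to see first."""
    events = parse_events(text)
    notes, unknown_faults = [], {}
    for e in events:
        if e.source == "Application Error" and e.event_id == 1000:
            m = FAULT_RE.search(e.description)
            if m and m.group("mod") == "unknown":
                unknown_faults.setdefault(m.group("off"), set()).add(m.group("app"))
                notes.append((e.ts, f"{m.group('app')} faulted at {m.group('off')} in a module not mapped to any image"))
        elif e.source == "Service Control Manager" and e.event_id == 7034:
            m = SVC_CRASH_RE.search(e.description)
            notes.append((e.ts, f"service terminated unexpectedly: {m.group('svc') if m else e.description}"))
        elif e.source == "Service Control Manager" and e.event_id == 7023:
            m = SVC_ERR_RE.search(e.description)
            if m:
                code = int(m.group("code"))
                name = WIN32_ERRORS.get(code, f"Win32 error {code}")
                notes.append((e.ts, f"service '{m.group('svc')}' stopped with {name}"))
        elif e.source == "EventLog" and e.event_id == 6008:
            notes.append((e.ts, "unexpected shutdown"))
    # Different processes crashing at the same offset in an unmapped module are worth a closer look.
    shared = {off: sorted(apps) for off, apps in unknown_faults.items() if len(apps) > 1}
    return {"events": events, "notes": notes, "shared_offsets": shared}


# Subset of the entries from the OTL log above, wrapped exactly as printed there.
SAMPLE = r"""
[ Application Events ]
Error - 12/7/2009 11:02:46 AM | Computer Name = Louise-PC | Source = Application Error | ID = 1000
Description = Faulting application name: infocard.exe, version: 3.0.4506.4926, time
stamp: 0x4a174e0d Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x0001102e Faulting process id: 0x858 Faulting application
start time: 0x01ca774e553b6193 Faulting application path: C:\Windows\Microsoft.NET\Framework\v3.0\Windows
Communication Foundation\infocard.exe Faulting module path: unknown Report Id: 934e728b-e341-11de-8e34-001e9082fe15

Error - 12/7/2009 12:41:54 PM | Computer Name = Louise-PC | Source = Application Error | ID = 1000
Description = Faulting application name: mcupdate.EXE, version: 6.1.7600.16385,
time stamp: 0x4a5bccd6 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x0001102e Faulting process id:
0xdf8 Faulting application start time: 0x01ca775c2e58f0f4 Faulting application path:
C:\Windows\ehome\mcupdate.EXE Faulting module path: unknown Report Id: 6cf8d2d0-e34f-11de-8e34-001e9082fe15

Error - 12/7/2009 2:10:00 PM | Computer Name = Louise-PC | Source = .NET Runtime | ID = 1023
Description =

[ System Events ]
Error - 12/7/2009 2:10:04 PM | Computer Name = Louise-PC | Source = Service Control Manager | ID = 7034
Description = The VIPRE Antivirus + Antispyware service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/7/2009 2:33:27 PM | Computer Name = Louise-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 12:31:33 PM on 12/7/2009 was unexpected.

Error - 12/7/2009 2:33:37 PM | Computer Name = Louise-PC | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%126
"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for ts, note in result["notes"]:
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), note)
    print("shared unmapped fault offsets:", result["shared_offsets"])
```

A fault in an unmapped module is not proof of anything by itself, and the decoded error code only says that a module the "Network Security" service needed could not be found; what the timeline gives you is the order to check things in, and the names to compare against what the scanners later quarantined.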

#6 Weezie12 (Full Member, 11 posts)
Posted 07 December 2009 - 05:57 PM

Malwarebytes did not save the log to my desktop. But it did find 17 trojans which were quarantined. Thanks.

Edited by Weezie12, 07 December 2009 - 05:59 PM.


#7 lance_yien (Forum Deity, Emeritus, 2,442 posts)
Posted 08 December 2009 - 03:20 AM

Hello Weezie12.

Malwarebytes did not save the log to my desktop. But it did find 17 trojans which were quarantined. Thanks.


The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Please post its contents.

Every time I click on a link from Yahoo search engine I get directed to a completely different page


Any changes?
EI | SWI | ZEBULON | Posted Image | Posted Image

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#8 Weezie12 (Full Member, 11 posts)
Posted 08 December 2009 - 10:05 AM

No, same results.

#9 Weezie12 (Full Member, 11 posts)
Posted 08 December 2009 - 06:24 PM

Malwarebytes' Anti-Malware 1.42
Database version: 3305
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/6/2009 5:46:46 PM
mbam-log-2009-12-06 (17-46-46).txt

Scan type: Quick Scan
Objects scanned: 90053
Time elapsed: 20 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\BtwSrv.dll (Trojan.Koblu) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Koblu) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\BtwSrv.dll (Trojan.Koblu) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-76112908-3465715052-1869544849-1002\$RWWLLIS\Play Dora's Carnival 2 - At The Boardwalk.exe (Trojan.MultiDropper) -> Quarantined and deleted successfully.
C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\mslfxawr.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\System32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\Temp\nnqb.tmp\svchost.exe (Spyware.Amber) -> Quarantined and deleted successfully.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

#10 lance_yien (Forum Deity, Emeritus, 2,442 posts)
Posted 09 December 2009 - 05:43 AM

Hello Weezie12.

No, same results.


Let's try this other tool.

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter some information in order to access the download page.

Once you have downloaded the file, double click sar_15_sfx.exe and follow the instructions to install the program. It will install to C:\Program Files\.

Please allow the program to scan your computer and be patient as it may take some time
Once the scan has completed a window will pop-up with the results of the scan - click OK to this
In the main window, you will see each of the entries found by the scan (if any)

If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review.

If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
To clean up these entries click on the Clean up checked items button (if you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up).

Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so

When you have re-booted, please report how the scanner went (are there some "bad" entries?) and post a fresh HijackThis log.

Also, please let me know how your computer is functioning now.

#11 Weezie12 (Full Member, 11 posts)
Posted 09 December 2009 - 04:46 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:55 PM, on 12/9/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Cyberlink\Power2Go\Power2GoExpress.exe
C:\Windows\System32\dinotify.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....r_installer.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 3185 bytes

#12 lance_yien (Forum Deity, Emeritus, 2,442 posts)
Posted 10 December 2009 - 10:43 AM

Hello Weezie12


In my last post I asked:

When you have re-booted, please report how the scanner went (are there some "bad" entries?) and post a fresh HijackThis log.

Also, please let me know how your computer is functioning now.


You have only posted the HiJackThis log, can you please tell me how the scanner ran, and how your PC is running now?
Thank you.

#13 Weezie12 (Full Member, 11 posts)
Posted 10 December 2009 - 04:23 PM

There were some hidden file entries. But nothing was checked with a green check mark. The entries that were listed had the warning message about not deleting them. The computer is working better, but I still have some occasional redirects.

#14 lance_yien (Forum Deity, Emeritus, 2,442 posts)
Posted 11 December 2009 - 02:55 PM

Hello Weezie12

but I still have some occasional redirects.


Please use the Internet Explorer and run a ESET Online Scanner from here

IMPORTANT: Administrator privileges are required to run ESET Online Scanner!

  • Please click the green ESET Online Scanner button.
  • Please check YES, I accept the Terms of Use and click Start
  • You will need to allow an Active X install for the scan to run. OPTION 1
  • Leave the scanning options at default and click Start. OPTION 2
  • Please check Scan archives and click Start

Eset will now download virus signature database and start to scan your computer.

Note! Please check Uninstall application on close if you want to remove ESET Online Scanner from your computer and click the Finish button.

Please post the results in your next reply and let me know how it is running now.

#15 Weezie12 (Full Member, 11 posts)
Posted 11 December 2009 - 10:37 PM

Don't know how to save the results of scan so I can post it.

#16 Weezie12 (Full Member, 11 posts)
Posted 11 December 2009 - 10:44 PM

C:\CnSXj.exe a variant of Win32/Injector.AIB trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\3870595.exe a variant of Win32/Kryptik.AMH trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\BtwSrv.dll a variant of Win32/Refpron.CF trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\FastNetSrv.exe a variant of Win32/Refpron.CM trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\lsm32.sys a variant of Win32/TrojanClicker.VB.NLI trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\opeia.exe Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\wmdtc.exe Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S0YYW7QI\w[3].bin Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U0OWFKFE\w[1].bin Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U0OWFKFE\w[5].bin Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U0OWFKFE\w[6].bin Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN9VEA36\w[1].bin Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\BACKUP\09-11-15 0810PM\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN9VEA36\w[3].bin Win32/Refpron.CE trojan cleaned by deleting - quarantined
C:\Program Files\Sunbelt Software\VIPRE\Patch.exe a variant of MSIL/TrojanDropper.Agent.E trojan cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\Virtumondedll.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Users\Louise\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-2d40b6bc probably a variant of Win32/Agent trojan deleted - quarantined
C:\Users\Louise\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\6c6aee60-392766f3 probably a variant of Win32/Agent trojan deleted - quarantined
C:\Users\Louise\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\5defe4e2-4552b697 probably a variant of Win32/Agent trojan deleted - quarantined
C:\Users\Louise\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3efada6c-41fdfaf2 probably a variant of Win32/Agent trojan deleted - quarantined
C:\Users\Louise\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\21ababf3-2ad8f9e7 probably a variant of Win32/Agent trojan deleted - quarantined
C:\Users\Louise\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\380d01c7-2c26c4bc probably a variant of Win32/Agent trojan deleted - quarantined
C:\Windows\Temp\a.exe a variant of Win32/Kryptik.BKE trojan cleaned by deleting (after the next restart) - quarantined
C:\Windows\Temp\b.exe a variant of Win32/Kryptik.BKE trojan cleaned by deleting (after the next restart) - quarantined
C:\Windows\Temp\qxnr.tmp\svchost.exe a variant of Win32/Kryptik.BEO trojan cleaned by deleting - quarantined

No change. Yahoo search still redirects to trash pages.
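
Between them, the Malwarebytes log in post #9 and the ESET results above list several dozen detections, yet the redirect survived both runs. The hits are not all equal: some are in `C:\BACKUP\09-11-15 0810PM\`, a copy of a previous Windows installation that the running system never loads; one is in Spybot's own `Recovery` folder, which holds its backups of items it removed earlier; several are Java cache entries; and a few were only scheduled for deletion at the next reboot, which is exactly the kind of removal that needs re-checking afterwards. The following is an added example, not part of the thread and not any vendor's code: it parses both log formats, sorts each hit by where it lives, and separates the live-system findings and deferred deletions from the dormant copies. Sample lines are copied from the two logs; the location rules in `classify` are my own heuristics, and the names `Finding`, `parse_line` and `triage` are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One result line per format, as the two tools print them in the logs above.
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
ESET_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ (?:trojan|worm))"
    r" (?P<action>cleaned by deleting(?: \(after the next restart\))?|deleted) - quarantined$"
)

# Locations that hold copies of files rather than code the running system loads.
DORMANT = {"offline-copy", "quarantine", "cache", "recycle-bin"}


@dataclass
class Finding:
    tool: str
    path: str
    detection: str
    action: str
    location: str
    deferred: bool  # removal postponed to the next reboot, so it must be re-checked


def classify(path):
    """Heuristic (my own) for where a detected object lives; the order of checks matters."""
    p = path.lower()
    if p.startswith("hkey_"):
        return "registry"
    if p.startswith("c:\\backup\\"):  # copy of a previous Windows install, never loaded
        return "offline-copy"
    if "\\$recycle.bin\\" in p:
        return "recycle-bin"
    if "\\recovery\\" in p or "\\quarantine\\" in p:  # another tool's backups of removed items
        return "quarantine"
    if "\\java\\deployment\\cache\\" in p or "\\temporary internet files\\" in p:
        return "cache"
    if "\\temp\\" in p:
        return "temp"
    if "\\windows\\system32\\" in p:
        return "system"
    return "other"


def parse_line(line):
    """Return a Finding for a result line of either tool, or None for headers and summaries."""
    line = line.strip()
    tool, m = "mbam", MBAM_RE.match(line)
    if not m:
        tool, m = "eset", ESET_RE.match(line)
    if not m:
        return None
    action = m.group("action")
    deferred = "reboot" in action.lower() or "restart" in action.lower()
    return Finding(tool, m.group("path"), m.group("detection"), action,
                   classify(m.group("path")), deferred)


def triage(lines):
    findings = [f for f in map(parse_line, lines) if f is not None]
    return {
        "findings": findings,
        "by_location": Counter(f.location for f in findings),
        "live": [f.path for f in findings if f.location not in DORMANT],
        "deferred": [f.path for f in findings if f.deferred],
    }


# Lines copied from the Malwarebytes and ESET logs in this thread (a header line is included on purpose).
SAMPLE_LINES = [
    r"Memory Modules Infected:",
    r"c:\Windows\System32\BtwSrv.dll (Trojan.Koblu) -> Delete on reboot.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Koblu) -> Quarantined and deleted successfully.",
    r"C:\$Recycle.Bin\S-1-5-21-76112908-3465715052-1869544849-1002\$RWWLLIS\Play Dora's Carnival 2 - At The Boardwalk.exe (Trojan.MultiDropper) -> Quarantined and deleted successfully.",
    r"C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.",
    r"C:\CnSXj.exe a variant of Win32/Injector.AIB trojan cleaned by deleting - quarantined",
    r"C:\BACKUP\09-11-15 0810PM\Windows\System32\BtwSrv.dll a variant of Win32/Refpron.CF trojan cleaned by deleting - quarantined",
    r"C:\BACKUP\09-11-15 0810PM\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S0YYW7QI\w[3].bin Win32/Refpron.CE trojan cleaned by deleting - quarantined",
    r"C:\Program Files\Sunbelt Software\VIPRE\Patch.exe a variant of MSIL/TrojanDropper.Agent.E trojan cleaned by deleting - quarantined",
    r"C:\ProgramData\Spybot - Search & Destroy\Recovery\Virtumondedll.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined",
    r"C:\Users\Louise\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-2d40b6bc probably a variant of Win32/Agent trojan deleted - quarantined",
    r"C:\Windows\Temp\a.exe a variant of Win32/Kryptik.BKE trojan cleaned by deleting (after the next restart) - quarantined",
    r"C:\Windows\Temp\qxnr.tmp\svchost.exe a variant of Win32/Kryptik.BEO trojan cleaned by deleting - quarantined",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("by location:", dict(result["by_location"]))
    print("live-system findings:", *result["live"], sep="\n  ")
    print("re-check after reboot:", *result["deferred"], sep="\n  ")
```

What this cannot show is a component that none of the scanners detected at all: the ComboFix log later in the thread reports an infected copy of `c:\windows\system32\DRIVERS\nvstor.sys`, a storage driver, which neither the Malwarebytes nor the ESET output lists. When the symptom survives several clean scans, that is the gap to look at, not the length of the detection list.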

#17 lance_yien (Forum Deity, Emeritus, 2,442 posts)
Posted 12 December 2009 - 11:48 AM

Hello Weezie12.

Well done!

Eset has detected and fixed some infections and the most important one is by Trojan.Refpron.
This trojan may open a door for large amounts of adware and spyware and allow hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge. This program opens up a large security hole on your computer and is a very dangerous threat to the security of your personal and financial data.

I strongly suggest you contact any financial institution that you have contacted through this computer or that you may have information stored on this computer and apprise them of the situation. Contact them by phone or a known good computer and DO NOT use this computer to contact them until it is reasonably certain that it is clean. You will probably need to change passwords and possibly account numbers.
--

Now, let's try ComboFix:

Please print out these instructions or copy them to a Notepad file for easier reading, and download, to your Desktop, ComboFix© by sUBs from here or here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Please familiarize yourself with ComboFix here before running it.
I recommend you print out the information from this page or copy them to a Notepad file as well.

When you are ready, please ensure you have disabled all anti virus and anti malware programs and run ComboFix.

Notes:

- It is very important that you have the Windows Recovery Console installed because without it, ComboFix shall not attempt the fixing of some serious infections.
It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Please, DO NOT click ComboFix's window while it is running. This may cause it to hang.

Please include the contents of the log (saved at C:\ComboFix.txt) with a fresh HijackThis log in your next reply and let me know if there are any changes.

#18 Weezie12 (Full Member, 11 posts)
Posted 12 December 2009 - 08:19 PM

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.894.449 [GMT -6:00]
Running from: c:\users\Louise\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ErrLog.txt
c:\windows\Downloaded Program Files\3DVIA_player_installer.exe
c:\windows\system32\Install.txt
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

Infected copy of c:\windows\system32\DRIVERS\nvstor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-12-12 01:49 . 2009-12-12 16:00 -------- d-----w- c:\users\Louise\AppData\Roaming\DVD Flick
2009-12-12 01:49 . 2003-01-26 19:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2009-12-12 01:49 . 2009-12-12 01:49 -------- d-----w- c:\program files\DVD Flick
2009-12-12 00:03 . 2009-12-12 00:03 -------- d-----w- c:\program files\ESET
2009-12-12 00:01 . 2009-12-12 00:02 -------- d-----w- c:\program files\Super_DVD_Creator_9.8
2009-12-09 16:57 . 2009-12-09 16:57 -------- d-----w- c:\program files\Sophos
2009-12-07 22:55 . 2009-12-07 22:55 -------- d-----w- c:\program files\Trend Micro
2009-12-07 15:09 . 2009-12-07 20:12 -------- d-----w- c:\users\Louise\AppData\Local\Microsoft Games
2009-12-06 23:12 . 2009-12-06 23:12 -------- d-----w- c:\users\Louise\AppData\Roaming\Malwarebytes
2009-12-06 23:11 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-06 23:11 . 2009-12-06 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-06 23:11 . 2009-12-06 23:11 -------- d-----w- c:\programdata\Malwarebytes
2009-12-06 23:11 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 23:08 . 2009-12-03 23:22 -------- d-----w- c:\users\Louise\AppData\Roaming\FreeFixer
2009-12-03 23:08 . 2009-12-03 23:08 -------- d-----w- c:\users\Louise\AppData\Local\FreeFixer
2009-12-02 02:52 . 2009-12-02 15:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-02 02:52 . 2009-12-02 02:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 23:53 . 2009-11-30 23:53 -------- d-----w- c:\programdata\PlayFirst
2009-11-30 23:53 . 2009-11-30 23:53 -------- d-----w- c:\users\Louise\AppData\Roaming\PlayFirst
2009-11-30 21:35 . 2009-11-30 21:35 -------- d-----w- c:\users\Louise\AppData\Roaming\Jane s Hotel
2009-11-30 01:33 . 2009-11-30 18:07 -------- d-----w- c:\users\Louise\Jane's Hotel
2009-11-28 02:45 . 2009-11-28 02:45 -------- d-----w- c:\windows\Sun
2009-11-28 01:15 . 2009-11-28 13:33 -------- d-----w- c:\users\Louise\AppData\Local\Google
2009-11-28 00:32 . 2009-11-30 02:26 -------- d-----w- c:\windows\system32\Adobe
2009-11-27 19:08 . 2009-11-27 19:08 -------- d-----w- c:\users\Louise\AppData\Local\3DVIA
2009-11-27 19:07 . 2009-12-10 17:59 -------- d-----w- c:\programdata\3DVIA
2009-11-27 19:07 . 2007-07-20 00:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-11-27 19:07 . 2006-09-28 22:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-11-27 19:07 . 2009-11-27 19:07 -------- d-----w- c:\program files\Virtools
2009-11-27 16:48 . 2009-11-27 16:48 -------- d-----w- c:\users\Louise\AppData\Local\ElevatedDiagnostics
2009-11-26 23:10 . 2009-11-26 23:10 -------- d-----w- c:\program files\LSI SoftModem
2009-11-26 22:59 . 2009-11-26 23:18 -------- d-----w- c:\users\Louise\AppData\Local\Apple Computer
2009-11-26 22:59 . 2009-11-26 23:18 -------- d-----w- c:\users\Louise\AppData\Roaming\Apple Computer
2009-11-26 22:59 . 2009-12-02 02:44 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-26 22:58 . 2009-11-26 22:59 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-26 22:54 . 2009-11-26 22:54 -------- d-----w- c:\users\Louise\AppData\Local\Apple
2009-11-26 22:53 . 2009-11-26 22:53 -------- d-----w- c:\programdata\Apple
2009-11-26 22:07 . 2009-11-26 22:52 -------- d-----w- c:\users\Louise\AppData\Roaming\Uniblue
2009-11-26 17:45 . 2009-11-26 17:45 -------- d-----w- c:\users\Louise\AppData\Local\Yahoo
2009-11-26 17:17 . 2009-11-26 22:02 -------- d-----w- c:\users\Louise\AppData\Local\Yahoo!
2009-11-26 17:17 . 2009-11-26 22:03 -------- d-----w- c:\programdata\Yahoo!
2009-11-26 17:16 . 2009-11-26 22:03 -------- d-----w- c:\users\Louise\AppData\Roaming\Yahoo!
2009-11-26 16:59 . 2009-11-26 23:03 -------- d-----w- c:\program files\Yahoo!
2009-11-26 01:28 . 2009-07-14 01:15 90624 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPWN7.DLL
2009-11-25 17:24 . 2009-11-25 17:25 -------- d-----w- c:\program files\Dora Saves The Snow Princess
2009-11-25 16:35 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 19:32 . 2009-11-24 19:32 -------- d-----w- c:\users\Louise\AppData\Roaming\FlashGet
2009-11-21 03:36 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-21 03:35 . 2009-11-21 03:35 -------- d-----w- c:\program files\MSXML 4.0
2009-11-21 02:12 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-21 02:07 . 2009-10-02 04:06 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-21 02:07 . 2009-09-03 07:04 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-21 02:07 . 2009-08-19 07:20 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-21 02:07 . 2009-08-03 05:35 2613248 ----a-w- c:\windows\explorer.exe
2009-11-21 02:07 . 2009-07-30 16:29 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-11-21 02:07 . 2009-07-30 16:27 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-11-21 02:07 . 2009-08-19 07:20 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-21 02:07 . 2009-07-30 04:44 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-11-21 02:07 . 2009-08-29 06:54 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-21 02:04 . 2009-11-21 02:04 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-21 02:04 . 2009-11-21 02:10 -------- d-----w- c:\program files\MSECACHE
2009-11-16 04:33 . 2005-02-24 19:38 -------- d-----w- C:\Boot
2009-11-16 02:49 . 2005-02-24 17:50 -------- d-----w- C:\Recovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-13 00:33 . 2005-02-25 13:57 -------- d-----w- c:\program files\USD
2009-12-12 15:17 . 2005-02-25 14:30 -------- d-----w- c:\program files\Dora the Explorer 3D Pyramid Adventure
2009-12-08 16:50 . 2005-02-25 22:52 -------- d-----w- c:\users\Louise\AppData\Roaming\FrostWire
2009-12-07 23:57 . 2009-06-10 21:19 142416 ----a-w- c:\windows\system32\drivers\nvstor.sys
2009-11-27 16:45 . 2009-11-27 16:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-27 06:25 . 2005-02-24 20:47 -------- d-----w- c:\program files\FrostWire
2009-11-26 21:21 . 2009-11-26 21:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_EhStorPwdDrv_01_09_00.Wdf
2009-11-21 15:50 . 2005-02-25 23:09 -------- d-----w- c:\program files\Cyberlink
2009-11-21 15:47 . 2007-02-07 10:27 1066544 ----a-w- c:\windows\system32\mfc71.dll
2009-11-21 02:04 . 2009-11-21 02:04 3584 ----a-r- c:\users\Louise\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-10-27 20:31 . 2009-10-27 20:31 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-10-13 15:22 . 2009-10-13 15:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-12-10 17:59 57856 ----a-w- c:\programdata\3DVIA\sp.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-10-05 2680104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CLJ"="0 (0x0)" [X]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-10-27 959824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^Users^Louise^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\users\Louise\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2007-09-28 05:10 122880 ------w- c:\program files\Cyberlink\Power2Go\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2007-10-05 20:07 2680104 ------w- c:\program files\Cyberlink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-02-24 20:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

R1 SBRE;SBRE;c:\windows\System32\drivers\SBREDrv.sys [10/13/2009 9:22 AM 95024]
R1 sbtis;sbtis;c:\windows\System32\drivers\sbtis.sys [2/24/2005 1:52 PM 203056]
R2 sbapifs;sbapifs;c:\windows\System32\drivers\sbapifs.sys [8/10/2009 8:06 PM 69936]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [2/24/2005 1:27 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
AppMgmt
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ntlgjr - c:\windows\system32\mslfxawr.dll
AddRemove-LSI Soft Modem - c:\windows\agrsmdel



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6122.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,6f,5d,52,36,01,cd,48,ba,8c,e0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,6f,5d,52,36,01,cd,48,ba,8c,e0,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2009-12-12 18:57:39
ComboFix-quarantined-files.txt 2009-12-13 00:57

Pre-Run: 167,326,273,536 bytes free
Post-Run: 167,522,541,568 bytes free

- - End Of File - - BEE2732FDD758D9809846959E1E2C1B7



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:32 PM, on 12/12/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\dinotify.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....r_installer.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 2676 bytes



So far the PC is working well. Thank you so much for all your help

#19 lance_yien

lance_yien

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 2,442 posts

Posted 14 December 2009 - 03:28 AM

Hello Weezie12.

...
So far the PC is working well. Thank you so much for all your help


Good to know that your problem appears to have been fixed :)

Your logs appear clean.

  • Please go to Start => Run => type notepad in the Open field and click OK.
  • Copy and paste the text present inside the quote box below:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]


    Save this as "delsvc.reg" and change the "Save as type" to "All Files" and place it on your Desktop.
  • Then, please close all opened windows and double click "delsvc.reg". Click OK and restart your computer.

- Very Important!

You appear to be running a cracked version of VIPRE from Sunbelt Software. These types of programs, downloaded from P2P/ Warez sites, tend to be filled with malware and the chances of you becoming infected again are very high... This obviously can result in disabling your computer and could even lead to someone stealing from you... Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the Internet, so you become part of the problem...

I strongly urge you to install one of the following antivirus programs. They are either free or have free versions of commercial programs: AVG or another antivirus such as Avast or AntiVir.

  • Please download, to your Desktop, ONLY ONE program of your choice.
  • Then, please uninstall VIPRE and install the new antivirus program.

    Now, please download CCleaner (freeware) from here.
    Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).

    Once installed, run CCleaner.

    The following should be selected by default, if not, please select:
    Posted Image

    Then please click Posted Image and choose Posted Image

    Please uncheck Posted Image

    Then go back to Posted Image and click Posted Image to run it.

    - To remove OTL and ComboFix, please run OTL and click on the CleanUp! button. Wait a while, and click Yes to reboot.

    - System Restore maintains a backup of your system files and may also backup infections, so please reset it and make a clean Restore Point:
    http://www.nirmaltv....e-in-windows-7/
    On the Desktop, please right-click My Computer and click Properties. Then click the System protection tab.
    Under "Protection Settings" select the drive (C:) and click the "Configure" button.
    Click the "Delete" button and click the "Apply" button.
    A window will pop up, click Yes and wait a few moments to let it clear.

    Now, please make sure that the "Restore system settings and previous versions of files" is selected and click OK to close the System Restore window.

    A new Restore Point will be created automatically.

    - Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

  • Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. You can download Firefox from here

    Opera is another good option. It is available here
  • Please, note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here: http://www.spywarewa...nti-spyware.htm

- For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully this should take care of your problems!

Safe surfing! :)
EI | SWI | ZEBULON | Posted Image | Posted Image

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.
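As an added example (not from the thread and not the helper's own instructions), the same removal of the orphaned MEMSWEEP2 service key done from an elevated PowerShell prompt, with a check that the entry still looks like the orphan in the ComboFix log before anything is deleted. The key path and the ImagePath pattern are taken from the log above; the function name is an assumption of mine.

```powershell
# Added example, not part of the thread. Does what merging delsvc.reg does
# (delete the orphaned MEMSWEEP2 service key from the ComboFix log) but
# refuses to touch the key unless it still looks like that orphan: an
# ImagePath pointing at a .tmp file under system32 whose file is gone.
# Run from an elevated PowerShell prompt, then reboot as the post says.
function Remove-OrphanServiceKey {   # function name is mine, not a Windows cmdlet
    param(
        # Key path copied from the log; ControlSet001 is what the .reg file targets.
        [string]$Key = 'HKLM:\SYSTEM\ControlSet001\services\MEMSWEEP2'
    )

    if (-not (Test-Path $Key)) {
        Write-Output "$Key not present, nothing to do"
        return
    }

    $imagePath = (Get-ItemProperty -Path $Key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    Write-Output "ImagePath: $imagePath"

    # Only proceed for the pattern the log showed (\??\c:\windows\system32\6122.tmp);
    # a normal driver under system32\drivers does not match and is left alone.
    if ($imagePath -notmatch '\\windows\\system32\\[0-9a-f]+\.tmp$') {
        Write-Output 'ImagePath does not look like the orphaned entry; leaving the key alone'
        return
    }

    # Strip the \??\ NT path prefix and make sure the driver file itself is gone;
    # if it is still on disk, look at it first rather than silently unhooking it.
    $file = $imagePath -replace '^\\\?\?\\', ''
    if (Test-Path -LiteralPath $file) {
        Write-Output "Driver file still on disk: $file (check it before removing the key)"
        return
    }

    Remove-Item -Path $Key -Recurse -Force
    if (Test-Path $Key) { Write-Output 'Removal failed; rerun from an elevated prompt' }
    else                { Write-Output 'Service key removed; reboot to finish' }
}

Remove-OrphanServiceKey
```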

#20 Weezie12

Weezie12

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 15 December 2009 - 09:27 AM

Thank you so much for all your help

#21 lance_yien

lance_yien

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 2,442 posts

Posted 15 December 2009 - 02:14 PM

You're welcome :)

Regards!
EI | SWI | ZEBULON | Posted Image | Posted Image

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#22 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 22 December 2009 - 03:19 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.



