Topic: [Inact]Redirected browser and anti virus disabled


Offline william143

  • Bronze Member
  • Posts: 4
[Inact]Redirected browser and anti virus disabled
« on: April 16, 2010, 12:31:15 PM »
I'm not sure of the name or location of the virus. What it is doing is causing problems logging on to the internet. Once I do manage to log on, several things happen. When logging onto eBay I get redirected to a page wanting personal info. This page has tons of spelling and grammar errors, so I know it's not real. I'll also on occasion get a program trying to run a virus scan. This mostly happens when logged into Myspace. Today I had a pop-up window ask me for my credit card info to continue my transaction even though I wasn't making one at the time. This virus has also disabled my Norton AV program on several occasions along with disabling my Control Panel. I re-installed the AV and ran the program, but it said it didn't find anything. The computer ran fine for about a week, then back to all of this. Now when I run my AV it makes it about halfway and locks up. I've also run my Malwarebytes program and it found a trojan, but unfortunately I didn't write the name down or save the file.

Here are my results from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:17 AM, on 4/16/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPHipm09.exe
D:\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://browser.netscape.com/");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("timebomb.first_launch_time", "1205468271812000");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
 (C:\Documents and Settings\JERRY LOVETT\Application Data\Mozilla\Profiles\default\rxoh4j69.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Jerry Lovett"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Jerry Lovett"
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cincinnatibell.com/
O15 - Trusted Zone: *.line6.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O18 - Filter hijack: text/html - {1aa9fbab-7191-4823-a22c-29b27f3dd40c} - C:\WINDOWS\default32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12313 bytes
« Last Edit: April 17, 2010, 09:40:02 AM by Rorschach112 »

Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: Redirected browser and anti virus disabled
« Reply #1 on: April 17, 2010, 09:39:45 AM »
hi

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives.
Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.
I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.


~Scratch~

Offline william143

  • Bronze Member
  • Posts: 4
Re: [In ProgRRess]Redirected browser and anti virus disabled
« Reply #2 on: April 20, 2010, 11:17:50 AM »
I downloaded GMER and attempted to run it multiple times the last several days. It runs for about an hour then gives me the blue screen telling me the computer is starting a physical memory dump, so my computer is not going to let it finish. What now?

Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: [In ProgRRess]Redirected browser and anti virus disabled
« Reply #3 on: April 20, 2010, 12:22:58 PM »
Please download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Offline william143

  • Bronze Member
  • Posts: 4
Re: [In ProgRRess]Redirected browser and anti virus disabled
« Reply #4 on: April 23, 2010, 12:31:26 PM »
I downloaded ComboFix and here are my results:

ComboFix 10-04-21.01 - Jerry Lovett 04/23/2010  13:45:06.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.511.220 [GMT -4:00]
Running from: c:\documents and settings\Jerry Lovett\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
c:\recycler\S-1-5-21-1129104598-3505460007-2405350716-500
c:\recycler\S-1-5-21-1605829985-1657561120-3951090371-500
c:\recycler\S-1-5-21-1844237615-1801674531-725345543-500
c:\recycler\S-1-5-21-2530520543-3370927767-832300917-500
c:\recycler\S-1-5-21-3050832978-363202024-3319799698-500
c:\recycler\S-1-5-21-4272853618-324874107-898760114-500
c:\windows\system32\Data

.
(((((((((((((((((((((((((   Files Created from 2010-03-23 to 2010-04-23  )))))))))))))))))))))))))))))))
.

2010-04-07 01:48 . 2010-02-04 01:40   362032   ----a-w-   c:\windows\system32\drivers\symtdi.sys
2010-04-07 01:48 . 2010-02-27 02:23   43696   ----a-w-   c:\windows\system32\drivers\srtspx.sys
2010-04-07 01:48 . 2010-02-04 01:40   172592   ----a-w-   c:\windows\system32\drivers\symefa.sys
2010-04-07 01:48 . 2009-08-30 00:17   328752   ----a-r-   c:\windows\system32\drivers\symds.sys
2010-04-07 01:48 . 2010-02-27 02:23   116784   ----a-w-   c:\windows\system32\drivers\ironx86.sys
2010-04-07 01:48 . 2010-02-25 23:22   501888   ----a-w-   c:\windows\system32\drivers\cchpx86.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 17:08 . 2010-03-09 20:55   439816   ----a-w-   c:\documents and settings\Jerry Lovett\Application Data\Real\Update\setup3.10\setup.exe
2010-04-13 16:57 . 2009-09-10 16:26   5918776   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 04:46 . 2009-03-09 14:23   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-03-09 14:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-25 23:29 . 2010-03-01 02:02   786800   ----a-r-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2010-03-25 00:19 . 2010-03-01 01:55   968560   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\OCS\hsplayer.dll
2010-03-25 00:19 . 2003-12-03 18:37   36584   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 20:38 . 2010-03-24 20:38   536112   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38   201616   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38   1407888   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38   678960   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38   611216   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-11 12:38 . 2003-12-03 17:23   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2003-12-03 17:23   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2003-12-03 17:23   430080   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-08 01:16 . 2005-01-04 23:41   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-03-08 01:12 . 2003-12-03 18:45   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-03-08 01:11 . 2003-12-04 19:07   --------   d-----w-   c:\program files\Quicken
2010-03-08 01:06 . 2005-01-04 23:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-01 02:43 . 2010-04-23 14:17   1647984   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\NAVEX32A.DLL
2010-03-01 02:43 . 2010-04-23 14:17   1324720   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\NAVEX15.SYS
2010-03-01 02:43 . 2010-04-23 14:17   177520   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\NAVENG32.DLL
2010-03-01 02:43 . 2010-04-23 14:17   84912   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\NAVENG.SYS
2010-03-01 02:43 . 2010-04-23 14:17   371248   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\EECTRL.SYS
2010-03-01 02:43 . 2010-04-23 14:17   102448   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\ERASER.SYS
2010-03-01 02:43 . 2010-04-23 14:17   259440   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\ECMSVR32.DLL
2010-03-01 02:43 . 2010-04-23 14:17   2747440   ----a-w-   c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.040\CCERASER.DLL
2010-03-01 02:31 . 2010-03-01 02:31   --------   d-----w-   c:\documents and settings\Jerry Lovett\Application Data\Tific
2010-03-01 02:22 . 2010-03-01 01:30   --------   d-----w-   c:\program files\NortonInstaller
2010-03-01 02:01 . 2004-01-20 23:27   --------   d-----w-   c:\program files\Symantec
2010-03-01 02:01 . 2004-01-20 23:27   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-03-01 02:01 . 2010-03-01 02:01   805   ----a-w-   c:\windows\system32\drivers\SYMEVENT.INF
2010-03-01 02:01 . 2010-03-01 02:01   7443   ----a-w-   c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-01 02:01 . 2010-03-01 02:01   60808   ----a-w-   c:\windows\system32\S32EVNT1.DLL
2010-03-01 02:01 . 2010-03-01 02:01   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-01 01:54 . 2010-03-01 01:54   --------   d-----w-   c:\program files\Norton Internet Security
2010-03-01 01:31 . 2009-10-28 19:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-24 12:31 . 2003-12-03 17:23   454016   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:17 . 2002-08-29 01:04   2137088   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2002-08-29 01:04   2016768   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2003-12-03 17:23   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2003-12-03 17:23   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="c:\program files\Webroot\Washer\WashIdx.exe" [2003-11-24 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-04 50176]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-30 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2003-09-19 99840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-30 149280]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-09 152952]

c:\documents and settings\Jerry Lovett\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-8-15 225280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"9214:TCP"= 9214:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7464:TCP"= 7464:TCP:Services
"7465:TCP"= 7465:TCP:Services

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [1/20/2004 7:32 PM 4736]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\symds.sys [4/6/2010 9:48 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\symefa.sys [4/6/2010 9:48 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\cchpx86.sys [4/6/2010 9:48 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\ironx86.sys [4/6/2010 9:48 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe [4/6/2010 9:48 PM 126392]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 6:55 PM 18864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2/28/2010 10:43 PM 102448]
R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [10/25/2004 5:09 PM 331776]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\IDSXpx86.sys [4/16/2010 6:15 PM 329592]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [7/15/2002 11:39 PM 26496]
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: line6.net
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 14:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82BB15A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86dafc3
\Driver\ACPI -> ACPI.sys @ 0xf862dcb8
\Driver\atapi -> atapi.sys @ 0xf85bf7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
 ParseProcedure -> ntoskrnl.exe @ 0x80579c89
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
 ParseProcedure -> ntoskrnl.exe @ 0x80579c89
NDIS: Intel(R) PRO/1000 CT Network Connection -> SendCompleteHandler -> 0xfec178f0
 PacketIndicateHandler -> NDIS.sys @ 0xf8455b21
 SendHandler -> NDIS.sys @ 0xf843387b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2010-04-23  14:17:36
ComboFix-quarantined-files.txt  2010-04-23 18:17

Pre-Run: 649,125,888 bytes free
Post-Run: 1,592,918,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 4C136E79474A717FEAF63CBFA33CC4D7
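As an added example that is not part of this thread and not a feature of HijackThis or ComboFix, here is a small Python triage script that parses the two log formats posted above and pulls out the entries a reviewer would check first: the O18 "Filter hijack", O10 "Unknown file in Winsock LSP" and O15 Trusted Zone lines from the HijackThis log, and the Security Center "DisableMonitoring", "EnableFirewall" and GloballyOpenPorts values from the ComboFix "Reg Loading Points" section. The sample lines are copied from the logs above and the severity labels are the example's own choice, not a verdict from the thread.

```python
import re
from typing import Dict, List

Finding = Dict[str, str]

# Constructed sample: a few lines copied from the HijackThis log posted in
# this thread (not the complete log).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.line6.net
O18 - Filter hijack: text/html - {1aa9fbab-7191-4823-a22c-29b27f3dd40c} - C:\WINDOWS\default32.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
""".strip().splitlines()

# Constructed sample: lines from the "Reg Loading Points" section of the
# ComboFix log posted in this thread.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
""".strip().splitlines()

HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")      # "O18 - Filter hijack: ..."
REG_KEY = re.compile(r"^\[(.+)\]$")                  # "[HKEY_LOCAL_MACHINE\...]"
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # '"Name"=value'


def triage_hijackthis(lines: List[str]) -> List[Finding]:
    """Flag the HijackThis sections that sit in the path of every page IE loads."""
    findings: List[Finding] = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O18" and body.startswith("Filter hijack:"):
            # A MIME filter for text/html can rewrite every page IE renders, which
            # is why HijackThis labels this section a hijack; the DLL path is the lead.
            findings.append({"section": section, "severity": "high",
                             "reason": "MIME filter registered for text/html by "
                                       + body.rsplit(" - ", 1)[-1],
                             "line": raw})
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            # An LSP sees all socket traffic; verify the DLL's publisher before acting.
            findings.append({"section": section, "severity": "medium",
                             "reason": "Winsock LSP not in HijackThis' known list",
                             "line": raw})
        elif section == "O15":
            findings.append({"section": section, "severity": "low",
                             "reason": "Trusted Zone entry relaxes IE security for "
                                       + body.split(":", 1)[-1].strip(),
                             "line": raw})
    return findings


def triage_combofix_registry(lines: List[str]) -> List[Finding]:
    """Flag Security Center, firewall and open-port values in ComboFix's REGEDIT4 dump."""
    findings: List[Finding] = []
    key = ""
    for raw in lines:
        line = raw.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group(1).lower()   # remember the key the next values belong to
            continue
        vm = REG_VALUE.match(line)
        if not vm or not key:
            continue
        name, value = vm.groups()
        if ("security center\\monitoring" in key and name == "DisableMonitoring"
                and value.endswith("00000001")):
            findings.append({"name": name, "severity": "high",
                             "reason": "Security Center monitoring switched off under " + key,
                             "line": raw})
        elif (key.endswith("firewallpolicy\\standardprofile")
                and name == "EnableFirewall" and value.split()[0] == "0"):
            findings.append({"name": name, "severity": "high",
                             "reason": "Windows Firewall disabled for the standard profile",
                             "line": raw})
        elif key.endswith("globallyopenports\\list") and value.rsplit(":", 1)[-1] == "Services":
            # ComboFix prints the exception's own description; "Services" names no
            # application, so the log alone does not say what listens on that port.
            findings.append({"name": name, "severity": "medium",
                             "reason": "Firewall exception " + name + " with no identifying description",
                             "line": raw})
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding, severity first, for pasting back into a reply."""
    return "\n".join(f"[{f['severity']:<6}] {f['reason']}" for f in findings)


if __name__ == "__main__":
    print(report(triage_hijackthis(HJT_SAMPLE)))
    print(report(triage_combofix_registry(COMBOFIX_SAMPLE)))
```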

Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: [In ProgRRess]Redirected browser and anti virus disabled
« Reply #5 on: April 26, 2010, 09:56:13 AM »
Do you only have 1.5 Gigs free on your main drive? If so, you need to increase this; otherwise it will cause a lot of issues.



Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.


~Scratch~

Offline william143

  • Bronze Member
  • Posts: 4
Re: [In Progress] Redirected browser and anti virus disabled
« Reply #6 on: April 28, 2010, 12:28:31 PM »
Yes, I do have only 1.5 Gigs free on my main drive and realize it's causing some of my issues with slowness, BSOD, etc. The good people of Sony partitioned my drive to have 13.9 gigs on C and 168 gigs on D, so my C drive filled up fast. A friend gave me a CD called Partition Magic to fix this, but I wanted to clear up my infection problems first. Is this ok?

I ran the Helpasst program. It ran, said it had completed and shut down. I then followed the instructions for what to do if it doesn't detect an mbr infection and here is my log:


C:\Documents and Settings\Jerry Lovett\Desktop\HelpAsst_mebroot_fix.exe
Wed 04/28/2010 at 13:38:50.28

HelpAssistant account is Active ~ attempting to de-activate

Account active               Yes
Local Group Memberships      *Administrators       

HelpAssistant successfully set Inactive

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

 ~~ Checking firewall ports ~~

  backing up DomainProfile\GloballyOpenPorts\List registry key
  closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
80:TCP=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"9214:TCP"=-
"3389:TCP"=-
"7464:TCP"=-
"7465:TCP"=-
"4688:TCP"=-
"7876:TCP"=-

  backing up StandardProfile\GloballyOpenPorts\List registry key
  closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"9214:TCP"=-
"3389:TCP"=-
"7464:TCP"=-
"7465:TCP"=-
"4688:TCP"=-
"7876:TCP"=-

 ~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing

S-1-5-21-3942251623-1925554124-609893406-1003
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to

remove
 ~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

 ~~ Checking mbr ~~

user & kernel MBR OK

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 04/28/2010 at 14:11:04.03

Account active               Yes
Local Group Memberships      *Administrators       

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82C76D88]<<
kernel: MBR read successfully
user & kernel MBR OK

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll   REG_EXPAND_SZ     %systemroot%\System32\termsrv.dll

 ~~ Checking profile list ~~

S-1-5-21-3942251623-1925554124-609893406-1003
     %SystemDrive%\Documents and Settings\HelpAssistant

 ~~ Checking for HelpAssistant directories ~~

HelpAssistant

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
   80:TCP=80:TCP:*:Enabled:Services
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "7876:TCP"=7876:TCP:*:Enabled:Services
   "4688:TCP"=4688:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "7876:TCP"=7876:TCP:*:Enabled:Services
   "4688:TCP"=4688:TCP:*:Enabled:Services


 ~~ EOF ~~
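The HelpAsst log above first lists the GloballyOpenPorts\List entries it deleted (the `=-` lines under "closing rogue ports") and then, in the status check run about half an hour later, shows several of the same entries present and Enabled again. As an added example that is not part of the thread or of the HelpAsst tool, here is a small Python parser that reads those two registry-style dumps, reports which deleted ports are back, and checks the "Account active" line of the HelpAssistant status block. The sample text is constructed from the log lines in this post; the value layout `port:proto:scope:state:name` is the one the log itself shows.

```python
"""Diff the 'closing rogue ports' section of a HelpAsst-style log against the
later status check, and read the HelpAssistant 'Account active' line."""
import re

# Key lines look like ...\firewallpolicy\<profile>\globallyopenports\list,
# with or without surrounding [ ] and in either letter case.
PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\globallyopenports\\list", re.IGNORECASE)
# Entry lines: "65533:TCP"=-   or   80:TCP=80:TCP:*:Enabled:Services
ENTRY_RE = re.compile(r'^\s*"?(\d{1,5}:(?:TCP|UDP))"?\s*=\s*(.+?)\s*$', re.IGNORECASE)
ACCOUNT_RE = re.compile(r"^Account active\s+(Yes|No)\s*$", re.MULTILINE)

# Constructed sample: the deletions the tool reported (copied from the log above).
CLOSED_BY_TOOL = r"""
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
80:TCP=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"9214:TCP"=-
"3389:TCP"=-
"7464:TCP"=-
"7465:TCP"=-
"4688:TCP"=-
"7876:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"9214:TCP"=-
"3389:TCP"=-
"7464:TCP"=-
"7465:TCP"=-
"4688:TCP"=-
"7876:TCP"=-
"""

# Constructed sample: the later status check from the same log.
STATUS_CHECK = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
   80:TCP=80:TCP:*:Enabled:Services
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "7876:TCP"=7876:TCP:*:Enabled:Services
   "4688:TCP"=4688:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "7876:TCP"=7876:TCP:*:Enabled:Services
   "4688:TCP"=4688:TCP:*:Enabled:Services
"""


def parse_globally_open_ports(text):
    """Return {profile: {port_spec: value}}; value is None for a deletion marker ('-')."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.search(line)
        if m:
            current = m.group(1).lower()
            profiles.setdefault(current, {})
            continue
        if current is None:
            continue
        e = ENTRY_RE.match(line)
        if e:
            port, value = e.group(1).upper(), e.group(2)
            profiles[current][port] = None if value == "-" else value


    return profiles


def enabled_wildcard_ports(profiles):
    """Ports whose value is <port>:<proto>:*:Enabled:<name>, i.e. open to any remote address."""
    result = {}
    for profile, entries in profiles.items():
        found = set()
        for port, value in entries.items():
            if value is None:
                continue
            fields = value.split(":")
            if len(fields) >= 4 and fields[2] == "*" and fields[3].lower() == "enabled":
                found.add(port)
        result[profile] = found
    return result


def reappeared_ports(closed_text, status_text):
    """Per profile: ports the tool deleted that are enabled again in the status check."""
    closed = parse_globally_open_ports(closed_text)
    live = enabled_wildcard_ports(parse_globally_open_ports(status_text))
    return {profile: {p for p, v in entries.items() if v is None} & live.get(profile, set())
            for profile, entries in closed.items()}


def helpassistant_active(text):
    """True when the status block reports 'Account active   Yes'."""
    m = ACCOUNT_RE.search(text)
    return m is not None and m.group(1) == "Yes"


if __name__ == "__main__":
    for profile, ports in reappeared_ports(CLOSED_BY_TOOL, STATUS_CHECK).items():
        print(profile, "reappeared:", sorted(ports, key=lambda s: int(s.split(":")[0])))
```

Run against the two dumps, the script lists 80, 65533, 52344, 7876 and 4688 as back in the domain profile and the last four as back in the standard profile, which is the pattern a responder would want surfaced automatically: a firewall exception that returns after deletion points to something still running that re-creates it, and the port list itself is worth comparing with whatever the machine is supposed to serve.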



Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: [In Progress] Redirected browser and anti virus disabled
« Reply #7 on: April 28, 2010, 12:36:45 PM »
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
    Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




    Run an online virus scan called Kaspersky from HERE.
    1. At the main page, press "Accept" after reading the contents.
    2. At the next window select Update. Allow the database to update.
    Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
    3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
    4. Select Scan Report.
    5. If any threats were found they will appear in the report.
    6. Select "Save error report as". Then in the file name just type in kaspersky. Under "save as type" select text .txt. Save it to your Desktop.

    Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.