Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/20/2012 10:16 AM (GMT +3)
Hi all,
Hopefully somebody here can help me out with a problem which has been frustrating me to no end. Last Friday (12/10/12), my computer began to run very slow. This is most noticeable in computer games, but other applications are taking longer to load and tend to run out of memory quickly, despite Task Manager informing me otherwise. Then there's the constant browser redirects whenever I search for anything online (using Google). So I ran a few programs to try and identify the problem:
• Bullguard AV found no viruses, but did inform me of some software which required updating as they posed a potential security threat. This issue has been addressed.
• Spybot S&D found and fixed 3 or 4 minor issues.
• Malwarebytes identified and removed 3 issues (including a trojan, which Bullguard AV didn't find) during a Quick Scan.
• I ran Malwarebytes again yesterday, this time doing a Full Scan (which took just over 10 hours). It found 3 more problems and fixed them. I ran Malwarebytes again today (Quick) and found nothing. However...
• I've run Hijackthis and will post the log below.
My computer is STILL running slow and I still get redirected when I search online. Unfortunately I am not quick enough to copy the initial URL which appears in my browser, and clicking the back button on the browser does not show the URL which appeared when I was redirected.
Any help would be greatly appreciated.
The Hijackthis log:
----------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:17:06 PM, on 20/10/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17114)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\SvcHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\SvcHost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
C:\WINDOWS\System32\SvcHost.exe
C:\WINDOWS\System32\SvcHost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\WINDOWS\system32\CNAC3RPK.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\erwin\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\PHOTOI~1\USSSHREG.EXE
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" -boot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\erwin\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\erwin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Xvid] C:\Program Files\Xvid\CheckUpdate.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-861567501-838170752-725345543-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: gest.lnk = C:\Program Files\GIGABYTE\GEST\gest.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BullGuard - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225811092250
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: BgGamingMonitor.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BullGuard Behavioural Detection (BsBhvScan) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
O23 - Service: BullGuard scanning service (BsScanner) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
O23 - Service: BullGuard update service (BsUpdate) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 11711 bytes
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/21/2012 3:39 AM (GMT +3)
Hi Erwiin,
I see you have Akamai running on your pc, this will be the cause of your slow down. Run HJT again and check the following for removal;
C:\Documents and Settings\erwin\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\erwin\Local Settings\Application Data\Akamai\netsession_win.exe
(Mark both for removal)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\erwin\Local Settings\Application Data\Akamai\netsession_win.exe"
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
The last one would have been due to a fake Adobe update, you may also have a rootkit installed which sometimes comes with the fake update. So could you please download and run TDSSkiller.exe from this link: http://www.kaspersky.com/downloads/free-antivirus-tools
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/21/2012 3:57 AM (GMT +3)
Thanks for your reply. Just before you posted, I ran TDSSKiller and it advised me to remove Akamai, which I have done. I also followed your steps in Hijackthis. I always thought that Akamai seemed a bit suspect.
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/21/2012 3:58 AM (GMT +3)
Sorry forgot this one as well.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
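As an added example (not part of this thread and not HijackThis's own code), the following Python script parses HJT v2 result lines and applies the checks Goodguy69's two replies above do by hand: BHOs registered with no file on disk, a Run entry that points into the user profile, a ProxyOverride that bypasses the proxy for a localhost port, repeated Winsock LSP entries, AppInit_DLLs, and services with no publisher. The sample log is constructed from entries in the posted log; the rule wording and the Finding structure are assumptions of this example, and a hit means "look at this first", not "malicious".

```python
import re
from collections import Counter, namedtuple

# One triage result: the HJT section code, the rule that fired, and the entry text.
Finding = namedtuple("Finding", "section rule entry")

# HJT v2 result lines look like "O2 - BHO: ..." or "R1 - HKCU\...".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Constructed sample in HJT format; entries are modelled on the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" -boot
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\erwin\Local Settings\Application Data\Akamai\netsession_win.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O20 - AppInit_DLLs: BgGamingMonitor.dll
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
""".strip()


def parse(log_text):
    """Yield (section, body) for every HJT result line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return the entries a reviewer should look at first, in log order (LSP tally appended last)."""
    findings = []
    lsp_seen = Counter()
    for section, body in parse(log_text):
        if section == "O2" and body.endswith("(no file)"):
            # Registered BHO whose DLL is gone: an orphan left by removed software.
            findings.append(Finding(section, "orphaned BHO: registered but the DLL is missing", body))
        elif (section == "O4" and body.startswith("HKCU")
              and re.search(r"Documents and Settings|Application Data|AppData", body, re.I)):
            # Autoruns from the user profile need no admin rights to install.
            findings.append(Finding(section, "autorun from a user-writable profile path", body))
        elif section == "R1" and "ProxyOverride" in body and "127.0.0.1:" in body:
            # A localhost entry in the bypass list points at a local listener worth identifying.
            findings.append(Finding(section, "proxy bypass for a localhost port; check what listens on it", body))
        elif section == "O10":
            # LSP DLLs sit in every socket; tally duplicates and report once per DLL.
            lsp_seen[body.lower()] += 1
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(Finding(section, "AppInit_DLLs loads into every GUI process; verify publisher", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service without publisher information", body))
    for entry, n in lsp_seen.items():
        findings.append(Finding("O10", f"Winsock LSP DLL listed {n} time(s); verify the DLL", entry))
    return findings


def main():
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.rule}\n    {f.entry}")


if __name__ == "__main__":
    main()
```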
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/21/2012 4:05 AM (GMT +3)
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/21/2012 4:07 AM (GMT +3)
Please download and run RogueKiller from this link: http://majorgeeks.com/RogueKiller_d6983.html
Then download ListParts by Farbar from this link: http://www.bleepingcomputer.com/download/listparts/
Please include the logs in your next reply.
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/21/2012 4:14 AM (GMT +3)
Akamai is a worry alright, Akamai.com has some real big name companies who use its services. Adobe who use Akamai software to update is just one of many, the trouble is the update can carry nasty viruses. My beef with Akamai is it doesn't give you an option before installing itself on your pc, it has hidden files and all sorts? Not something I would trust.
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/21/2012 7:41 AM (GMT +3)
Robert Mateescu Forum Moderator Date Joined Sep 2011 Total Posts : 212 Posted 10/21/2012 2:11 PM (GMT +3)
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/21/2012 2:39 PM (GMT +3)
Robert Mateescu said...
Hi there,
Please check this post (skip ATF and MBAM):
forum.bullguard.com/forum/8/Help-when-try-to-use-internet-_94417.html .
Moreover, download and run Combofix as follows:
1. Reboot your computer in Safe Mode with Networking by pressing F8 (or F5 on some computers) before Windows starts (before the Windows logo appears) and choosing Safe Mode with Networking from the following screen.
2. Download the Combofix tool from
here. When finished, it will produce a log for you. The log is automatically saved on C:\ and is named Combofix.txt.
3. Restart in Normal Mode and post the log. Check if the redirects are gone.
As an additional workaround, uninstall SpyBot and disable MBAM's real time scanner (if active). Since you are using XP, run a Defrag and a check disk scan. This should increase your PC's speed slightly.
/cheers!
Okay... I checked out that post and followed the directions. I then ran Combofix in Safe Mode - interestingly, Combofix asked me to disable Bullguard AV while in Safe Mode, yet I couldn't find any mention of BG in the Task Manager, so I ran it anyway, despite the warnings. SpyBot has now been uninstalled.
Here is the Combofix log:
-----------
ComboFix 12-10-21.01 - erwin 21/10/2012 21:09:58.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.3070.2669 [GMT 10.5:30]
Running from: c:\documents and settings\erwin\My Documents\Downloads\ComboFix.exe
AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *Disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\hpeE.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\erwin\Application Data\inst.exe
c:\documents and settings\erwin\WINDOWS
C:\Install.exe
c:\windows\iun6002.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_NVSVC
-------\Service_NVSvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-21 10:26 . 2012-10-21 10:26 -------- d-----w- c:\documents and settings\Administrator
2012-10-21 00:30 . 2012-10-21 00:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-19 14:11 . 2012-10-19 14:16 -------- d-----w- c:\program files\SpywareBlaster
2012-10-18 05:49 . 2012-07-03 15:25 28008 ----a-w- c:\windows\system32\nvhdap32.dll
2012-10-18 05:49 . 2012-07-03 15:25 124264 ----a-w- c:\windows\system32\drivers\nvhda32.sys
2012-10-18 05:49 . 2012-07-03 07:37 884072 ----a-w- c:\windows\system32\nvhdagenco3220103.dll
2012-10-18 04:33 . 2012-10-18 04:33 -------- d-----w- C:\temp
2012-10-18 04:32 . 2012-09-23 14:28 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-10-15 14:41 . 2012-10-15 14:41 -------- d-----w- c:\documents and settings\erwin\Application Data\Malwarebytes
2012-10-15 14:40 . 2012-10-15 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-15 14:40 . 2012-10-15 14:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-15 14:40 . 2012-09-07 06:34 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-13 11:28 . 2012-10-13 11:28 -------- d-----w- c:\documents and settings\erwin\Application Data\HD Tune Pro
2012-10-13 11:28 . 2012-10-13 11:28 -------- d-----w- c:\program files\HD Tune Pro
2012-10-13 02:05 . 2012-10-13 02:08 -------- d-----w- C:\Python27
2012-10-13 01:55 . 2012-10-13 01:55 -------- d-----w- c:\program files\MSXML 4.0
2012-10-11 07:43 . 2012-10-11 07:43 -------- d-----w- c:\program files\VideoLAN
2012-10-09 02:42 . 2012-10-09 10:56 -------- d-----w- c:\documents and settings\erwin\Application Data\Notepad++
2012-10-09 02:42 . 2012-10-09 02:42 -------- d-----w- c:\program files\Notepad++
2012-10-04 12:39 . 2011-05-30 13:42 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2012-10-04 12:39 . 2011-05-23 09:52 153088 ----a-w- c:\windows\system32\xvid.ax
2012-10-04 12:39 . 2011-05-23 07:46 645632 ----a-w- c:\windows\system32\xvidcore.dll
2012-10-04 12:39 . 2012-10-04 12:40 -------- d-----w- c:\program files\Xvid
2012-09-28 14:20 . 2012-09-28 14:20 -------- d-----w- c:\documents and settings\erwin\Local Settings\Application Data\backburner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-21 10:59 . 2008-11-04 07:42 16608 ----a-w- c:\windows\gdrv.sys
2012-10-09 06:07 . 2012-04-30 03:50 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 06:07 . 2011-09-30 10:45 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 05:02 . 2012-06-16 06:35 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 05:02 . 2011-03-21 06:52 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 03:21 . 2009-01-18 16:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-23 14:28 . 2012-08-04 20:02 5947392 ----a-w- c:\windows\system32\nvopencl.dll
2012-09-23 14:28 . 2012-02-24 00:25 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
2012-09-23 14:28 . 2012-02-24 00:25 2578792 ----a-w- c:\windows\system32\nvcuvid.dll
2012-09-23 14:28 . 2012-02-24 00:25 1866088 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-09-23 14:28 . 2012-02-24 00:25 17551360 ----a-w- c:\windows\system32\nvcompiler.dll
2012-09-23 14:28 . 2008-03-11 08:25 7446528 ----a-w- c:\windows\system32\nvcuda.dll
2012-09-23 14:28 . 2008-03-11 08:25 4494208 ----a-w- c:\windows\system32\nv4_disp.dll
2012-09-23 14:28 . 2008-03-11 08:25 2376704 ----a-w- c:\windows\system32\nvapi.dll
2012-09-23 14:28 . 2008-03-11 08:25 19103744 ----a-w- c:\windows\system32\nvoglnt.dll
2012-09-23 14:28 . 2008-03-11 08:25 12557728 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-09-23 13:04 . 2008-03-11 08:25 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-09-23 13:04 . 2008-03-11 08:25 15512424 ----a-w- c:\windows\system32\nvcpl.dll
2012-09-23 13:04 . 2008-03-11 08:25 164200 ----a-w- c:\windows\system32\nvsvc32.exe
2012-09-23 13:04 . 2008-03-11 08:25 143720 ----a-w- c:\windows\system32\nvcolor.exe
2012-09-23 13:04 . 2008-03-11 08:25 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-08-27 19:12 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-08-27 19:12 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-27 19:12 . 2009-06-26 03:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-08-27 19:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2012-08-27 12:46 . 2010-03-18 16:03 100216 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2012-08-24 13:52 . 2004-08-04 12:00 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-03 22:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-12 01:15 . 2010-04-19 12:16 54624 ----a-w- c:\windows\system32\BGLsp.dll
2009-11-26 20:23 . 2009-11-26 20:24 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"USSShReg"="c:\progra~1\PHOTOI~1\USSSHREG.EXE" [1996-08-18 16896]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2012-09-11 1756512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-03 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\erwin\Start Menu\Programs\Startup\
gest.lnk - c:\program files\GIGABYTE\GEST\gest.exe [2008-11-4 285192]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\CNAC3RPK.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallen earth f2p\\FEUpdater.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\skyrim\\SkyrimLauncher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\skyrim\\CreationKit.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\Borderlands 2\\Binaries\\Win32\\Launcher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1064:TCP"= 1064:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [12/03/2010 8:04 PM 64608]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [27/01/2011 5:52 PM 789960]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [27/01/2011 5:52 PM 19272]
R2 BsBackup;BullGuard backup service;c:\windows\System32\SvcHost.exe -k BullGuard_Backup [4/08/2004 10:30 PM 14336]
R2 BsBhvScan;BullGuard Behavioural Detection;c:\program files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe [27/01/2011 5:52 PM 321376]
R2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe -k BullGuard [4/08/2004 10:30 PM 14336]
R2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe -k BullGuard [4/08/2004 10:30 PM 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe -k BullGuard_Proxy [4/08/2004 10:30 PM 14336]
R2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe -k BullGuard_Main [4/08/2004 10:30 PM 14336]
R2 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [4/03/2010 6:37 AM 178528]
R2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [27/08/2012 11:12 PM 304480]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [24/02/2012 10:58 AM 1258856]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [21/04/2006 8:22 AM 70912]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [18/09/2008 7:47 PM 32512]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\drivers\AfwCore.sys [5/11/2008 12:40 AM 284928]
R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [4/11/2008 6:13 PM 47624]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [18/10/2012 4:19 PM 124264]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [31/01/2010 9:49 AM 27632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/07/2009 6:39 PM 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 2:28 PM 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [30/04/2012 2:20 PM 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/07/2009 6:39 PM 133104]
S3 oflpydin;oflpydin;\??\c:\docume~1\erwin\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\erwin\LOCALS~1\Temp\oflpydin.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [17/01/2010 11:59 PM 47360]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys --> c:\windows\system32\DRIVERS\qcusbser.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [18/12/2009 9:54 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [18/12/2009 9:54 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [18/12/2009 9:54 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [18/12/2009 9:54 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [18/12/2009 9:54 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [18/12/2009 9:54 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [18/12/2009 9:54 PM 109864]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [12/04/2011 7:39 AM 155344]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 2:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard_Main REG_MULTI_SZ BsMain
BullGuard REG_MULTI_SZ BsFileScan BsFire
BullGuard_LowPriv REG_MULTI_SZ BsBrowser
Akamai REG_MULTI_SZ Akamai
BullGuard_Backup REG_MULTI_SZ BsBackup
BullGuard_Proxy REG_MULTI_SZ BsMailProxy
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 06:07]
.
2012-10-19 c:\windows\Tasks\AdobeAAMUpdater-1.0-ERWIN01-erwin.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-08-13 20:39]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 08:08]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 08:08]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-838170752-725345543-1004Core.job
- c:\documents and settings\erwin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-09 12:36]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-838170752-725345543-1004UA.job
- c:\documents and settings\erwin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-09 12:36]
.
2012-10-21 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 01:55]
.
2012-10-02 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 01:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\erwin\Application Data\Mozilla\Firefox\Profiles\5ceh22dq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561457&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - TorrentReactor.Net Customized Web Search
FF - prefs.js: browser.startup.homepage - mira.astroempires.com/empire.aspx
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561457&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-GEST - c:\program files\GIGABYTE\GEST\run.exe
SafeBoot-37767017.sys
AddRemove-HeavyMetal_Aero - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-21 21:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-838170752-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-861567501-838170752-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:3d,4e,1c,b8,15,00,97,52,35,1b,1c,88,8a,ef,da,8a,c8,92,c4,95,ff,50,5f,
   21,cb,8a,3f,a7,b2,84,83,89,7c,e3,21,ca,d5,0c,45,1a,65,3e,bb,20,e1,1a,08,b6,\
"??"=hex:ec,cd,11,3a,ce,18,98,ac,a2,5b,d2,3d,7d,67,18,6a
.
[HKEY_USERS\S-1-5-21-861567501-838170752-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:51,da,43,66,12,df,d8,4d,a5,a6,2d,3b,f4,1b,38,90,3f,47,ce,19,ac,
   e9,b5,8a,b9,3b,03,24,70,91,50,0c,31,39,09,a0,90,ef,4e,df,d5,e9,40,14,d4,11,\
"rkeysecu"=hex:98,ea,b1,56,ee,3f,f0,1f,40,83,b4,67,ec,30,dd,9a
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(928)
c:\windows\system32\BGLsp.dll
.
- - - - - - - > 'explorer.exe'(2556) c:\windows\system32\WININET.dll c:\program files\BullGuard Ltd\BullGuard\spamfilter\LittleHook.dll c:\program files\NVIDIA Corporation\nview\nview.dll c:\program files\Microsoft Private Folder 1.0\ShellExt.dll c:\windows\system32\PFLib.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft Private Folder 1.0\PrfldSvc.exe c:\program files\Google\Update\1.3.21.123\GoogleCrashHandler.exe c:\windows\system32\CNAC3RPK.EXE c:\windows\system32\RunDLL32.exe c:\windows\system32\rundll32.exe . ************************************************************************** . Completion time: 2012-10-21 21:33:46 - machine was rebooted ComboFix-quarantined-files.txt 2012-10-21 11:03 . Pre-Run: 140,824,530,944 bytes free Post-Run: 140,246,953,984 bytes free . WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer . - - End Of File - - 8C6933015060BB269E00CA81ED446A7C Back to Top
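An added note with example code, not part of any post in this thread: the ComboFix service list above rewards reading line by line. Each entry has the shape `<start type> <service name>;<display name>;<image path> [<file date and size>]`, and ComboFix prints `[?]` when it cannot find the image file at scan time. The `oflpydin` entry is notable on three counts the log itself shows: the driver is registered from the user's Temp folder, its display name is just the service name, and the file was absent when the scan ran. The script below parses lines of that shape and applies those three checks. The sample is a constructed excerpt in the same format (two lines copied from the log, two ordinary entries for contrast). It does not identify what `oflpydin.sys` was; it only surfaces entries that deserve a closer look.

```python
import re

# Constructed sample in the shape of the ComboFix service lines above
# (two entries copied from the log, two ordinary ones as a baseline).
SAMPLE_SERVICES = r"""
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/07/2009 6:39 PM 133104]
S3 oflpydin;oflpydin;\??\c:\docume~1\erwin\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\erwin\LOCALS~1\Temp\oflpydin.sys [?]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys --> c:\windows\system32\DRIVERS\qcusbser.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [17/01/2010 11:59 PM 47360]
"""

# One ComboFix service line:
#   "<start type> <name>;<display name>;<image path> [<date time size> | ?]"
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")

# Locations a kernel driver or service binary has no business living in:
# user profiles and temp folders, including their 8.3 short names.
PROFILE_OR_TEMP_RE = re.compile(
    r"\\(temp|tmp|docume~1|documents and settings|users|local settings|application data|appdata)\\",
    re.IGNORECASE,
)


def normalise_path(raw):
    """Return the on-disk path ComboFix resolved: prefer the right-hand side of
    'registry path --> resolved path' and drop an NT-style '\\??\\' prefix."""
    path = raw.split("-->")[-1].strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def parse_services(text):
    """Yield (start type, name, display name, image path, bracket text)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            start, name, display, raw_path, meta = m.groups()
            rows.append((start, name, display, normalise_path(raw_path), meta.strip()))
    return rows


def triage(text):
    """Map service name -> list of findings; an empty list means nothing notable."""
    report = {}
    for start, name, display, path, meta in parse_services(text):
        findings = []
        if PROFILE_OR_TEMP_RE.search(path):
            findings.append("image in user-profile/temp location: " + path)
        if meta == "?":
            findings.append("image file not found at scan time")
        if name.lower() == display.lower() and path.lower().endswith(".sys"):
            findings.append("driver with no descriptive display name")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_SERVICES).items():
        print(name, "->", findings or "ok")
```

A missing image file on its own is weak evidence (the `qcusbser` leftover shows a vendor driver in the right folder whose file is simply gone); the combination with a Temp-folder path is what should prompt pulling the file from quarantine or backups and checking its signature.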
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/22/2012 6:25 AM (GMT +3)
RKreport:

RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : erwin [Admin rights]
Mode : Remove -- Date : 10/22/2012 13:41:29

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[15] : NtAllocateUserPhysicalPages @ 0x805B5FBE -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA9193)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA2007)
SSDT[18] : NtAreMappedFilesTheSame @ 0x805B05D2 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA92A6)
SSDT[41] : NtCreateKey @ 0x806240F6 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA27DD)
SSDT[47] : NtCreateProcess @ 0x805D1250 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA2BB1)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA2D10)
SSDT[63] : NtDeleteKey @ 0x80624592 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA322E)
SSDT[65] : NtDeleteValueKey @ 0x80624762 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA331C)
SSDT[74] : NtExtendSection @ 0x805B3CDE -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA3731)
SSDT[106] : NtMapUserPhysicalPages @ 0x805B541E -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA9966)
SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA420C)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA489C)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA49A5)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA4EED)
SSDT[167] : NtQuerySection @ 0x805B85E8 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA5C08)
SSDT[186] : NtReadVirtualMemory @ 0x805B42CA -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA6671)
SSDT[192] : NtRenameKey @ 0x80623B18 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FC51ED)
SSDT[193] : NtReplaceKey @ 0x806261CA -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA6913)
SSDT[226] : NtSetInformationKey @ 0x80622E10 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA730A)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA7426)
SSDT[247] : NtSetValueKey @ 0x80622668 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA7BF0)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA802A)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA8396)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA889E)
S_SSDT[307] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FB21D1)
S_SSDT[383] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FB65D9)
S_SSDT[404] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FB721E)
S_SSDT[549] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FBAF3E)
S_SSDT[570] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FBB8E9)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320613AS +++++
--- User ---
[MBR] ce5180031f2539cd069d6e70b8f3c9a5
[BSP] 32e324bd380d812853e57caf6eef8e0a : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305234 Mo
User = LL1 ... OK!
User = LL2 ... OK!

----------

ListParts log:

ListParts by Farbar Version: 16-10-2012
Ran by erwin (administrator) on 22-10-2012 at 13:44:38
Windows XP (X86)
Running From: C:\Documents and Settings\erwin\My Documents\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 3070.42 MB
Available physical RAM: 2448.2 MB
Total Pagefile: 7910.07 MB
Available Pagefile: 7493.15 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.77 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:130.55 GB) NTFS ==>[Drive with boot components (Windows XP)]
2 Drive d: (BBDK) (CDROM) (Total:4.02 GB) (Free:0 GB) UDF

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online       298 GB      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            298 GB    32 KB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 1   C                NTFS   Partition    298 GB  Healthy  System (partition with boot components)

======================================================================================================

****** End Of Log ******
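An added example, not part of the RogueKiller output or of any post: every `SSDT` and `S_SSDT` (shadow table) hook line above names the same owning module, `\SystemRoot\system32\DRIVERS\NSKernel.sys`. Hooks on NtCreateProcess, NtWriteVirtualMemory, NtSetValueKey and similar calls are what a kernel-mode security product installs to mediate those operations, so a hook is not evidence of compromise by itself. What an investigator wants from this section is the set of owning modules, whether each lives where an installed driver should, and which calls it intercepts. The thread does not say which product installed NSKernel.sys and neither does this script; confirming that file's vendor and signature is the next step. The sample report is a constructed excerpt: four lines copied from the log plus one invented hook from a Temp-folder driver to show what the location check flags.

```python
import re
from collections import defaultdict

# Constructed sample: the first four lines are copied from the RogueKiller
# report above; the last one is invented to show a hook owned by a driver
# loaded from a user's Temp folder.
SAMPLE_REPORT = r"""
SSDT[47] : NtCreateProcess @ 0x805D1250 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA2BB1)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA489C)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FA889E)
S_SSDT[307] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\NSKernel.sys @ 0xB3FB21D1)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (\??\C:\DOCUME~1\user\LOCALS~1\Temp\example.sys @ 0xB3F00000)
"""

# "SSDT[n] : NtFunc @ 0xADDR -> HOOKED (module @ 0xADDR)"; the shadow table
# lines print "Unknown" with no original address.
HOOK_RE = re.compile(
    r"^(S_SSDT|SSDT)\[(\d+)\]\s*:\s*(\S+)(?:\s*@\s*0x[0-9A-Fa-f]+)?"
    r"\s*->\s*HOOKED\s*\((.+?)\s*@\s*0x[0-9A-Fa-f]+\)\s*$"
)

# Where a driver installed by a product normally lives on Windows XP.
EXPECTED_DRIVER_DIR_RE = re.compile(
    r"^\\SystemRoot\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE
)


def parse_hooks(text):
    """Return (table, index, function name, owning module) per hook line."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            table, index, func, module = m.groups()
            hooks.append((table, int(index), func, module))
    return hooks


def summarise(text):
    """Group hooks by owning module: how many table entries it hooks, how many
    of those are shadow-table entries, which named syscalls, and whether the
    module lives outside the usual driver folder."""
    by_module = defaultdict(
        lambda: {"count": 0, "shadow_count": 0, "functions": [], "unexpected_path": False}
    )
    for table, index, func, module in parse_hooks(text):
        entry = by_module[module]
        entry["count"] += 1
        if table == "S_SSDT":
            entry["shadow_count"] += 1
        if func != "Unknown":
            entry["functions"].append(func)
        entry["unexpected_path"] = not EXPECTED_DRIVER_DIR_RE.match(module)
    return dict(by_module)


if __name__ == "__main__":
    for module, entry in summarise(SAMPLE_REPORT).items():
        flag = "CHECK LOCATION" if entry["unexpected_path"] else "usual driver folder"
        print(f"{module}: {entry['count']} hooks ({entry['shadow_count']} shadow) [{flag}]")
        print("   ", ", ".join(entry["functions"]) or "(no named functions)")
```

Grouping is the point: a report with 29 hook lines reads as alarming, but one owner in the driver folder is a different finding from several owners or an owner in a profile directory.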
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/22/2012 7:54 AM (GMT +3)
Great, no hidden partitions and some registry fixes. I don't like the fact that RogueKiller never included your Hosts file contents. To check your Hosts file, do the following:
Click Start, My Computer, Windows, System32 (allow files to be seen), Drivers, Etc, Hosts (open with Notepad). It should look like this one:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

If it looks like this, great; we will finish off with a Malwarebytes scan from this link: http://www.malwarebytes.org/products/malwarebytes_free/
Update and run a quick scan, and include the log in your reply if anything is found.
Post Edited (Goodguy69) : 10/22/2012 4:55:40 AM GMT
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/22/2012 8:42 AM (GMT +3)
Goodguy69 said...
Great, no hidden partitions and some registry fixes. I don't like the fact that RogueKiller never included your Hosts file contents. To check your Hosts file, do the following:
Click Start, My Computer, Windows, System32 (allow files to be seen), Drivers, Etc, Hosts (open with Notepad). It should look like this one:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

If it looks like this, great; we will finish off with a Malwarebytes scan from this link: http://www.malwarebytes.org/products/malwarebytes_free/
Update and run a quick scan, and include the log in your reply if anything is found.

There is no Hosts file. Only lmhosts.sam, networks, protocol and services. The lmhosts.sam looks like an example (the same as your post).
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/22/2012 8:58 AM (GMT +3)
To reset the Hosts file back to the default, follow these steps:
Click Start, click Run, type %systemroot%\system32\drivers\etc, and then click OK.
Create a new default hosts file. To do this, follow these steps:
Right-click an open space in the %WinDir%\System32\Drivers\Etc folder, point to New, click Text Document, type hosts, and then press Enter. Click Yes to confirm that the file name extension will not be .txt.
Open the new Hosts file in a text editor. For example, open the file in Notepad.
Copy the following text to the file:

For Windows XP or for Windows Server 2003

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

Save and then close the file.
Post Edited (Goodguy69) : 10/22/2012 6:00:33 AM GMT
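An added example, not from either poster: the two posts above describe a small procedure (look for `%SystemRoot%\system32\drivers\etc\hosts`, compare it with the Microsoft sample, recreate it if it is missing). The script below does the same in code so the comparison is mechanical. It parses a hosts file, ignores comments, and reports every mapping other than the loopback `localhost` line, separating a site pinned to a foreign address from a site blackholed to loopback or 0.0.0.0 (the usual way a hijacker stops security tools from updating). `DEFAULT_HOSTS` is the sample text quoted in the posts; `HIJACKED_HOSTS` is a constructed example using addresses from the 192.0.2.0/24 documentation range. One caveat a practitioner would add: a hosts file that does not exist, as reported here, means Windows has no local overrides and resolves everything through DNS, so its absence neither causes nor explains a redirect.

```python
import os

# The default Windows XP hosts file content quoted in the posts above.
DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
"""

# Constructed example of a hijacked file. Addresses are from the
# 192.0.2.0/24 documentation range; the names are the kind a redirector targets.
HIJACKED_HOSTS = """\
127.0.0.1 localhost
192.0.2.10 www.google.com        # search redirected elsewhere
192.0.2.10 www.bing.com
127.0.0.1 www.malwarebytes.org   # vendor site blackholed
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, [names]) for every active mapping; comments are stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Return (kind, name, ip) for every mapping other than loopback -> localhost.

    'redirected' means a real name is pinned to some other address;
    'blackholed' means a name is pinned to loopback or 0.0.0.0 so it never resolves.
    """
    findings = []
    for ip, names in parse_hosts(text):
        if ip in LOOPBACK and all(n.lower() in LOCAL_NAMES for n in names):
            continue
        kind = "blackholed" if ip in LOOPBACK or ip == "0.0.0.0" else "redirected"
        for n in names:
            findings.append((kind, n, ip))
    return findings


def hosts_path():
    """%SystemRoot%\\system32\\drivers\\etc\\hosts, the location named in the posts."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


def restore_default(path, overwrite=False):
    """Write the default file (no .txt extension). Returns True if it was written."""
    if os.path.exists(path) and not overwrite:
        return False
    with open(path, "w", newline="\r\n") as fh:
        fh.write(DEFAULT_HOSTS)
    return True


if __name__ == "__main__":
    p = hosts_path()
    if not os.path.exists(p):
        print("no hosts file at", p, "- creating default:", restore_default(p))
    else:
        with open(p) as fh:
            for finding in audit_hosts(fh.read()):
                print("suspicious:", finding)
```

Run it from an administrator account on the affected machine; writing under system32 needs that right, which is also why the posts have the user create the file by hand in Explorer.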
Robert Mateescu Forum Moderator Date Joined Sep 2011 Total Posts : 212 Posted 10/22/2012 8:54 PM (GMT +3)
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/23/2012 3:37 AM (GMT +3)
Could you please run AdwCleaner:
http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
http://www.softpedia.com/progScreenshots/AdwCleaner-Screenshot-212632.html
http://general-changelog-team.fr/en/tools/15-adwcleaner
http://www.raymond.cc/blog/adwcleaner-search-and-delete-adware-pup-toolbar-and-homepage-hijacker/

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/23/2012 6:10 AM (GMT +3)
Here's the log for AdwCleaner. It's strange that Firefox has all the problems, yet I very rarely use Firefox. Google Chrome is the browser which is having issues.

# AdwCleaner v2.005 - Logfile created 10/23/2012 at 13:34:05
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : erwin - ERWIN01
# Boot Mode : Normal
# Running from : C:\Documents and Settings\erwin\My Documents\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\erwin\Application Data\Mozilla\Firefox\Profiles\5ceh22dq.default\searchplugins\Conduit.xml
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\erwin\Application Data\Mozilla\Firefox\Profiles\5ceh22dq.default\Conduit
Folder Deleted : C:\Documents and Settings\erwin\Local Settings\Application Data\vghd

***** [Registry] *****

Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Layers
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.13

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.3 (en-GB)

Profile name : default
File : C:\Documents and Settings\erwin\Application Data\Mozilla\Firefox\Profiles\5ceh22dq.default\prefs.js

C:\Documents and Settings\erwin\Application Data\Mozilla\Firefox\Profiles\5ceh22dq.default\user.js ... Deleted !

Deleted : user_pref("CT1561457.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Deleted : user_pref("CT1561457.AllowNonPrivacy", false);
Deleted : user_pref("CT1561457.CTID", "CT1561457");
Deleted : user_pref("CT1561457.CommunityChanged", false);
Deleted : user_pref("CT1561457.DialogsAlignMode", "LTR");
Deleted : user_pref("CT1561457.FeedLastCount128535021974456377", 50);
Deleted : user_pref("CT1561457.FeedLastCount128675091812725890", 80);
Deleted : user_pref("CT1561457.FeedPollDate128535021483831769", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128535021743050541", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128535021917738200", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128535022200862830", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128535022347737910", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128535022500706661", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128535022774144229", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128675082057881332", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128675089219131457", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128675091162569603", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FeedPollDate128675091780850786", "Wed May 06 2009 03:00:46 GMT+0930");
Deleted : user_pref("CT1561457.FirstTime", true);
Deleted : user_pref("CT1561457.FirstTimeFF3", true);
Deleted : user_pref("CT1561457.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Deleted : user_pref("CT1561457.Initialize", true);
Deleted : user_pref("CT1561457.InitializeCommonPrefs", true);
Deleted : user_pref("CT1561457.IsGrouping", false);
Deleted : user_pref("CT1561457.IsMulticommunity", false);
Deleted : user_pref("CT1561457.IsOpenThankYouPage", true);
Deleted : user_pref("CT1561457.IsOpenUninstallPage", true);
Deleted : user_pref("CT1561457.LanguagePackLastCheckTime", "Tue May 05 2009 18:01:25 GMT+0930");
Deleted : user_pref("CT1561457.LanguagePackReloadIntervalMM", 1440);
Deleted : user_pref("CT1561457.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Deleted : user_pref("CT1561457.LastLogin", "Wed May 06 2009 00:50:32 GMT+0930");
Deleted : user_pref("CT1561457.Locale", "en-us");
Deleted : user_pref("CT1561457.LoginCache", "4");
Deleted : user_pref("CT1561457.MCDetectTooltipHeight", "83");
Deleted : user_pref("CT1561457.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Deleted : user_pref("CT1561457.MCDetectTooltipWidth", "295");
Deleted : user_pref("CT1561457.MyGadgetsServerUrl", "hxxp://services.MyStuff.u-page.com/MyStuffService.asmx/Le[...]
Deleted : user_pref("CT1561457.MyGadgetsTrustedDomains", "u-page.com");
Deleted : user_pref("CT1561457.SHRINK_TOOLBAR", 1);
Deleted : user_pref("CT1561457.SearchFromAddressBarIsInit", true);
Deleted : user_pref("CT1561457.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT156[...]
Deleted : user_pref("CT1561457.Server", "hxxp://users.conduit.com");
Deleted : user_pref("CT1561457.SettingsInvalidateCache", false);
Deleted : user_pref("CT1561457.SettingsLastUpdate", "1237710990");
Deleted : user_pref("CT1561457.ThirdPartyComponentsInterval", "72");
Deleted : user_pref("CT1561457.ThirdPartyComponentsLastCheck", "Mon May 04 2009 15:20:44 GMT+0930");
Deleted : user_pref("CT1561457.ThirdPartyComponentsLastUpdate", "1234008881");
Deleted : user_pref("CT1561457.ToolbarAlignMode", "SYSTEM");
Deleted : user_pref("CT1561457.ToolbarName", "TorrentReactor.Net");
Deleted : user_pref("CT1561457.UserID", "UN38984748861689514");
Deleted : user_pref("CT1561457.VusualLastUpdateTime", "1230486717");
Deleted : user_pref("CT1561457.WeatherNetwork", "");
Deleted : user_pref("CT1561457.WeatherPollDate", "Wed May 06 2009 02:41:19 GMT+0930");
Deleted : user_pref("CT1561457.WeatherUnit", "C");
Deleted : user_pref("CT1561457.clientLogIsEnabled", false);
Deleted : user_pref("CT1561457.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asm[...]
Deleted : user_pref("CT1561457.components.1000034", false);
Deleted : user_pref("CT1561457.components.1000082", false);
Deleted : user_pref("CT1561457.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Reg[...]
Deleted : user_pref("CommunityToolbar.MyGadgetsIntervalMM", 1440);
Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.pr[...]
Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT1561457");
Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT1561457");
Deleted : user_pref("CommunityToolbar.alert.alertInfoInterval", 60);
Deleted : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Wed May 06 2009 02:50:47 GMT+0930");
Deleted : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Deleted : user_pref("CommunityToolbar.alert.locale", "en");
Deleted : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Deleted : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Tue May 05 2009 18:01:22 GMT+0930");
Deleted : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1234796400");
Deleted : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Deleted : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Deleted : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Deleted : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Deleted : user_pref("CommunityToolbar.alert.userId", "{c9950131-f8c1-40c1-a8d7-9141094ea744}");
Deleted : user_pref("browser.search.defaultthis.engineName", "TorrentReactor.Net Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561457&Sea[...]
Deleted : user_pref("browser.search.selectedEngine", "TorrentReactor.Net Customized Web Search");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561457&SearchSource=2&q=[...]

-\\ Google Chrome v22.0.1229.94

File : C:\Documents and Settings\erwin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [8739 octets] - [23/10/2012 13:34:05]

########## EOF - C:\AdwCleaner[S1].txt - [8799 octets] ##########
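An added example, not part of the AdwCleaner log or of the posts: the Firefox section above is a Conduit community-toolbar installation (`CommunityToolbar.ToolbarsList` = `CT1561457`, search prefs pointing at `search.conduit.com`), and every date the toolbar recorded in its own prefs is from 2009. When the complaint is about Chrome but the findings are in Firefox, dating the findings is part of deciding whether they explain anything. The script below reads `user_pref` lines in the defanged form AdwCleaner prints them (`hxxp`, long values cut with `[...]`), flags search and start-page prefs whose host or engine name is not on an allow-list, lists the toolbar IDs present, and converts a toolbar's `SettingsLastUpdate` epoch value to a date. The sample is a constructed excerpt of the lines above; the allow-lists are assumptions for the illustration, not anything from the log.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed excerpt in the shape of the user_pref lines AdwCleaner printed
# above (http defanged as hxxp, long values truncated with [...]); the last
# line is an ordinary value added for contrast.
SAMPLE_PREFS = r"""
user_pref("CT1561457.CTID", "CT1561457");
user_pref("CT1561457.ToolbarName", "TorrentReactor.Net");
user_pref("CT1561457.SettingsLastUpdate", "1237710990");
user_pref("CommunityToolbar.ToolbarsList", "CT1561457");
user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561457&Sea[...]");
user_pref("browser.search.selectedEngine", "TorrentReactor.Net Customized Web Search");
user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561457&SearchSource=2&q=[...]");
user_pref("browser.startup.homepage", "mira.astroempires.com/empire.aspx");
user_pref("browser.search.defaultenginename", "Google");
"""

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Prefs that decide where typed searches and the start page go.
URL_PREFS = ("browser.search.defaulturl", "keyword.URL", "browser.startup.homepage")
NAME_PREFS = ("browser.search.selectedEngine", "browser.search.defaultenginename")

# Assumed allow-lists for this illustration; set them to what you expect on the box.
ALLOWED_HOSTS = {"www.google.com", "www.google.com.au", "www.bing.com", "search.yahoo.com"}
ALLOWED_ENGINES = {"Google", "Bing", "Yahoo"}


def parse_prefs(text):
    """Map pref name -> raw value (string values have their quotes removed)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.search(line.strip())
        if not m:
            continue
        key, value = m.groups()
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        prefs[key] = value
    return prefs


def host_of(value):
    """Host part of a pref value; handles defanged hxxp and scheme-less values."""
    v = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    if "://" not in v:
        v = "http://" + v
    return urlsplit(v).hostname or ""


def audit_search_prefs(prefs, allowed_hosts=ALLOWED_HOSTS, allowed_engines=ALLOWED_ENGINES):
    """(pref, host or engine name) for every search/start pref not on the allow-lists."""
    findings = []
    for key in URL_PREFS:
        if key in prefs:
            host = host_of(prefs[key])
            if host not in allowed_hosts:
                findings.append((key, host))
    for key in NAME_PREFS:
        if key in prefs and prefs[key] not in allowed_engines:
            findings.append((key, prefs[key]))
    return findings


def toolbar_ids(prefs):
    """Conduit community-toolbar IDs present, taken from the 'CTnnnnn.' pref prefix."""
    return {k.split(".", 1)[0] for k in prefs if re.match(r"^CT\d+\.", k)}


def toolbar_last_update(prefs, tid):
    """UTC date the toolbar last pulled its settings (epoch seconds in the pref)."""
    raw = prefs.get(tid + ".SettingsLastUpdate")
    return datetime.fromtimestamp(int(raw), tz=timezone.utc).date() if raw else None


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for key, what in audit_search_prefs(prefs):
        print("review:", key, "->", what)
    for tid in sorted(toolbar_ids(prefs)):
        print("toolbar", tid, prefs.get(tid + ".ToolbarName"), "last settings update:",
              toolbar_last_update(prefs, tid))
```

The allow-list approach deliberately flags anything unfamiliar for review rather than trying to recognise bad hosts, so a legitimate but unusual homepage shows up too; that is cheaper than maintaining a blocklist and matches how a helper reads these logs by hand.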
Goodguy69 New Member Date Joined Oct 2010 Total Posts : 45 Posted 10/23/2012 6:28 AM (GMT +3)
I'm still waiting to see a Malwarebytes log; any luck with that? How is your Hosts file now?
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/23/2012 7:39 PM (GMT +3)
The latest Malwarebytes log is below. It claims that there are "no malicious items detected", which is crap, because my browser was redirected twice today and I've had random music playing. Two of the sites I was redirected to are "player.indymusic.tv" and "clicks.webnug.com".

-------
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.23.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
erwin :: ERWIN01 [administrator]

24/10/2012 2:49:34 AM
mbam-log-2012-10-24 (02-49-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 264955
Time elapsed: 15 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Erwiin New Member Date Joined Oct 2012 Total Posts : 14 Posted 10/24/2012 6:53 PM (GMT +3)
I downloaded and ran Unhide and uninstalled ComboFix. Now what?

Unhide log:

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 10/25/2012 01:32:16 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 493118 files processed.

The C:\DOCUME~1\erwin\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default Start Menu shortcuts:
http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 10/25/2012 02:07:39 AM
Execution time: 0 hours(s), 35 minute(s), and 23 seconds(s)