browser redirects and win upd blocked

This is a discussion on browser redirects and win upd blocked within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 04-24-2011, 08:40 AM   #21
Registered Member
 
Join Date: Apr 2011
Posts: 24
OS: XP sp3



Hi amateur,

I disabled MS Security Essentials.

I left the ESET scanner running. It had been running for approx 2 hours. I noticed it had found 12 threats - they appeared to be in 'restore' areas of the file system - but I cannot be sure. Anyway the final time I checked on the progress I noticed that the computer had rebooted.

I will await your instruction.

I performed the MalwareBytes AntiMalware run, here is the log:-

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 6433

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/04/2011 14:00:12
mbam-log-2011-04-24 (14-00-12).txt

Scan type: Quick scan
Objects scanned: 168564
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
JCTJennings is offline  
Old 04-24-2011, 08:48 AM   #22
TSF-Emeritus
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Malwarebytes' log looks good.


Quote:
I left the ESET scanner running. It had been running for approx 2 hours. I noticed it had found 12 threats - they appeared to be in 'restore' areas of the file system - but I cannot be sure. Anyway the final time I checked on the progress I noticed that the computer had rebooted.
I am not sure if I understand you correctly here. Has the scan been completed?
If so, there should be a logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt Please post the contents of that file.
__________________

amateur is offline  
Old 04-24-2011, 08:59 AM   #23
Registered Member
 
Join Date: Apr 2011
Posts: 24
OS: XP sp3



I suspect the scan was incomplete. I suspect the reboot occurred towards the end of the scan.

Here is the log:-

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
JCTJennings is offline  
Old 04-24-2011, 09:07 AM   #24
TSF-Emeritus
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Well, that's not the log I was expecting. Is that all there was in there? Please run ESET again following the earlier posted instructions. Sorry for putting you through a lengthy process again, but it's important.
__________________

amateur is offline  
Old 04-24-2011, 09:09 AM   #25
Registered Member
 
Join Date: Apr 2011
Posts: 24
OS: XP sp3



No probs, I will restart the ESET run.
JCTJennings is offline  
Old 04-24-2011, 09:10 AM   #26
TSF-Emeritus
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



OK, thanks.
__________________

amateur is offline  
Old 04-24-2011, 10:50 AM   #27
Registered Member
 
Join Date: Apr 2011
Posts: 24
OS: XP sp3



Same thing happened, Amateur. :(

It is getting close to the end of the scanning process (stage 3), then rebooting. Unfortunately I was away from the keyboard when it rebooted, so I can't say exactly which point it goes pop.

What should I do?
JCTJennings is offline  
Old 04-24-2011, 11:02 AM   #28
TSF-Emeritus
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



That's very odd. Let's leave the online scan for now. How is the computer running otherwise?

Steam was deleted by Combofix. We can de-quarantine it, but I am not quite sure yet if it's a false positive or not. So, it might be better to re-install Steam if you're using it. It doesn't need to be done right away. I just want you to be aware of it.

========================

I see uTorrent, which is a p2p file sharing program, installed. This practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it via Add or Remove Programs in Control Panel as suggested in our
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link
=========================

Your Adobe Reader is out of date and can be exploited. Please download the latest version, here.

Uncheck Google Toolbar, Free McAfee® Security Scan Plus, or any other offers they may have during the installation, unless you want them.

=========================

Please run Combofix again with the following script.
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
File::
c:\windows\system32\35.tmp 

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\patches]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"arg70techsdk.exe"=-
"Dnubetogum"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ccelumafuxuj"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-


RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

driver::
MEMSWEEP2
Save this as CFScript.txt on your Desktop.



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
__________________

amateur is offline  
Old 04-24-2011, 11:11 AM   #29
Registered Member
 
Join Date: Apr 2011
Posts: 24
OS: XP sp3



Amateur - just a quickie...I need to use steam tonight. I am in a CounterStrike match in a team. It is the main thing I use my PC for - is there any way we can restore it?

Obviously the computer problems are the priority, but if we could accommodate both it would be great.
JCTJennings is offline  
Old 04-24-2011, 11:39 AM   #30
Registered Member
 
Join Date: Apr 2011
Posts: 24
OS: XP sp3



I have updated Adobe and rerun ComboFix with the script. The results are shown below.

I am guessing that it is just the steam platform file which has been quarantined? Will it be faster to simply install it again from the web or have I lost all the game files too?

ComboFix 11-04-23.02 - Ian 24/04/2011 18:22:38.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2486 [GMT 1:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\35.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-24 13:06 . 2011-04-24 13:06 -------- d-----w- c:\program files\ESET
2011-04-24 12:49 . 2011-04-10 23:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8635F347-4641-4012-A163-F1C162059F16}\mpengine.dll
2011-04-24 12:49 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-24 12:47 . 2011-04-24 12:47 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-22 09:51 . 2010-09-16 07:51 421888 ----a-w- C:\WUInstall.exe
2011-04-22 08:12 . 2011-02-08 13:33 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-04-22 07:40 . 2011-04-22 07:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-21 16:14 . 2011-04-21 16:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-21 16:14 . 2011-04-21 16:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-21 16:06 . 2011-04-24 06:53 -------- d-----w- c:\documents and settings\Administrator
2011-04-21 15:01 . 2011-04-21 15:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-21 14:53 . 2011-04-21 14:53 -------- d-----w- c:\program files\Sophos
2011-04-21 14:44 . 2011-04-21 14:44 -------- d-----w- c:\program files\Safari
2011-04-21 14:23 . 2011-03-10 11:27 1377112 ----a-w- C:\TDSSKiller.exe
2011-04-21 12:30 . 2011-04-21 12:30 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-21 12:30 . 2011-04-21 12:30 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-21 12:30 . 2011-04-21 12:30 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-21 12:30 . 2011-04-21 12:30 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-21 12:30 . 2011-04-21 12:30 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-21 12:30 . 2011-04-21 12:30 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-21 12:30 . 2011-04-21 12:30 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-21 12:30 . 2011-04-21 12:30 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-21 12:15 . 2011-04-21 12:15 -------- d-----w- c:\program files\Common Files\Java
2011-04-21 12:14 . 2011-02-02 20:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-21 12:14 . 2011-02-02 20:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-21 09:05 . 2011-04-21 09:05 -------- d-----w- c:\documents and settings\Ian\Application Data\Malwarebytes
2011-04-21 09:05 . 2011-04-21 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-21 09:05 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 09:05 . 2011-04-21 09:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 09:05 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 08:58 . 2011-04-21 09:30 -------- d-----w- C:\f46f6218389c5b5ea07c40cf9d
2011-04-20 17:53 . 2011-04-20 17:53 -------- d-----w- c:\documents and settings\Ian\Application Data\SUPERAntiSpyware.com
2011-04-20 17:53 . 2011-04-20 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-20 17:53 . 2011-04-20 17:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-20 17:46 . 2011-04-20 17:46 -------- d-----w- c:\program files\Windows Defender
2011-04-20 15:21 . 2011-04-20 15:21 0 ----a-w- c:\windows\Rheruzitohapuveb.bin
2011-04-20 14:59 . 2011-04-21 11:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-20 14:59 . 2011-04-20 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-24 07:42 . 2011-04-24 07:42 6560 ----a-w- C:\ComboFix.zip
2011-04-23 18:34 . 2011-04-23 18:34 608 ----a-w- C:\TDSSKiller.2.4.21.0_22.04.2011_20.08.24_log.zip
2011-02-08 18:03 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-02 18:19 . 2010-03-30 19:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-21 12:30 . 2011-04-21 12:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_07.31.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-10 11:49 . 2010-11-10 11:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 11:49 . 2010-11-10 11:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 11:49 . 2010-11-10 11:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 11:49 . 2010-11-10 11:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 11:49 . 2010-11-10 11:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
+ 2004-08-04 12:00 . 2008-04-13 19:20 361344 c:\windows\system32\drivers\tcpip.sys
- 2004-08-04 12:00 . 2009-12-29 10:45 361344 c:\windows\system32\drivers\tcpip.sys
+ 2010-10-24 20:25 . 2010-10-24 20:25 165264 c:\windows\system32\drivers\MpFilter.sys
+ 2004-08-04 12:00 . 2008-04-13 19:20 361344 c:\windows\system32\dllcache\tcpip.sys
+ 2011-04-24 12:47 . 2011-04-24 12:47 786432 c:\windows\Installer\24bfe6.msi
+ 2011-04-24 12:47 . 2011-04-24 12:47 479744 c:\windows\Installer\24bfe0.msi
+ 2011-04-24 12:47 . 2011-04-24 12:47 301056 c:\windows\Installer\24bfdb.msi
+ 2010-11-10 11:49 . 2010-11-10 11:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-10 11:49 . 2010-11-10 11:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 11:49 . 2010-11-10 11:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2011-04-24 17:15 . 2011-04-24 17:15 2283008 c:\windows\Installer\1b60c3.msi
+ 2010-11-10 11:49 . 2010-11-10 11:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 11:49 . 2010-11-10 11:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 11:49 . 2010-11-10 11:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\1b60c4.msp
+ 2010-11-10 11:49 . 2010-11-10 11:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ian\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ian\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ian\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-02 18665472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Ian\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ian\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-01-07 19:58 13880424 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-07 19:58 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-11-04 08:51 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 18:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\THQ\\Relic Entertainment\\Company of Heroes Online\\Game\\RelicCoHOWW.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Ian\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\IceChat7\\IceChat7.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOps.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOpsMP.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]iandoyle.plus.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S1 MpKsl8800c7cc;MpKsl8800c7cc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8635F347-4641-4012-A163-F1C162059F16}\MpKsl8800c7cc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8635F347-4641-4012-A163-F1C162059F16}\MpKsl8800c7cc.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [05/12/2009 10:00 1684736]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 USBFVNETA;Compaq 11 Mbps Wireless USB Adapter;c:\windows\system32\drivers\vnetusba.sys [14/07/2010 17:34 67072]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/04/2010 18:48 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-28 17:48]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-28 17:48]
.
2011-04-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
.
2011-04-24 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: line6.net
Trusted Zone: windowsupdate.com\www
FF - ProfilePath - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\kad7nvla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-24 18:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\documents and settings\Ian\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2011-04-24 18:36:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-24 17:36
ComboFix2.txt 2011-04-24 12:19
ComboFix3.txt 2011-04-24 11:23
ComboFix4.txt 2011-04-24 07:36
.
Pre-Run: 319,562,448,896 bytes free
Post-Run: 319,474,262,016 bytes free
.
- - End Of File - - EE9744EB9F1C41B1AC2199042354393B
JCTJennings is offline  
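As an added example (not code from the thread, from amateur, or from ComboFix itself), here is a small Python audit tool for the two artefacts above: it reads the CFScript posted in #28 and lists every action the script requests, then checks the ComboFix log posted in #30 for the lines that confirm the file and driver removals. The directive semantics it relies on (File:: deletes each listed file, driver:: removes the named service, RegLock:: unlocks a key, and under Registry:: a `[-key]` line deletes the key, `"name"=-` deletes a value and any other `"name"=data` sets it) are the documented CFScript behaviour and are assumed here; the log excerpt is trimmed to the lines that matter, and registry edits are reported as unverifiable because the main ComboFix log does not echo them.

```python
import re

# CFScript from post #28 of the thread (copied verbatim, blank lines dropped).
CFSCRIPT = r"""File::
c:\windows\system32\35.tmp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\patches]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"arg70techsdk.exe"=-
"Dnubetogum"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ccelumafuxuj"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
driver::
MEMSWEEP2
"""

# Lines from the ComboFix log in post #30 that echo the script's effects (trimmed excerpt).
COMBOFIX_LOG = r"""Command switches used :: c:\documents and settings\Ian\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\35.tmp"
.
((((((( Drivers/Services )))))))
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
Completion time: 2011-04-24 18:36:08 - machine was rebooted
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # e.g. "File::", "driver::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # "[key]" or "[-key]" (delete)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')      # "name"=data, "-" means delete

FORMATS = {
    "delete_file": "delete file {1}",
    "remove_driver": "remove driver/service {1}",
    "delete_key": "delete key {1}",
    "delete_value": "delete value {2} under {1}",
    "set_value": "set value {2} = {3} under {1}",
    "unlock_key": "unlock key {1}",
}


def parse_cfscript(text):
    """Translate a CFScript into a list of intended actions (tuples).

    Assumed directive semantics (documented CFScript behaviour): File:: deletes
    each listed file; driver:: removes the named service; RegLock:: unlocks a
    key; under Registry::, "[-key]" deletes the key, '"name"=-' deletes a value
    and any other '"name"=data' sets it. Other sections are ignored.
    """
    actions, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1).lower(), None
        elif section == "file":
            actions.append(("delete_file", line))
        elif section == "driver":
            actions.append(("remove_driver", line))
        elif section == "reglock" and (m := KEY_RE.match(line)):
            actions.append(("unlock_key", m.group(2)))
        elif section == "registry" and (m := KEY_RE.match(line)):
            if m.group(1) == "-":
                actions.append(("delete_key", m.group(2)))
                key = None
            else:
                key = m.group(2)
        elif section == "registry" and key and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            actions.append(("delete_value", key, name) if data == "-"
                           else ("set_value", key, name, data))
    return actions


def describe(action):
    """Human-readable one-liner for an action tuple."""
    return FORMATS[action[0]].format(*action)


def verify_against_log(actions, log):
    r"""Map each action to True/False if the log confirms it, None if it cannot.

    ComboFix echoes File:: targets under a 'FILE ::' header and removed services
    as '-------\Service_<name>'. Registry edits are not echoed in the main log,
    so they come back as None: check the quarantine listing or the registry.
    """
    lines = [l.strip() for l in log.splitlines()]
    files, in_block = set(), False
    for line in lines:
        if line == "FILE ::":
            in_block = True
        elif in_block and line.startswith('"') and line.endswith('"'):
            files.add(line[1:-1].lower())
        else:
            in_block = False
    removed = {l[len("-------\\"):] for l in lines if l.startswith("-------\\")}
    report = {}
    for action in actions:
        if action[0] == "delete_file":
            report[describe(action)] = action[1].lower() in files
        elif action[0] == "remove_driver":
            report[describe(action)] = f"Service_{action[1]}" in removed
        else:
            report[describe(action)] = None
    return report


if __name__ == "__main__":
    acts = parse_cfscript(CFSCRIPT)
    for line, ok in verify_against_log(acts, COMBOFIX_LOG).items():
        print({True: "confirmed", False: "NOT FOUND", None: "not in log"}[ok], "-", line)
```

Reading the action list before dragging a script onto ComboFix.exe is the point: it makes explicit that this particular script re-enables firewall notifications, removes a firewall exception for sessmgr.exe, strips several random-named Run entries and pulls the MEMSWEEP2 driver, so the later log lines `-------\Service_MEMSWEEP2` and the quoted `FILE ::` target can be matched against what was asked for rather than read in isolation.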
Old 04-24-2011, 11:55 AM   #31
TSF-Emeritus
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
__________________

amateur is offline  
Old 04-24-2011, 12:07 PM   #32
Registered Member
 
Join Date: Apr 2011
Posts: 24
OS: XP sp3



2011-04-24 17:29:38 . 2011-04-24 17:29:38 2,434 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_MEMSWEEP2.reg.dat
2011-04-24 17:29:38 . 2011-04-24 17:29:38 1,232 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MEMSWEEP2.reg.dat
2011-04-24 17:22:37 . 2011-04-24 17:22:37 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-04-24 12:05:46 . 2011-04-24 12:05:46 0 ----a-w- C:\Qoobox\Quarantine\Replicators\Replicator_2.txt
2011-04-24 12:04:54 . 2011-04-24 12:04:54 2,492 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_mnixl.reg.dat
2011-04-24 12:04:54 . 2011-04-24 12:04:54 1,056 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MNIXL.reg.dat
2011-04-24 12:03:37 . 2011-04-24 12:18:29 57,598 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2011-04-24_13.03.33.zip
2011-04-24 07:36:31 . 2011-04-24 07:36:31 2,040 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{33691AFF-9ABF-4278-BDB6-902EE07D9237}.reg.dat
2011-04-24 07:36:31 . 2011-04-24 07:36:31 2,052 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{0B8565BA-BAD5-4732-B122-5FD78EFC50A9}.reg.dat
2011-04-24 07:36:31 . 2011-04-24 07:36:31 1,268 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 42710.reg.dat
2011-04-24 07:36:30 . 2011-04-24 07:36:30 1,240 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 42700.reg.dat
2011-04-24 07:36:30 . 2011-04-24 07:36:30 1,228 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 240.reg.dat
2011-04-24 07:36:30 . 2011-04-24 07:36:30 1,308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 10190.reg.dat
2011-04-24 07:36:30 . 2011-04-24 07:36:30 1,280 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 10180.reg.dat
2011-04-24 07:36:30 . 2011-04-24 07:36:30 1,854 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Native Instruments Service Center.reg.dat
2011-04-24 07:36:30 . 2011-04-24 07:36:30 1,830 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Native Instruments Guitar Rig 3.reg.dat
2011-04-24 07:35:58 . 2011-04-24 07:35:58 540 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-mshost.reg.dat
2011-04-24 07:35:57 . 2011-04-24 07:35:57 580 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Microsoft Driver Setup.reg.dat
2011-04-24 07:35:57 . 2011-04-24 07:35:57 604 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Dnubetogum.reg.dat
2011-04-24 07:35:57 . 2011-04-24 07:35:57 610 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Ccelumafuxuj.reg.dat
2011-04-24 07:35:22 . 2011-04-24 07:35:22 138 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat
2011-04-24 07:21:46 . 2011-04-24 17:29:20 8,167 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-04-24 07:05:05 . 2011-04-24 17:21:52 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-04-23 07:17:25 . 2011-04-23 07:17:25 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oregen.exe.vir
2011-04-23 07:13:42 . 2011-04-23 07:13:42 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jcodj.exe.vir
2011-04-23 07:02:04 . 2011-04-23 07:02:04 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nservn.exe.vir
2011-04-23 06:11:02 . 2011-04-23 06:11:02 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xteryg.exe.vir
2011-04-23 06:11:01 . 2011-04-23 06:11:01 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pteryp.exe.vir
2011-04-23 06:10:59 . 2011-04-23 06:10:59 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\awina.exe.vir
2011-04-23 06:10:59 . 2011-04-23 06:10:59 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pteryo.exe.vir
2011-04-23 06:10:56 . 2011-04-23 06:10:56 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\uolmt.exe.vir
2011-04-23 06:10:53 . 2011-04-23 06:10:53 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lnixk.exe.vir
2011-04-23 05:00:42 . 2011-04-23 05:00:42 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dnixs.exe.vir
2011-04-23 05:00:40 . 2011-04-23 05:00:40 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wregef.exe.vir
2011-04-23 05:00:39 . 2011-04-23 05:00:39 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\rwina.exe.vir
2011-04-23 05:00:38 . 2011-04-23 05:00:38 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nservm.exe.vir
2011-04-23 04:35:43 . 2011-04-23 04:35:43 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wservv.exe.vir
2011-04-23 03:54:24 . 2011-04-23 03:54:24 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yteryx.exe.vir
2011-04-23 03:54:17 . 2011-04-23 07:33:24 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\uolme.exe.vir
2011-04-23 03:54:16 . 2011-04-23 03:54:16 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\bcodb.exe.vir
2011-04-23 03:53:02 . 2011-04-23 04:25:45 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wregev.exe.vir
2011-04-23 03:50:35 . 2011-04-23 03:50:35 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gteryg.exe.vir
2011-04-22 09:38:28 . 2011-04-22 09:38:28 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mnixl.exe.vir
2011-04-21 20:21:11 . 2011-04-21 20:21:11 11,264 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\lonerty.dll.vir
2011-04-20 15:21:34 . 2011-04-20 15:21:34 5,954 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Local Settings\Application Data\{DCE9F7E0-3E5C-4F7C-8FDA-23BC00F6A8C4}\chrome\content\overlay.xul.vir
2011-04-20 15:21:34 . 2011-04-20 15:21:34 2,130 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Local Settings\Application Data\{DCE9F7E0-3E5C-4F7C-8FDA-23BC00F6A8C4}\chrome\content\_cfg.js.vir
2011-04-20 15:21:34 . 2011-04-20 15:21:34 764 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Local Settings\Application Data\{DCE9F7E0-3E5C-4F7C-8FDA-23BC00F6A8C4}\install.rdf.vir
2011-04-20 15:21:33 . 2011-04-20 15:21:33 122 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Local Settings\Application Data\{DCE9F7E0-3E5C-4F7C-8FDA-23BC00F6A8C4}\chrome.manifest.vir
2011-01-05 18:58:20 . 2011-01-05 18:58:20 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Application Data\Ekom\idaxa.tmp.vir
2011-01-04 14:00:51 . 2011-01-04 14:00:51 176,128 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Application Data\Laur\ypax.exe.vir
2010-04-30 17:38:56 . 2010-04-30 17:38:56 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Application Data\Pugeo\qaihu.luw.vir
2009-09-14 11:57:44 . 2011-04-23 13:59:22 1,242,448 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Steam\steam.exe.vir
2004-08-04 12:00:00 . 2009-12-29 10:45:48 361,344 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\tcpip.sys.vir
JCTJennings is offline  
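The Qoobox block above is the record of what ComboFix removed, and a helper reads it by eye: a run of same-size executables with throwaway names dropped into system32, a few zero-byte stubs of the same pattern, a quarantined network driver, and a folder of registry exports. The script below makes that reading explicit. It is an added example, not part of the thread and not something ComboFix does; the sample lines are a verbatim subset of the listing above, and the thresholds (a cluster is three or more same-size executables, a "random" name is 4 to 7 lowercase letters) are assumptions chosen to fit what this log shows.

```python
"""Triage the Qoobox quarantine block of a ComboFix log.

Added example, not part of the thread and not a ComboFix feature. Line format
(as in the listing above):  <created> . <modified> <size> <attrs> <path>
Files ComboFix removed live under C:\\Qoobox\\Quarantine\\<drive>\\<original>.vir;
registry keys it removed are saved as .reg exports under Registry_backups.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

QUARANTINE = "C:\\Qoobox\\Quarantine\\"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"([\d,]+) (\S+) (.+)$")
# Assumption: the dropper names in this log are 5-6 lowercase letters; allow 4-7.
RANDOM_NAME = re.compile(r"^[a-z]{4,7}\.exe$")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    path: str

    @property
    def kind(self):
        if self.path.startswith(QUARANTINE + "Registry_backups\\"):
            return "regbackup"
        return "file" if self.path.lower().endswith(".vir") else "other"

    @property
    def original(self):
        """...\\Quarantine\\C\\WINDOWS\\x.exe.vir  ->  C:\\WINDOWS\\x.exe"""
        if self.kind != "file":
            return None
        rel = self.path[len(QUARANTINE):-len(".vir")]   # 'C\WINDOWS\x.exe'
        return rel[0] + ":" + rel[1:]


def parse_listing(text):
    entries = []
    for ln in text.splitlines():
        m = LINE_RE.match(ln.strip())
        if m:
            size = int(m.group(3).replace(",", ""))
            entries.append(Entry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return entries


def triage(entries, min_cluster=3):
    """clusters: same-size, randomly named .exe files quarantined from system32
    (one dropper written out under many names); stubs: zero-byte copies of the
    same pattern; drivers: anything quarantined from a \\drivers\\ folder, which
    needs a separate look (a replaced network driver is not a plain delete);
    regbackups: the .reg exports that 'Regedit <file>' would merge back."""
    by_size, stubs, drivers = defaultdict(list), [], []
    for e in entries:
        if e.kind != "file":
            continue
        folder, _, name = e.original.rpartition("\\")
        folder = folder.lower()
        if folder.endswith("\\system32") and RANDOM_NAME.match(name):
            (stubs if e.size == 0 else by_size[e.size]).append(e.original)
        if "\\drivers" in folder:
            drivers.append(e.original)
    return {
        "clusters": {s: p for s, p in by_size.items() if len(p) >= min_cluster},
        "stubs": stubs,
        "drivers": drivers,
        "regbackups": [e.path.rpartition("\\")[2] for e in entries if e.kind == "regbackup"],
    }


# A subset of the lines from the log above, verbatim.
SAMPLE = r"""
2011-04-24 12:04:54 . 2011-04-24 12:04:54 2,492 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_mnixl.reg.dat
2011-04-24 07:35:58 . 2011-04-24 07:35:58 540 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-mshost.reg.dat
2011-04-23 07:17:25 . 2011-04-23 07:17:25 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oregen.exe.vir
2011-04-23 07:02:04 . 2011-04-23 07:02:04 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nservn.exe.vir
2011-04-23 06:11:02 . 2011-04-23 06:11:02 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xteryg.exe.vir
2011-04-23 06:10:53 . 2011-04-23 06:10:53 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lnixk.exe.vir
2011-04-23 05:00:42 . 2011-04-23 05:00:42 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dnixs.exe.vir
2011-04-22 09:38:28 . 2011-04-22 09:38:28 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mnixl.exe.vir
2011-04-21 20:21:11 . 2011-04-21 20:21:11 11,264 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\lonerty.dll.vir
2011-01-04 14:00:51 . 2011-01-04 14:00:51 176,128 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ian\Application Data\Laur\ypax.exe.vir
2009-09-14 11:57:44 . 2011-04-23 13:59:22 1,242,448 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Steam\steam.exe.vir
2004-08-04 12:00:00 . 2009-12-29 10:45:48 361,344 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\tcpip.sys.vir
"""

if __name__ == "__main__":
    report = triage(parse_listing(SAMPLE))
    for size, paths in report["clusters"].items():
        print("%d copies of a %d-byte executable quarantined from system32:" % (len(paths), size))
        for p in paths:
            print("   ", p)
    print("zero-byte stubs:", report["stubs"])
    print("quarantined drivers:", report["drivers"])
    print("registry backups to review before merging:", report["regbackups"])
```

Run over the complete listing above instead of the subset, the same grouping collects the thirteen 18,944-byte copies and the seven zero-byte stubs into two lines of output, and leaves steam.exe, the Firefox extension files and tcpip.sys standing apart, which is the separation the later posts in the thread have to make by hand.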
Old 04-24-2011, 12:40 PM   #33
Click on Start > Run, copy and paste the following line, and press Enter:

Regedit "C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 42710.reg.dat"

Repeat the same for each of the following lines, one at a time:


Regedit "C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 42700.reg.dat"
Regedit "C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 240.reg.dat"
Regedit "C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 10190.reg.dat"
Regedit "C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 10180.reg.dat"
Regedit "C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat"


========================

Then run Combofix again with the following Script:
  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won’t work.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Word Wrap is unchecked.
Code:
FCOPY::
C:\Qoobox\Quarantine\C\Program Files\Steam\steam.exe.vir | C:\Program Files\Steam\Steam.exe

Ignore::
C:\Program Files\Steam\steam.exe

DirLook::
C:\f46f6218389c5b5ea07c40cf9d
File::
c:\windows\Rheruzitohapuveb.bin
Reboot::
Save this as CFScript.txt on your Desktop.



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
amateur is offline  
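The Regedit step above merges files out of C:\Qoobox\Quarantine\Registry_backups back into the registry. That folder holds the backups of the Steam entries next to backups of the removed autostart entries (Service_mnixl.reg.dat, MSConfigStartUp-mshost.reg.dat in the listing), and "Regedit <file>" will merge any of them just as willingly. The check a practitioner wants before merging one is therefore: which keys does this file recreate, and does any of them start a binary that is itself sitting in quarantine? The script below is an added example, not from the thread and not part of ComboFix; the three .reg bodies are constructed approximations of what such backups contain (the real files were not posted), and the autostart key list and the quarantined set are assumptions drawn from the listing above.

```python
"""Check a ComboFix Registry_backups *.reg.dat file before merging it with Regedit.

Added example, not from the thread and not part of ComboFix. Verdicts:
'safe' (no autostart key recreated), 'review' (recreates an autostart entry),
'do-not-merge' (the autostart entry would launch a file that is in quarantine).
"""
import re
from dataclasses import dataclass, field

# Autostart locations a merge could re-arm (assumed list, prefix match).
AUTOSTART_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\",
)
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys))', re.I)
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


@dataclass
class RegKey:
    path: str
    delete: bool = False                 # written as [-HKEY_...] in the file
    values: dict = field(default_factory=dict)


def _unescape(s):                        # .reg strings escape \ and " with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export: [key] / [-key] headers, "name"=value lines, hex continuations."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg export")
    utf16 = lines[0].strip().endswith("5.00")   # 5.00 files store hex(2)/hex(7) as UTF-16LE
    logical, buf = [], ""
    for ln in lines[1:]:
        buf += ln.strip()
        if buf.endswith("\\"):                   # hex data continued on the next line
            buf = buf[:-1]
            continue
        logical.append(buf)
        buf = ""
    keys, cur = [], None
    for ln in logical:
        if not ln or ln.startswith(";"):
            continue
        m = re.match(r"^\[(-?)(.+)\]$", ln)
        if m:
            cur = RegKey(m.group(2), delete=bool(m.group(1)))
            keys.append(cur)
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', ln)
        if not (m and cur):
            raise ValueError("unparsed line: %r" % ln)
        name, raw = _unescape(m.group(1) or ""), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            val = _unescape(raw[1:-1])
        elif raw.startswith("dword:"):
            val = int(raw[6:], 16)
        elif raw.startswith("hex"):              # hex, hex(2)=REG_EXPAND_SZ, hex(7)=REG_MULTI_SZ ...
            kind, body = raw.split(":", 1)
            data = bytes(int(b, 16) for b in body.split(",") if b)
            if kind in ("hex(2)", "hex(7)"):
                val = data.decode("utf-16-le" if utf16 else "latin-1").rstrip("\0")
            else:
                val = data
        else:
            val = raw
        cur.values[name] = val
    return keys


def is_autostart(key_path):
    p = key_path.lower()
    return any(p.startswith(a.lower()) for a in AUTOSTART_PREFIXES)


def assess_backup(reg_text, quarantined):
    """quarantined: lower-cased original paths of files now in Qoobox (from the listing)."""
    verdict, reasons = "safe", []
    for k in parse_reg(reg_text):
        if k.delete or not is_autostart(k.path):
            continue                              # deletions and non-autostart keys cannot re-arm anything
        binaries = [b.lower() for v in k.values.values() if isinstance(v, str)
                    for b in PATH_RE.findall(v)]
        hits = [b for b in binaries if b in quarantined]
        if hits:
            verdict = "do-not-merge"
            reasons.append("%s would start quarantined file %s" % (k.path, hits[0]))
        else:
            verdict = "review" if verdict == "safe" else verdict
            reasons.append("%s is an autostart location" % k.path)
    return verdict, reasons


# Assumed set: original paths of files still in Qoobox, taken from the listing above.
QUARANTINED = {
    "c:\\windows\\system32\\mnixl.exe",
    "c:\\windows\\system32\\nservn.exe",
    "c:\\documents and settings\\ian\\application data\\laur\\ypax.exe",
}
# Constructed approximations of three of the backups listed above (not the real files).
HKCU_RUN_STEAM = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
'''
ADDREMOVE_STEAM_42710 = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 42710]
"DisplayName"="Steam App 42710"
"UninstallString"="\"C:\\Program Files\\Steam\\steam.exe\" steam://uninstall/42710"
'''
SERVICE_MNIXL = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnixl]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,6e,00,69,00,\
  78,00,6c,00,2e,00,65,00,78,00,65,00,00,00
'''

if __name__ == "__main__":
    for label, body in (("HKCU-Run-Steam", HKCU_RUN_STEAM),
                        ("AddRemove-Steam App 42710", ADDREMOVE_STEAM_42710),
                        ("Service_mnixl", SERVICE_MNIXL)):
        verdict, reasons = assess_backup(body, QUARANTINED)
        print("%-28s %-13s %s" % (label, verdict, "; ".join(reasons)))
```

The AddRemove backups come out "safe" (an Uninstall key starts nothing), the HKCU Run entry comes out "review" (it is an autostart, but Steam.exe is back in place), and the service backup comes out "do-not-merge" because its ImagePath is one of the quarantined system32 copies. The quarantined set is what the listing parser from the earlier example produces; here it is spelled out as a literal so the script stands alone.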
Old 04-24-2011, 12:43 PM   #34
Amateur, is this to restore Steam? If so, I re-downloaded and installed it.

I re-enabled MS Security essentials beforehand. I hope I haven't done wrong.
JCTJennings is offline  
Old 04-24-2011, 12:56 PM   #35
Yes, it mostly was. You can ignore that post then. Is Steam working fine now? How is the computer running?

You can just navigate to and delete this file:
c:\windows\Rheruzitohapuveb.bin

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@ECHO OFF
REM PEV is the pev.exe utility ComboFix installs; write a listing of the folder to Logit.txt
PEV -tf "C:\f46f6218389c5b5ea07c40cf9d" >Logit.txt
REM Open the listing in Notepad, then delete this batch file
START Logit.txt
DEL %0
Save this Notepad file as look.bat, choose Save as type: All Files, then close Notepad.
It should look like this:

Double-click on look.bat to run it. It will produce a text file. Please post the content of the text file.

=====================

I am still trying to get an online scan though. Let's see if this works for you:

FREE ANTIVIRUS online: ActiveScan 2.0 - PANDA SECURITY

Follow the prompts. When completed, click on Export (upper right corner) to save the log.

Post the contents of the activescan.txt
amateur is offline  
Old 04-24-2011, 01:04 PM   #36
Hi Amateur,

The computer is running OK.

I executed look.bat. It produced a notepad window titled Logit.txt, it was completely empty.

I'll do the Panda scan later on if that's OK, so I can play my CSS matches.
JCTJennings is offline  
Old 04-24-2011, 01:10 PM   #37
Quote:
I executed look.bat. It produced a notepad window titled Logit.txt, it was completely empty.
It's an empty folder then. You can delete that too.

C:\f46f6218389c5b5ea07c40cf9d

Quote:
I'll do the Panda scan later on if that's OK, so I can play my CSS matches.
I guess I'll have to wait.
amateur is offline  
Old 04-24-2011, 01:14 PM   #38
Quote:
Originally Posted by amateur View Post

I guess I'll have to wait.
Aww...I feel bad now!
I'll donate ten dollars to TSF - if you clear my virus - as an olive branch. :)
JCTJennings is offline  
Old 04-24-2011, 01:26 PM   #39
OK...... ten dollars for each bad file! ....... just kidding!
amateur is offline  
Old 04-24-2011, 11:58 PM   #40
Hi,

Also, please do me a favor. It will help the author of ComboFix understand why Steam was targeted on your machine, as ComboFix doesn't normally target this application.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
REM Add each quoted path to SubmitThis.zip in the current folder (your Desktop, when run from there)
For %%g in (
"C:\Qoobox\Quarantine\C\Program Files\Steam\steam.exe.vir"
) do zip SubmitThis %%g
pause
REM Delete this batch file once the archive is written
del %0

Save this as Submit.bat and choose "Save as type: All Files".

It should look like this:

Double-click on Submit.bat and allow it to run.

This will generate a zipped file on your desktop called "SubmitThis". Please go to this page:

Bleeping Computer - Computer Help and Discussion

Click the browse button and browse to the "SubmitThis" file on your desktop and upload it.

Kindly include the link below in the message and let me know when it's successfully uploaded:

https://www.techsupportforum.com/forums/f50/browser-redirects-and-win-upd-blocked-568060.html#post3234938
amateur is offline  