google links hijacked

December 19, 2009 at 11:26:29
Specs: Windows XP SP3

Hello,
I'm currently having a problem with Google because all the results are redirected to websites that aren't related in any way! I don't know if it's related, but my computer browsers (Firefox and IE) have gotten slower. When I restart the computer, the process is also slow. I've updated Ad-Aware and scanned the computer. I found 76 critical objects. I cleaned everything. I also unchecked the 3rd party cookies option in Firefox. Nothing has changed.

I really hope you can help me. Thanks in advance


#1
December 19, 2009 at 14:06:14

For anyone out there thinking about helping me, I'm already running Kaspersky Virus Removal Tool (it's actually running right now; if you think I'm crazy because I'm using the internet while running the scan, I'm actually using the second computer at my place). The scan already found a trojan, but I couldn't really read what kind or where because it's still running and I don't have the log...
again, please HELP!

#2
December 19, 2009 at 16:00:38

It sounds like a typical rootkit attack. They latch on to the browser and attempt to redirect you through to third party sites. Sometimes these can disable your anti virus so it might not allow you to fix the problem directly.

Are you getting the redirect on all browsers?

It can be quite tricky to remove. Have you tried using Malwarebytes? From what I've heard, Malwarebytes is capable of removing it at the source

http://www.malwarebytes.org/

Check that out and see if it fixes it.

#3
December 19, 2009 at 19:20:59

If Malwarebytes does not help, run the following scans and post their results.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch the program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

#4
December 20, 2009 at 01:22:57

Thanks for the help!! I ran Malwarebytes and it detected 9 things (I can post that log if you want). I removed everything. Google worked for about 10 minutes without problem, then it started to redirect me to other websites again. I downloaded the 2 other scans (rsit.exe and gmer). RSIT opens and a window that reads "running hijack this" pops up, but I think it gets stuck when it hits 3 green bars. I've tried downloading again and it keeps doing the same (should I try a different link for the software?). GMER is running right now and it seems to be working. Once it's finished, I will post the logs for the GMER results. Any suggestion about RSIT.exe? Thanks again!

#5
December 20, 2009 at 04:41:12

You may need to download it to a USB drive or CD and run it on the infected computer, but first try to run it from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

If nothing happens or if the tool does not run, please let me know in your next reply.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

#6
December 20, 2009 at 09:44:40

Dear Jabuck:

I'm posting here the logs from the Malwarebytes scan. I ran it twice, first a full scan (the computer worked fine for about 10 minutes) and then a quick scan. (Read at the bottom for what happened when I ran GMER.)


Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/20/2009 3:01:04 AM
mbam-log-2009-12-20 (03-00-43).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 449643
Time elapsed: 2 hour(s), 29 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\Documents and Settings\Pedro Javier\Local Settings\Temp\rngehq.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1416\A0198652.dll (Malware.Packer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1417\A0200449.dll (Malware.Packer) -> No action taken.

THIS IS THE LOG FROM THE QUICK SCAN On malwarebytes (2nd time)

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/20/2009 3:51:31 AM
mbam-log-2009-12-20 (03-51-26).txt

Scan type: Quick Scan
Objects scanned: 172988
Time elapsed: 26 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\Documents and Settings\Pedro Javier\Local Settings\Temp\rngehq.dll (Malware.Packer) -> No action taken.

After all of that did NOT work (I removed everything as recommended by Malwarebytes), I proceeded to run RSIT.exe and GMER (as I said in my prior posting, RSIT could NOT run). GMER started to scan just fine, but after 20 minutes or so I started to get popups saying "windows writing delayed" or windows of the sort with an "OK" button to click on. After a few of those, the computer went BLUE. I restarted the computer and ran GMER again, and it happened again. This is the message that I get on the blue screen (or at least the most important part of the message):

IRQL_NOT_LESS_OR_EQUAL

technical information:
STOP: 0x0000000A (0xFFFFFF94, 0x00000002, 0x00000000x, 0x804FD672)


What should I do now? Try to run the two scans from your last posting? Thanks again

#7
December 20, 2009 at 09:47:00

By the way, I only get the system screens/windows (even the blue screen) if I'm running GMER. Right now the computer has been restarted and on without any of those windows for about 30 minutes already.

#8
December 20, 2009 at 10:06:59

Since you had to restart the computer, please run Rkill again, and if you have to restart the computer again, run Rkill after the restart, as the baddies reinstall on restart.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

#9
December 20, 2009 at 10:39:32

This is the log from exeHelper. I can NOT locate the log from Rkill. The first time it ran, I could see processes being scanned in the DOS window. After that, the whole program disappeared. I tried to "search" my C drive for the folder but could only find the original folder with the program on the desktop. This is the log from exeHelper:

exeHelper by Raktor
Build 20091220
Run at 13:09:06 on 12/20/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


I'm going to do the hijack this now!!
thanks again

#10
December 20, 2009 at 10:40:44

Every single time I try to re-run Rkill, the DOS window starts and the program says "to be patient", then it disappears. :(

#11
December 20, 2009 at 10:44:05

That is all it should do.

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

#12
December 20, 2009 at 10:45:57

Hi again!! Thanks for helping me this much! This is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:13 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Bandoo\Bandoo.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pedro Javier\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srch...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=mi...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=mi...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=mi...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Bandoo IE Plugin - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=032605 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HornetMonitor] C:\Program Files\Common Files\Hornet\MntrHrnt.exe
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Messenger (Yahoo!)] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bandoo Coordinator - Discordia Limited - C:\PROGRA~1\Bandoo\Bandoo.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13960 bytes
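The two logs posted in this thread (the HijackThis scan above and the Malwarebytes logs in #6) are plain text, so a responder can pre-screen them instead of reading every line. The following is an added example written for this thread, not code from HijackThis, Malwarebytes or the forum helpers: it flags the load points that matter most (BHOs/toolbars whose file is missing, Run entries with an unqualified executable name, the AppInit_DLLs and Winlogon Notify hooks, URLSearchHook entries) and reads the Security Center "DisableNotify" values out of the MBAM log. The sample inputs are constructed from lines quoted in this thread; the category names and notes are my own.

```python
"""Pre-screen HijackThis and Malwarebytes (MBAM) log text for a malware-removal thread.

Added example; the rules and category names are this script's own heuristics,
not output of either tool. A finding means "look here first", not "this is malicious".
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # triage category (this script's own naming)
    line: str   # the log line that triggered it
    note: str   # why a responder should look at it


# HijackThis sections that register a DLL/EXE which IE or Explorer will load.
_LOADPOINTS = ("O2 - BHO:", "O3 - Toolbar:", "O9 - Extra")
# O4 - HKLM\..\Run: [Name] <command>   (HKLM or HKCU)
_RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.+)$")
_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: ")
_HOOK_RE = re.compile(r"^R3 - URLSearchHook: ")
# MBAM "Registry Data Items Infected" line for a Security Center notification value.
_MBAM_SC_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\(\w+) "
    r"\(Disabled\.SecurityCenter\) -> Bad: \((\d)\) Good: \((\d)\)"
)


def _command_path(cmd: str) -> str:
    """Executable part of a Run-key command: the quoted token, or the first bare token."""
    cmd = cmd.strip().lstrip("~")  # HijackThis prefixes some entries with '~'
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_hijackthis(text: str) -> list[Finding]:
    """Return findings for the HijackThis lines worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(_LOADPOINTS) and line.endswith(("(no file)", "(file missing)")):
            findings.append(Finding("orphaned-registration", line,
                "registered module is no longer on disk; leftover of a removed component, "
                "verify the CLSID before deleting the entry"))
        elif (m := _RUN_RE.match(line)):
            exe = _command_path(m.group(1))
            if "\\" not in exe and "%" not in exe:  # no directory at all
                findings.append(Finding("unqualified-run-entry", line,
                    f"'{exe}' has no directory; Windows resolves it through the PATH "
                    "search order, so confirm which file actually runs"))
        elif _APPINIT_RE.match(line):
            findings.append(Finding("appinit-dll", line,
                "AppInit_DLLs is loaded into every process that loads user32.dll; "
                "a classic persistence and browser-hooking location"))
        elif _NOTIFY_RE.match(line):
            findings.append(Finding("winlogon-notify", line,
                "DLL loaded by winlogon.exe at logon; confirm the vendor and path"))
        elif _HOOK_RE.match(line):
            findings.append(Finding("url-search-hook", line,
                "URLSearchHook rewrites address-bar input that is not a full URL; "
                "third-party hooks commonly divert searches"))
    return findings


def security_center_notifications_disabled(mbam_text: str) -> list[str]:
    """Names of Security Center notification values MBAM reported as tampered (Bad != Good).

    A value of 1 silences the "antivirus/firewall is off" warning, which is what the
    AntiVirusDisableNotify / FirewallDisableNotify lines in #6 show."""
    out = []
    for line in mbam_text.splitlines():
        m = _MBAM_SC_RE.match(line.strip())
        if m and m.group(2) != m.group(3):
            out.append(m.group(1))
    return out


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=mi...
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
"""
SAMPLE_MBAM = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT):
        print(f"[{f.kind}] {f.line}\n    {f.note}")
    print("Security Center warnings silenced:", security_center_notifications_disabled(SAMPLE_MBAM))
```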

#13
December 20, 2009 at 11:13:19

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 17 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.

Please download ComboFix from your internet explorer browser rather than Firefox if possible

Remember, your McAfee antivirus, or whatever AV you have, and any anti-spyware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

#14
December 20, 2009 at 11:35:35

Hi again!! I'm removing the Java software using Add/Remove Programs. There are two that do NOT have the coffee-cup icon next to them (they have the computer monitor and the little CD icon). The names are Java 2 Runtime Environment, SE v1.4.2_03 and Java 2 Runtime Environment, SE v1.4.2_06.

should I erase these 2 as well? Sorry for asking so many questions... thanks again

#15
December 20, 2009 at 11:58:42

I figured that if I am going to install new java software, I probably have to get rid of all the older ones. I removed those 2 as well... I hope I didn't make a mistake

#16
December 20, 2009 at 12:16:26

Hello again, it's been 20 minutes since I started to execute the new Java installation. A window popped up and I clicked "run", then the window disappeared. How or when will I know if Java was installed properly? Thanks again

#17
December 20, 2009 at 12:32:43

I tried opening an IE window to continue with the other steps and I only got a Runtime Error, which makes me think that Java did NOT install correctly. What should I do to make sure that the installation worked right? I then proceeded to try javatester.org on Firefox (the browser that seems to be working) and I got this message:
Browswer has Java Disabled
Click here to download plugin.

any idea how to proceed from here? thank you again for your time and help

#18
December 20, 2009 at 12:41:40

You might try navigating to and renaming the following file. Rename it to MISEXEC.old

Navigate to:

C:\Windows\System32\msiexec.exe

Rename it, do not delete it. Then try executing the downloaded java you have on your desktop.

#19
December 20, 2009 at 13:03:37

Thanks again! I just did that. I renamed the file and then double-clicked on the downloaded Java. Just like before, the window popped up and I clicked on "run". The window disappeared.

:(

Any other suggestion? I cannot begin to thank you for your time and knowledge!!



#20
December 20, 2009 at 13:22:21

I tried javatester.org again and I got the same result I did before. Should I restart the computer and download Java again?


#21
December 20, 2009 at 13:35:47

I believe you have to have Java 6 Update 7 or earlier for the updater to work, now that you deleted your other Java versions first. Go to the following site and download Java's JRE 6 Update 7:

Java Updates

See if you can install it.



#22
December 20, 2009 at 13:39:31

Quick question: should I undo what I did here first?
Rename msiexec.old to msiexec.exe?



#23
December 20, 2009 at 13:47:14

I used the link and it took me exactly where I had been before downloading the first Java. I made the same selection (Windows, multilanguage was selected by default) and then I chose "Windows Offline Installation". Once downloaded, I double-clicked, the window with the "Run" button popped up and I clicked it. The same thing: it disappeared. Should I try the "Windows Online Installation" instead?
Thanks again!!!


#24
December 20, 2009 at 13:59:50

Yes, try that; it may work. Delete those Java downloads on your desktop.


#25
December 20, 2009 at 14:10:47

When I try to delete the downloaded Java files, I get a message that says:
"Error deleting file or folder"
"Cannot delete jre-6u17-windows-i586: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."


Should I restart the computer??



#26
December 20, 2009 at 14:13:05

By the way, the online installation did NOT work either...

:( :(

I thought it would be easier to get rid of whatever is hijacking Google links... I'm sorry it's taking so much time... thanks again...

Should I restore the system to get back the Java software I had installed before removing all the versions?



#27
December 20, 2009 at 14:41:10

Before doing that, go to C:\windows\system32\msiexec.old, rename it msiexec.exe and try the online install again.


#28
December 20, 2009 at 14:43:24

Sorry... I had been waiting, and the second your message was posted is when I hit restart on my computer... I feel I'm making every single mistake along the way.



#29
December 20, 2009 at 14:44:40

I have not restored anything yet though!


#30
December 20, 2009 at 14:50:30

I restarted, and I was able to delete the downloaded Java files. I went to msiexec on C: and I found two of them. One has the extension .old, the other is an executable. What should I do with them? Delete them and try the whole download process again from the very beginning, as in "response number 13"?
Thanks again.


#31
December 20, 2009 at 15:10:11

Did Java install? Do not rename the file if you were able to download Java. Go to Start > Control Panel and see if Java has an icon there.


#32
December 20, 2009 at 15:12:42

Thanks again... it does NOT have an icon in Control Panel!!
Do you think I could try the installation again? My question is whether I should get rid of those msiexec files before I attempt to install again.


#33
December 20, 2009 at 15:26:06

Try the install again without renaming the files. One of the downloads replaced the installer file as it should.

What you need is an installer file for Java 6 Update 7. The Java Updates link in response #21 takes me to the JRE 6 Update 7 download site as it should. Once you install that version of Java, the newest version should install.

If you are seeing Java 6 Update 17 (newest version) at the link I posted, then do a Google search for the Java JRE 6 Update 7 download, install it, then try to install the new version.



#34
December 20, 2009 at 15:48:13

It did NOT work. The same thing happened. I searched for other downloads. It didn't work either. Should I try to restore the computer to the point when I had the Java software? Will it be restored through System Restore? I'm sorry this is becoming a headache!!


#35
December 20, 2009 at 16:09:44

Can't hurt to try; it does not look like we are getting anywhere.


#36
December 20, 2009 at 16:45:24

It seems to be installing FINE now! I'm going to continue with the steps listed in response 13, right?
thanks again


#37
December 20, 2009 at 16:59:42

Java Version: 1.6.0_17 from Microsystems Inc. is installed and working on my computer. I will proceed with the other steps listed in response 13.
thanks again


#38
December 20, 2009 at 17:54:11

Ok, ready when you are.


#39
December 20, 2009 at 20:18:09

Hi again!! I ran ComboFix. After that, the program said that there was activity in my rootkit and that ComboFix was going to restart. It restarted. It scanned the whole thing and said it was going to reboot by itself. It did. The computer restarted and the ComboFix window popped up once again. This time I read "Preparing Log Report - Do not start any program until combofix has finished". Then, all of a sudden, an error window popped up. It says: "Internal Error occurred in the initialization stage. The application could not be loaded. Please contact application vendor. Error N502". But it doesn't say what application the error is referring to. Anyway, it's been like 15 minutes with the blue ComboFix screen in the back with the same legend (preparing log report) and the other window in the front (Internal Error bla bla). Not sure if ComboFix is preparing the log or it's just hanging there waiting for me to click the OK button on the Internal Error window. What should I do?? Just when I thought we were getting somewhere... HELP, help, help!!
and thanks again!


#40
December 20, 2009 at 20:24:32

The Internal Error window seems to be linked to Yahoo Messenger. Now, finally, this is the log (from ComboFix):
ComboFix 09-12-20.03 - Pedro Javier 12/20/2009 22:46:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.520 [GMT -5:00]
Running from: c:\documents and settings\Pedro Javier\Desktop\Combo-Fix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~VM507.tmp
C:\~VM508.tmp
C:\~VM509.tmp
C:\~VM50A.tmp
C:\~VM50B.tmp
C:\~VM50C.tmp
C:\~VM50D.tmp
C:\~VM50E.tmp
C:\~VM50F.tmp

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 02:39 . 2009-12-21 02:39 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\WINDOWS
2009-12-21 02:39 . 2009-12-21 02:39 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\viewone
2009-12-21 02:39 . 2009-12-21 02:39 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\UserData
2009-12-21 02:39 . 2009-12-21 02:39 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Tracing
2009-12-21 02:39 . 2009-12-21 02:39 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Shared
2009-12-21 02:39 . 2009-12-21 02:39 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\removing virus
2009-12-21 01:58 . 2009-12-21 01:58 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Yahoo
2009-12-21 01:58 . 2009-12-21 01:58 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\PowerDVD
2009-12-21 01:58 . 2009-12-21 01:58 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Mozilla
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Identities
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Help
2009-12-21 01:56 . 2009-12-06 10:52 92960 ----a-w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Citrix
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Apple Computer
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Apple
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Local Settings\Application Data\Adobe
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Incomplete
2009-12-21 01:56 . 2009-12-21 01:56 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\IETldCache
2009-12-21 01:56 . 2008-11-09 23:20 61224 ----a-w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\GoToAssistDownloadHelper.exe
2009-12-21 01:52 . 2009-12-21 01:52 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\Contacts
2009-12-21 00:52 . 2009-12-21 00:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 00:47 . 2009-12-21 00:47 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.001\.limewire
2009-12-21 00:27 . 2009-12-21 00:27 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-21 00:26 . 2009-12-21 00:26 -------- d-----w- c:\program files\Common Files\Java
2009-12-20 21:32 . 2009-12-21 00:25 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\viewone
2009-12-20 21:32 . 2009-12-21 00:25 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\Tracing
2009-12-20 21:32 . 2009-12-20 21:32 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\UserData
2009-12-20 21:32 . 2009-12-21 00:25 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\Shared
2009-12-20 21:32 . 2009-12-20 21:32 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\removing virus
2009-12-20 20:53 . 2009-12-20 20:53 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\Incomplete
2009-12-20 20:53 . 2009-12-20 20:53 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\IETldCache
2009-12-20 20:52 . 2009-12-21 00:25 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\Contacts
2009-12-20 20:08 . 2009-12-20 20:09 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000\.limewire
2009-12-20 20:07 . 2009-12-21 00:26 -------- d-s---w- c:\documents and settings\HelpAssistant.PEDROJAVIER.000
2009-12-20 08:58 . 2009-12-20 08:58 -------- d-----w- c:\program files\trend micro
2009-12-20 08:58 . 2009-12-20 08:58 -------- d-----w- C:\rsit
2009-12-20 04:54 . 2009-12-20 04:54 -------- d-----w- c:\documents and settings\Pedro Javier\Application Data\Malwarebytes
2009-12-20 04:54 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 04:54 . 2009-12-20 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 04:54 . 2009-12-20 04:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 04:54 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 04:41 . 2009-12-20 18:09 -------- d-----w- c:\documents and settings\Pedro Javier\removing virus
2009-12-19 18:38 . 2009-12-19 18:38 -------- d-----w- c:\program files\Microsoft
2009-12-19 18:30 . 2009-12-19 18:30 -------- d-----w- c:\program files\SweetIM
2009-12-19 18:30 . 2009-12-19 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
2009-12-19 08:44 . 2009-12-19 08:44 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\IETldCache
2009-12-19 06:07 . 2009-12-19 06:07 -------- d-----w- c:\documents and settings\Pedro Javier\IETldCache
2009-12-19 03:21 . 2009-12-19 18:30 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\viewone
2009-12-19 03:21 . 2009-12-19 18:30 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\Tracing
2009-12-19 03:21 . 2009-12-19 03:21 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\UserData
2009-12-19 03:21 . 2009-12-19 18:30 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\Shared
2009-12-19 02:04 . 2009-12-19 02:19 -------- d-----w- c:\windows\ie8updates
2009-12-19 02:03 . 2009-12-19 02:03 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\Incomplete
2009-12-19 01:56 . 2009-12-19 18:32 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\Contacts
2009-12-19 01:33 . 2009-12-19 18:32 -------- dc----w- c:\windows\ie8
2009-12-18 23:02 . 2009-12-18 23:02 -------- d-----w- c:\documents and settings\HelpAssistant.PEDROJAVIER\.limewire
2009-12-18 23:01 . 2009-12-19 18:34 -------- d-s---w- c:\documents and settings\HelpAssistant.PEDROJAVIER
2009-12-18 21:41 . 2009-12-18 21:42 -------- d-----w- c:\documents and settings\HelpAssistant\.limewire
2009-12-18 21:41 . 2009-12-19 18:37 -------- d-s---w- c:\documents and settings\HelpAssistant
2009-12-17 01:38 . 2009-12-19 18:37 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-17 01:31 . 2009-12-17 01:31 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-12-17 01:30 . 2009-12-17 01:30 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-12-04 19:53 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-04 19:52 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-12-04 19:52 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-12-04 19:52 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-12-04 19:52 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-12-04 19:52 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-12-04 19:52 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-04 19:52 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-12-04 19:52 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-12-04 19:52 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-04 19:47 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-04 19:39 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-12-04 19:39 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 00:50 . 2004-12-28 05:40 -------- d-----w- c:\program files\Java
2009-12-20 17:37 . 2007-07-30 16:17 -------- d-----w- c:\documents and settings\Pedro Javier\Application Data\U3
2009-12-19 00:54 . 2009-09-02 23:42 -------- d-----w- c:\program files\Bandoo
2009-12-17 01:37 . 2009-07-26 17:12 -------- d-----w- c:\program files\Windows Live
2009-12-06 10:52 . 2005-01-07 17:45 92960 ----a-w- c:\documents and settings\Pedro Javier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 08:16 . 2007-03-02 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-06 08:10 . 2004-12-28 05:43 -------- d-----w- c:\program files\Microsoft Works
2009-12-01 23:21 . 2005-01-09 06:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 06:27 . 2006-02-27 19:15 -------- d-----w- c:\documents and settings\Pedro Javier\Application Data\Skype
2009-10-27 04:08 . 2006-09-10 22:52 2714 ----a-w- c:\documents and settings\Pedro Javier\Application Data\SAS7_000.DAT
2007-04-10 22:44 . 2007-04-10 22:44 3771952 ----a-w- c:\program files\SFTPMSI.exe
2005-11-21 04:50 . 2005-11-21 04:50 353381 ----a-w- c:\program files\LimeWireWin.exe
2005-08-11 17:30 . 2005-08-11 17:30 10958640 ----a-w- c:\program files\GoogleEarth.exe
2005-04-27 02:42 . 2005-04-27 02:42 513648 ----a-w- c:\program files\msgr6suite.exe
2005-04-11 21:07 . 2005-04-11 21:07 8495160 ----a-w- c:\program files\ta04stdw.exe
2005-04-03 04:53 . 2005-04-03 04:52 25166259 ----a-w- c:\program files\NV11ESD.exe
2005-02-19 20:19 . 2005-02-19 20:18 190255240 ----a-w- c:\program files\CorelDRAWGraphicsSuite12.exe
2005-01-16 07:23 . 2005-01-16 07:23 692224 ----a-w- c:\program files\vkaraoke.exe
2005-01-09 07:35 . 2005-01-09 07:35 4354084 ----a-w- c:\program files\spybotsd13.exe
2005-01-07 16:49 . 2005-01-07 16:49 6540440 ----a-w- c:\program files\MicrosoftAntiSpywareInstall.exe
2005-01-04 20:38 . 2005-01-04 20:38 2636408 ----a-w- c:\program files\aawsepersonal.exe
2005-03-20 22:06 . 2005-02-19 20:24 56 --sh--r- c:\windows\SYSTEM32\E349EF0F50.sys
2005-03-30 04:16 . 2005-02-19 20:24 1890 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-03-27 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}]
2009-08-13 07:40 1862592 ----a-w- c:\program files\Bandoo\Plugins\IE\ieplugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-03-27 18:12 1164600 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-03-27 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-03-27 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-08 180269]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-07-13 1404928]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2008-06-15 111928]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-21 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-12-28 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-28 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-5-18 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-09 22:30 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Bandoo\BndHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"1554:TCP"= 1554:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 fanio;FanIO driver;c:\windows\SYSTEM32\DRIVERS\fanio.sys [8/22/2009 5:37 PM 14464]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]
R3 VBus;Virtual Bus;c:\windows\SYSTEM32\DRIVERS\NkVBus.sys [6/17/2005 11:11 AM 17664]
S2 Ca504av;Mega Camera, WDM Video Capture;c:\windows\system32\Drivers\Ca504av.sys --> c:\windows\system32\Drivers\Ca504av.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Pedro Javier\Application Data\Mozilla\Firefox\Profiles\zejlxgou.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&q=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DellSupport - c:\program files\Dell Support\DSAgnt.exe
HKCU-Run-Messenger (Yahoo!) - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-CorelDRAW Graphics Suite 11b - c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe
HKLM-Run-HornetMonitor - c:\program files\Common Files\Hornet\MntrHrnt.exe
Notify-WgaLogon - (no file)
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 23:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)
c:\windows\System32\BCMLogon.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\Bandoo\Bandoo.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-20 23:18:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 04:17

Pre-Run: 3,689,025,536 bytes free
Post-Run: 6,222,663,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2EF399EB32D3BE0CF710CCAD061FB43B



#41
December 20, 2009 at 20:24:56

Just restart the computer.

Then navigate to C:\ComboFix.txt and post the log if found.



#42
December 20, 2009 at 20:28:26

I just posted the log above!! :O)


#43
December 20, 2009 at 20:30:03

By the way, I enabled McAfee again... that's fine, right?


#44
December 20, 2009 at 20:30:06

And are you still being redirected?


#45
December 20, 2009 at 20:34:56

I canNOT believe it! I was afraid to try!! lol))) I'm not being redirected anymore. Should I restart the computer and double-check????

thank YOU so much!!!

By the way, is there any way to donate $$ to this website to keep this kind of assistance available to those who need it?



#46
December 20, 2009 at 20:43:23

Good job pedrito.

You can restart the computer.

And we currently do not accept donations but we sure do appreciate the kind offer.

A little clean-up to do.

Delete RSIT, GMER.exe, TDSSKiller, Rkill, and exeHelper from your desktop.

Next, go to Add/Remove Programs and uninstall HijackThis.

Go to Start > Run > type in ComboFix /Uninstall (note the space after ComboFix), then press Enter > Run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next, create a new restore point. Go to Start > Run > type in msconfig > OK > click Launch System Restore > check the circle beside "Create a restore point" > Next > name it today's date > Create > click Home > exit the System Configuration Utility > restart the computer.

You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link: SpywareBlaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

Glad we could help.



#47
December 20, 2009 at 22:42:41

I followed all the steps and tips... everything seems to be working fine!! Thank YOU, thank YOU, thank YOU!!!
Amazing!
P


