
Thread: Click.GiftLoad not removed by spybot

  1. #11
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello pherron

    Thank you for the log.

    I can see some remnants of Symantec (Norton) products on your machine. Do you still use Norton? If not, let me know and I can provide you with a removal tool.

    Spybot is still showing me as infected with Click.GuestLoad
    Let's see if it can remove the threat from Safe Mode:


    1. Reboot Your System in Safe Mode


      • Restart your computer.
      • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
      • Use the arrow keys to select the Safe mode menu item.
      • Press Enter.


      Once in Safe Mode, run SpyBot and allow it to attempt the removal of Click.GuestLoad if detected.

      When Spybot has completed its run please boot back into Normal Mode.

    2. Please update your Java


      • Click on "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
      • Uninstall any previous versions of Java that you find.
      • Reboot your computer.
      • Next, download the latest version of Java by clicking here
      • Scroll down the page until you reach "Java Platform Standard Edition".
      • Beneath this and to the right, you will see a button marked "Download JRE".
      • Click the "Download JRE" button.
      • Select the platform (Windows, in your case), multi language.
      • Accept the license agreement and click on "Continue".
      • Scroll down and click on the file called jre-6u24-windows-i586-p.exe located under "Windows Offline Installation".
      • Save the file to your desktop.
      • Do not select Run.
      • Right click on the saved file (jre-6u24-windows-i586-p.exe) and select "Run as Administrator" to install the update.
      • Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.


    3. Please run the following scan


      • Note: You will need to use Internet Explorer for this scan.
      • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
      • Please disable your real time security programs before performing the scan.



      • Scan your system with Eset Online Scanner
      • Place a check mark in the box YES, I accept the Terms Of Use.
      • Click the button.
      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.



      • Check
      • Click the button.
      • Accept any security warnings from your browser.
      • Check
      • Make sure that the option to "Remove Found Threats" is UN checked.
      • Push the "Start" button.
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • When the scan completes, push
      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      • Push the button.
      • Push


      Please post the ESET log in your next reply.
    Proud Graduate of the WTT Classroom

  2. #12
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    JonTom
    I have completed steps 1 & 2.
    I am now running ESET. It will clearly take some time, so I will have to leave it running over night and post the results in the morning.

    The work so far has restored stability to my system. I am no longer getting blue screens and browsers load in normal time. However I still have an svchost.exe using quite a lot of CPU.

    I abandoned Norton some time ago, when I realised that it was no better than AVG and seemed to hog a lot of system resources. I would be grateful for advice on removing remnants.

    Many thanks. Will post again when ESET is complete.

  3. #13
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello pherron

    Will post again when ESET is complete
    Proud Graduate of the WTT Classroom

  4. #14
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    Results of ESET scan below. I don't recall downloading a keygen, I know they're not a good idea to run and VSO is a free program anyway! I will uninstall that software as per forum guidelines. Sorry about that.

    We may be winning. I re-ran Spybot after ESET and it did not find Click.GiftLoad, but it did find 2 tracking cookies which I thought were related to it because it has always found them at the same time. Results pasted below ESET results.

    C:\Users\Peter Herron\Downloads\MsgPlusLive-484.exe a variant of Win32/MessengerPlus application
    C:\Users\Peter Herron\Downloads\Setup_FreeBurner.exe Win32/Adware.Toolbar.Dealio application
    C:\Users\Peter Herron\Downloads\Setup_FreeBurnerN.exe Win32/Adware.Toolbar.Dealio application
    C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen.rar a variant of Win32/Keygen.AS application
    C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\Keygen\ImageResize_v4.exe a variant of Win32/Keygen.AS application



    SpyBot results in normal mode:


    Right Media: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)


    MediaPlex: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---


  5. #15
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello pherron

    I don't recall downloading a keygen, I know they're not a good idea to run
    That's right. They are also illegal. In order to receive further assistance at this site you must remove these items.

    I will uninstall that software as per forum guidelines
    Please do the following:

    1. Please download OTM


      • Please download OTM by OldTimer by clicking here.
      • Save the file (called OTM.exe) to your desktop.
      • Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
      • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



      Code:
      :Processes 
      explorer.exe
      
      :Files
      C:\Users\Peter Herron\Downloads\Setup_FreeBurner.exe	
      C:\Users\Peter Herron\Downloads\Setup_FreeBurnerN.exe	
      C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen
      
      :Commands
      [Purity]
      [EmptyTemp]
      [Emptyflash]
      [Start Explorer]
      [Reboot]



      • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
      • Click the Moveit! button.
      • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
      • Close OTM.
      • Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
    Proud Graduate of the WTT Classroom

  6. #16
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    I downloaded OTM but I can't get it to run. I get a dialog box:

    "OTM has stopped working
    A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

    I tried it in Safe Mode also, but no joy. Please advise.

    Thanks

  7. #17
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello pherron

    I can't get it to run
    Strange?

    1. Please work through the following steps


      • Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad then click on "OK".
      • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
      • Copy and Paste the text in the quotebox below into the open Notepad window:

        File::
        C:\Users\Peter Herron\Downloads\Setup_FreeBurner.exe
        C:\Users\Peter Herron\Downloads\Setup_FreeBurnerN.exe

        Folder::
        C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen

        SkipFix::
      • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
      • Close any open browsers.
      • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Referring to the picture below, drag CFScript.txt into ComboFix.exe




      • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    Proud Graduate of the WTT Classroom

  8. #18
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    That worked ok. Here is the log:


    ComboFix 11-03-16.01 - Peter Herron 16/03/2011 19:45:06.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1173 [GMT 0:00]
    Running from: c:\users\Peter Herron\Desktop\ComboFix.exe
    Command switches used :: c:\users\Peter Herron\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "c:\users\Peter Herron\Downloads\Setup_FreeBurner.exe"
    "c:\users\Peter Herron\Downloads\Setup_FreeBurnerN.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Peter Herron\Downloads\Setup_FreeBurner.exe
    c:\users\Peter Herron\Downloads\Setup_FreeBurnerN.exe
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\^ Enter Here.url
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\^Just one Click to Get More Stuff.url
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\Torrent downloaded from AhaShare.com.txt
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\Torrent downloaded from Demonoid.com.txt
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\tracked_by_h33t_com.txt
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen.rar
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\^ Enter Here.url
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\^Just one Click to Get More Stuff.url
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\Keygen\ImageResize_v4.exe
    c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\vso_image_resizer4_setup.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-16 19:46 . 2011-03-16 19:46 -------- d-----w- c:\users\Peter Herron\AppData\Local\temp
    2011-03-16 19:46 . 2011-03-16 19:46 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-03-16 19:46 . 2011-03-16 19:46 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-15 21:46 . 2011-03-15 21:46 -------- d-----w- c:\program files\ESET
    2011-03-15 21:34 . 2011-03-15 21:34 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-03-15 21:34 . 2011-03-15 21:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-15 19:58 . 2011-02-23 09:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F907CDB6-393A-4C13-B4C8-727E2F8BF2C5}\mpengine.dll
    2011-03-14 19:22 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-14 19:22 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-14 19:22 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-14 19:22 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-14 19:22 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-14 19:22 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-13 21:19 . 2011-03-13 21:20 -------- d-----w- c:\program files\ERUNT
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\SUPERAntiSpyware.com
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-03-13 14:57 . 2011-03-13 15:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-03-13 14:57 . 2011-03-13 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-02-24 09:50 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-24 09:49 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-24 09:49 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-24 09:49 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\FastStone
    2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\program files\FastStone Photo Resizer
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-15 08:46 . 2007-08-03 14:53 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2011-02-02 17:11 . 2009-10-03 09:09 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:37 . 2011-02-09 20:28 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 20:28 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 20:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 20:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08 . 2011-02-09 20:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 20:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07 . 2011-02-09 20:28 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 20:28 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 20:28 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 20:28 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 20:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 20:28 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 20:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 20:28 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 20:28 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 20:28 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 20:28 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24 . 2011-02-09 20:28 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 20:28 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 20:28 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 20:28 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 20:28 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 20:28 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 20:28 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 20:28 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44 . 2011-02-09 20:28 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44 . 2011-02-09 20:28 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47 . 2011-02-09 20:28 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-09 20:28 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-09 20:28 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55 . 2011-01-12 08:30 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-18 06:27 . 2011-02-09 20:27 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22 . 2011-02-09 20:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22 . 2011-02-09 20:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22 . 2011-02-09 20:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 06:22 . 2011-02-09 20:27 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 05:25 . 2011-02-09 20:27 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48 . 2011-02-09 20:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47 . 2011-02-09 20:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "Google Update"="c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
    backup=c:\windows\pss\Orbit.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-601883706-1770117181-183331753-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
    R3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamt03.sys [2006-10-18 40848]
    R3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtv.sys [2006-10-18 38280]
    R3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\J River\Media Jukebox 14\JRService.exe [2010-07-15 379400]
    R3 Normandy;Normandy SR2; [x]
    R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtxp.sys [2006-10-18 47496]
    R4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2006-10-11 32136]
    R4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
    R4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-12-19 28800]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
    .
    2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000Core.job
    - c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
    .
    2011-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000UA.job
    - c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
    .
    2011-03-16 c:\windows\Tasks\User_Feed_Synchronization-{3B3713E4-0FE5-41F5-864D-900F8ABFEE9A}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-16 19:46
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
    .
    [HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*2*2**0ÿÊlÿåen0¢0Ö0Ê0¤0Åe
    0\OpenWithList]
    @Class="Shell"
    .
    [HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\SecuROM\License information*]
    "datasecu"=hex:b8,0b,be,2b,d5,79,0a,da,fb,d5,94,ca,b6,20,6b,9f,04,e7,f0,86,70,
    09,e7,f4,62,3d,44,ef,ca,b5,d7,4e,6e,08,c8,cf,2c,76,41,b6,7f,9c,25,23,82,91,\
    "rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG10.00.00.01WORKSTATION"="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"
    .
    Completion time: 2011-03-16 19:49:59
    ComboFix-quarantined-files.txt 2011-03-16 19:49
    ComboFix2.txt 2011-03-15 18:21
    ComboFix3.txt 2011-03-14 21:05
    .
    Pre-Run: 85,777,432,576 bytes free
    Post-Run: 85,714,579,456 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 5C4FECBF1ADFE666394AF0FA40D3096A
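
    The helper's first read of a ComboFix log like the one above is the "Reg Loading Points" section: the policies\system key (UAC switched off via EnableLUA), and the Security Center Monitoring keys, where leftover SymantecAntiVirus/SymantecFirewall overrides are how Norton remnants show up after an incomplete uninstall. The Python below is an added example, not code from the thread or from ComboFix: it parses a constructed excerpt modelled on that section and flags those two settings; the function names (parse_reg_loading_points, reg_int, triage, leftover_vendor_overrides) are my own.

```python
import re

# Constructed excerpt (not the full log posted in the thread) modelled on the
# "Reg Loading Points" section ComboFix writes. Key paths and value formats
# follow the ones seen in ComboFix.txt; the section order is simplified.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')  # "Name"=value


def parse_reg_loading_points(text):
    """Return {registry_key: {value_name: raw_value}} for the Reg Loading Points section.

    Service lines (R2/S2 ...) and unquoted REG_MULTI_SZ lines are ignored; parsing
    stops at the next section header.
    """
    entries = {}
    current = None
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if 'Reg Loading Points' in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith('((((') or line.startswith("Contents of the 'Scheduled Tasks'"):
            break
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group('name')] = m.group('value')
    return entries


def reg_int(raw):
    """Interpret a ComboFix-rendered numeric value: 'dword:00000001' or '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^(-?\d+)', raw)
    return int(m.group(1)) if m else None


def triage(entries):
    """Flag UAC disabled (EnableLUA=0) and Security Center monitoring overrides.

    Returns (category, detail) tuples; for monitoring overrides the detail is the
    last path component, i.e. the vendor name, or 'Monitoring' for the global key.
    """
    findings = []
    for key, values in entries.items():
        lowered = key.lower()
        if lowered.endswith(r'policies\system') and reg_int(values.get('EnableLUA', '')) == 0:
            findings.append(('uac_disabled', key))
        if r'\security center\monitoring' in lowered and \
                reg_int(values.get('DisableMonitoring', '')) == 1:
            findings.append(('security_center_monitoring_disabled', key.split('\\')[-1]))
    return findings


def leftover_vendor_overrides(findings):
    """Vendor-specific monitoring overrides, e.g. leftovers of an uninstalled AV suite."""
    return sorted(detail for cat, detail in findings
                  if cat == 'security_center_monitoring_disabled' and detail.lower() != 'monitoring')


if __name__ == '__main__':
    found = triage(parse_reg_loading_points(SAMPLE_LOG))
    for category, detail in found:
        print(f'{category}: {detail}')
    print('vendor remnants:', leftover_vendor_overrides(found))
```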

  9. #19
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello pherron

    Thank you for the log.

    Please work your way through the following steps:

    1. Please download and run the Norton Removal Tool


      • The Norton removal tool will locate and remove all traces of Norton products from your computer.
      • To download the tool, click here.
      • Read through the information on the page, and then select the Norton product that you have (this is the one that will be removed).
      • Follow the instructions to obtain the removal tool and to complete the removal process.


    2. Please Uninstall Combofix


      • Hold down the Windows key (has the Windows symbol on it) and press the "R" key.
      • A Run box will open.
      • Type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.


    3. AVG


      • Re-install your AVG, update it and run a full system scan.


      Please post a new set of DDS scan logs in your next reply and let me know how the machine is running now.
    Proud Graduate of the WTT Classroom

  10. #20
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    JonTom

    Once again, thanks for your help

    Norton and ComboFix are now uninstalled. AVG is re-installed.
    Running a full scan will take quite a while and I'm really tired now so I will post the DDS scan log tomorrow evening.

    The machine seems to be running very well now. The system appears stable and I have not seen any browser redirects tonight. Spybot only found tracking cookies.
