Old 28th March 2010   #61 - quirkymac
Inactive
THREAD STARTER

Profile:
Join Date: Sep 2006
Location: Blue Mountains, Australia
Posts: 196
Computer Experience:
Intermediate

Originally Posted by broni:
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns

Restart computer.

The ipconfig /registerdns came back saying it requires elevation.

quirkymac is offline  
Old 28th March 2010   #62 - quirkymac

Just ran the cmd prompt as administrator and that did the trick... have restarted.

quirkymac is offline  
Old 28th March 2010   #63 - broni
Malware Analyst

Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,105
Computer Experience:
intermediate

No redirections anymore?

broni is offline  
Old 28th March 2010   #64 - quirkymac

Unfortunately the redirection is still happening.
I just did a search for "great moments";
the first in the list was www.greatmomentsinc.com, but I got taken to
http://au.yahoo.com/?p=us instead.

quirkymac is offline  
Old 28th March 2010   #65 - broni

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
  1. Please never rename ComboFix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If ComboFix asks you to install the Recovery Console, please allow it.
    NOTE 2. If ComboFix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
  4. Double-click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Make sure you re-enable your security programs when you're done with ComboFix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean!!!

broni is offline  
Old 28th March 2010   #66 - quirkymac

Sorry, I had got so frustrated last night that I tried two scans - Microsoft OneCare Scanner and AVG antivirus scanner (neither found anything).

ComboFix report
ComboFix 10-03-28.01 - Milne Clan 29/03/2010 7:12.6.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.2006.1200 [GMT 11:00]
Running from: c:\users\Milne Clan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 20:16 . 2010-03-28 20:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-28 20:16 . 2010-03-28 20:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-28 20:11 . 2010-03-28 20:12 -------- d-----w- C:\32788R22FWJFW
2010-03-27 23:15 . 2010-03-27 23:15 -------- d-----w- c:\program files\AVG
2010-03-27 04:30 . 2010-03-27 05:12 -------- d-----w- c:\users\Milne Clan\DoctorWeb
2010-03-27 04:16 . 2010-03-27 20:10 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\GetRight
2010-03-26 09:46 . 2010-03-26 09:46 -------- d-----w- c:\users\Milne Clan\AppData\Local\Mozilla
2010-03-26 04:38 . 2010-03-26 04:38 -------- d-----w- c:\windows\Sun
2010-03-26 02:23 . 2010-03-26 02:23 -------- d-----w- C:\_OTL
2010-03-25 23:13 . 2010-03-25 23:13 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Malwarebytes
2010-03-25 23:13 . 2010-01-07 05:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 23:13 . 2010-03-25 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 23:13 . 2010-03-25 23:13 -------- d-----w- c:\programdata\Malwarebytes
2010-03-25 23:13 . 2010-01-07 05:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 19:36 . 2010-03-28 20:17 -------- d-----w- c:\users\Milne Clan\AppData\Local\temp
2010-03-25 01:32 . 2010-03-25 01:32 -------- d-----w- c:\program files\Trend Micro
2010-03-24 20:48 . 2010-03-24 20:48 388096 ----a-r- c:\users\Milne Clan\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-24 20:48 . 2010-03-24 20:48 -------- d-----w- c:\program files\TrendMicro
2010-03-23 19:27 . 2010-03-23 19:27 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\programdata\Hitman Pro
2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-03-18 12:18 . 2010-03-20 09:38 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\vlc
2010-03-18 12:18 . 2010-03-18 12:18 -------- d-----w- c:\program files\VideoLAN
2010-03-11 17:17 . 2010-03-11 17:17 -------- d-----w- c:\windows\system32\Wat
2010-03-11 17:16 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-03-11 17:16 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-03-11 17:16 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
2010-03-11 17:16 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-11 17:16 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2010-03-11 17:16 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-11 17:16 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-11 17:16 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-11 17:16 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-09 06:48 . 2010-03-09 06:48 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\LEAPS
2010-03-09 06:46 . 2010-03-09 06:46 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Pegasys Inc
2010-03-09 06:43 . 2010-03-09 06:43 -------- d-----w- c:\program files\Pegasys Inc
2010-03-04 19:03 . 2010-03-04 19:03 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2010-03-04 19:03 . 2010-03-04 19:03 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 06:10 . 2010-02-09 11:54 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-28 02:28 . 2010-02-14 14:54 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Skype
2010-03-27 21:02 . 2010-02-14 19:05 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\skypePM
2010-03-26 02:31 . 2010-03-26 02:31 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-03-24 19:08 . 2010-02-05 20:47 -------- d-----w- c:\programdata\Lavasoft
2010-03-24 19:08 . 2010-01-06 07:12 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\uTorrent
2010-03-18 00:08 . 2010-01-07 09:01 1 ----a-w- c:\users\Milne Clan\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-11 16:02 . 2010-01-04 06:29 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-23 23:16 . 2010-01-04 06:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 20:46 . 2010-02-20 20:46 -------- d-----w- c:\program files\SPCA1528
2010-02-20 20:46 . 2010-01-04 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-19 20:53 . 2010-02-19 20:53 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----w- c:\program files\Common Files\Skype
2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----r- c:\program files\Skype
2010-02-14 14:53 . 2010-01-28 22:27 -------- d-----w- c:\programdata\Skype
2010-02-05 06:27 . 2010-01-04 05:54 61736 ----a-w- c:\users\Milne Clan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-05 06:27 . 2010-02-05 06:25 -------- d-----w- c:\programdata\Microsoft Help
2010-02-02 11:04 . 2010-02-02 03:03 -------- d-----w- c:\program files\FMS
2010-02-02 07:45 . 2010-02-24 08:52 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 02:47 . 2010-02-02 02:47 -------- d-----w- c:\program files\HeliSim
2010-02-01 04:11 . 2010-02-01 04:11 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Leawo
2010-01-31 01:54 . 2010-01-24 21:01 539 ----a-w- c:\users\Milne Clan\AppData\Local\CastleLinkProps.dat
2010-01-28 22:28 . 2010-01-28 22:28 -------- d-----w- c:\program files\Common Files\logishrd
2010-01-08 03:18 . 2010-02-10 05:19 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-10 05:19 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-08 714016]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-19 62752]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-06 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-06 150552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-18 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\Drivers\Ca1528av.sys [2008-12-16 516480]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
R3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\Drivers\Bulk1528.sys [2008-06-27 11648]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-08 75040]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
R4 Vhdmhervm;Vhdmhervm;c:\windows\system32\diskraid.exe [2009-07-14 276480]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-14 62320]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4448)
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2010-03-29 07:18:19
ComboFix-quarantined-files.txt 2010-03-28 20:18
ComboFix2.txt 2010-03-25 19:36

Pre-Run: 52,728,786,944 bytes free
Post-Run: 52,834,594,816 bytes free

- - End Of File - - EE8092E3ABFE6A624284483154039405

quirkymac is offline  
Old 28th March 2010   #67 - broni

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\programdata\ezsidmv.dat


Folder::
C:\32788R22FWJFW


Driver::
Vhdmhervm


Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

broni is offline  
Old 28th March 2010   #68 - quirkymac

ComboFix 10-03-28.01 - Milne Clan 29/03/2010 8:00.7.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.2006.1265 [GMT 11:00]
Running from: c:\users\Milne Clan\Desktop\ComboFix.exe
Command switches used :: c:\users\Milne Clan\Desktop\cfscript.txt

FILE ::
"c:\programdata\ezsidmv.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\32788R22FWJFW
c:\32788r22fwjfw\EN-US\cmd.cfxxe.mui
c:\programdata\ezsidmv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Vhdmhervm


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 21:03 . 2010-03-28 21:05 -------- d-----w- c:\users\Milne Clan\AppData\Local\temp
2010-03-28 21:03 . 2010-03-28 21:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-28 21:03 . 2010-03-28 21:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-27 23:15 . 2010-03-27 23:15 -------- d-----w- c:\program files\AVG
2010-03-27 04:30 . 2010-03-27 05:12 -------- d-----w- c:\users\Milne Clan\DoctorWeb
2010-03-27 04:16 . 2010-03-27 20:10 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\GetRight
2010-03-26 09:46 . 2010-03-26 09:46 -------- d-----w- c:\users\Milne Clan\AppData\Local\Mozilla
2010-03-26 04:38 . 2010-03-26 04:38 -------- d-----w- c:\windows\Sun
2010-03-26 02:23 . 2010-03-26 02:23 -------- d-----w- C:\_OTL
2010-03-25 23:13 . 2010-03-25 23:13 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Malwarebytes
2010-03-25 23:13 . 2010-01-07 05:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 23:13 . 2010-03-25 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 23:13 . 2010-03-25 23:13 -------- d-----w- c:\programdata\Malwarebytes
2010-03-25 23:13 . 2010-01-07 05:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 01:32 . 2010-03-25 01:32 -------- d-----w- c:\program files\Trend Micro
2010-03-24 20:48 . 2010-03-24 20:48 388096 ----a-r- c:\users\Milne Clan\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-24 20:48 . 2010-03-24 20:48 -------- d-----w- c:\program files\TrendMicro
2010-03-23 19:27 . 2010-03-23 19:27 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\programdata\Hitman Pro
2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-03-18 12:18 . 2010-03-20 09:38 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\vlc
2010-03-18 12:18 . 2010-03-18 12:18 -------- d-----w- c:\program files\VideoLAN
2010-03-11 17:17 . 2010-03-11 17:17 -------- d-----w- c:\windows\system32\Wat
2010-03-11 17:16 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-03-11 17:16 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-03-11 17:16 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
2010-03-11 17:16 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-11 17:16 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2010-03-11 17:16 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-11 17:16 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-11 17:16 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-11 17:16 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-09 06:48 . 2010-03-09 06:48 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\LEAPS
2010-03-09 06:46 . 2010-03-09 06:46 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Pegasys Inc
2010-03-09 06:43 . 2010-03-09 06:43 -------- d-----w- c:\program files\Pegasys Inc
2010-03-04 19:03 . 2010-03-04 19:03 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2010-03-04 19:03 . 2010-03-04 19:03 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 21:06 . 2010-03-28 21:06 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-03-28 21:06 . 2010-02-14 19:05 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\skypePM
2010-03-28 21:05 . 2010-02-14 14:54 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Skype
2010-03-28 06:10 . 2010-02-09 11:54 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-24 19:08 . 2010-02-05 20:47 -------- d-----w- c:\programdata\Lavasoft
2010-03-24 19:08 . 2010-01-06 07:12 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\uTorrent
2010-03-18 00:08 . 2010-01-07 09:01 1 ----a-w- c:\users\Milne Clan\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-11 16:02 . 2010-01-04 06:29 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-23 23:16 . 2010-01-04 06:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 20:46 . 2010-02-20 20:46 -------- d-----w- c:\program files\SPCA1528
2010-02-20 20:46 . 2010-01-04 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-19 20:53 . 2010-02-19 20:53 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----w- c:\program files\Common Files\Skype
2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----r- c:\program files\Skype
2010-02-14 14:53 . 2010-01-28 22:27 -------- d-----w- c:\programdata\Skype
2010-02-05 06:27 . 2010-01-04 05:54 61736 ----a-w- c:\users\Milne Clan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-05 06:27 . 2010-02-05 06:25 -------- d-----w- c:\programdata\Microsoft Help
2010-02-02 11:04 . 2010-02-02 03:03 -------- d-----w- c:\program files\FMS
2010-02-02 07:45 . 2010-02-24 08:52 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 02:47 . 2010-02-02 02:47 -------- d-----w- c:\program files\HeliSim
2010-02-01 04:11 . 2010-02-01 04:11 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Leawo
2010-01-31 01:54 . 2010-01-24 21:01 539 ----a-w- c:\users\Milne Clan\AppData\Local\CastleLinkProps.dat
2010-01-28 22:28 . 2010-01-28 22:28 -------- d-----w- c:\program files\Common Files\logishrd
2010-01-08 03:18 . 2010-02-10 05:19 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-10 05:19 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-08 714016]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-19 62752]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-06 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-06 150552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-18 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\Drivers\Ca1528av.sys [2008-12-16 516480]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
R3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\Drivers\Bulk1528.sys [2008-06-27 11648]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-08 75040]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-14 62320]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2508)
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\conhost.exe
c:\windows\System32\TpShocks.exe
c:\windows\System32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\sppsvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-03-29 08:08:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 21:08
ComboFix2.txt 2010-03-28 20:18
ComboFix3.txt 2010-03-25 19:36

Pre-Run: 51,306,766,336 bytes free
Post-Run: 51,176,595,456 bytes free

- - End Of File - - C202616573C0CF53F12F708F6156AC9B

quirkymac is offline  
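To see what the CFScript from post #67 actually changed between the two ComboFix logs, here is an added example (my own Python, not part of the thread or of ComboFix) that parses the script's File::/Folder::/Driver:: targets and the service and dated file lines of both logs, reports which targets were present before the run and gone afterwards, and flags service entries shaped like the one removed here. The log excerpts are hand-trimmed from the logs posted above, and the service heuristic in `odd_services` is an assumption of mine, not a ComboFix rule.

```python
"""Cross-check a ComboFix CFScript against a before/after pair of ComboFix logs.
Added example for this thread; not part of ComboFix or the thread itself.
Sample inputs below are constructed excerpts of the logs posted above."""
import re

SECTION_RE = re.compile(r"^(File|Folder|Driver|Registry|RegLockDel)::\s*$")
# Service line, e.g. "R4 Vhdmhervm;Vhdmhervm;c:\windows\system32\diskraid.exe [2009-07-14 276480]"
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]\s*$")
# Dated file/folder line, e.g. "2010-03-26 02:31 . 2010-03-26 02:31 56 ---ha-w- c:\programdata\ezsidmv.dat"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?:\d+|--------)\s+\S{8}\s+(.+?)\s*$")


def parse_cfscript(text):
    """Map each CFScript section name to the list of targets listed under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Return (services keyed by lower-cased name, set of lower-cased paths)."""
    services, paths = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, date, size = m.groups()
            services[name.lower()] = {"name": name, "start": start, "display": display,
                                      "path": path, "date": date, "size": int(size)}
            continue
        m = FILE_RE.match(line)
        if m:
            paths.add(m.group(1).lower())
    return services, paths


def odd_services(services):
    """Review aid (assumption, not a ComboFix rule): a service whose display name merely
    repeats its own name and whose image is a stock .exe directly in system32 rather
    than a driver under DRIVERS, which is the shape of the entry removed in this thread."""
    flagged = []
    for key, info in services.items():
        stock_exe = re.fullmatch(r"c:\\windows\\system32\\[^\\]+\.exe",
                                 info["path"].lower()) is not None
        if info["display"].lower() == key and stock_exe:
            flagged.append(info["name"])
    return sorted(flagged)


def check_script(script, before_log, after_log):
    """For every removable target: (seen in the before log, still seen in the after log)."""
    svc_b, paths_b = parse_log(before_log)
    svc_a, paths_a = parse_log(after_log)
    result = {}
    for name in script.get("Driver", []):
        result["Driver::" + name] = (name.lower() in svc_b, name.lower() in svc_a)
    for section in ("File", "Folder"):
        for target in script.get(section, []):
            key = target.lower()
            result[f"{section}::{target}"] = (key in paths_b, key in paths_a)
    return result


# Constructed excerpts: the script from post #67 and a few lines of each log.
CFSCRIPT = r"""File::
c:\programdata\ezsidmv.dat
Folder::
C:\32788R22FWJFW
Driver::
Vhdmhervm
Registry::
RegLockDel::
"""
BEFORE = r"""2010-03-28 20:11 . 2010-03-28 20:12 -------- d-----w- C:\32788R22FWJFW
2010-03-26 02:31 . 2010-03-26 02:31 56 ---ha-w- c:\programdata\ezsidmv.dat
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
R4 Vhdmhervm;Vhdmhervm;c:\windows\system32\diskraid.exe [2009-07-14 276480]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
"""
AFTER = r"""-------\Service_Vhdmhervm
2010-03-28 21:06 . 2010-03-28 21:06 56 ---ha-w- c:\programdata\ezsidmv.dat
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
"""

if __name__ == "__main__":
    print("review candidates in before log:", odd_services(parse_log(BEFORE)[0]))
    for target, (seen_before, seen_after) in check_script(parse_cfscript(CFSCRIPT), BEFORE, AFTER).items():
        state = "removed" if seen_before and not seen_after else (
            "still present after run" if seen_after else "not found in the before log")
        print(f"{target}: {state}")
```

Note that c:\programdata\ezsidmv.dat shows up again in the second log with a fresh timestamp, so the check reports it as still present even though ComboFix listed it under Other Deletions; a target that reappears after the reboot was recreated by something still running and is worth pointing out to the analyst.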
Old 28th March 2010   #69 - quirkymac

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:11 AM, on 29/03/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5362 bytes

quirkymac is offline  
Old 28th March 2010   #70
Malware Analyst
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,105
Computer Experience:
intermediate

How is redirection?

broni is offline  
Old 29th March 2010   #71
Inactive
THREAD STARTER
 
Profile:
Join Date: Sep 2006
Location: Blue Mountains, Australia
Posts: 196
Computer Experience:
Intermediate

Still being redirected.
Search for great moments
Same results. Clicked on first option which should have been www.greatmomentsinc.com

but got taken to

http://www.borders.com.au/book/great...ments/2796558/

:-(

quirkymac is offline  
Old 29th March 2010   #72
Malware Analyst
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,105
Computer Experience:
intermediate

Please download Sophos Anti-rootkit & save it to your desktop.

IMPORTANT!
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives

  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop-up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\

broni is offline  
Old 29th March 2010   #73
Inactive
THREAD STARTER
 
Profile:
Join Date: Sep 2006
Location: Blue Mountains, Australia
Posts: 196
Computer Experience:
Intermediate

Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 29/03/2010 at 17:09:59 PM
User "Milne Clan" on computer "MILNECLAN-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Stopped logging on 29/03/2010 at 17:11:12 PM


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 29/03/2010 at 17:11:50 PM
User "Milne Clan" on computer "MILNECLAN-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Milne Clan\AppData\Roaming\Microsoft\Windows\Recent\Thomas And Friends(Join Thomas with his carriages Annie and Clarabelle, and friends James, Edward and Percy as they travel the tracks on the Island of Sodor, under the direction of the Fat Co.lnk
Stopped logging on 29/03/2010 at 17:32:35 PM


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 29/03/2010 at 18:43:02 PM
User "Milne Clan" on computer "MILNECLAN-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Stopped logging on 29/03/2010 at 19:01:17 PM


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 29/03/2010 at 19:13:41 PM
User "Milne Clan" on computer "MILNECLAN-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Stopped logging on 29/03/2010 at 19:33:37 PM

quirkymac is offline  
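The post above is the sarscan.log that broni's instructions point to, pasted four sessions over. At this size it can be read by eye, but an analyst who handles these logs regularly wants the sessions split out, runs that never reached the disk scan (the first session here stops after the registry scan) separated from complete ones, and each Hidden: line classified rather than skimmed. The Python below is an added example, not code from this thread or from Sophos. It assumes only the line shapes visible in the posted log; the rule that a hidden .lnk under the user's Recent folder is the long-shortcut-name case the thread treats as a non-finding is a heuristic of this example, not Sophos documentation; and the sample input is constructed (the .lnk name is shortened and the .sys entry is an invented placeholder, not a real finding from this machine).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input, modelled on the sarscan.log sessions posted in the
# thread: same line shapes, shortened .lnk name, and one invented placeholder
# path so the triage step has something to report.
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 29/03/2010 at 17:09:59 PM
User "Milne Clan" on computer "MILNECLAN-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Stopped logging on 29/03/2010 at 17:11:12 PM


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 29/03/2010 at 17:11:50 PM
User "Milne Clan" on computer "MILNECLAN-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Milne Clan\AppData\Roaming\Microsoft\Windows\Recent\Thomas And Friends.lnk
Hidden: file C:\Windows\System32\drivers\CONSTRUCTED-PLACEHOLDER.sys
Stopped logging on 29/03/2010 at 17:32:35 PM
"""


@dataclass
class ScanSession:
    started: str                    # text after "Started logging on "
    stopped: Optional[str] = None   # None when the session has no "Stopped logging" line
    user: Optional[str] = None
    computer: Optional[str] = None
    disk_scanned: bool = False      # set once "Info: Starting disk scan" appears
    hidden: List[Tuple[str, str]] = field(default_factory=list)  # (kind, path)


USER_RE = re.compile(r'^User "([^"]*)" on computer "([^"]*)"')


def parse_sarscan(text: str) -> List[ScanSession]:
    """Split a sarscan.log into sessions, one per "Started logging" header."""
    sessions: List[ScanSession] = []
    cur: Optional[ScanSession] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Started logging on "):
            cur = ScanSession(started=line[len("Started logging on "):])
            sessions.append(cur)
            continue
        if cur is None or not line:
            continue  # version banner before the first session, or a blank separator
        if line.startswith("Stopped logging on "):
            cur.stopped = line[len("Stopped logging on "):]
        elif line.startswith("User "):
            m = USER_RE.match(line)
            if m:
                cur.user, cur.computer = m.group(1), m.group(2)
        elif line.startswith("Info: Starting disk scan"):
            cur.disk_scanned = True
        elif line.startswith("Hidden: "):
            kind, _, path = line[len("Hidden: "):].partition(" ")
            cur.hidden.append((kind, path))
        # repeated version banners, the Windows version line and other Info: lines are ignored
    return sessions


# Heuristic of this example (an assumption, not Sophos documentation): a hidden
# *.lnk under the user's Recent folder is the long-shortcut-name case seen in the
# thread, which the thread treats as not a finding.
BENIGN_RECENT_LNK = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\[^\\]+\.lnk$", re.IGNORECASE)


def triage(sessions: List[ScanSession]) -> List[Tuple[str, str, str]]:
    """Return (session start, kind, path) for hidden entries that deserve a closer look."""
    findings = []
    for s in sessions:
        for kind, path in s.hidden:
            if kind == "file" and BENIGN_RECENT_LNK.search(path):
                continue
            findings.append((s.started, kind, path))
    return findings


def incomplete_sessions(sessions: List[ScanSession]) -> List[ScanSession]:
    """Sessions that never reached the disk scan (aborted or interrupted runs)."""
    return [s for s in sessions if not s.disk_scanned]


if __name__ == "__main__":
    sessions = parse_sarscan(SAMPLE_LOG)
    for s in sessions:
        print(f"{s.started}: user={s.user!r} disk_scanned={s.disk_scanned} hidden={len(s.hidden)}")
    for started, kind, path in triage(sessions):
        print("investigate:", started, kind, path)
```

Run against a real log, the useful outputs are the incomplete-session list (a run that stops before the disk scan tells you nothing about hidden files on disk, which is why a log with four sessions needs reading as four separate results) and the triage list, which should be empty for a clean scan; anything it returns is a path to look at, not a verdict.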
Old 29th March 2010   #74
Inactive
THREAD STARTER
 
Profile:
Join Date: Sep 2006
Location: Blue Mountains, Australia
Posts: 196
Computer Experience:
Intermediate

If you are not getting frustrated by now I will get frustrated for you!!

Still getting redirected and nothing was found in the Sophos scan.

quirkymac is offline  
Old 29th March 2010   #75
Inactive
THREAD STARTER
 
Profile:
Join Date: Sep 2006
Location: Blue Mountains, Australia
Posts: 196
Computer Experience:
Intermediate

There are another couple of symptoms. I cannot use Windows Update, and I can't update Windows Security Essentials or Windows Defender.
Plus some websites just seem to fail for no apparent reason.

quirkymac is offline  


 
