internet searches been redirected

johnb35

Administrator
Staff member
Reboot your system and press the F8 key right after the BIOS/POST screen; this will give you access to the Safe Mode options. Hit Enter on Safe Mode, and when it loads, click on your user name; then you can run ComboFix.
 

andylowekcx

New Member
Machine 2

Download Filefind By Attribune.

•Unzip the file and save it to your desktop.
•Double-click on FileFind.exe
•In the box labeled "Enter the directory to search" type C:\
•(note if your default Windows boot drive is not drive C, substitute your drive letter).
•In the box labeled "Enter the file to search" type regsvc.dll
•Click on the Find button.
•Once the utility has found the files click on Export. This will save a text file to your C:\ drive (or your default Windows drive) as Export.txt.

Add the C:\Export.txt log to your next message.

Also, this returned 0 files found in 7193 directories for machine 2.
 

johnb35

Administrator
Staff member
Since there are no more on your system, I need you to take the attached zipped file, unzip it, and then copy the file to both of these directories:

C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache

Then rerun ComboFix on machine 2 so I can get an updated report from it.
 

Attachments

  • regsvc.zip
    30.4 KB · Views: 1

andylowekcx

New Member
Still unable to run ComboFix on machine 1, even in Safe Mode.

However, I have made progress on machine 2, running another ComboFix log, and here it is:

ComboFix 11-03-21.01 - Administrator 21/03/2011 19:15:49.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.759.311 [GMT 0:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-21 to 2011-03-21 )))))))))))))))))))))))))))))))
.
.
2011-03-21 19:06 . 2008-04-14 05:42 59904 ----a-w- c:\windows\system32\dllcache\regsvc.dll
2011-03-21 19:05 . 2008-04-14 05:42 59904 ----a-w- c:\windows\system32\regsvc.dll
2011-03-21 16:37 . 2011-03-21 16:37 -------- d-----w- c:\windows\system32\xircom
2011-03-21 16:37 . 2011-03-21 16:37 -------- d-----w- c:\windows\system32\wbem\snmp
2011-03-21 16:37 . 2011-03-21 16:37 -------- d-----w- c:\windows\srchasst
2011-03-21 16:37 . 2011-03-21 16:37 -------- d-----w- c:\program files\microsoft frontpage
2011-03-21 15:51 . 2011-03-21 15:51 -------- d-----w- c:\program files\Common Files\Java
2011-03-21 15:50 . 2011-03-21 15:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-21 15:50 . 2011-03-21 15:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-21 15:50 . 2011-03-21 15:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-21 14:11 . 2011-03-21 14:11 388096 ----a-r- c:\users\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-21 09:35 . 2011-03-21 09:35 -------- d-----w- c:\users\Administrator\Application Data\Malwarebytes
2011-03-21 09:34 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-21 09:34 . 2011-03-21 09:34 -------- d-----w- c:\users\All Users\Application Data\Malwarebytes
2011-03-21 09:34 . 2011-03-21 09:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-21 09:34 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 17:17 . 2011-03-20 17:18 -------- d-----w- c:\program files\Veetle
2011-03-16 23:06 . 2011-03-16 23:26 -------- d-----w- c:\windows\system32\NtmsData
2011-03-16 23:00 . 2011-03-04 16:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-16 23:00 . 2011-03-04 14:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-16 23:00 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-03-16 23:00 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-03-16 23:00 . 2011-03-16 23:00 -------- d-----w- c:\users\All Users\Application Data\Avira
2011-03-16 23:00 . 2011-03-16 23:00 -------- d-----w- c:\program files\Avira
2011-03-12 22:30 . 2011-03-09 07:47 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-12 22:19 . 2011-03-09 07:47 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-12 22:18 . 2011-03-12 22:18 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-12 22:15 . 2011-03-12 22:15 -------- d-----w- c:\users\NetworkService\Local Settings\Application Data\Google
2011-03-12 22:13 . 2011-03-12 22:13 -------- d-----w- c:\users\Administrator\Local Settings\Application Data\Sunbelt Software
2011-03-12 22:10 . 2011-03-20 10:17 -------- d-----w- c:\users\Administrator\Local Settings\Application Data\Temp
2011-03-12 22:10 . 2011-03-12 22:10 -------- d-----w- c:\users\LocalService\Local Settings\Application Data\Google
2011-03-12 22:09 . 2011-03-16 22:32 -------- d-----w- c:\users\Administrator\Local Settings\Application Data\Google
2011-03-12 22:09 . 2011-03-12 22:12 -------- d-----w- c:\program files\Google
2011-03-12 22:09 . 2011-03-12 22:09 -------- dc-h--w- c:\users\All Users\Application Data\{78A29A4D-35CE-4C46-9AC9-2692EE35F0BE}
2011-03-12 22:08 . 2011-03-12 22:12 -------- d-----w- c:\users\All Users\Application Data\Lavasoft
2011-03-12 22:08 . 2011-03-12 22:08 -------- d-----w- c:\program files\Lavasoft
2011-03-09 20:51 . 2011-03-09 20:51 -------- d-sh--w- c:\users\Administrator\PrivacIE
2011-03-01 20:33 . 2011-03-01 20:34 -------- d-----w- c:\users\Administrator\Application Data\Media Player Classic
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
.
[-] 2007-04-05 . 7179AC3F4258AEC9627590A842FDA1D6 . 574976 . . [5.1.2600.3113] . . c:\windows\system32\drivers\ntfs.sys
.
[-] 2007-05-21 . 1A5FB58FC6E970A308719A4EA49EB8B5 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2007-05-21 . 39128B5A743545BAEDD3984C210F00A8 . 77824 . . [5.1.2600.2586] . . c:\windows\system32\browser.dll
.
[-] 2007-05-21 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
.
[-] 2007-05-21 . 348F04E3582EF2467EE5379D67B99FD7 . 399360 . . [5.1.2600.2948] . . c:\windows\system32\rpcss.dll
.
[-] 2007-05-21 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
.
[-] 2007-05-21 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2006-08-25 . C4E80875C1CF1222FC5EFD0314AE5C01 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[7] 2001-08-23 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
.
[-] 2007-05-21 . 87F3E2D2A3231F820F9248DB90090F42 . 62464 . . [5.1.2600.2845] . . c:\windows\system32\cryptsvc.dll
.
[-] 2007-05-21 19:40 . 3D9418CF112A11ADC45E2A0C0A44DF47 . 243200 . . [2001.12.4414.312] . . c:\windows\system32\es.dll
.
[-] 2007-05-21 . 16F21882C96EE0136A92E867DA94215C . 985600 . . [5.1.2600.2991] . . c:\windows\system32\kernel32.dll
.
[-] 2007-05-21 . 212DEC5056523F8727C7B4E7E86782D5 . 19968 . . [5.1.2600.2839] . . c:\windows\system32\linkinfo.dll
.
[-] 2007-05-21 . 154C00AE9C017C3650E33CE75116A312 . 343040 . . [7.0.2600.3085] . . c:\windows\system32\msvcrt.dll
[-] 2007-02-19 . 4295F398C188D02DC7A5899EAC121914 . 343040 . . [7.0.2600.3085] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.3085_x-ww_e059201c\msvcrt.dll
[7] 2001-08-23 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
.
[-] 2007-05-21 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
.
[-] 2007-05-21 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
.
[-] 2007-05-21 . 42D32722B805D7DF42D30487A0BCBD78 . 1033216 . . [6.00.2900.2894] . . c:\windows\explorer.exe
.
[-] 2007-05-21 . B044C6A4D1A8240085F61F2353BD2FE6 . 1286656 . . [5.1.2600.2948] . . c:\windows\system32\ole32.dll
.
[-] 2007-05-21 . 456FB859236C9074ACF6C3B6243D8B46 . 502784 . . [1.0626.6000.16386] . . c:\windows\system32\usp10.dll
.
[-] 2007-05-21 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll
.
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regsvc.dll
.
[-] 2007-05-21 . C29A5286E64D97385178452D5F307B98 . 295424 . . [5.1.2600.2627] . . c:\windows\system32\termsrv.dll
.
[-] 2005-05-28 09:14 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
.
[-] 2007-05-21 19:40 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
.
[-] 2007-01-17 21:43 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
[-] 2007-05-21 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\system32\ntkrnlpa.exe
.
[-] 2007-05-21 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\upnphost.dll
.
[-] 2007-05-21 . FBCE44CCE9D83687A4C68C955FB11E12 . 2321792 . . [5.1.2600.3093] . . c:\windows\system32\ntoskrnl.exe
.
[-] 2007-05-21 . D9F097AA3B97034D3358A01B43E635B2 . 333824 . . [5.1.2600.3051] . . c:\windows\system32\wiaservc.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-03-21_16.39.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-21 18:12 . 2011-03-21 18:12 16384 c:\windows\Temp\Perflib_Perfdata_25c.dat
+ 2011-03-21 19:20 . 2011-03-21 19:20 53248 c:\windows\Temp\catchme.dll
- 2011-03-21 16:38 . 2011-03-21 16:38 53248 c:\windows\Temp\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/03/2011 22:19 64512]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16/03/2011 23:00 135336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2011 07:47 1405384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/03/2011 22:10 136176]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [02/07/2010 14:34 13224]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [09/03/2011 07:47 15232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-09 07:47]
.
2010-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-12 22:09]
.
2011-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-12 22:09]
.
2011-03-21 c:\windows\Tasks\User_Feed_Synchronization-{E89E4D32-0B82-4A4E-ABDB-9EF18C595AAA}.job
- c:\windows\system32\msfeedssync.exe [2007-05-21 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\d2bpt7s8.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-21 19:20
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1284227242-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,77,81,89,34,ef,f7,40,bd,0f,c2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,77,81,89,34,ef,f7,40,bd,0f,c2,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2011-03-21 19:24:07
ComboFix-quarantined-files.txt 2011-03-21 19:23
ComboFix2.txt 2011-03-21 16:47
.
Pre-Run: 18,155,331,584 bytes free
Post-Run: 18,148,802,560 bytes free
.
- - End Of File - - 2F3ED95ED6CD3681F1A5D71450D6924F
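The report above is read by hand in the thread; the following added example (my code, not ComboFix's and not part of the thread) does the same triage mechanically. It parses an excerpt of the posted log (constructed from the lines above, with paths and hashes copied from it) and pulls out what a reviewer checks first: Sigcheck entries ComboFix marked `[-]` (the page does not document the marker semantics, so these are listed for manual comparison against a known-good reference, not judged), whether a file's system32 copy and its dllcache copy carry the same MD5 (the check you would want after the regsvc.dll replacement step earlier in the thread), Security Center and firewall values that silence or disable protection, and services whose binary is missing on disk (the `[?]` marker). The section headers and value formats are taken from the log as printed; any other ComboFix output variants are an assumption.

```python
"""Triage helper for a ComboFix report (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# Constructed excerpt of the report posted above; paths and hashes are copied from it.
SAMPLE_LOG = r"""
------- Sigcheck -------
.
[-] 2007-05-21 . 1A5FB58FC6E970A308719A4EA49EB8B5 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regsvc.dll
.
[7] 2001-08-23 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/03/2011 22:19 64512]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
"""

# One Sigcheck line: [mark] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")

# (substring of the key, value name, value that weakens protection, why it matters)
WEAK_SETTINGS = [
    ("security center", "AntiVirusOverride", 1, "Security Center will not warn that antivirus is missing or disabled"),
    ("security center", "FirewallOverride", 1, "Security Center will not warn that the firewall is off"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall is turned off for the standard profile"),
    ("firewallpolicy\\standardprofile", "DisableNotifications", 1, "Windows Firewall will not notify when a program is blocked"),
]


def _reg_int(raw):
    """Turn 'dword:00000001' or ' 0 (0x0)' into an int; strings give None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def triage(log_text):
    findings = {
        "unverified": [],                # (path, md5, size, version) for Sigcheck lines marked [-]
        "dllcache_pairs": {},            # basename -> (system32 md5, dllcache md5, identical?)
        "weak_settings": [],             # (key, name, value, why)
        "missing_service_binaries": [],  # (start type, service name, path)
    }
    by_name = defaultdict(dict)
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        m = SIGCHECK_RE.match(line)
        if m:
            path = m.group("path").lower()
            folder, _, base = path.rpartition("\\")
            if m.group("mark") == "-":
                findings["unverified"].append((path, m.group("md5"), int(m.group("size")), m.group("ver")))
            if folder.endswith("\\system32"):
                by_name[base]["system32"] = m.group("md5")
            elif folder.endswith("\\system32\\dllcache"):
                by_name[base]["dllcache"] = m.group("md5")
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key")   # values that follow belong to this key
            continue
        m = REG_VAL_RE.match(line)
        if m:
            value = _reg_int(m.group("raw"))
            for fragment, name, bad, why in WEAK_SETTINGS:
                if fragment in current_key.lower() and m.group("name") == name and value == bad:
                    findings["weak_settings"].append((current_key, name, value, why))
            continue
        m = SERVICE_RE.match(line)
        if m and "[?]" in m.group("path"):   # ComboFix's marker for a service whose file is absent
            findings["missing_service_binaries"].append(
                (m.group("start"), m.group("name"), m.group("path").split(" --> ")[0]))
    for base, hashes in by_name.items():
        if "system32" in hashes and "dllcache" in hashes:
            findings["dllcache_pairs"][base] = (
                hashes["system32"], hashes["dllcache"], hashes["system32"] == hashes["dllcache"])
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, items in result.items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

On the excerpt this reports three `[-]` entries, a matching regsvc.dll pair (both copies carry 5B19B557B0C188210A56A6B699D90B8F, as the posted log shows), the four weakened Security Center and firewall values, and the DCALEXICO service pointing at a file that is not on disk. A matching hash pair only proves the two copies are the same file; whether that file is the genuine Microsoft build still has to be settled against a trusted reference, which the log alone cannot provide.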
 

johnb35

Administrator
Staff member
OK. Looks like machine 2 is good to go except for a few things.

1. I still see that Ad-Aware is installed. I would recommend uninstalling it and just using Malwarebytes as your scanner. It's only a recommendation; I'm not forcing you to do it, though. I just feel that Malwarebytes is a lot better scanner than Ad-Aware.

2. Download and run CCleaner to delete all the old internet temp files and system files; it should restore some speed to the system.

http://download.cnet.com/ccleaner/

Just download and install, open the program and click on Run Cleaner.

3. Since this machine was badly infected, we need to clear out the system restore points and start fresh with a new one. To do that, right-click on "My Computer", click on Properties, click on the System Restore tab, check the box where it says "Turn off System Restore on all drives" and click Apply. This will turn off System Restore and delete your existing restore points. Then go back and uncheck it and click Apply. This will turn System Restore back on.

As far as ComboFix crashing on machine 1, did you disable Avira before running it?
 

andylowekcx

New Member
I removed it earlier, along with AVG that I had installed.

I currently have no antivirus software installed. Do you have any suggestions as to antivirus software?
 

johnb35

Administrator
Staff member
Either Avast or Microsoft Security Essentials.

OK. Let's do some other scans on machine 1. The first one is this.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found, it will display a screen similar to the one below.

infection-found.jpg


To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

scan-completed.jpg


If the log says "will be cured after reboot", please reboot the system by pressing the Reboot now button.

After running, there will be a log located at the root of your C:\ drive, labeled TDSSKiller with a series of numbers after it. Please open the log and copy and paste it back here.
 

johnb35

Administrator
Staff member
Nope. It just means it doesn't have the TDSS infection. Next step.

Download DDS from the following location

DDS Download Link

When you click on the above link you will be brought to a download page. Please click on the Download Now button and you will see a download prompt similar to Figure 1 below.


dds-savebox.jpg


Click on the Save button. You will now be presented with a screen similar to Figure 2 below asking where you would like to save the file.

dds-savedesktop.jpg


Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. Your computer will now download the file and save it on your Desktop. When it is done downloading you will find an icon on your desktop that looks like Figure 3 below.


icon.jpg


Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

Once you double-click the icon a Windows security warning may also appear asking if you are sure you would like to run the program. This warning is shown in Figure 4 below.

run-confirm.jpg


Click on the Run button to start DDS. If no warning appeared, as shown above, then you should just continue reading.

DDS will now display a small black window providing information as to what DDS is doing on your computer as shown in Figure 5 below.

dds-information.jpg


DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two Notepad windows named dds.txt and attach.txt as shown below.

dds-log.jpg


dds-attach.jpg


You will then be shown a small box giving instructions as to what you should do with these files. Feel free to close this message box by pressing the OK button.

We now need to save the two log files that were created. First click on the DDS.txt window, click on the File menu and then select the Save As... menu option. You will now be presented with a screen similar to Figure 8 below asking where you would like to save the file.

save-desktop.jpg


Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. The DDS.txt log will now be saved to your Desktop. Now click on the Attach.txt Notepad window and perform the same steps to save that file to your Desktop as well.

Please copy and paste the contents of the dds.txt log and the attach.txt log in your next reply.
 

andylowekcx

New Member
Again I can't get a result from this program. It begins scanning, but around 60-70% it stops and progresses no further. After 3 attempts now, leaving the final attempt 30 minutes, I still had no luck producing a log.
 

johnb35

Administrator
Staff member
One last thing before you throw in the towel, copy your important data and do a fresh install of Windows. I know this is the machine that we worked on before, and I recommended then doing a fresh install. Do you know what brand of hard drive is in the machine? Western Digital, Seagate, Samsung, Hitachi?
 

andylowekcx

New Member
I have a Dell Equium laptop with Toshiba plastered all over it, so could that be the make of the hard drive?

Not sure if this could be linked, but about a year ago the DVD drive just stopped working.
 

johnb35

Administrator
Staff member
Go into Device Manager; under Disk drives it will show you the model number. Post it back here.
 

andylowekcx

New Member
Hi John,

I've come to the end of the line with this computer and have decided to start all over with a wipe of the system.

If possible, how do I back up all my files that are scattered throughout the system?
For example, I NEED to keep all Microsoft Word/Excel docs even if I haven't used them in a while.

How do I back up the programs I have so I don't have to reinstall them again?

Thanks
 

johnb35

Administrator
Staff member
You can use a USB flash drive to copy all your Excel and Word documents to. However, all programs/games will need to be reinstalled.
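Two steps in this thread come down to the same job, walking a drive for files by name: the FileFind search for regsvc.dll earlier (search C:\, export the hits to Export.txt) and the backup of Word/Excel documents scattered across the system asked about here. The following added example (my code, not FileFind's, not the forum's advice, and not a tool either poster used) does both in Python: `find_files` returns matches for one name or several wildcard patterns, `write_export` writes the Export.txt-style list, and `backup_files` copies the matches to a destination such as the flash drive, keeping the folder layout and writing a SHA-256 manifest so the copies can be checked after the reinstall with `verify_backup`. The sample folder tree in `build_sample_tree` is constructed for the demonstration; the document extensions in `OFFICE_PATTERNS` are my assumption of what "Word/Excel docs" covers.

```python
"""Find files by pattern, export the list, and copy them with a hash manifest (added example)."""
import fnmatch
import hashlib
import os
import shutil
import tempfile

# Assumed set of Word/Excel document extensions to collect.
OFFICE_PATTERNS = ("*.doc", "*.docx", "*.xls", "*.xlsx")


def find_files(root, patterns):
    """Walk `root` and return paths whose file name matches any pattern (case-insensitive).
    A plain name such as "regsvc.dll" works as a pattern, like FileFind's single-file search."""
    wanted = tuple(p.lower() for p in patterns)
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if any(fnmatch.fnmatch(name.lower(), p) for p in wanted):
                matches.append(os.path.join(dirpath, name))
    return sorted(matches)


def write_export(matches, export_path):
    """Write one path per line, the same shape as FileFind's Export.txt; returns the count."""
    with open(export_path, "w") as fh:
        for path in matches:
            fh.write(path + "\n")
    return len(matches)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_files(root, dest, patterns=OFFICE_PATTERNS):
    """Copy every match under `root` into `dest` keeping the relative layout, and write
    dest/MANIFEST.sha256 so the copies can be verified on the rebuilt machine.
    Returns {relative path with '/' separators: sha256}."""
    copied = {}
    for src in find_files(root, patterns):
        rel = os.path.relpath(src, root)
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(src, target)   # copy2 keeps timestamps, useful for sorting old documents later
        copied[rel.replace(os.sep, "/")] = sha256_of(target)
    with open(os.path.join(dest, "MANIFEST.sha256"), "w") as fh:
        for rel, digest in sorted(copied.items()):
            fh.write(f"{digest}  {rel}\n")
    return copied


def verify_backup(dest):
    """Re-hash every file named in the manifest; return the entries that are missing or changed."""
    bad = []
    with open(os.path.join(dest, "MANIFEST.sha256")) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(dest, *rel.split("/"))
            if not os.path.isfile(path) or sha256_of(path) != digest:
                bad.append(rel)
    return bad


def build_sample_tree(root):
    """Constructed stand-in for a user profile: a few Office documents among other files."""
    files = {
        "Documents/budget.xlsx": b"xlsx bytes",
        "Documents/old/letter.doc": b"doc bytes",
        "Desktop/notes.txt": b"not an office file",
        "Downloads/Report.DOCX": b"docx bytes",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Run search, export, backup and verification in a temp dir; return (exported, copied, bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_tree(os.path.join(tmp, "profile"))
        dest = os.path.join(tmp, "usb_backup")
        matches = find_files(profile, OFFICE_PATTERNS)
        exported = write_export(matches, os.path.join(tmp, "Export.txt"))
        copied = backup_files(profile, dest)
        return exported, sorted(copied), verify_backup(dest)


if __name__ == "__main__":
    print(demo())
```

For the real job, call `backup_files("C:\\", "E:\\backup")` with the flash drive's letter in place of E:, and keep the destination outside the tree being walked. Two caveats worth keeping in mind when the source is a machine you are wiping because it was infected: Office documents can carry macro malware, so scan the backup with an up-to-date scanner before opening anything on the fresh install; and do not widen the patterns to executables or installers, since the programs have to be reinstalled from clean media anyway.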
 