Redirect to gomeo malware problem

Unread postby sjs » April 17th, 2011, 4:06 pm

Hi there,
Would be great if you can help. My Explorer and Firefox often (not always) redirect to "Gomeo" sites. Having looked this up it looks complicated, hence my request for help. Scans are posted below. Note that DDS would not complete until I ran it in Safe Mode. When I start up I get "Error Loading C:\\WINDOWS\upiwamohey.ddl. The specified module could not be found". I am happy to remove any programs that it would be good not to have that my daughter might have loaded previously. Many Thanks, Steve Sargent.
.
DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL
Run by XP User at 20:39:56.51 on 17/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.726 [GMT 1:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\XP User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.mc862.mail.yahoo.com/mc/welco ... nd=8818464
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OfferBox: {fc0d62c2-9640-4aeb-a5d5-cf25df11fa8c} - c:\program files\offerbox\OfferBoxBHO.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\xp user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Yhuqoherajo] rundll32.exe "c:\windows\upiwamohey.dll",Startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\system~1.lnk - c:\program files\systemcontrol\systemcontrol\FanConditioner.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\xpuser~1\applic~1\mozilla\firefox\profiles\el1hfplc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://uk.mc862.mail.yahoo.com/mc/welco ... nd=4474508
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\offerbox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
FF - plugin: c:\documents and settings\xp user\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
FF - Ext: OfferBox: offerboxffx@offerbox.com - c:\program files\offerbox\offerboxffx@offerbox.com
FF - Ext: XULRunner: {50983140-FF2D-49E1-AE2E-53DC1BDDCA8B} - c:\documents and settings\xp user\local settings\application data\{50983140-FF2D-49E1-AE2E-53DC1BDDCA8B}
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2011-1-23 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2011-1-23 173104]
R3 filter;filter;c:\windows\system32\drivers\filter.sys [2004-11-26 8832]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-8-12 13696]
S1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2009-8-12 8192]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2011-1-23 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2011-1-23 116784]
S2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2011-1-23 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-22 102448]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110415.003\IDSXpx86.sys [2011-4-16 341944]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110417.004\NAVENG.SYS [2011-4-17 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110417.004\NAVEX15.SYS [2011-4-17 1393144]
.
=============== Created Last 30 ================
.
2011-04-13 19:36:58 -------- d-----w- C:\Output
2011-04-13 19:35:52 -------- d-----w- C:\MP4ToMP3Converter
2011-03-19 12:23:11 -------- d-----w- c:\windows\system32\N360_BACKUP
.
==================== Find3M ====================
.
2011-03-01 21:23:07 0 ----a-w- c:\windows\Xqoreqewi.bin
2011-01-22 14:46:47 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
1998-12-09 03:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 03:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 03:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 03:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 03:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 03:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6V200E0 rev.VA111900 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x856B6ECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xb10b2879; SUB DWORD [EBP-0x4], 0xb10b2135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8571A5C8]
3 CLASSPNP[0xF7863FD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\00000071[0x85760F18]
5 ACPI[0xF77DA620] -> nt!IofCallDriver[0x804E37C5] -> [0x85773030]
[0x85698CC8] -> IRP_MJ_CREATE -> 0x856B6ECC
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000070 -> \??\IDE#DiskMaxtor_6V200E0__________________________VA111900#345648304C364741202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:40:43.45 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/08/2009 14:51:42
System Uptime: 17/04/2011 20:38:33 (0 hours ago)
Processor: AMD Sempron(tm) Processor 3200+ | Socket 754 | 1808/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 190 GiB total, 65.595 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {1860459D-4692-4825-B761-44A725991050}
Description: Acronis True Image Backup Archive Explorer
Device ID: ROOT\ACRONISDEVICES\0000
Manufacturer: Acronis
Name: Acronis True Image Backup Archive Explorer
PNP Device ID: ROOT\ACRONISDEVICES\0000
Service: timounter
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP242: 21/01/2011 00:31:17 - Unsigned driver install
RP243: 22/01/2011 13:04:43 - Removed Kaspersky Internet Security 2009.
RP244: 22/01/2011 14:40:04 - Removed Windows Live Sign-in Assistant
RP245: 22/01/2011 14:40:26 - Removed Windows Live Upload Tool
RP246: 23/01/2011 16:19:11 - Unsigned driver install
RP247: 24/01/2011 20:46:31 - System Checkpoint
RP248: 25/01/2011 21:36:40 - System Checkpoint
RP249: 26/01/2011 23:35:06 - System Checkpoint
RP250: 27/01/2011 23:49:59 - System Checkpoint
RP251: 29/01/2011 00:49:26 - System Checkpoint
RP252: 30/01/2011 01:49:30 - System Checkpoint
RP253: 31/01/2011 02:49:28 - System Checkpoint
RP254: 01/02/2011 03:49:31 - System Checkpoint
RP255: 02/02/2011 04:49:29 - System Checkpoint
RP256: 03/02/2011 05:49:31 - System Checkpoint
RP257: 04/02/2011 06:48:59 - System Checkpoint
RP258: 05/02/2011 07:48:51 - System Checkpoint
RP259: 06/02/2011 09:16:54 - System Checkpoint
RP260: 07/02/2011 09:48:49 - System Checkpoint
RP261: 08/02/2011 10:48:49 - System Checkpoint
RP262: 09/02/2011 11:48:49 - System Checkpoint
RP263: 10/02/2011 12:48:50 - System Checkpoint
RP264: 11/02/2011 13:49:32 - System Checkpoint
RP265: 13/02/2011 00:35:08 - System Checkpoint
RP266: 14/02/2011 01:12:55 - System Checkpoint
RP267: 15/02/2011 02:12:56 - System Checkpoint
RP268: 16/02/2011 03:12:59 - System Checkpoint
RP269: 17/02/2011 04:12:58 - System Checkpoint
RP270: 18/02/2011 05:12:57 - System Checkpoint
RP271: 19/02/2011 06:12:57 - System Checkpoint
RP272: 20/02/2011 07:12:59 - System Checkpoint
RP273: 21/02/2011 08:12:58 - System Checkpoint
RP274: 22/02/2011 08:14:03 - System Checkpoint
RP275: 25/02/2011 20:10:48 - System Checkpoint
RP276: 26/02/2011 20:34:29 - System Checkpoint
RP277: 28/02/2011 20:30:38 - System Checkpoint
RP278: 01/03/2011 20:46:29 - System Checkpoint
RP279: 02/03/2011 21:02:55 - System Checkpoint
RP280: 03/03/2011 21:18:23 - System Checkpoint
RP281: 04/03/2011 22:02:34 - System Checkpoint
RP282: 05/03/2011 23:44:09 - System Checkpoint
RP283: 07/03/2011 00:02:33 - System Checkpoint
RP284: 08/03/2011 01:02:33 - System Checkpoint
RP285: 09/03/2011 02:02:34 - System Checkpoint
RP286: 10/03/2011 03:02:33 - System Checkpoint
RP287: 11/03/2011 03:13:35 - System Checkpoint
RP288: 12/03/2011 04:13:35 - System Checkpoint
RP289: 13/03/2011 05:13:35 - System Checkpoint
RP290: 14/03/2011 06:13:34 - System Checkpoint
RP291: 15/03/2011 07:51:26 - System Checkpoint
RP292: 16/03/2011 08:22:55 - System Checkpoint
RP293: 17/03/2011 09:35:54 - System Checkpoint
RP294: 18/03/2011 10:21:52 - System Checkpoint
RP295: 19/03/2011 13:27:28 - System Checkpoint
RP296: 20/03/2011 14:21:53 - System Checkpoint
RP297: 21/03/2011 15:21:54 - System Checkpoint
RP298: 22/03/2011 18:24:43 - System Checkpoint
RP299: 23/03/2011 18:53:09 - System Checkpoint
RP300: 24/03/2011 19:19:33 - System Checkpoint
RP301: 26/03/2011 00:25:55 - System Checkpoint
RP302: 27/03/2011 10:33:40 - System Checkpoint
RP303: 28/03/2011 18:57:59 - System Checkpoint
RP304: 29/03/2011 19:19:29 - System Checkpoint
RP305: 30/03/2011 20:23:35 - System Checkpoint
RP306: 31/03/2011 22:00:18 - System Checkpoint
RP307: 01/04/2011 22:21:10 - System Checkpoint
RP308: 02/04/2011 22:21:16 - System Checkpoint
RP309: 03/04/2011 22:47:20 - System Checkpoint
RP310: 04/04/2011 23:28:24 - System Checkpoint
RP311: 06/04/2011 00:21:14 - System Checkpoint
RP312: 07/04/2011 00:22:25 - System Checkpoint
RP313: 08/04/2011 00:28:14 - System Checkpoint
RP314: 09/04/2011 01:45:57 - System Checkpoint
RP315: 10/04/2011 02:20:56 - System Checkpoint
RP316: 11/04/2011 03:20:56 - System Checkpoint
RP317: 13/04/2011 06:01:03 - System Checkpoint
RP318: 14/04/2011 06:51:38 - System Checkpoint
RP319: 15/04/2011 15:51:39 - System Checkpoint
RP320: 16/04/2011 16:45:12 - System Checkpoint
RP321: 17/04/2011 16:53:46 - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Belkin 54g USB Network Adapter
Bonjour
BufferChm
C4580
Convert MP4 to MP3 1.5
Copy
Destination Component
DeviceDiscovery
Driver Magician 3.41
EA Download Manager
EA Download Manager UI
Generic USB Card Reader Driver v2.3b
Google Chrome
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Update
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSSupply
iTunes
Java(TM) 6 Update 15
Java(TM) 6 Update 7
LightScribe 1.4.136.1
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.16)
MP4 To MP3 Converter V3.0.4
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
Network
Norton 360
NVIDIA Drivers
OfferBox Browser
OpenOffice.org 3.0
PowerDVD
PS_AIO_04_C4580_Software_Min
QuickTime
Realtek AC'97 Audio
Scan
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shop for HP Supplies
Sky Player
Skype Toolbars
Skype™ 5.1
SmartWebPrinting
SolutionCenter
Status
SystemControl
The Sims™ 3
The Sims™ 3 Ambitions
The Sims™ 3 World Adventures
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
.
==== Event Viewer Messages From Past Week ========
.
17/04/2011 20:40:35, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 BHDrvx86 BIOS BS_I2cIo ccHP eeCtrl Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SymIRON SYMTDI Tcpip
17/04/2011 20:40:35, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
17/04/2011 20:40:35, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
17/04/2011 20:40:35, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
17/04/2011 20:40:35, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
17/04/2011 20:40:35, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
17/04/2011 20:40:35, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
17/04/2011 20:39:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
17/04/2011 20:39:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
17/04/2011 19:56:18, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
13/04/2011 16:48:06, error: Service Control Manager [7023] - The Pml Driver HPZ12 service terminated with the following error: The specified module could not be found.
13/04/2011 16:48:06, error: Service Control Manager [7023] - The Net Driver HPZ12 service terminated with the following error: The specified module could not be found.
13/04/2011 16:48:06, error: Service Control Manager [7023] - The HP Network Devices Support service terminated with the following error: The specified module could not be found.
13/04/2011 16:48:06, error: Service Control Manager [7023] - The HP CUE DeviceDiscovery Service service terminated with the following error: The specified module could not be found.
13/04/2011 16:48:00, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
13/04/2011 16:47:48, error: Dhcp [1002] - The IP address lease 192.168.1.66 for the Network Card with network address 00173F1427B6 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
sjs
Active Member
 
Posts: 4
Joined: March 31st, 2011, 6:56 pm

Re: Redirect to gomeo malware problem

Unread postby Gary R » April 18th, 2011, 2:58 am

Looking over your log, back soon.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect to gomeo malware problem

Unread postby Gary R » April 18th, 2011, 4:00 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi sjs

I'm Gary R, I'll be glad to help you with your computer problems.

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • If you're using Vista or Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Download ComboFix from one of these locations and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image

Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply (it can also be found at C:\ComboFix.txt).

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect to gomeo malware problem

Unread postby sjs » April 19th, 2011, 4:33 pm

Hi Gary R, many thanks for your help. All seemed to go as planned running ComboFix and here is the Log:
I await your reply - all the best - Steven.

ComboFix 11-04-19.01 - XP User 19/04/2011 20:59:16.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.372 [GMT 1:00]
Running from: c:\documents and settings\XP User\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\OfferBox Browser.lnk
c:\documents and settings\XP User\Application Data\OfferBox
c:\documents and settings\XP User\Application Data\OfferBox\config.dat
c:\documents and settings\XP User\Application Data\OfferBox\config.xml
c:\documents and settings\XP User\Local Settings\Application Data\{50983140-FF2D-49E1-AE2E-53DC1BDDCA8B}
c:\documents and settings\XP User\Local Settings\Application Data\{50983140-FF2D-49E1-AE2E-53DC1BDDCA8B}\chrome.manifest
c:\documents and settings\XP User\Local Settings\Application Data\{50983140-FF2D-49E1-AE2E-53DC1BDDCA8B}\chrome\content\_cfg.js
c:\documents and settings\XP User\Local Settings\Application Data\{50983140-FF2D-49E1-AE2E-53DC1BDDCA8B}\chrome\content\overlay.xul
c:\documents and settings\XP User\Local Settings\Application Data\{50983140-FF2D-49E1-AE2E-53DC1BDDCA8B}\install.rdf
c:\program files\OfferBox
c:\program files\OfferBox\OfferBox.exe
c:\program files\OfferBox\OfferBoxBHO.dll
c:\program files\OfferBox\OfferBoxChromeExtension.crx
c:\program files\OfferBox\OfferBoxEngine.dll
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome.manifest
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\events.js
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\overlay.xul
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.xpt
c:\program files\OfferBox\offerboxffx@offerbox.com\install.rdf
c:\program files\OfferBox\OfferBoxLauncher.exe
c:\program files\OfferBox\res\language.xml
c:\program files\OfferBox\res\loader.gif
c:\program files\OfferBox\uninst.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-19 to 2011-04-19 )))))))))))))))))))))))))))))))
.
.
2011-04-13 19:36 . 2011-04-13 19:50 -------- d-----w- C:\Output
2011-04-13 19:35 . 2011-04-13 19:35 -------- d-----w- C:\MP4ToMP3Converter
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-22 14:46 . 2011-01-22 14:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-01-22 14:46 . 2011-01-22 14:46 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
1998-12-09 03:53 . 1998-12-09 03:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 . 1998-12-09 03:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 03:53 . 1998-12-09 03:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-31 7561216]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SystemControl.lnk - c:\program files\SystemControl\SystemControl\FanConditioner.exe [2009-8-12 3276288]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{0BC1A5B2-79A1-4716-B3E5-4071E9AB6F43}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [23/01/2011 17:26 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [23/01/2011 17:26 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110415.001\BHDrvx86.sys [15/04/2011 21:29 802936]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/08/2009 15:23 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [12/08/2009 15:34 8192]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [23/01/2011 17:26 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [23/01/2011 17:26 116784]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [23/01/2011 17:25 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [22/01/2011 15:59 102448]
R3 filter;filter;c:\windows\system32\drivers\filter.sys [26/11/2004 07:32 8832]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110419.001\IDSXpx86.sys [19/04/2011 07:23 341944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1659004503-682003330-1004Core.job
- c:\documents and settings\XP User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-18 12:25]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1659004503-682003330-1004UA.job
- c:\documents and settings\XP User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-18 12:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.mc862.mail.yahoo.com/mc/welco ... nd=8818464
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\XP User\Application Data\Mozilla\Firefox\Profiles\el1hfplc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://uk.mc862.mail.yahoo.com/mc/welco ... nd=4474508
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-Yhuqoherajo - c:\windows\upiwamohey.dll
AddRemove-OfferBox Browser - c:\program files\OfferBox\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-19 21:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-1659004503-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:a9,a1,74,83,7c,d8,0e,eb,45,25,9e,c9,60,d5,23,3b,67,5b,91,52,7d,
e4,b8,b1,61,2e,73,30,76,a8,af,05,28,79,fb,3e,9d,ed,88,87,84,6c,f6,ae,2f,a7,\
"rkeysecu"=hex:e9,3f,0b,ae,5c,80,bb,86,5a,30,e9,7f,2c,c6,46,53
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-04-19 21:18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-19 20:18
.
Pre-Run: 71,370,219,520 bytes free
Post-Run: 71,273,230,336 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 1CF988E8AC713688763CC10602BE9812
sjs
Active Member
 
Posts: 4
Joined: March 31st, 2011, 6:56 pm

Re: Redirect to gomeo malware problem

Unread postby Gary R » April 19th, 2011, 5:14 pm

It's not clear from your Combofix log whether it has removed the TDL3 rootkit indicated in your DDS logs earlier, so before we go any further I'd like to check to see if it is still present.

Please run a new scan with DDS ....

Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save DDS.txt to your Desktop (I'm not interested in Attach.txt this time)
  • Copy/Paste the contents of DDS.txt only in your next reply please.

Next

Download TDSSKiller.zip and extract it to your Desktop.
  • Double click on TDSSKiller.exe to launch it.
    • If using Vista or Windows 7, when prompted by UAC allow the prompt.
  • Click on Start Scan
  • The scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • Post the contents in your next reply please.
  • DO NOT TRY TO FIX ANYTHING AT THIS POINT

Summary of the logs I need from you in your next post:
  • DDS.txt
  • TDSSKiller log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect to gomeo malware problem

Unread postby sjs » April 20th, 2011, 6:43 pm

Hi Gary, below is the DDS.txt, but then there is a PROBLEM. I have TDSSKiller.exe on my desktop, but when I run it, it comes up with "initialising" for about 2 seconds, then the computer immediately closes down and re-starts. I then thought that the VirusGuard was supposed to be still turned off so I tried again with it off and the same thing happened. On the second restart it came up with a -
Symantec Service Framework
Error Signature
szAppName : ccsvchst.exe szAppVer : 109.0.3.4 szModName : ccl90u.dll
szModVer : 109.0.3.4 offset : 00062102
[not sure if that is any help...]

DDS (Ver_11-03-05.01) - NTFSx86
Run by XP User at 23:03:14.67 on 20/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.459 [GMT 1:00]
.
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\SystemControl\SystemControl\FanConditioner.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\XP User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.mc862.mail.yahoo.com/mc/welco ... nd=8818464
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\system~1.lnk - c:\program files\systemcontrol\systemcontrol\FanConditioner.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\xpuser~1\applic~1\mozilla\firefox\profiles\el1hfplc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://uk.mc862.mail.yahoo.com/mc/welco ... nd=4474508
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\xp user\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2011-1-23 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2011-1-23 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110419.001\BHDrvx86.sys [2011-4-19 802936]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-8-12 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2009-8-12 8192]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2011-1-23 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2011-1-23 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2011-1-23 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-22 102448]
R3 filter;filter;c:\windows\system32\drivers\filter.sys [2004-11-26 8832]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110419.002\IDSXpx86.sys [2011-4-20 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110420.002\NAVENG.SYS [2011-4-20 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110420.002\NAVEX15.SYS [2011-4-20 1393144]
.
=============== Created Last 30 ================
.
2011-04-19 19:57:56 -------- d-sha-r- C:\cmdcons
2011-04-19 19:54:44 98816 ----a-w- c:\windows\sed.exe
2011-04-19 19:54:44 89088 ----a-w- c:\windows\MBR.exe
2011-04-19 19:54:44 256512 ----a-w- c:\windows\PEV.exe
2011-04-19 19:54:44 161792 ----a-w- c:\windows\SWREG.exe
2011-04-13 19:36:58 -------- d-----w- C:\Output
2011-04-13 19:35:52 -------- d-----w- C:\MP4ToMP3Converter
.
==================== Find3M ====================
.
2011-03-01 21:23:07 0 ----a-w- c:\windows\Xqoreqewi.bin
2011-01-22 14:46:47 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
1998-12-09 03:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 03:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 03:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 03:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 03:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 03:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6V200E0 rev.VA111900 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x854E3ECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xb10b2879; SUB DWORD [EBP-0x4], 0xb10b2135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8557AAB8]
3 CLASSPNP[0xF764FFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000072[0x85579F18]
5 ACPI[0xF74E6620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x85416030]
[0x8557B788] -> IRP_MJ_CREATE -> 0x854E3ECC
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000071 -> \??\IDE#DiskMaxtor_6V200E0__________________________VA111900#345648304C364741202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:04:10.56 ===============
sjs
Active Member
 
Posts: 4
Joined: March 31st, 2011, 6:56 pm

Re: Redirect to gomeo malware problem

Unread postby Gary R » April 23rd, 2011, 5:05 am

So sorry I haven't got back to you sooner; I did not get notification of your post, so was not aware that you had posted a reply. My most sincere apology.

Your DDS log shows you still have a TDL infection, but since TDSSKiller seems to be having problems we'll need to use another tool on it. I first need to run a scan to see if this tool can see the version of TDL you have since it does not remove them all.

  • Download aswMBR.exe to your desktop.
  • Double click aswMBR.exe to run it
  • Click the SCAN button to start the scan.
  • On completion of the scan click SAVE LOG and save it to your desktop.
  • Post the log contents in your next reply please.
Gary R
Administrator
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect to gomeo malware problem

Unread postby sjs » April 25th, 2011, 6:10 pm

Hi Gary. No problem, I have been away for Easter. Hope your break was good.
Scan from aswMBR:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-25 23:05:41
-----------------------------
23:05:41.390 OS Version: Windows 5.1.2600 Service Pack 3
23:05:41.390 Number of processors: 1 586 0x5F02
23:05:41.390 ComputerName: XP-89C6A3FB3E73 UserName: XP User
23:05:42.468 Initialize success
23:05:56.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
23:05:56.500 Disk 0 Vendor: Maxtor_6V200E0 VA111900 Size: 194481MB BusType: 3
23:05:56.500 Device \Device\00000071 -> \??\IDE#DiskMaxtor_6V200E0__________________________VA111900#345648304C364741202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
23:05:56.500 Disk 0 MBR read error
23:05:56.500 Disk 0 MBR scan
23:05:56.500 MBR BIOS signature not found 0
23:05:56.500 Disk 0 scanning sectors +398283480
23:05:56.500 Disk 0 scanning C:\WINDOWS\system32\drivers
23:06:01.656 Service scanning
23:06:02.703 Disk 0 trace - called modules:
23:06:02.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x854e3ecc]<<
23:06:02.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8557aab8]
23:06:02.718 3 CLASSPNP.SYS[f7610fd7] -> nt!IofCallDriver -> \Device\00000072[0x85579f18]
23:06:02.718 5 ACPI.sys[f74a7620] -> nt!IofCallDriver -> [0x85416030]
23:06:03.218 [0x85590f38] -> IRP_MJ_CREATE -> 0x854e3ecc
23:06:03.218 Scan finished successfully
sjs
Active Member
 
Posts: 4
Joined: March 31st, 2011, 6:56 pm

Re: Redirect to gomeo malware problem

Unread postby Gary R » April 26th, 2011, 2:14 am

It's not 100% clear from your log, but I believe you have one of the newer versions of TDL rootkit.

Like the others this one re-writes the Master Boot Record (MBR) of your hard drive, but unlike most of the earlier versions this one cannot be removed whilst Windows is running, so we need to remove it whilst booted to Recovery Console (which Combofix installed earlier).

This procedure is not entirely without risk.

I will take precautions to minimise them, but I would still advise you to ensure you have a back-up of your personal files and folders before going any further.

Before we attempt to fix things I'd like to make a backup of your Master Boot Record (MBR) so we can restore it if anything goes wrong.

  • Download MBRFix and extract it to your Desktop.
  • Copy MBRFix.exe to the C:\ folder.
  • Click Start > Run, type cmd in the Open: box, then hit Enter.
    • This will open a Command box.
    • Now type the following command: C:\MBRFix /drive 0 savembr C:\Backup_MBR_0.bin then hit Enter.
    • Exit the command window.
    • Check to make sure there is a file Backup_MBR_0.bin in your C:\ folder.
    • Let me know if you have any problems, or if the file is not created.

DO NOT PROCEED WITH THE INSTRUCTION BELOW IF YOU ARE UNABLE TO BACK-UP YOUR MBR

Next

  • Restart your computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select the Recovery Console option and click Enter.
  • Enter the number that corresponds to your XP installation (usually 1) and hit Enter.
  • Type in your password and hit Enter, if you don't use a password just hit Enter.
  • You should now get a prompt ... C:\Windows
  • Type in fixmbr
  • The MBR should now be re-written with a new default XP Master Boot Record.
  • Type Exit then hit Enter to boot into Normal Mode.

Next

Once you've rebooted into Normal Mode, run a new scan with aswMBR (as detailed in my earlier post) and post me the new log please.

Also let me know whether you are still being re-directed.
Gary R
Administrator
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
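
A sanity check for the Backup_MBR_0.bin file created in the post above, as an added example that is not part of the original thread or of MBRFix: it confirms the file looks like a usable MBR sector before anything is rewritten. It assumes the backup is a raw 512-byte copy of sector 0; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512             # assumption: the backup is a raw copy of sector 0
TABLE_OFFSET = 446            # partition table follows the boot code and disk ID
ENTRY_SIZE = 16               # four 16-byte primary partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR sector


def check_mbr_backup(data):
    """Return (partitions, problems) for a raw MBR sector image."""
    if len(data) != SECTOR_SIZE:
        return [], [f"expected {SECTOR_SIZE} bytes, got {len(data)}"]

    problems = []
    if data[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 55 AA missing at offset 510")

    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + index * ENTRY_SIZE
        raw = data[start:start + ENTRY_SIZE]
        status, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if ptype == 0x00:
            continue  # unused slot
        if status not in (0x00, 0x80):
            problems.append(f"entry {index}: invalid status byte 0x{status:02x}")
        if lba_start == 0 or sectors == 0:
            problems.append(f"entry {index}: zero start sector or length")
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })

    if not partitions:
        problems.append("partition table is empty")
    else:
        active = sum(1 for p in partitions if p["active"])
        if active != 1:
            problems.append(f"{active} active partitions, expected 1 on a boot disk")

    # Primary partitions must not overlap each other.
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for first, second in zip(ordered, ordered[1:]):
        if first["lba_start"] + first["sectors"] > second["lba_start"]:
            problems.append(
                f"entries {first['index']} and {second['index']} overlap")
    return partitions, problems


def build_sample_mbr():
    """Constructed sample: empty boot code, one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 398283417)
    sector[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # Pass the backup path as the first argument; without one the
    # constructed sample sector is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            image = handle.read()
    else:
        image = build_sample_mbr()

    found, issues = check_mbr_backup(image)
    print("SHA-256:", hashlib.sha256(image).hexdigest())
    for part in found:
        print("entry {index}: type 0x{type:02x} active={active} "
              "start={lba_start} sectors={sectors}".format(**part))
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Recording the SHA-256 alongside the backup lets you confirm later that the file you restore from is the one you saved.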

Re: Redirect to gomeo malware problem

Unread postby Gary R » April 29th, 2011, 1:37 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Gary R
Administrator
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire