
Websearch Mocafix HELP with removing !


This topic is locked. 8 replies to this topic.

#1 Freyi (Members, 5 posts)

Posted 23 November 2012 - 06:04 PM

Hello,
Please help me with removing Websearch mocafix from my Google Chrome. I'm attaching a log from the HijackThis program.
Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:56:30, on 2012-11-23
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Moje dokumenty\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.com/?cid={D10A57C6-6CA4-4C42-9187-D23C80D8CEAE}&mid=08d82074dd0147d08623d1d961010e6b-8eafb470bd812d53c18b62333d26c5c8a3a9ba5e&lang=pl&ds=st011&pr=sa&d=2012-08-20 22:09:13&v=13.2.0.5&sap=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearch.mocaflix.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ChomikBox] C:\Program Files\ChomikBox\chomikbox.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-21-1004336348-2139871995-682003330-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Wyślij &do programu OneNote - res://C:\PROGRA~1\MI1933~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Notatki połączone programu OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Notatki połączone programu OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342472504843
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\progra~1\mocaflix\sprote~1.dll
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Usługa Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Usługa Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe

--
End of file - 8632 bytes
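Triage of a HijackThis log like the one above comes down to a few sections: the R0/R1 entries (where the browser's start and search pages point), the O4 autoruns, and above all the O20 AppInit_DLLs line, since any DLL listed there is loaded into every process that maps user32.dll. The script below is an added example, not code from this thread or from the HijackThis project: it parses lines in the HijackThis format, flags entries that mention a given term (here `mocaflix`), always reports O20 entries, and lists the hosts the browser is being sent to. The function names, the `ALWAYS_REVIEW` set and the term list are the example's own choices; the sample lines are copied from the log above. One caveat the example encodes: HijackThis prints 8.3 short names (`sprote~1.dll`), so matching on the directory or vendor name is more reliable than matching on a DLL file name.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


# One HijackThis entry: section code (R0, O4, O20, ...), the rest of the line,
# and the suspicious terms flag_entries() found in it.
@dataclass
class Entry:
    code: str
    body: str
    hits: list = field(default_factory=list)


# HijackThis lines look like "O20 - AppInit_DLLs: c:\progra~1\mocaflix\sprote~1.dll".
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

# O20 (AppInit_DLLs) is injected into every process that loads user32.dll,
# so it is reported even when no suspicious term matches it (example's own choice).
ALWAYS_REVIEW = {"O20"}

# Constructed sample: a handful of lines copied from the log in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearch.mocaflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
O20 - AppInit_DLLs: c:\progra~1\mocaflix\sprote~1.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_hijackthis(text: str) -> list:
    """Return the R*/O* entries of a HijackThis log; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag_entries(entries, suspicious_terms) -> list:
    """Entries that mention a suspicious term (case-insensitive) or sit in an always-review section.

    Match on a directory or vendor name rather than a DLL file name: HijackThis prints
    8.3 short names (sprote~1.dll) while other tools show the long name (sprotector.dll).
    """
    terms = [t.lower() for t in suspicious_terms]
    flagged = []
    for e in entries:
        body = e.body.lower()
        e.hits = [t for t in terms if t in body]
        if e.hits or e.code in ALWAYS_REVIEW:
            flagged.append(e)
    return flagged


def browser_hosts(entries) -> set:
    """Hosts that the R0/R1 start-page and search-page entries point the browser at."""
    hosts = set()
    for e in entries:
        if e.code in {"R0", "R1"} and " = " in e.body:
            value = e.body.split(" = ", 1)[1].strip()
            host = urlparse(value).hostname  # None for non-URL values such as folder names
            if host:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    found = parse_hijackthis(SAMPLE_LOG)
    for e in flag_entries(found, ["mocaflix"]):
        print(f"{e.code}: {e.body}  (hits: {e.hits or 'always-review section'})")
    print("browser is pointed at:", sorted(browser_hosts(found)))
```

Run as-is the script reports the R0 start page and the O20 AppInit_DLLs entry and shows the browser is pointed at `websearch.mocaflix.com`; searching for `sprotector.dll` instead would only surface the O20 line through the always-review rule, which is the short-name caveat in practice.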



#2 nasdaq (Malware Response Team, 20,412 posts, Montreal, QC, Canada)

Posted 24 November 2012 - 10:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#3 Freyi (Topic Starter, Members, 5 posts)

Posted 24 November 2012 - 01:28 PM

Attached File: ComboFix.txt (23.88KB, 1 download)

Thank you for your quick reply.
I'm attaching the logs from ComboFix, AdwCleaner and Security Check.
ComboFix 12-11-24.02 - User 2012-11-24  19:17:06.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1250.48.1045.18.3327.2810 [GMT 1:00]
Uruchomiony z: c:\documents and settings\User\Moje dokumenty\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dane aplikacji\Download and Sa
c:\documents and settings\All Users\Dane aplikacji\Download and Sa\50afdc7f288ff.ocx
c:\documents and settings\All Users\Dane aplikacji\Download and Sa\50afdc7f28937.html
c:\documents and settings\All Users\Dane aplikacji\Download and Sa\50afdc7f28970.js
c:\documents and settings\All Users\Dane aplikacji\Download and Sa\lalcgjfbfmibmbefpidogebjekhipehe.crx
c:\documents and settings\All Users\Dane aplikacji\Download and Sa\settings.ini
c:\documents and settings\All Users\Dane aplikacji\TEMP
c:\windows\IsUn0415.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\a620d2f5116071a6.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f7f5f72a853fe836.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2012-10-24 do 2012-11-24  )))))))))))))))))))))))))))))))
.
.
2012-11-24 18:17 . 2012-11-24 18:17 29904 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Microsoft\Microsoft Antimalware\Definition Updates\{82D8D36F-F342-4E5B-B665-6A87D4209EC8}\MpKsla5561235.sys
2012-11-24 18:04 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Microsoft\Microsoft Antimalware\Definition Updates\{82D8D36F-F342-4E5B-B665-6A87D4209EC8}\mpengine.dll
2012-11-23 20:28 . 2012-11-23 20:28 -------- d-----w- c:\program files\MocaFlix
2012-11-23 20:27 . 2012-11-23 20:27 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\InstallMate
2012-11-23 12:00 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-22 20:59 . 2012-11-22 21:41 -------- d-----w- c:\documents and settings\User\Dane aplikacji\Trine2
2012-11-22 20:58 . 2012-11-22 20:58 -------- d-----w- c:\program files\Ubisoft
2012-11-22 20:48 . 2012-11-22 20:48 -------- d--h--w- c:\windows\msdownld.tmp
2012-11-19 21:20 . 2012-11-19 21:20 -------- d-----w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\SKIDROW
2012-11-19 21:19 . 2012-11-19 21:19 -------- d-----w- C:\steamapps
2012-11-19 20:53 . 2012-11-19 20:53 -------- d-----w- c:\program files\THQ
2012-11-17 20:09 . 2012-11-17 20:09 -------- d-----w- c:\documents and settings\User\Dane aplikacji\dll-files.com
2012-11-17 20:09 . 2012-11-17 20:09 -------- d-----w- c:\program files\Dll-Files.com Fixer
2012-11-16 21:55 . 2012-11-16 21:55 -------- d-----w- c:\windows\Sun
2012-11-16 21:55 . 2012-11-16 21:55 -------- d-----w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\Sun
2012-11-16 21:55 . 2012-11-16 21:55 -------- d-----w- c:\program files\Common Files\Java
2012-11-16 21:54 . 2012-11-16 21:53 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-16 21:54 . 2012-11-16 21:53 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-16 21:54 . 2012-11-16 21:53 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-16 21:54 . 2012-11-16 21:53 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-16 21:53 . 2012-11-16 21:53 -------- d-----w- c:\program files\Java
2012-11-15 18:47 . 2012-09-23 14:28 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-11-15 18:47 . 2012-09-23 14:28 5947392 ----a-w- c:\windows\system32\nvopencl.dll
2012-11-14 18:10 . 2012-11-14 18:10 -------- d-----w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\VS Revo Group
2012-11-14 18:10 . 2009-12-30 10:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-11-14 18:10 . 2012-11-14 18:10 -------- d-----w- c:\program files\VS Revo Group
2012-11-14 15:33 . 2012-11-14 15:47 -------- d-----w- c:\program files\Mass Effect 3
2012-11-14 15:12 . 2012-11-14 15:12 -------- d-----w- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2012-11-14 15:12 . 2012-11-14 15:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-11-14 14:59 . 2012-11-14 15:30 -------- d-----w- c:\program files\Mass Effect 2
2012-11-14 13:44 . 2012-11-14 14:34 -------- d-----w- c:\program files\Mass Effect
2012-11-04 23:07 . 2012-11-04 23:07 -------- d-----w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\Focus Home Interactive
2012-11-04 23:07 . 2012-11-04 23:07 -------- d-----w- c:\program files\Focus Home Interactive
2012-11-04 00:55 . 2012-11-04 00:55 -------- d-----w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\Disney Interactive
2012-11-04 00:44 . 2012-11-04 00:44 -------- d-----w- c:\program files\Disney Interactive Studios
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-09 13:17 . 2012-08-20 20:09 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-10-22 19:57 . 2008-04-15 12:00 1866624 ----a-w- c:\windows\system32\win32k.sys
2012-10-09 12:25 . 2012-07-16 19:12 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 12:25 . 2012-07-16 19:12 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 12:25 . 2012-10-09 11:25 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-10-02 18:04 . 2008-04-15 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-23 14:28 . 2012-07-16 19:28 19103744 ----a-w- c:\windows\system32\nvoglnt.dll
2012-09-23 14:28 . 2012-07-16 19:28 2578792 ----a-w- c:\windows\system32\nvcuvid.dll
2012-09-23 14:28 . 2012-07-16 19:28 1866088 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-09-23 14:28 . 2012-07-16 19:28 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
2012-09-23 14:28 . 2012-07-16 19:28 7446528 ----a-w- c:\windows\system32\nvcuda.dll
2012-09-23 14:28 . 2012-07-16 19:28 4494208 ----a-w- c:\windows\system32\nv4_disp.dll
2012-09-23 14:28 . 2012-07-16 19:28 2376704 ----a-w- c:\windows\system32\nvapi.dll
2012-09-23 14:28 . 2012-07-16 19:28 17551360 ----a-w- c:\windows\system32\nvcompiler.dll
2012-09-23 14:28 . 2012-07-16 19:28 12557728 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-09-23 13:09 . 2012-07-16 19:31 253952 ----a-w- c:\windows\system32\nvrsth.dll
2012-09-23 13:09 . 2012-07-16 19:31 335872 ----a-w- c:\windows\system32\nvrsar.dll
2012-09-23 13:09 . 2012-07-16 19:31 282624 ----a-w- c:\windows\system32\nvrses.dll
2012-09-23 13:09 . 2012-07-16 19:31 274432 ----a-w- c:\windows\system32\nvrspt.dll
2012-09-23 13:09 . 2012-07-16 19:31 274432 ----a-w- c:\windows\system32\nvrsja.dll
2012-09-23 13:09 . 2012-07-16 19:31 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2012-09-23 13:09 . 2012-07-16 19:31 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2012-09-23 13:09 . 2012-07-16 19:31 258048 ----a-w- c:\windows\system32\nvrssl.dll
2012-09-23 13:09 . 2012-07-16 19:31 258048 ----a-w- c:\windows\system32\nvrssk.dll
2012-09-23 13:09 . 2012-07-16 19:31 253952 ----a-w- c:\windows\system32\nvrssv.dll
2012-09-23 13:09 . 2012-07-16 19:31 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2012-09-23 13:09 . 2012-07-16 19:31 335872 ----a-w- c:\windows\system32\nvrshe.dll
2012-09-23 13:09 . 2012-07-16 19:31 258048 ----a-w- c:\windows\system32\nvrstr.dll
2012-09-23 13:09 . 2012-07-16 19:31 258048 ----a-w- c:\windows\system32\nvrspl.dll
2012-09-23 13:09 . 2012-07-16 19:31 253952 ----a-w- c:\windows\system32\nvrsno.dll
2012-09-23 13:09 . 2012-07-16 19:31 282624 ----a-w- c:\windows\system32\nvrsit.dll
2012-09-23 13:09 . 2012-07-16 19:31 282624 ----a-w- c:\windows\system32\nvrsel.dll
2012-09-23 13:09 . 2012-07-16 19:31 249856 ----a-w- c:\windows\system32\nvrseng.dll
2012-09-23 13:09 . 2012-07-16 19:31 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2012-09-23 13:09 . 2012-07-16 19:31 266240 ----a-w- c:\windows\system32\nvrsko.dll
2012-09-23 13:09 . 2012-07-16 19:31 249856 ----a-w- c:\windows\system32\nvrscs.dll
2012-09-23 13:09 . 2012-07-16 19:31 270336 ----a-w- c:\windows\system32\nvrsru.dll
2012-09-23 13:09 . 2012-07-16 19:31 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2012-09-23 13:09 . 2012-07-16 19:31 278528 ----a-w- c:\windows\system32\nvrsde.dll
2012-09-23 13:09 . 2012-07-16 19:31 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2012-09-23 13:09 . 2012-07-16 19:31 262144 ----a-w- c:\windows\system32\nvrshu.dll
2012-09-23 13:09 . 2012-07-16 19:31 253952 ----a-w- c:\windows\system32\nvrsda.dll
2012-09-23 13:09 . 2012-07-16 19:31 126976 ----a-w- c:\windows\system32\nvrszht.dll
2012-09-23 13:04 . 2012-07-16 19:31 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-09-23 13:04 . 2012-07-16 19:31 15512424 ----a-w- c:\windows\system32\nvcpl.dll
2012-09-23 13:04 . 2012-07-16 19:31 164200 ----a-w- c:\windows\system32\nvsvc32.exe
2012-09-23 13:04 . 2012-07-16 19:31 143720 ----a-w- c:\windows\system32\nvcolor.exe
2012-09-23 13:04 . 2012-07-16 19:31 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-09-03 13:21 . 2012-09-06 13:35 74520 ----a-w- c:\windows\system32\DSETUP.dll
2012-08-30 20:03 . 2011-04-18 11:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:18 . 2008-04-15 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:18 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:18 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2008-04-15 12:00 385024 ------w- c:\windows\system32\html.iec
2012-09-08 17:57 . 2012-09-08 17:56 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-09 13:17 1796552 ----a-w- c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-09 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChomikBox"="c:\program files\ChomikBox\chomikbox.exe" [2012-02-22 5951488]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-08-20 896400]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-09 997320]
"ROC_ROC_JULY_P1"="c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-08-29 1022048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-11-9 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\MocaFlix\sprotector.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChomikBox]
2012-02-22 14:27 5951488 ----a-w- c:\program files\ChomikBox\chomikbox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2012-04-17 15:19 3671872 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2008-04-15 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-15 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-09-12 15:19 947176 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-15 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2012-09-23 13:04 15512424 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2012-09-23 13:04 108392 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2012-09-23 14:28 1634112 ----a-w- c:\program files\NVIDIA Corporation\nview\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-15 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-15 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2012-08-17 04:41 336992 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ROC_ROC_JULY_P1]
2012-08-29 13:22 1022048 ----a-w- c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ROC_roc_ssl_v12]
2012-08-20 20:09 1020512 ----a-w- c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-04-24 06:51 20065896 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 11:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-08-20 19:46 896400 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
2012-11-09 13:17 997320 ----a-w- c:\program files\AVG Secure Search\vprot.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Paradox Interactive\\Majesty 2\\Majesty2.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\THQ\\Saints Row The Third\\saintsrowthethird.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-08-20 26984]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-08-20 242240]
R1 MpKsla5561235;MpKsla5561235;c:\documents and settings\All Users\Dane aplikacji\Microsoft\Microsoft Antimalware\Definition Updates\{82D8D36F-F342-4E5B-B665-6A87D4209EC8}\MpKsla5561235.sys [2012-11-24 29904]
R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [2012-11-09 711112]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-07-13 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-07-16 1691480]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\docume~1\User\USTAWI~1\Temp\RarSFX0\kerneld.wnt --> c:\docume~1\User\USTAWI~1\Temp\RarSFX0\kerneld.wnt [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-11-14 27064]
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*NewlyCreated* - MPKSLA5561235
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-11-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 12:25]
.
2012-11-24 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-10-08 13:30]
.
2012-11-21 c:\windows\Tasks\DLL-files.com Fixer_UPDATES.job
- c:\program files\Dll-Files.com Fixer\DLLFixer.exe [2012-11-17 11:41]
.
2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-10 17:59]
.
2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-10 17:59]
.
2012-11-24 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 15:25]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://isearch.avg.com/?cid={D10A57C6-6CA4-4C42-9187-D23C80D8CEAE}&mid=08d82074dd0147d08623d1d961010e6b-8eafb470bd812d53c18b62333d26c5c8a3a9ba5e&lang=pl&ds=st011&pr=sa&d=2012-08-20 22:09&v=13.2.0.5&sap=hp
mStart Page = hxxp://websearch.mocaflix.com/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Wyślij &do programu OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\s0l9p11o.default\
FF - prefs.js: browser.search.selectedEngine - WebSearch
FF - prefs.js: browser.startup.homepage - hxxp://websearch.mocaflix.com/
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.mocaflix.com/?l=1&q=
FF - prefs.js: keyword.URL - hxxp://websearch.mocaflix.com/?l=1&q=
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-Adobe Photoshop 7.0 CE - c:\windows\ISUN0415.EXE
AddRemove-{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2487367 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2656351 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2604121 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656351 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656368v2 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656405 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2686827 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2729449 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2737019 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-24 19:21
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...  
.
skanowanie ukrytych wpisów autostartu ... 
.
skanowanie ukrytych plików ...  
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\docume~1\User\USTAWI~1\Temp\RarSFX0\kerneld.wnt"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Czas ukończenia: 2012-11-24  19:22:20
ComboFix-quarantined-files.txt  2012-11-24 18:22
.
Przed: 124 434 571 264 bajtów wolnych
Po: 124 596 858 880 bajtów wolnych
.
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7578535A4B3BBAB854009792480F6013

AdwCleaner Log

# AdwCleaner v2.009 - Logfile created 11/24/2012 at 19:24:17
# Updated 24/11/2012 by Xplode
# Operating system : Microsoft Windows XP Dodatek Service Pack 3 (32 bits)
# User : User - PC-ACF0AA827D1F
# Boot Mode : Normal
# Running from : C:\Documents and Settings\User\Moje dokumenty\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Found : C:\Documents and Settings\All Users\Dane aplikacji\AVG Secure Search
Folder Found : C:\Documents and Settings\All Users\Dane aplikacji\InstallMate
Folder Found : C:\Documents and Settings\User\Dane aplikacji\AVG Secure Search
Folder Found : C:\Program Files\AVG Secure Search
Folder Found : C:\Program Files\Common Files\AVG Secure Search

***** [Registry] *****

Key Found : HKCU\Software\AVG Secure Search
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.avg.com/?cid={D10A57C6-6CA4-4C42-9187-D23C80D8CEAE}&mid=08d82074dd0147d08623d1d961010e6b-8eafb470bd812d53c18b62333d26c5c8a3a9ba5e&lang=pl&ds=st011&pr=sa&d=2012-08-20 22:09:13&v=13.2.0.5&sap=hp
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={D10A57C6-6CA4-4C42-9187-D23C80D8CEAE}&mid=08d82074dd0147d08623d1d961010e6b-8eafb470bd812d53c18b62333d26c5c8a3a9ba5e&lang=pl&ds=st011&pr=sa&d=2012-08-20 22:09:13&v=13.2.0.5&sap=nt

*************************

AdwCleaner[R1].txt - [2855 octets] - [24/11/2012 19:24:17]

########## EOF - C:\AdwCleaner[R1].txt - [2915 octets] ##########

Security Check LOG

Results of screen317's Security Check version 0.99.55
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
AVG Security Toolbar
Microsoft Security Essentials
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Java 7 Update 9
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox 15.0.1 Firefox out of Date!
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````

Edited by nasdaq, 24 November 2012 - 02:29 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 20,412 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2012 - 02:40 PM

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\program files\ChomikBox\chomikbox.exe
c:\Program Files (x86)\MocaFlix\sprotector.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChomikBox"=-

Driver::
EverestDriver

Firefox::
FF - ProfilePath - c:\documents and settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\s0l9p11o.default\
FF - prefs.js: browser.search.selectedEngine - WebSearch
FF - prefs.js: browser.startup.homepage - hxxp://websearch.mocaflix.com/
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.mocaflix.com/?l=1&q=
FF - prefs.js: keyword.URL - hxxp://websearch.mocaflix.com/?l=1&q=

ClearJavaCache::


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please let me know what problem persists.

Edited by nasdaq, 24 November 2012 - 02:42 PM.


#5 Freyi

Freyi
  • Topic Starter

  • Members
  • 5 posts

Posted 24 November 2012 - 04:19 PM

Log from AdwCleaner,

# AdwCleaner v2.009 - Logfile created 11/24/2012 at 22:12:23
# Updated 24/11/2012 by Xplode
# Operating system : Microsoft Windows XP Dodatek Service Pack 3 (32 bits)
# User : User - PC-ACF0AA827D1F
# Boot Mode : Normal
# Running from : C:\Documents and Settings\User\Moje dokumenty\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Documents and Settings\All Users\Dane aplikacji\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Dane aplikacji\InstallMate
Folder Deleted : C:\Documents and Settings\User\Dane aplikacji\AVG Secure Search
Folder Deleted : C:\Program Files\AVG Secure Search

***** [Registry] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.avg.com/?cid={D10A57C6-6CA4-4C42-9187-D23C80D8CEAE}&mid=08d82074dd0147d08623d1d961010e6b-8eafb470bd812d53c18b62333d26c5c8a3a9ba5e&lang=pl&ds=st011&pr=sa&d=2012-08-20 22:09:13&v=13.2.0.5&sap=hp --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={D10A57C6-6CA4-4C42-9187-D23C80D8CEAE}&mid=08d82074dd0147d08623d1d961010e6b-8eafb470bd812d53c18b62333d26c5c8a3a9ba5e&lang=pl&ds=st011&pr=sa&d=2012-08-20 22:09:13&v=13.2.0.5&sap=nt --> hxxp://www.google.com

*************************

AdwCleaner[R1].txt - [2984 octets] - [24/11/2012 19:24:17]
AdwCleaner[S1].txt - [3042 octets] - [24/11/2012 22:12:23]

########## EOF - C:\AdwCleaner[S1].txt - [3102 octets] ##########


When I double-click on the Google Chrome icon, it still opens the Websearch Mocafix site, even though my home page is set to Google. When I try to open a new tab from this Mocafix site, it opens the regular Google Chrome home page.



Edited by Freyi, 24 November 2012 - 04:19 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 20,412 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 November 2012 - 09:35 AM

Check your Chrome settings.

Under "On Start up" open the window and remove any reference to the Mocafix site.

Keep me posted.
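The same check can be done by reading Chrome's Preferences file (a JSON document in the profile folder) instead of clicking through the settings UI. The following Python example is added here and is not part of this thread or of any tool used in it; it reports which of the home page, the startup pages, and the default search provider point at one of the hijacker hosts seen in the logs above. The key names `session.restore_on_startup` (4 = open a specific set of pages), `session.startup_urls`, `homepage` and `default_search_provider.search_url` are assumed from Chrome builds of that era, and the sample Preferences content is constructed.

```python
import json
from urllib.parse import urlparse

# Hosts the logs in this thread identify as search-redirect sites.
HIJACK_HOSTS = {"websearch.mocaflix.com", "isearch.avg.com"}

# Constructed sample of a Chrome "Preferences" file, reduced to the keys
# relevant here. It is not taken from the poster's machine. It models the
# situation in the thread: the home page is Google, yet the startup page
# and the default search engine still point at the hijacker.
SAMPLE_PREFERENCES = """
{
  "homepage": "http://www.google.com/",
  "homepage_is_newtabpage": false,
  "session": {
    "restore_on_startup": 4,
    "startup_urls": ["http://websearch.mocaflix.com/"]
  },
  "default_search_provider": {
    "search_url": "http://websearch.mocaflix.com/?l=1&q={searchTerms}"
  }
}
"""


def _host(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def find_hijacked_entries(prefs_text, bad_hosts=HIJACK_HOSTS):
    """Return (setting, url) pairs from a Preferences JSON text whose host
    is in bad_hosts. Key names are assumed from 2012-era Chrome builds."""
    prefs = json.loads(prefs_text)
    hits = []
    homepage = prefs.get("homepage", "")
    if _host(homepage) in bad_hosts:
        hits.append(("homepage", homepage))
    session = prefs.get("session", {})
    # restore_on_startup == 4 is assumed to mean "open a specific set of
    # pages", which is the "On Start up" setting discussed in the thread.
    if session.get("restore_on_startup") == 4:
        for url in session.get("startup_urls", []):
            if _host(url) in bad_hosts:
                hits.append(("session.startup_urls", url))
    search_url = prefs.get("default_search_provider", {}).get("search_url", "")
    if _host(search_url) in bad_hosts:
        hits.append(("default_search_provider.search_url", search_url))
    return hits


if __name__ == "__main__":
    for setting, url in find_hijacked_entries(SAMPLE_PREFERENCES):
        print(f"{setting}: {url}")
```

On a real profile, pass the contents of the Preferences file (close Chrome first, and do not write the file back) instead of the constructed sample.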

#7 Freyi

Freyi
  • Topic Starter

  • Members
  • 5 posts

Posted 25 November 2012 - 12:43 PM

Indeed, websearch mocafix was set as a site to open on start up, so I removed it from the settings, and everything seems fine now. But can I be certain that this mocafix site, this virus or something similar, is permanently removed from my computer?
I'm sorry for the dumb question, I'm not really a computer pro.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 20,412 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 November 2012 - 04:56 PM

It's just a nuisance. It should be fine from now on.
It will not come back.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#9 Freyi

Freyi
  • Topic Starter

  • Members
  • 5 posts

Posted 26 November 2012 - 08:56 AM

Alright, thank you very much for your help :)



