browser hijacked by ViauddiXi and SearchNewTab


  • This topic is locked
14 replies to this topic

#1 BaconFace

  • Members
  • 8 posts

Posted 27 April 2013 - 09:28 AM

Hello, Bleepers! Thanks for being here. I really need help. 
 
What I caught:
A few days back, I allowed what looked like a legit video streaming site--showing a PBS documentary, of all things--to install a new codec for its proprietary video format.
 
HUGE mistake. Up popped two browser add-ons that have infested all three browsers (IE, Chrome, Firefox). I am terrified of both of them. What are they secretly doing?
 
One is called SearchNewTab, and it likes to hijack the homepage and new tab page and send it to a page that looks like this one: hxxp://websearch.youwillfind.info/?r=2013/04/26 (FYI: link borrowed from another post, not my infestation). The other is called ViauddiXi. No idea what it does. But the video player was the ViddiX player, so perhaps it's playing off that name.
 
In IE, they show up in the Toolbars and Extensions section and the Disable button is, ironically, disabled. They are still there. 
In Firefox, I removed them through the normal extensions menu, but I have a suspicion they are still active.
In Chrome, I deleted them via the extensions menu and manually reset my homepage away from YouWillFind. Don't know if they're still active or not, but Chrome keeps crashing randomly even after a full uninstall/reinstall.
 
What I've done so far (much of which was probably in the wrong order and none of which worked):
- I did a full scan with Microsoft Security Essentials -- No effect.
- I found file folders for both items in my ProgramData folder and ran their uninstallers. -- No effect. 
- I then deleted those folders manually. -- No effect. 
- Did a full scan with Revo Uninstaller. It found them both and claimed to have deleted them. But they're still there.
- I disabled MSE and did Flash, Quick, and Full scans with Malwarebytes. The first two found some things, but deleting those things had absolutely no effect on these two add-ons. Might have been something else entirely. 
- I found this site and a thread with a similar-sounding infection. Which led to . . . 
- I ran Defogger. Then Security Check. Then DDS. 
- I ran AdwCleaner. It found several items in IE and Firefox, but none in Chrome. 
- I ran RogueKiller. It found some registry stuff and deleted/replaced it. 
- I started up IE again, and although the homepage is no longer hijacked, the extensions are still there in the menu, operating invisibly behind the scenes (which is why I wonder if they're still in Firefox and Chrome as well). Mocking me. Then I cried a little and started to write this post. 
 
I'll insert a pile of reports below. Thanks in advance for any advice anyone can offer. I'm about two more failures away from a complete reformat and reinstall.
 
 
Defogger: -------------------------------------------------------------------------------------------------------
 
 
 
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 06:05 on 27/04/2013 (Eric)
 
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
 
Checking for services/drivers...
 
 
-=E.O.F=-
 
 
Security Check: ------------------------------------------------------------------------------------------------
 
 
Results of screen317's Security Check version 0.99.63  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
  (On Access scanning disabled!) 
 Error obtaining update status for antivirus!
`````````Anti-malware/Other Utilities Check:`````````
 SpyroPortalDriver     
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 21  
 Adobe Flash Player 11.6.602.180  
 Mozilla Firefox 17.0.1 Firefox out of Date!
 Google Chrome 26.0.1410.64  
````````Process Check: objlist.exe by Laurent````````
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 
 
 
DDS-------------------------------------------------------------------------------------------------------------
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.21.2
Run by Eric at 6:15:45 on 2013-04-27
#Option Extended Search is enabled.
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3070.1846 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\ibmpmsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGCA.EXE
C:\Users\Eric\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Users\Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k defragsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US
uWindow Title = Internet Explorer, enhanced for Bing and MSN
mStart Page = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US
BHO: SearchNewTab: {20E0E3AF-C2DA-E4DF-9F07-31F6213EDC88} - 
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ViauddiXi: {D03FD3E6-7FAF-4412-535D-9617616CF0C3} - 
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Epson Stylus NX420(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatigca.exe /fu "c:\windows\temp\E_SAD9.tmp" /EF "HKCU"
uRun: [Spotify Web Helper] "c:\users\eric\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\eric\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{EDAAD3E2-C11E-4CEB-9BB6-07805D557200} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{EDAAD3E2-C11E-4CEB-9BB6-07805D557200}\242716473686562713 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{EDAAD3E2-C11E-4CEB-9BB6-07805D557200}\24271647368684F6D65653 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{EDAAD3E2-C11E-4CEB-9BB6-07805D557200}\26D22656C6B696E6 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{EDAAD3E2-C11E-4CEB-9BB6-07805D557200}\4456C66696E616D2745756374725F6F6D6D275966496 : DHCPNameServer = 4.2.2.1
TCP: Interfaces\{EDAAD3E2-C11E-4CEB-9BB6-07805D557200}\E4567784F6573756 : DHCPNameServer = 192.168.3.1
AppInit_DLLs= c:\progra~1\websea~1\sprote~1.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\1zpuek4y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US&l=1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US&l=1&q=
FF - plugin: c:\program files\aspera\aspera connect\lib\npasperaweb.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-4-26 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-4-26 701512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-4-26 22856]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 100328]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [2009-7-24 9472]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-4-24 14848]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2013-4-24 24064]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-4-24 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-4-24 27136]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-11-16 1343400]
.
=============== Created Last 60 ================
.
2067-05-27 22:16:26 1249280 ----a-w- c:\program files\microsoft games\impossible creatures\InsectMod.dll
2067-05-22 05:35:22 106496 ----a-w- c:\program files\microsoft games\impossible creatures\Filesystem.dll
2013-04-27 02:13:05 6906960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{32456063-8656-401b-af71-40cd28da37b2}\mpengine.dll
2013-04-27 01:40:44 -------- d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2013-04-27 01:40:36 -------- d-----w- c:\programdata\Malwarebytes
2013-04-27 01:40:35 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-27 01:40:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-26 03:18:47 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-25 15:26:23 6906960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-04-24 15:05:52 247808 ----a-w- c:\windows\system32\schannel.dll
2013-04-24 15:05:52 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-04-24 15:05:51 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2013-04-24 15:05:51 1039360 ----a-w- c:\windows\system32\lsasrv.dll
2013-04-24 14:33:48 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-24 03:18:48 -------- d-----w- c:\programdata\SoftSafe
2013-04-24 03:18:41 -------- d-----w- c:\program files\WebSearch
2013-04-24 03:18:31 -------- d-----w- c:\program files\VaudiX
2013-04-24 03:16:44 -------- d-----w- c:\programdata\InstallMate
2013-04-23 18:06:18 706640 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{61fc72c2-3fe3-4bd5-ab10-864a28569ecd}\gapaengine.dll
2013-04-10 15:09:35 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-04-10 15:09:32 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-10 15:09:28 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 15:09:28 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 15:09:27 69632 ----a-w- c:\windows\system32\smss.exe
2013-04-10 15:09:27 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-06 21:35:38 -------- d-----w- c:\users\eric\appdata\local\IsolatedStorage
2013-04-06 21:33:34 -------- d-----w- c:\users\eric\appdata\roaming\Intuit
2013-04-06 21:30:22 -------- d-----w- c:\program files\common files\Intuit
2013-04-06 21:29:00 -------- d-----w- c:\program files\TurboTax
2013-04-06 21:28:36 -------- d-----w- c:\programdata\Intuit
2013-03-29 05:27:15 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-03-29 05:26:16 -------- d-----w- c:\program files\iPod
2013-03-29 05:26:14 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-03-29 05:26:14 -------- d-----w- c:\program files\iTunes
2013-03-29 05:24:50 -------- d-----w- c:\program files\Bonjour
2013-03-23 20:00:43 -------- d--h--w- c:\windows\msdownld.tmp
2013-03-17 19:32:15 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-11 06:30:37 -------- d-----w- c:\users\eric\appdata\local\Downloaded Installations
2013-03-11 06:30:32 -------- d-----w- c:\program files\FS
2013-02-27 18:00:51 3419136 ----a-w- c:\windows\system32\d2d1.dll
.
==================== Find6M  ====================
.
2013-04-02 10:33:22 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-14 03:20:38 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-14 03:20:38 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-05 16:55:24 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-05 16:55:24 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-21 10:30:16 1766912 ----a-w- c:\windows\system32\wininet.dll
2013-02-21 10:29:39 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-02-21 10:29:37 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-02-21 10:29:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-02-19 12:01:03 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-19 11:10:53 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-02-12 04:48:31 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-20 23:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 23:59:04 100328 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-13 21:17:03 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17:02 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16:42 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12:46 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11:21 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11:08 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11:07 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31:00 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-01-13 20:30:34 906240 ----a-w- c:\windows\system32\FntCache.dll
2013-01-13 20:22:22 1988096 ----a-w- c:\windows\system32\d3d10warp.dll
2013-01-13 20:20:31 293376 ----a-w- c:\windows\system32\dxgi.dll
2013-01-13 20:09:00 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-01-13 20:08:43 220160 ----a-w- c:\windows\system32\d3d10core.dll
2013-01-13 20:08:35 1504768 ----a-w- c:\windows\system32\d3d11.dll
2013-01-13 19:54:01 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2013-01-13 19:53:58 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-01-13 19:53:14 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2013-01-13 19:48:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2013-01-13 19:46:25 1080832 ----a-w- c:\windows\system32\d3d10.dll
2013-01-13 19:43:21 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-01-13 19:02:06 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2013-01-13 18:34:58 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-01-13 17:26:42 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2013-01-04 06:11:21 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-01-04 04:50:52 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-01-03 05:05:20 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 05:04:43 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-12-16 14:13:28 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-13 20:50:38 6112864 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-12-13 20:50:38 45056 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-12-11 13:22:08 72048 ----a-w- c:\windows\system32\ibmpmctl.exe
2012-12-11 13:22:08 51056 ----a-w- c:\windows\system32\ibmpmsvc.exe
2012-12-11 13:22:08 36208 ----a-w- c:\windows\system32\tpinspm.dll
2012-12-11 13:22:08 36040 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys
2012-12-07 12:26:17 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-11-30 04:47:45 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 02:55:25 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:48:41 49152 ----a-w- c:\windows\system32\taskhost.exe
2012-11-22 04:45:03 626688 ----a-w- c:\windows\system32\usp10.dll
2012-11-20 04:51:09 220160 ----a-w- c:\windows\system32\ncrypt.dll
2012-11-09 04:43:04 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-11-09 04:42:49 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 05:11:31 376832 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 04:47:54 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-10-30 15:22:32 232312 ----a-w- c:\windows\system32\drivers\e1e6232.sys
.
============= FINISH:  6:16:35.34 ===============
 
 
AdwCleaner---------------------------------------------------------------------------------------------------
 
 
# AdwCleaner v2.202 - Logfile created 04/27/2013 at 06:20:27
# Updated 23/04/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Eric - ERIC-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Eric\Desktop\4 adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\END
Folder Deleted : C:\Program Files\Vaudix
Folder Deleted : C:\Program Files\WebSearch
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\SoftSafe
Folder Deleted : C:\Users\Eric\AppData\Local\APN
Folder Deleted : C:\Users\Eric\AppData\Local\TempDir
Folder Deleted : C:\Users\Eric\AppData\LocalLow\AskToolbar
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16537
 
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US --> hxxp://www.google.com
 
-\\ Mozilla Firefox v17.0.1 (en-US)
 
File : C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\1zpuek4y.default\prefs.js
 
Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("browser.search.defaultenginename", "WebSearch");
Deleted : user_pref("browser.search.defaultenginename,S", "WebSearch");
Deleted : user_pref("browser.search.defaulturl", "hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&h[...]
Deleted : user_pref("browser.search.order.1", "WebSearch");
Deleted : user_pref("browser.search.order.1,S", "WebSearch");
Deleted : user_pref("browser.search.selectedEngine,S", "WebSearch");
Deleted : user_pref("extensions.517758216b2c8.scode", "(function(){try{if('aol.com,mail.google.com,premiumrepo[...]
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("keyword.URL", "hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&[...]
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");
 
-\\ Google Chrome v26.0.1410.64
 
File : C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [3789 octets] - [27/04/2013 06:19:14]
AdwCleaner[S1].txt - [3715 octets] - [27/04/2013 06:20:27]
 
########## EOF - C:\AdwCleaner[S1].txt - [3775 octets] ##########
 
 
RogueKiller---------------------------------------------------------------------------------------------
 
 
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Eric [Admin rights]
Mode : Scan -- Date : 04/27/2013 06:27:08
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 4 ¤¤¤
[TASK][SUSP PATH] {8704BB5A-F493-4BC0-90AD-D65FD0825C41} : C:\Users\Eric\Desktop\Xbox Neighborhood Setup\XBSESetup.exe  [x] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] d330d64d3287ec333075fcdbed6fb970
[BSP] 7d8b902d60588154a882ff99478e636b : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE
 
 
RogueKiller [2nd report] --------------------------------------------------------------------------------------
 
 
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Eric [Admin rights]
Mode : Remove -- Date : 04/27/2013 06:30:26
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 4 ¤¤¤
[TASK][SUSP PATH] {8704BB5A-F493-4BC0-90AD-D65FD0825C41} : C:\Users\Eric\Desktop\Xbox Neighborhood Setup\XBSESetup.exe  [x] -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] d330d64d3287ec333075fcdbed6fb970
[BSP] 7d8b902d60588154a882ff99478e636b : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_04272013_02d0630.txt >>
RKreport[1]_S_04272013_02d0627.txt ; RKreport[2]_D_04272013_02d0630.txt
 
---------------------------------------------------------------------------------------------------------------
 
That's it for now! Thanks again.

Edited by Orange Blossom, 27 April 2013 - 10:27 AM.
Deactivated link. ~ OB
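The DDS log above shows the three places this kind of hijacker persists: two BHO entries registered under a CLSID but with no DLL path behind them (the "still there but Disable is greyed out" symptom in IE's Manage Add-ons), the IE start pages and Firefox search prefs pointed at the websearch host, and an AppInit_DLLs value, which Windows loads into every process that links user32.dll. The following triage script is an added example written for this thread; it is not code from DDS, AdwCleaner, RogueKiller, ComboFix or any poster. It parses "Pseudo HJT Report" lines and flags those three conditions. The sample report lines are constructed from the log above, and the allow-list of expected search hosts, the function names and the `Finding` type are assumptions of the example.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log for browser-hijacker persistence.

Added example for this thread; not code from DDS, AdwCleaner, RogueKiller, ComboFix or
any poster. It flags:
  * BHO registrations with an empty DLL path (orphaned CLSIDs that outlive an uninstall
    and keep the add-on listed, greyed out, in IE's Manage Add-ons),
  * IE start pages and Firefox URL prefs whose host is not on an allow-list of expected
    search engines (the allow-list is this example's assumption),
  * a populated AppInit_DLLs value, which Windows loads into every user32-linked process.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: lines shaped like the "Pseudo HJT Report" in the DDS log above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US
mStart Page = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US
BHO: SearchNewTab: {20E0E3AF-C2DA-E4DF-9F07-31F6213EDC88} -
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ViauddiXi: {D03FD3E6-7FAF-4412-535D-9617616CF0C3} -
AppInit_DLLs= c:\progra~1\websea~1\sprote~1.dll
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US&l=1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US&l=1&q=
"""

# Hosts a homepage or search pref is expected to point at (assumption of this example).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}
# Firefox prefs that carry a URL; others (e.g. selectedEngine) hold an engine name.
URL_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

BHO_RE = re.compile(r"^BHO:\s*(?P<name>.+?):\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<path>.*)$")
START_RE = re.compile(r"^(?P<scope>[um])Start Page\s*=\s*(?P<url>\S+)$")
FF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<pref>\S+)\s*-\s*(?P<value>\S+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs\s*=\s*(?P<dlls>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "orphaned_bho", "redirected_url" or "appinit_dll"
    where: str   # the registry entry or pref the finding came from
    detail: str  # BHO name, offending host, or injected DLL path


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL that may be defanged (hxxp://) or scheme-less."""
    refanged = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    if "://" not in refanged:
        refanged = "http://" + refanged
    return (urlparse(refanged).hostname or "").lower()


def analyze(report: str) -> List[Finding]:
    """Walk the report line by line and collect persistence findings."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if not m["path"].strip():          # CLSID registered, no DLL behind it
                findings.append(Finding("orphaned_bho", m["clsid"], m["name"]))
            continue
        m = START_RE.match(line)
        if m:
            scope = "HKCU" if m["scope"] == "u" else "HKLM"   # DDS: u = user, m = machine
            host = host_of(m["url"])
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding("redirected_url", f"{scope} Start Page", host))
            continue
        m = FF_RE.match(line)
        if m:
            host = host_of(m["value"])
            if m["pref"] in URL_PREFS and host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding("redirected_url", m["pref"], host))
            continue
        m = APPINIT_RE.match(line)
        if m and m["dlls"].strip():
            findings.append(Finding("appinit_dll", "AppInit_DLLs", m["dlls"].strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'orphaned_bho': 2, 'redirected_url': 4, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

Run against the sample it reports the two orphaned BHOs, four redirected URLs (both IE start pages, `browser.search.defaulturl` and `keyword.URL`; the Google homepage pref passes the allow-list) and the single AppInit_DLLs entry. The orphaned-BHO check is the one that answers the "Disable button is disabled" question: the CLSID key still exists, so the add-on is listed, but there is no DLL to load. The AppInit_DLLs finding is the higher-risk one, since that value is honoured system-wide and not only by browsers, which is why a cleanup that only removes extensions from the browser menus leaves it behind.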



#2 BaconFace

  • Topic Starter
  • Members
  • 8 posts

Posted 27 April 2013 - 12:46 PM

One additional note: the original infection happened the evening of 4/23, despite the fact that the Created Last 60 log in DDS shows a chunk of activity around 3am on 4/24. Perhaps DDS is using a different time zone rather than local machine time? 

 

Also, the thing may have wiped out about ten days of my browser history. Fantastic. 



#3 bloopie

  • Bleepin' Sith Turner
  • Malware Response Instructor
  • 5,385 posts
  • Location: New York

Posted 27 April 2013 - 01:02 PM

Hello BaconFace, and welcome to Bleeping Computer!

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.

==========

It looks like AdwCleaner has already removed your issues and the corresponding registry entries as well:

 

Folder Deleted : C:\Program Files\Vaudix
Folder Deleted : C:\Program Files\WebSearch
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24&hid=1487849986&lg=EN&cc=US --> hxxp://www.google.com

That's a good thing!

 

==========

 

At this point I'd like you to run Combofix to see if we can get those orphaned entries and other leftovers cleaned up:

 

Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.

  • Close any open browsers or any other programs that are open.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

 

 

bloopie



#4 BaconFace

BaconFace
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 27 April 2013 - 05:01 PM

Hello, bloopie! and thanks in advance for the assist. 

 

Here's what Combofix had to say: 

 

 

 

ComboFix 13-04-27.04 - Eric 04/27/2013  14:38:04.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3070.2196 [GMT -7:00]
Running from: c:\users\Eric\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-27 to 2013-04-27  )))))))))))))))))))))))))))))))
.
.
2067-05-27 22:16 . 2011-12-19 04:56 1249280 ----a-w- c:\program files\Microsoft Games\Impossible Creatures\InsectMod.dll
2067-05-22 05:35 . 2003-06-06 00:40 106496 ----a-w- c:\program files\Microsoft Games\Impossible Creatures\Filesystem.dll
2013-04-27 21:48 . 2013-04-27 21:49 -------- d-----w- c:\users\Eric\AppData\Local\temp
2013-04-27 21:48 . 2013-04-27 21:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-27 02:13 . 2013-04-10 03:08 6906960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{32456063-8656-401B-AF71-40CD28DA37B2}\mpengine.dll
2013-04-27 01:40 . 2013-04-27 01:40 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes
2013-04-27 01:40 . 2013-04-27 01:40 -------- d-----w- c:\programdata\Malwarebytes
2013-04-27 01:40 . 2013-04-27 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-27 01:40 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-26 21:03 . 2013-04-26 21:04 -------- d-----w- c:\program files\Google
2013-04-26 03:20 . 2013-04-26 03:20 -------- d-----w- c:\program files\Common Files\Java
2013-04-26 03:18 . 2013-04-04 12:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-25 15:26 . 2013-04-10 03:08 6906960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-24 15:05 . 2012-08-24 17:05 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-04-24 15:05 . 2012-08-24 16:57 247808 ----a-w- c:\windows\system32\schannel.dll
2013-04-24 15:05 . 2012-08-24 17:02 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2013-04-24 15:05 . 2012-08-24 16:56 1039360 ----a-w- c:\windows\system32\lsasrv.dll
2013-04-24 14:33 . 2013-04-12 13:45 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-23 18:06 . 2013-04-23 18:05 706640 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{61FC72C2-3FE3-4BD5-AB10-864A28569ECD}\gapaengine.dll
2013-04-10 15:09 . 2013-03-01 03:09 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-04-10 15:09 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-10 15:09 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 15:09 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 15:09 . 2013-03-19 04:48 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 15:09 . 2013-03-19 02:49 69632 ----a-w- c:\windows\system32\smss.exe
2013-04-06 21:35 . 2013-04-06 21:35 -------- d-----w- c:\users\Eric\AppData\Local\IsolatedStorage
2013-04-06 21:33 . 2013-04-06 21:33 -------- d-----w- c:\users\Eric\AppData\Roaming\Intuit
2013-04-06 21:30 . 2013-04-06 21:31 -------- d-----w- c:\program files\Common Files\Intuit
2013-04-06 21:29 . 2013-04-06 21:29 -------- d-----w- c:\program files\TurboTax
2013-04-06 21:28 . 2013-04-06 21:31 -------- d-----w- c:\programdata\Intuit
2013-03-29 05:27 . 2013-03-29 05:27 -------- dc----w- c:\windows\system32\DRVSTORE
2013-03-29 05:27 . 2012-08-21 20:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-03-29 05:26 . 2013-03-29 05:26 -------- d-----w- c:\program files\iPod
2013-03-29 05:26 . 2013-03-29 05:27 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-03-29 05:26 . 2013-03-29 05:27 -------- d-----w- c:\program files\iTunes
2013-03-29 05:24 . 2013-03-29 05:24 -------- d-----w- c:\program files\Bonjour
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-02 10:33 . 2011-11-17 03:47 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-23 19:58 . 2013-03-23 19:58 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-23 19:58 . 2013-03-23 19:58 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-03-23 19:58 . 2013-03-23 19:58 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-03-23 19:58 . 2013-03-23 19:58 158720 ----a-w- c:\windows\system32\msls31.dll
2013-03-23 19:58 . 2013-03-23 19:58 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-03-23 19:58 . 2013-03-23 19:58 138752 ----a-w- c:\windows\system32\wextract.exe
2013-03-23 19:58 . 2013-03-23 19:58 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-03-23 19:58 . 2013-03-23 19:58 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-23 19:58 . 2013-03-23 19:58 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-03-23 19:58 . 2013-03-23 19:58 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-23 19:58 . 2013-03-23 19:58 12800 ----a-w- c:\windows\system32\mshta.exe
2013-03-23 19:58 . 2013-03-23 19:58 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-23 19:58 . 2013-03-23 19:58 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-03-23 19:58 . 2013-03-23 19:58 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-03-23 19:58 . 2013-03-23 19:58 361984 ----a-w- c:\windows\system32\html.iec
2013-03-23 19:58 . 2013-03-23 19:58 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-23 19:58 . 2013-03-23 19:58 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-14 03:20 . 2012-08-15 05:08 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-14 03:20 . 2011-11-21 23:49 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-05 16:55 . 2012-09-02 03:43 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-05 16:55 . 2011-11-17 06:34 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 04:48 . 2013-03-13 05:51 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 05:51 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32 . 2013-03-17 19:32 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2012-12-11 18:05 . 2012-12-11 18:05 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\Eric\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-03-23 1104280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-19 1314816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2012-3-26 4656632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
GPSvcGroup REG_MULTI_SZ   GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-26 21:04 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 03:20]
.
2013-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-26 21:03]
.
2013-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-26 21:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\1zpuek4y.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{20E0E3AF-C2DA-E4DF-9F07-31F6213EDC88} - c:\programdata\SearchNewTab\51775839aa349.dll
BHO-{D03FD3E6-7FAF-4412-535D-9617616CF0C3} - c:\programdata\ViauddiXi\517758216b3a3.dll
AddRemove-SP_b0285714 - c:\program files\WebSearch\uninstall.exe
AddRemove-{D3C760B3-7AD4-5EB2-6484-CD75ED4BA378} - c:\progra~2\INSTAL~1\{62741~1\Setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-27  14:55:11
ComboFix-quarantined-files.txt  2013-04-27 21:55
.
Pre-Run: 62,850,048,000 bytes free
Post-Run: 63,695,851,520 bytes free
.
- - End Of File - - B86573290F344DEBC5099819B47F4900
 

---------------------------------------------------------------------------------------------------------------------------------------------------------------

 

So, shall I open IE and see if the offending program is still hanging around? 
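As an added example for this thread (not ComboFix's own code, and not something either poster ran), here is a small Python triage helper that parses the Reg Loading Points, Supplementary Scan and ORPHANS REMOVED sections of a ComboFix-style report like the one above and flags the lines a responder would read first. The trusted home-page allowlist and the user-writable path list are assumptions to adjust per case; the sample log is constructed from lines in this thread, with the machine-wide start page set to the hijacked value AdwCleaner reported earlier so the check has something to flag.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix report posted in this thread.
# mStart Page carries the hijacked value AdwCleaner reported earlier in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\Eric\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-03-23 1104280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com
mStart Page = hxxp://websearch.helpmefindyour.info/?pid=320&r=2013/04/24
- - - - ORPHANS REMOVED - - - -
BHO-{20E0E3AF-C2DA-E4DF-9F07-31F6213EDC88} - c:\programdata\SearchNewTab\51775839aa349.dll
BHO-{D03FD3E6-7FAF-4412-535D-9617616CF0C3} - c:\programdata\ViauddiXi\517758216b3a3.dll
AddRemove-SP_b0285714 - c:\program files\WebSearch\uninstall.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------
"""

# Section banners look like '(((( Name ))))', '------- Name -------' or '- - - - Name - - - -'.
SECTION_RE = re.compile(r"^(?:\({3,}|-{3,}|(?:- ){3,})\s*(.+?)\s*(?:\){3,}|-{3,}|(?: -){3,})$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[\d{4}-\d{2}-\d{2} \d+\]$')
ORPHAN_RE = re.compile(r"^(BHO|AddRemove)-(\S+) - (.+)$")
START_RE = re.compile(r"^([um])Start Page = (.+)$")


@dataclass
class Triage:
    run_entries: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, name, path)
    start_pages: Dict[str, str] = field(default_factory=dict)             # 'u'/'m' -> URL
    orphans: List[Tuple[str, str, str]] = field(default_factory=list)      # (kind, id, path)


def parse_combofix(text: str) -> Triage:
    # Single pass over the log, remembering the current section and registry key.
    result = Triage()
    section = ""
    current_key = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":          # ComboFix pads sections with '.' lines
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1).lower()
            current_key = ""
            continue
        if section == "reg loading points":
            if (m := KEY_RE.match(line)):
                current_key = m.group(1)
            elif current_key.lower().endswith("\\run") and (m := VALUE_RE.match(line)):
                result.run_entries.append((current_key, m.group(1), m.group(2)))
        elif section == "supplementary scan":
            if (m := START_RE.match(line)):
                result.start_pages[m.group(1)] = m.group(2)
        elif section == "orphans removed":
            if (m := ORPHAN_RE.match(line)):
                result.orphans.append((m.group(1), m.group(2), m.group(3)))
    return result


# Assumptions to adjust per case: home pages considered legitimate, and path
# fragments that mean "user-writable", which is where adware and hijackers usually live.
TRUSTED_HOMEPAGES = {"www.google.com", "www.bing.com"}
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def host_of(url: str) -> str:
    # ComboFix defangs URLs as hxxp://; strip either scheme and keep only the host.
    return re.sub(r"^h(?:tt|xx)ps?://", "", url, flags=re.I).split("/", 1)[0].lower()


def triage(t: Triage) -> List[str]:
    # Heuristics, not verdicts: these point a human at the lines worth reading first.
    findings: List[str] = []
    for scope, url in sorted(t.start_pages.items()):
        if host_of(url) not in TRUSTED_HOMEPAGES:
            who = "per-user" if scope == "u" else "machine-wide"
            findings.append(f"{who} IE start page set to {host_of(url)}")
    for kind, ident, path in t.orphans:
        if kind == "BHO" and any(p in path.lower() for p in USER_WRITABLE):
            findings.append(f"orphaned BHO {ident} loaded from user-writable path {path}")
    for key, name, path in t.run_entries:
        if any(p in path.lower() for p in USER_WRITABLE):
            findings.append(f"autorun '{name}' under {key} runs from user-writable path {path}")
    return findings
```

Running `triage(parse_combofix(open("ComboFix.txt").read()))` on a real report gives the same kind of list; a legitimate program launched from AppData (Spotify here) will be listed too, which is the point: those are the entries to look at, not automatic verdicts.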



#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Instructor
  • 5,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:01:13 AM

Posted 27 April 2013 - 08:44 PM

Hello again,
 
Combofix did take care of the entries I had targeted, so how is the computer running now?
 

So, shall I open IE and see if the offending program is still hanging around?

Yes, please do!
 
==========
 
Now, for some follow ups:
 
Step 1:
 
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
==========
 
Step 2:
 
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed antivirus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on the button shown.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button shown.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Now click on the button shown.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
 
 
==========
 
In your next reply, please include the following:
  • The JRT log
  • The ESET log
bloopie

#6 BaconFace

BaconFace
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 28 April 2013 - 11:27 PM

Okay! Sorry about the delayed response. 

 

So, I fired up IE and indeed, the suspect entries are not showing in the Extensions list any more. Hallelujah!

 

Here are the logs you requested: 

 

 

JRT------------------------------------

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.1 (04.27.2013:1)
OS: Windows 7 Ultimate x86
Ran by Eric on Sat 04/27/2013 at 21:35:23.42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.1049.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.1049.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Emptied folder: C:\Users\Eric\AppData\Roaming\mozilla\firefox\profiles\1zpuek4y.default\minidumps [4 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 04/27/2013 at 21:36:58.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

ESET Online Scanner: _______________________________________________________________

 

 

C:\Users\Eric\Documents\Downloads\Shout_?_In_Your_Face_(1989)_downloader_us_99308.exe a variant of Win32/ExpressFiles.B application
C:\Users\Eric\Documents\Downloads\VaudiX (1).exe Win32/InstalleRex.I application
C:\Users\Eric\Documents\Utilities\SiSoft Sandra\cbsidlm-tr1_8-SiSoftware_Sandra-SEO2-10556571.exe Win32/DownloadAdmin.E application
C:\Users\Eric\Documents\Utilities\tools - Foxit PDF Reader\FoxitReader510.1021_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Eric\Documents\Utilities\tools - SUMO\sumo.exe multiple threats
C:\Users\Eric\Documents\Utilities\video - AllConverter Pro\cnet2_ALLConverterPRO_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Eric\Documents\Utilities\video - KMPlayer\cnet2_KMPlayer_EN_3_0_0_1442_R2_exe.exe a variant of Win32/InstallCore.D application
 

 

-----------------------------------------------------------------------------------

 

I have a couple questions, if you don't mind.   

 

1. - About that last report: I didn't have it repair any of those things. Should I have? I suspect I should manually delete those exe files in the downloads folder, but do you think the other stuff should go as well? Or is it just identifying junkware that they try to install alongside themselves, and the desired software is safe to use once installed?

 

2. - Going back a post, I noticed the locked registry key described as "BlindDial" in the ComboFix report, which appears to be locked to all users but open to a specific mystery program. Is that anything I should worry about? I got an email from my ISP saying it appeared that a bot was active on my computer, and I would love to feel confident that it was un-botted.  

 

I've been too paranoid to use the computer for anything personal in the meantime, so I can't tell you how well it's running, but Chrome seems stable again, so as long as it's not beaming all our important info into the world, I consider it a win. 

 

3. - Anything else? If not, could you please tell me if there's anything I have to do other than A) re-enable Microsoft Security Essentials and B) run Defogger again to enable whatever it disabled?

 

Thanks in advance!



#7 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Instructor
  • 5,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:01:13 AM

Posted 29 April 2013 - 03:28 PM

Hello again,
 

1. - About that last report: I didn't have it repair any of those things. Should I have? I suspect I should manually delete those exe files in the downloads folder, but do you think the other stuff should go as well? Or is it just identifying junkware that they try to install alongside themselves, and the desired software is safe to use once installed?

No, you have done exactly what I instructed you to.  :thumbup2:  I will instruct you to remove the ESET scan items with a batch below.
 

2. - Going back a post, I noticed the locked registry key described as "BlindDial" in the ComboFix report, which appears to be locked to all users but open to a specific mystery program. Is that anything I should worry about? I got an email from my ISP saying it appeared that a bot was active on my computer, and I would love to feel confident that it was un-botted.

The locked registry key on your machine is related to your modem's settings. Your "Blind Dial" is set to off which, in this case, means that your modem will wait for a dial tone before dialing. If you're using a broadband connection then this setting bears no impact on your system.
 
And there is no evidence, nor is there any sign of a bot present on your machine according to your logs. I don't think your ISP has someone trained in remotely finding bots on your computer. Ask them to provide their proof and let me know what they tell you.
 
I wouldn't be too worried about using your computer. Your machine should be secure as you didn't have any rootkits or backdoor trojans on board. Use your computer and let me know if you have any remaining issues.
 

3. - Anything else? If not, could you please tell me if there's anything I have to do other than A) re-enable Microsoft Security Essentials and B) run Defogger again to enable whatever it disabled?

When I give you my "all clean" speech, it will contain the instructions to uninstall programs, run defogger, and provide some useful information for you to keep your computer safe for the future. Not to worry.
 
You may re-enable your Microsoft Security Essentials whenever you're not running a scan with ESET or Combofix. You will need to disable it one more time when we uninstall Combofix later. But let's not get ahead of ourselves. Now to remove the ESET scan results with a batch, and then some updates:
 
Step 1:

  • Hold the "Windows" key and press "R" to open the runbox and type in notepad and click Ok.
  • Copy the text in the code box below then paste it into the blank Notepad and save it to your Desktop as DelFile.bat
@echo off
del /f /s /q "C:\Users\Eric\Documents\Downloads\Shout_?_In_Your_Face_(1989)_downloader_us_99308.exe"
del /f /s /q "C:\Users\Eric\Documents\Downloads\VaudiX (1).exe"
del /f /s /q "C:\Users\Eric\Documents\Utilities\SiSoft Sandra\cbsidlm-tr1_8-SiSoftware_Sandra-SEO2-10556571.exe"
del /f /s /q "C:\Users\Eric\Documents\Utilities\tools - Foxit PDF Reader\FoxitReader510.1021_enu_Setup.exe"
del /f /s /q "C:\Users\Eric\Documents\Utilities\tools - SUMO\sumo.exe"
del /f /s /q "C:\Users\Eric\Documents\Utilities\video - AllConverter Pro\cnet2_ALLConverterPRO_exe.exe"
del /f /s /q "C:\Users\Eric\Documents\Utilities\video - KMPlayer\cnet2_KMPlayer_EN_3_0_0_1442_R2_exe.exe"
 
del %0
  • The batch file should now look like this (screenshot) in Windows Vista/7 and like this (screenshot) in Windows XP.
  • Now double click on the DelFile.bat on your Desktop and the batch will quickly run and delete itself for you.
  • Now reboot the machine.

==========
 
Step 2:
 
Now please update your Malwarebytes Antimalware (MBAM), then run a quick scan (remove anything it finds!) and post the resultant log in your next reply.
 
==========
 
Step 3:
 
Your version of Internet Explorer is outdated.

==========
 
Now this part is not really mission critical, but it's worth noting that your Security Check log shows your hard drive is pretty well fragmented. It would be wise to run the disk defragmenter either overnight or if you have a couple of hours (it may take some time). Your hard drive has to work very hard when the disc has fragments scattered all over, so it's a good maintenance procedure to run once in a while.
 
==========
 
Let me know if you had any trouble with the above steps and post the MBAM log in your next reply. We're nearly finished! :)
 
bloopie



#8 BaconFace

BaconFace
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 29 April 2013 - 04:40 PM

Here's the Malwarebytes report:

 

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.04.29.09
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16540
Eric :: ERIC-LAPTOP [administrator]
 
Protection: Disabled
 
4/29/2013 2:18:09 PM
mbam-log-2013-04-29 (14-18-09).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206305
Time elapsed: 5 minute(s), 46 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 

--------------------------------------

 

I downloaded the IE at the link you posted, but it claims it can't install because it's older than the version on my system (which is 10.0.9200.16540IS, update version 10.0.4). I have it set for automatic updates, apparently, though I usually just use Chrome. 

 

Defragging underway. 

 

Thank you!

 

-E



#9 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Instructor
  • 5,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:01:13 AM

Posted 29 April 2013 - 05:11 PM

Hello again,
 

Thank you!

It's my pleasure!
 

it can't install because it's older than the version on my system

Okay, that's no problem...your first Security Check log showed your IE version was 9, but if you're up to 10 now, then you're all good!
 
 

Defragging underway.

Excellent! When that completes, then I have some good news for you:

Your machine appears to be clean! :thumbsup:

Let's do some housekeeping now:



The following steps will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.


Step 1:

DeFogger:

Note** This only needs to be run if it was run before - If not then skip it.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.

==========

Step 2:

Uninstall ComboFix:
  • Turn off all active protection software.
  • Hold the "Windows" key and press "R" to open the runbox, then copy/paste ComboFix /Uninstall into the box and click Ok.
  • Note the space between the X and the /Uninstall, it needs to be there.


==========

Step 3:

Uninstall adwCleaner:
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.
==========

Step 4:

Download and Run OTC:

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista or Windows 7, please right-click and choose Run as administrator.
  • Then click the big CleanUp button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Any programs and logs that are left over you can just delete from the desktop.


Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine :thumbup2:


Useful information!
Below is some more information and useful tools and tips about how to keep your computer safe in the future.



The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and to avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:
  • Avast (home use only)
  • Avira (shows nag screen to purchase full product when updating, home use only)
That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

If you want more information on the methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

Please respond to this post so I can close the thread unless you have any other questions.


Best of regards, and happy surfing!! :wink:

bloopie
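An added example, not part of bloopie's post and not one of the BleepingComputer tools used in this thread: a Windows PowerShell script that checks the three layers listed above on the repaired machine, namely third-party software that is below a minimum version, the Windows Firewall state per profile, and whether any antivirus product is registered with Security Center. The minimum version numbers and the product-name prefixes they are matched against are placeholder assumptions for illustration, not vendor-published values, and the prefix match is deliberately coarse (for example, "Java" also matches "Java Auto Updater"); the Security Center WMI namespaces exist on client editions of Windows only.

```powershell
# Added example, not from the original post. Audits the three defensive layers
# described above: patched third-party software, Windows Firewall, antivirus.
# Run from an elevated Windows PowerShell prompt.

# ASSUMPTION: these minimum versions are placeholders for illustration, not
# vendor-published numbers. Replace them with the current release versions.
$MinimumVersions = @{
    'Adobe Reader'       = [version]'11.0.0'
    'Adobe Flash Player' = [version]'11.7.0'
    'Java'               = [version]'7.0.21'
}

function Get-InstalledSoftware {
    # Enumerates Programs and Features entries from both uninstall hives;
    # the Wow6432Node path is simply absent on 32-bit Windows.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Test-OutdatedSoftware {
    param([hashtable]$Minimums)
    foreach ($app in Get-InstalledSoftware) {
        foreach ($name in $Minimums.Keys) {
            if ($app.DisplayName -notlike "$name*") { continue }
            # DisplayVersion is free text: keep only digits and dots and try to
            # parse. Unparseable strings are reported so they get checked by hand.
            $installed = $null
            try { $installed = [version]($app.DisplayVersion -replace '[^\d.]', '') } catch { }
            if (-not $installed -or $installed -lt $Minimums[$name]) {
                New-Object PSObject -Property @{
                    Name      = $app.DisplayName
                    Installed = $app.DisplayVersion
                    Minimum   = $Minimums[$name].ToString()
                }
            }
        }
    }
}

function Test-FirewallEnabled {
    # Windows Firewall keeps one EnableFirewall DWORD per profile under this key
    # (present since XP SP2; PublicProfile appears on Vista and later).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Get-ItemProperty -Path "$base\$profile" -ErrorAction SilentlyContinue
        if ($key -ne $null) {
            New-Object PSObject -Property @{
                Profile = $profile
                Enabled = ($key.EnableFirewall -eq 1)
            }
        }
    }
}

function Get-RegisteredAntivirus {
    # Security Center registrations (client editions of Windows only):
    # root\SecurityCenter2 on Vista and later, root\SecurityCenter on XP.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($products) {
            # productState packs enabled/up-to-date flags whose layout differs by
            # Windows version and vendor, so it is shown raw rather than decoded.
            return $products | Select-Object displayName, productState
        }
    }
}

Write-Host '== Third-party software below the assumed minimum version =='
Test-OutdatedSoftware -Minimums $MinimumVersions | Format-Table -AutoSize

Write-Host '== Windows Firewall profiles =='
Test-FirewallEnabled | Format-Table -AutoSize

Write-Host '== Antivirus products registered with Security Center =='
$av = Get-RegisteredAntivirus
if ($av) { $av | Format-Table -AutoSize } else { Write-Host 'None registered (or not a client edition of Windows).' }
```

A product that is installed but missing from the Security Center list, or a firewall profile that reports Enabled = False, is worth investigating: both are things the add-ons described in this thread could not have changed without running with the user's privileges, which is the point of the first paragraph above.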

#10 BaconFace

BaconFace
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 30 April 2013 - 11:28 AM

Feeling good about this!

Quick question: Defogger didn't ask me to restart the computer, so I clicked Re-enable again and it gave me a stern message NOT to click re-enable again unless someone smarter than me said to. So . . . should I? Or no?



#11 BaconFace

BaconFace
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 30 April 2013 - 12:10 PM

If it helps, here's a log file it created.

defogger_enable by jpshortstuff (23.02.10.1)
Log created at 09:26 on 30/04/2013 (Eric)
 
Parsing file...
 
 
-=E.O.F=-


#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Instructor
  • 5,385 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:13 AM

Posted 30 April 2013 - 01:55 PM

Hi again,

Did Defogger display the "Finished!" message? If so, you should be fine. You can always reboot the machine and run the tool again to make sure the drivers are re-enabled.

 

bloopie



#13 BaconFace

BaconFace
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 30 April 2013 - 11:14 PM

Looks like I'm all clear! Thanks again for all your help! You saved me a full reinstall, and I learned a few things. Double-win.



#14 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Instructor
  • 5,385 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:13 AM

Posted 01 May 2013 - 08:33 AM

It was my pleasure, and I'm glad I could help! :)

Stay safe!

~bloopie



#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Instructor
  • 5,385 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:13 AM

Posted 01 May 2013 - 08:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



