caught the savenshare and searchnewtab virus


  • This topic is locked
16 replies to this topic

#1 Ruby3

Ruby3

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 21 August 2013 - 08:48 PM

Hello, I am looking for help in removing these programs, which have malware in them.

I posted a similar thread in the other forum around last week but it never got a response:

http://www.bleepingcomputer.com/forums/t/504642/unable-to-remove-savenshare-and-searchnewtab/

thanks


#2 nasdaq

nasdaq

  • Malware Response Team
  • 20,851 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:10 AM

Posted 22 August 2013 - 09:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Search for and delete the AdWare/PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 Ruby3

Ruby3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 22 August 2013 - 12:15 PM

Hello nasdaq, thanks for your help

Here are the 3 logs:

Adware Cleaner Log:

# AdwCleaner v3.000 - Report created 22/08/2013 at 11:31:09
# Updated 20/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : JinPC - PCJIN
# Running from : C:\Documents and Settings\JinPC\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\All Users\Start Menu\Programs\eBay.lnk
File Found : C:\Documents and Settings\JinPC\Application Data\Mozilla\Firefox\Profiles\icjieoj8.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
File Found : C:\Documents and Settings\JinPC\Application Data\Mozilla\Firefox\Profiles\icjieoj8.default\searchplugins\SweetIm.xml
File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\WINDOWS\system32\ImhxxpComm.dll
Folder Found : C:\Documents and Settings\JinPC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Found : C:\Documents and Settings\JinPC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Folder Found C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Found C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Found C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found C:\Documents and Settings\JinPC\Application Data\AVG Secure Search
Folder Found C:\Documents and Settings\JinPC\Local Settings\Application Data\AVG Secure Search
Folder Found C:\Documents and Settings\JinPC\Local Settings\Application Data\Conduit
Folder Found C:\Program Files\AVG Secure Search
Folder Found C:\Program Files\Common Files\AVG Secure Search
Folder Found C:\Program Files\SweetIM
Folder Found C:\Program Files\Viewpoint

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\SProtector
Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\WNLT
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\Software\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BF0118D4-63FF-4138-9327-F3028FB1A578}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\SP Global
Key Found : HKLM\Software\SProtector
Key Found : HKLM\Software\Viewpoint
Key Found : HKLM\Software\WNLT
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\ARFC\wrtc.exe]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={514DBC01-0AC9-11E3-8F69-0018391A3295}
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs] - hxxp://isearch.avg.com/tab?cid={CD3AF2B6-B8F2-4291-BB72-F88E66C45975}&mid=8cb22575803075d34ef95d7b44479d3c-21de821f88e66489dfa31310fe364b5db78423e5&lang=en&ds=AVG&pr=fr&d=2012-01-25 14:37:43&pid=avg&sg=0&v=15.5.0.2&sap=nt

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Documents and Settings\JinPC\Application Data\Mozilla\Firefox\Profiles\icjieoj8.default\prefs.js ]

Line Found : user_pref("aol_toolbar.default.homepage.check", false);
Line Found : user_pref("aol_toolbar.default.search.check", false);
Line Found : user_pref("avg.install.installDirPath", "C:\\Documents and Settings\\All Users\\Application Data\\AVG Secure Search\\FireFoxExt\\15.5.0.2");
Line Found : user_pref("avg.userPreferences.URLBarFocus.whiteList", "bing\\.com|google\\.\\w+|yahoo\\.\\w+|gmail\\.\\w+|hotmail\\.\\w+|live\\.\\w+|isearch\\.avg\\.com|mysearch\\.avg\\.com");
Line Found : user_pref("browser.search.order.1", "WebSearch");
Line Found : user_pref("browser.search.order.1,S", "WebSearch");
Line Found : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Line Found : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Line Found : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,optimizegoogle%40optimizegoogle.com:0.79.1,%7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0,%7B34712C68-7391-4c47-94F3-8F88D49[...]
Line Found : user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"{20a82645-c095-46ed-80e3-08825760534b}\":{\"descriptor\":\"c:\\\\WINDOWS\\\\Microsoft.NET\\\\Framework\\\\v3.5\\\\W[...]
Line Found : user_pref("keyword.URL", "hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={514DBC01-0AC9-11E3-8F69-0018391A3295}&q=");
Line Found : user_pref("plugin.blocklisted.npviewpoint", true);
Line Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.defaulturl", "hxxp://websearch.simplesearches.info/?pid=377&r=2013/08/16&hid=609948256&lg=EN&cc=US&unqvl=31&l=1&q=");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Line Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxp://google.com");
Line Found : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Line Found : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Found : user_pref("sweetim.toolbar.searchguard.enable", "");
Line Found : user_pref("sweetim.toolbar.urls.homepage", "hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={514DBC01-0AC9-11E3-8F69-0018391A3295}");

-\\ Google Chrome v

[ File : C:\Documents and Settings\JinPC\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Found : homepage

*************************

AdwCleaner[R0].txt - [14373 octets] - [22/08/2013 11:31:09]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [14434 octets] ##########

Junk Removal Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.4 (08.22.2013:1)
OS: Microsoft Windows XP x86
Ran by JinPC on Thu 08/22/2013 at 11:45:01.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\updater by sweetpacks
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2786678



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"



~~~ FireFox

Successfully deleted the following from C:\Documents and Settings\JinPC\Application Data\mozilla\firefox\profiles\icjieoj8.default\prefs.js

user_pref("extensions.optimizegoogle.cookies.SafeSearch", "empty");
user_pref("extensions.optimizegoogle.cookies.enableSafeSearch", false);
user_pref("extensions.vidbar.search_searchbox_welcomeshown", true);
Emptied folder: C:\Documents and Settings\JinPC\Application Data\mozilla\firefox\profiles\icjieoj8.default\minidumps [2 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 08/22/2013 at 11:48:08.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DDS Log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.9.2
Run by JinPC at 11:53:12 on 2013-08-22
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1529 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\PdaNet for Android\PdaNetPC.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - <orphaned>
BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Google Update] "c:\documents and settings\jinpc\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
StartupFolder: c:\docume~1\jinpc\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
StartupFolder: c:\docume~1\jinpc\startm~1\programs\startup\pinmclnk.lnk - c:\hp\bin\cloaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1354149290031
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{C789FDA2-C7C8-4B12-B220-4013C62D1CE2} : DHCPNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jinpc\application data\mozilla\firefox\profiles\icjieoj8.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\documents and settings\jinpc\local settings\application data\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: !HIDDEN! 2012-08-13 12:18; [email protected]; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 302368]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-5 37664]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2013-8-7 13440]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2013-8-7 9472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [2010-8-15 11392]
S2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.5.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\15.5.0\ToolbarUpdater.exe [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2012-8-15 33792]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2012-12-25 95304]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-9 14336]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\WORDPAD.EXE="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-08-22 16:44:58    --------    d-----w-    c:\windows\ERUNT
2013-08-22 16:31:04    --------    d-----w-    C:\AdwCleaner
2013-08-22 01:22:55    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-08-22 01:22:55    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-08-22 01:22:55    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-08-16 20:07:38    --------    d-----w-    c:\documents and settings\all users\application data\StarApp
2013-08-16 20:05:27    --------    d-----w-    c:\documents and settings\all users\application data\sAvenshArE
2013-08-07 06:36:53    9472    ----a-w-    c:\windows\system32\drivers\pnetmdm.sys
2013-08-07 06:36:52    --------    d-----w-    c:\program files\PdaNet for Android
2013-08-07 06:04:07    13440    ----a-w-    c:\windows\system32\drivers\pneteth.sys
2013-08-06 23:14:18    20747    ----a-w-    c:\windows\system32\drivers\AegisP.sys
2013-08-06 23:14:14    245504    ----a-w-    c:\windows\system32\rt73.sys
2013-08-06 23:14:14    2048    ----a-w-    c:\windows\system32\rt73.bin
2013-08-03 05:16:17    --------    d-----w-    c:\program files\DevPro
.
==================== Find3M  ====================
.
2013-08-21 03:45:20    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 03:45:20    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-08-15 05:31:53    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2013-07-26 02:47:17    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47:13    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-07-10 10:37:53    406016    ------w-    c:\windows\system32\usp10.dll
2013-07-04 03:03:25    2149888    ------w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30    2028544    ------w-    c:\windows\system32\ntkrnlpa.exe
2013-06-04 07:23:02    562688    ------w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-28 01:59:37    590848    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-05-28 00:41:07    6144    ----a-w-    c:\windows\system32\xpsp4res.dll
.
============= FINISH: 11:54:13.50 ===============

#4 nasdaq

nasdaq

  • Malware Response Team
  • 20,851 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:10 AM

Posted 22 August 2013 - 01:04 PM

If not already done please run the AdwCleaner tool and Clean all the items that are found.

===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any remaining issues.

#5 Ruby3

Ruby3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 22 August 2013 - 02:19 PM

I cleaned everything from the AdwCleaner, this was my other log when the scan was complete:

# AdwCleaner v3.000 - Report created 22/08/2013 at 11:34:24
# Updated 20/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : JinPC - PCJIN
# Running from : C:\Documents and Settings\JinPC\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\SweetIM
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Documents and Settings\JinPC\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\JinPC\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\JinPC\Application Data\AVG Secure Search
[!] Folder Deleted : C:\Documents and Settings\JinPC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
[!] Folder Deleted : C:\Documents and Settings\JinPC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
File Deleted : C:\Documents and Settings\JinPC\Application Data\Mozilla\Firefox\Profiles\icjieoj8.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
File Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\eBay.lnk
File Deleted : C:\WINDOWS\system32\ImhxxpComm.dll
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Documents and Settings\JinPC\Application Data\Mozilla\Firefox\Profiles\icjieoj8.default\searchplugins\SweetIm.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BF0118D4-63FF-4138-9327-F3028FB1A578}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\ARFC\wrtc.exe]
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\WNLT
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\Software\WNLT
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Documents and Settings\JinPC\Application Data\Mozilla\Firefox\Profiles\icjieoj8.default\prefs.js ]

Line Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Line Deleted : user_pref("aol_toolbar.default.search.check", false);
Line Deleted : user_pref("avg.install.installDirPath", "C:\\Documents and Settings\\All Users\\Application Data\\AVG Secure Search\\FireFoxExt\\15.5.0.2");
Line Deleted : user_pref("avg.userPreferences.URLBarFocus.whiteList", "bing\\.com|google\\.\\w+|yahoo\\.\\w+|gmail\\.\\w+|hotmail\\.\\w+|live\\.\\w+|isearch\\.avg\\.com|mysearch\\.avg\\.com");
Line Deleted : user_pref("browser.search.order.1", "WebSearch");
Line Deleted : user_pref("browser.search.order.1,S", "WebSearch");
Line Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Line Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Line Deleted : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,optimizegoogle%40optimizegoogle.com:0.79.1,%7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0,%7B34712C68-7391-4c47-94F3-8F88D49[...]
Line Deleted : user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"{20a82645-c095-46ed-80e3-08825760534b}\":{\"descriptor\":\"c:\\\\WINDOWS\\\\Microsoft.NET\\\\Framework\\\\v3.5\\\\W[...]
Line Deleted : user_pref("keyword.URL", "hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={514DBC01-0AC9-11E3-8F69-0018391A3295}&q=");
Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaulturl", "hxxp://websearch.simplesearches.info/?pid=377&r=2013/08/16&hid=609948256&lg=EN&cc=US&unqvl=31&l=1&q=");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxp://google.com");
Line Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Line Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");
Line Deleted : user_pref("sweetim.toolbar.urls.homepage", "hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={514DBC01-0AC9-11E3-8F69-0018391A3295}");

-\\ Google Chrome v

[ File : C:\Documents and Settings\JinPC\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

*************************

AdwCleaner[R0].txt - [14515 octets] - [22/08/2013 11:31:09]
AdwCleaner[S0].txt - [14430 octets] - [22/08/2013 11:34:24]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [14491 octets] ##########

I downloaded the Security Check software and got this error message:

UNSUPPORTED OPERATING SYSTEM! ABORTED!

#6 nasdaq

nasdaq

  • Malware Response Team
  • 20,851 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:10 AM

Posted 23 August 2013 - 07:28 AM

To run the SecurityCheck tool as I suggested, you must restart the computer.

If you have already restarted the computer since your post, it should run.

Let me know if you still have some issues with this computer.

#7 Ruby3

Ruby3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 23 August 2013 - 05:38 PM

OK, I ran the Security Check successfully; here is the log:


Results of screen317's Security Check version 0.99.72
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
SpywareBlaster 4.5
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
JavaFX 2.1.1
Java™ 6 Update 30
Java 7 Update 9
Java version out of Date!
Adobe Flash Player 11.8.800.94
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (23.0.1)
````````Process Check: objlist.exe by Laurent````````
WinPatrol winpatrol.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgnsx.exe
BillP Studios WinPatrol winpatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````





The only problem left is that savenshare still remains under programs.
Searchnewtab is gone but not savenshare.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 20,851 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:10 AM

Posted 24 August 2013 - 08:28 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

JavaFX 2.1.1
Java™ 6 Update 30
Java 7 Update 9


Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

<<<>>>

The only problem left is that savenshare still remains under programs.

Is it under the Add/Remove Programs list or the Start menu programs?

#9 Ruby3

Ruby3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 24 August 2013 - 02:43 PM

Updated everything and removed old Java. Yes, savenshare still exists under Add/Remove Programs. I also found Internet Explorer Toolbar 4.8 by SweetPacks, which is not removable.

[image: am71aw.jpg]

[image: 1192xbq.jpg]

#10 nasdaq

nasdaq

  • Malware Response Team
  • 20,851 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:10 AM

Posted 25 August 2013 - 07:29 AM

These are just entries in the Registry.
The programs are gone, nothing to worry about.

If you want to remove the empty items, use this tool.


MyUninstaller v1.74 - Alternative to the standard add / remove control panel module
Tutorial on the site: http://www.nirsoft.net/utils/myuninst.html

Go to the following link and download MyUninstaller v1.74. Open the link and scroll down below "Feedback" to find access to the download. Also read all of the available information at the link, specifically the section marked "Removing an Uninstall entry".

http://www.nirsoft.net/utils/myuninst.html

When you have the download, unzip it to your Desktop. Right click on the application and select "Run as Administrator"; the program is a standalone executable, so it will not install.

When the program runs, wait and the main interface will populate with an Installed Programs list.

Check through the list until you see the entry you need. Below the menu bar are column headers; look under Obsolete and Uninstall. If the word Yes is listed under Obsolete and not Uninstall against the entry, it means we can safely delete that entry, or vice versa....

#11 Ruby3

Ruby3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 26 August 2013 - 08:02 PM

Hello

I downloaded the program and was unable to run it as administrator (required a password), so I ran it on my regular account, which has admin privileges.


savenshare had No under Obsolete and Yes under uninstall

I was unable to find the sweetpack toolbar

#12 nasdaq

nasdaq

  • Malware Response Team
  • 20,851 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:10 AM

Posted 27 August 2013 - 08:26 AM


Let's find out if you have anything left on this computer.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    sweetpack

    You can also add savenshare if you want.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Let me know if you have any other issues.


#13 Ruby3

Ruby3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 27 August 2013 - 02:55 PM

OK, here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:50 on 27/08/2013 by JinPC
Administrator - Elevation successful

========== regfind ==========

Searching for "sweetpack"
[HKEY_CURRENT_USER\Software\BillP Studios\Detected\ActiveTasks]
"C:\Documents and Settings\JinPC\Local Settings\temp\dlm3.tmp\SWEETPACKS0613.EXE"="08/21/2013 8:23 PM"
[HKEY_CURRENT_USER\Software\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES\UPDATER BY SWEETPACKS\EXTENSIONUPDATERSERVICE.EXE"="08/21/2013 8:27 PM"
[HKEY_CURRENT_USER\Software\BillP Studios\Detected\IEHelper]
"C:\Program Files\Updater By SweetPacks\Extension32.dll"="08/21/2013 8:27 PM"
[HKEY_CURRENT_USER\Software\BillP Studios\Detected\Services]
"C:\PROGRAM FILES\UPDATER BY SWEETPACKS\EXTENSIONUPDATERSERVICE.EXE"="08/21/2013 8:27 PM"
[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Services]
"Updater By SweetPacks"="700"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FB6D58DD787439A4995AF3C00FEA8843]
"ProductName"="Internet Explorer Toolbar 4.8 by SweetPacks"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FB6D58DD787439A4995AF3C00FEA8843\InstallProperties]
"DisplayName"="Internet Explorer Toolbar 4.8 by SweetPacks"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}"="C:\Program Files\Updater By SweetPacks\Firefox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Updater By SweetPacks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Updater By SweetPacks]
"product_name"="Updater By SweetPacks"
[HKEY_USERS\.DEFAULT\Software\Updater By SweetPacks]
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\BillP Studios\Detected\ActiveTasks]
"C:\Documents and Settings\JinPC\Local Settings\temp\dlm3.tmp\SWEETPACKS0613.EXE"="08/21/2013 8:23 PM"
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES\UPDATER BY SWEETPACKS\EXTENSIONUPDATERSERVICE.EXE"="08/21/2013 8:27 PM"
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\BillP Studios\Detected\IEHelper]
"C:\Program Files\Updater By SweetPacks\Extension32.dll"="08/21/2013 8:27 PM"
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\BillP Studios\Detected\Services]
"C:\PROGRAM FILES\UPDATER BY SWEETPACKS\EXTENSIONUPDATERSERVICE.EXE"="08/21/2013 8:27 PM"
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\BillP Studios\WinPatrol\Services]
"Updater By SweetPacks"="700"
[HKEY_USERS\S-1-5-18\Software\Updater By SweetPacks]

Searching for "savenshare"
[HKEY_CURRENT_USER\Software\BillP Studios\Detected\IEHelper]
"C:\Documents and Settings\All Users\Application Data\sAvenshArE\pOpJhG3b.dll"="08/16/2013 3:06 PM"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"="C:\Documents and Settings\JinPC\Desktop\SORRv5(1)\savenshare.png"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\png]
"d"="C:\Documents and Settings\JinPC\Desktop\SORRv5(1)\savenshare.png"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\savvEnsHarree.savvEnsHarree]
@="sAvenshArE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\savvEnsHarree.savvEnsHarree.5.10]
@="sAvenshArE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311}]
"UninstallString"=""regsvr32.exe" /s /n /i:"ExecuteCommands;UninstallCommands" "C:\Documents and Settings\All Users\Application Data\sAvenshArE\xtEQPKqy.dll""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311}]
"SilentUninstall"=""regsvr32.exe" /s /n /i:"ExecuteCommands;UninstallCommands" "C:\Documents and Settings\All Users\Application Data\sAvenshArE\xtEQPKqy.dll""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311}]
"DisplayName"="sAvenshArE"
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\BillP Studios\Detected\IEHelper]
"C:\Documents and Settings\All Users\Application Data\sAvenshArE\pOpJhG3b.dll"="08/16/2013 3:06 PM"
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"="C:\Documents and Settings\JinPC\Desktop\SORRv5(1)\savenshare.png"
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\png]
"d"="C:\Documents and Settings\JinPC\Desktop\SORRv5(1)\savenshare.png"

-= EOF =-

#14 nasdaq

nasdaq

  • Malware Response Team
  • 20,851 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:10 AM

Posted 28 August 2013 - 08:23 AM

; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FB6D58DD787439A4995AF3C00FEA8843]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FB6D58DD787439A4995AF3C00FEA8843\InstallProperties]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Updater By SweetPacks]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Updater By SweetPacks]
[-HKEY_USERS\.DEFAULT\Software\Updater By SweetPacks]
[-HKEY_USERS\S-1-5-18\Software\Updater By SweetPacks]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\png]
"d"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\savvEnsHarree.savvEnsHarree]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\savvEnsHarree.savvEnsHarree.5.10]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311}]
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"=-
[HKEY_USERS\S-1-5-21-336385976-1161712265-3600816209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\png]
"d"=-


; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

On a Vista or Windows 7 operating system, right click the Fix.reg and run as Administrator.

Delete the Fix.reg file when done.

Restart the Computer normally to reset the registry.

How is it now?
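Before merging a cleanup script like the Fix.reg above, it is worth reviewing exactly what it will change: `[-KEY]` lines remove a whole key, `"name"=-` lines remove one value, and any `"name"="..."` line would write data. The following dry-run parser is an added example, not code from the thread or from any tool named in it; it classifies every line of a .reg file and flags anything that writes rather than deletes, using a constructed excerpt of the thread's Fix.reg as sample input.

```python
import re
from dataclasses import dataclass, field

# Header lines regedit accepts. Files exported by regedit itself are UTF-16LE,
# so read them with open(path, encoding="utf-16") before passing the text here.
VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Constructed sample: an excerpt of the Fix.reg posted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; remove the leftover SweetPacks updater key outright
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Updater By SweetPacks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311}]
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
# A value name is either @ (the key's default value) or a quoted string with \" escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class RegPlan:
    """What merging the file would do, grouped by kind of change."""
    deleted_keys: list = field(default_factory=list)
    deleted_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)      # (key, value name, raw data)
    errors: list = field(default_factory=list)


def parse_reg(text: str) -> RegPlan:
    plan = RegPlan()
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        plan.errors.append("line 1: missing or unexpected header")
    current_key = None
    pending = None  # (name, partial data) for hex values continued with a trailing backslash
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if pending is not None:
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                plan.set_values.append((current_key, name, data))
                pending = None
            continue
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                plan.deleted_keys.append(key)
                current_key = None  # values cannot follow a [-KEY] line
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.groups()
            name = "(Default)" if name == "@" else name[1:-1]
            if data == "-":
                plan.deleted_values.append((current_key, name))
            elif data.endswith("\\"):
                pending = (name, data.rstrip("\\"))
            else:
                plan.set_values.append((current_key, name, data))
            continue
        plan.errors.append(f"line {lineno}: unparsed or outside a key: {line}")
    if pending is not None:
        plan.errors.append("unterminated hex continuation at end of file")
    return plan


def deletion_only(plan: RegPlan) -> bool:
    """A trace-removal script should only delete; any write or parse error fails review."""
    return not plan.set_values and not plan.errors


if __name__ == "__main__":
    p = parse_reg(SAMPLE_REG)
    for k in p.deleted_keys:
        print("delete key  :", k)
    for k, v in p.deleted_values:
        print("delete value:", k, "->", v)
    for k, v, d in p.set_values:
        print("WRITE value :", k, "->", v, "=", d)
    print("deletion-only:", deletion_only(p))
```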

#15 Ruby3

Ruby3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 28 August 2013 - 02:32 PM

It worked! Everything is clean now. Thanks for your help, nasdaq.


Edited by Ruby3, 28 August 2013 - 02:33 PM.