Internet Explorer 8 Homepage Tab Hijacked?


This topic is locked
25 replies to this topic

#1 shattered

  • Members
  • 17 posts
  • Location: Sydney, Australia
Posted 30 May 2010 - 05:56 PM

Hi Orange Blossom, here is the new post - hope I have done as instructed.

On my laptop I have Vista and I use AVG for antivirus. A few days back I began having a problem where one of my homepage websites (commbank.com.au) has been redirected to google.com.au, that is to say even though I enter the commbank address in the address bar I just get the google homepage. I ran various scans (AVG, Malwarebytes, Windows Defender, Spybot) without success. Tried Hijackthis but not sure how to interpret the results (tried to fix some things that didn't look right but not sure if what I did was right). I did get a message that Hijackthis couldn't access the "hosts" file but I don't seem to have the option to run as administrator. I checked and the "hosts" file wasn't in the etc folder (there was a file "hosts.old"). I restored the hosts file with HostsXpert but that doesn't seem to have made a difference.

On Friday (28 May) IE suddenly appeared to be working as it should, then part way through Sunday it was being redirected again, and now this morning (Monday 31 May) IE is loading the commbank web page again! So an intermittent problem?

Your help is much appreciated (thought I'd mention the display driver stopped working for a few seconds during the GMER scan but perhaps that is normal).

Here is the DDS.txt log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Steve at 7:35:23.11 on Mon 31/05/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.841 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\atashost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Steve\Desktop\dds.scr
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page =
uStart Page = hxxp://www.google.com.au/
uWindow Title =
mStart Page =
mDefault_Page_URL =
mDefault_Search_URL =
mSearch Page =
mLocal Page =
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
AppInit_DLLs: avgrsstx.dll
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-27 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-13 216200]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-6-14 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-10 242896]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-5-21 20376]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-12 308064]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-2-27 7168]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1314704]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-7 21504]
S3 TfBulk;TfBulk;c:\windows\system32\drivers\TfBulk.SYS [2007-5-31 13312]

=============== Created Last 30 ================

2010-05-30 08:26:49 0 d-----w- c:\program files\Conduit
2010-05-30 08:26:47 0 d-----w- c:\program files\Zynga
2010-05-27 12:05:54 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-27 12:05:54 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 03:35:32 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-27 02:07:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-27 02:07:24 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-27 02:02:24 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-27 02:01:42 0 d-----w- c:\programdata\Lavasoft
2010-05-27 02:01:42 0 d-----w- c:\program files\Lavasoft
2010-05-26 08:21:34 0 d-----w- c:\program files\Trend Micro
2010-05-25 21:24:10 0 d-----w- c:\program files\common files\Windows Live
2010-05-25 21:11:51 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 05:59:37 0 d-----w- c:\program files\Pure Networks
2010-05-21 05:56:45 26672 ----a-w- c:\windows\system32\drivers\pnarp.sys
2010-05-21 05:55:34 27696 ----a-w- c:\windows\system32\drivers\purendis.sys
2010-05-21 05:55:28 0 d-----w- c:\program files\common files\Pure Networks Shared
2010-05-21 05:51:00 0 d-----w- c:\users\steve\appdata\roaming\Pure Networks
2010-05-21 05:26:24 0 d-----w- c:\program files\Linksys
2010-05-21 05:15:54 76184 ----a-w- c:\windows\system32\atsckernel.exe
2010-05-21 05:15:52 20376 ----a-w- c:\windows\system32\atashost.exe
2010-05-21 05:15:46 0 d-----w- c:\programdata\webex
2010-05-21 05:12:23 0 d-----w- c:\programdata\Pure Networks
2010-05-12 00:47:39 738816 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-21 05:56:56 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-21 05:56:56 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-21 05:56:56 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-12 01:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 05:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 05:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 22:03:48 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 00:16:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-10-29 05:16:05 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-07 07:57:54 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-14 09:57:59 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 7:36:52.03 ===============
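A defender-side triage script for the two mechanisms that can produce the symptom described in this post (a homepage tab or address-bar request for commbank.com.au landing on google, and a hosts file missing from the etc folder). This is an added example, not something posted in the thread and not part of DDS, HijackThis or any other tool mentioned; the only page-specific assumption is the bank domain list, and it reads the hosts directory from the Tcpip DataBasePath value rather than assuming the default path.

```powershell
# Added example (not posted in the thread): triage the two places that can send a
# request for commbank.com.au somewhere else on a Vista/IE8 machine.
# Run from an elevated PowerShell prompt; the domain list is taken from the post.
$BankDomains = @('commbank.com.au', 'www.commbank.com.au')

function Get-HostsFileStatus {
    # Read the hosts directory from the Tcpip DataBasePath value: a tampered value
    # would make a clean-looking etc\hosts irrelevant, so do not assume the default.
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dbPath = (Get-ItemProperty -Path $tcpip -Name DataBasePath -ErrorAction SilentlyContinue).DataBasePath
    if (-not $dbPath) { $dbPath = '%SystemRoot%\System32\drivers\etc' }
    $dir   = [Environment]::ExpandEnvironmentVariables($dbPath)
    $hosts = Join-Path $dir 'hosts'

    $status = New-Object PSObject -Property @{
        HostsDir      = $dir
        IsDefaultDir  = ($dir -ieq (Join-Path $env:SystemRoot 'System32\drivers\etc'))
        HostsExists   = (Test-Path -LiteralPath $hosts)
        # a hosts.old next to a missing hosts file is exactly what the post describes
        SiblingFiles  = @(Get-ChildItem -LiteralPath $dir -Filter 'hosts*' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
        ActiveEntries = @()
        BankOverrides = @()
    }
    if ($status.HostsExists) {
        # Strip comments and blank lines so only effective mappings remain.
        $lines = @(Get-Content -LiteralPath $hosts |
            ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
            Where-Object { $_ })
        $status.ActiveEntries = $lines
        foreach ($line in $lines) {
            $fields = $line -split '\s+'
            if ($fields.Length -lt 2) { continue }
            $ip = $fields[0]
            foreach ($name in $fields[1..($fields.Length - 1)]) {
                if ($BankDomains -contains $name.ToLower()) {
                    $status.BankOverrides += "$name -> $ip"
                }
            }
        }
    }
    return $status
}

function Get-IEStartPages {
    # DDS prints these as "uStart Page" (HKCU) and "mStart Page" (HKLM). Additional
    # homepage tabs in IE7/IE8 live in the multi-string value "Secondary Start Pages".
    $results = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        $main = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        if (-not $main) { continue }
        $pages = @()
        if ($main.'Start Page')            { $pages += $main.'Start Page' }
        if ($main.'Secondary Start Pages') { $pages += $main.'Secondary Start Pages' }
        foreach ($url in $pages) {
            $results += New-Object PSObject -Property @{ Hive = $hive; Url = $url }
        }
    }
    return $results
}

$h = Get-HostsFileStatus
Write-Host "hosts directory : $($h.HostsDir)  (default location: $($h.IsDefaultDir))"
Write-Host "hosts present   : $($h.HostsExists)  files matching hosts*: $($h.SiblingFiles -join ', ')"
if (-not $h.IsDefaultDir) { Write-Warning 'DataBasePath has been pointed away from the default etc directory' }
if (-not $h.HostsExists)  { Write-Warning 'no hosts file in the configured directory; restore a clean one' }
foreach ($o in $h.BankOverrides) { Write-Warning "hosts entry overrides the bank's name resolution: $o" }
Write-Host 'effective hosts entries:'
$h.ActiveEntries | ForEach-Object { Write-Host "    $_" }

# If the bank tab is gone from these values, the homepage setting itself was changed;
# if it is still there but the page loads google, look at name resolution instead.
foreach ($sp in Get-IEStartPages) {
    $isBank = $false
    foreach ($d in $BankDomains) { if ($sp.Url -like "*$d*") { $isBank = $true } }
    $note = if ($isBank) { '   <- bank homepage tab still configured' } else { '' }
    Write-Host ("start page [{0}] {1}{2}" -f $sp.Hive, $sp.Url, $note)
}
```

Run it once while the redirect is happening and once while IE behaves, and compare the two outputs; an intermittent symptom that comes from the hosts file or the start-page values will show up as a difference between the runs.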


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 02 June 2010 - 03:08 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 shattered

  • Topic Starter
  • Members
  • 17 posts
  • Location: Sydney, Australia

Posted 02 June 2010 - 04:48 PM

Hi m0le, yes I'm here and look forward to solving this when you get a chance. Regards shattered

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 02 June 2010 - 06:26 PM

Hmm, no problems with Gmer and nothing on DDS...?


Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then run SAS

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Let's see if either of those pick anything up.

#5 shattered

  • Topic Starter
  • Members
  • 17 posts
  • Location: Sydney, Australia

Posted 03 June 2010 - 03:48 AM

Hi m0le, yes "interesting" that nothing is showing up (very frustrating). Internet Explorer "behaving" itself again last couple of days, maybe I'll have to wait until commbank website is redirected to google as was happening previously and then run scans again?

Here are MBAM and SAS logs, regards shattered (thanks for your help):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4165

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

3/06/2010 11:20:34 AM
mbam-log-2010-06-03 (11-20-34).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 291919
Time elapsed: 1 hour(s), 24 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/03/2010 at 06:12 PM

Application Version : 4.38.1004

Core Rules Database Version : 5024
Trace Rules Database Version: 2836

Scan type : Complete Scan
Total Scan Time : 01:57:38

Memory items scanned : 693
Memory threats detected : 0
Registry items scanned : 6533
Registry threats detected : 0
File items scanned : 144960
File threats detected : 218

Adware.Flash Tracking Cookie

Adware.Tracking Cookie
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@mediaonenetwork[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@myaccount.centrelink.gov[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@pamedia.com[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@partner2profit[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@powellsbooks.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@premiumtv.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@reagroup.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@richmedia.yahoo[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@segainc.112.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@serving-sys[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@socialmedia[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@specificclick[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@stats.campaignvision.com[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@stats.campaignvision.com[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@stats.drivecleaner[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@statse.webtrendslive[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@te.kontera[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@te100.kontera[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@thomsoneducationdirect.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@tripod[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@usatoday1.112.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@virginmobile.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@www.drivecleaner[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@www.drivecleaner[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@www.ezytrack[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@www.googleadservices[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@www.screensavers[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ad.flux[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ad2.popcap[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ads.apn.co[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ads.cnn[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ads.gamesbannernet[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ads.silverdisc.co[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ads.techguy[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@ads.uknetguide.co[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@antactica.ad.adnetwork.com[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@at.atwola[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@atdmt[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@banner.pumpkinpatchkids[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@bargainfinda.com[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@casalemedia[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@cba.122.2o7[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@content.yieldmanager[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@discountshoppingguide.com[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@dmtracker[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@doubleclick[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@elitecps[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@imrworldwide[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@incutrack.getprice.com[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@media.mtvnservices[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@media.sensis.com[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@media6degrees[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@mediaonenetwork[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@onlinecounter1[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@pamedia.com[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@popcapgames.122.2o7[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@questionmarket[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@revsci[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@sensismediasmart.com[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@serving-sys[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@specificmedia[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@stat.dealtime[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@stats.paypal[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@stats.sitesuite[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@statse.webtrendslive[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@superstats[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@tracker.mediatracker.co[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@www.3dstats[2].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@www.burstnet[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@www.ezytrack[1].txt
C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\Low\diane@xiti[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@ads.cnn[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@at.atwola[2].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@atdmt[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@bs.serving-sys[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@cba.122.2o7[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@doubleclick[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@imrworldwide[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@msnportal.112.2o7[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@optus.112.2o7[1].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@questionmarket[2].txt
C:\Users\Steve\AppData\Local\Temp\Low\Cookies\steve@serving-sys[2].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@2o7[2].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@ad.wsod[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@ad2.popcap[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@ads.cnn[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@ads.cnn[2].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@ads.pointroll[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@atdmt[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@bs.serving-sys[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@cba.122.2o7[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@collective-media[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@doubleclick[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@f2network.112.2o7[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@imrworldwide[2].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@pointroll[2].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@popcapgames.122.2o7[1].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@revsci[2].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@serving-sys[2].txt
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\Low\steve@statse.webtrendslive[2].txt


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 AM

Posted 03 June 2010 - 03:12 PM

Not even a trace of malware on those logs.

It's good I guess, but...


Let's take a look at the registry and see if there's any clues there.

Open Notepad (go to Start > Run and type in Notepad and click OK).
Copy/paste the following text inside the code box into a new notepad document.

CODE
@ECHO OFF
REM Export the machine-wide and the per-user IE search provider keys
regedit /e look1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
regedit /e look2.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
REM Join both exports into one log and open it in Notepad
Type look*.txt >log.txt
start log.txt
REM Remove the temporary exports and this batch file itself
del look1.txt look2.txt
del %0
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save
  • Close the Notepad.
  • Locate look.bat on the desktop.
  • Right-click to run it as administrator.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.

m0le is a proud member of UNITE
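The batch only dumps the keys; the judgement that follows is whether every scope's URL still points at a known search provider. As an added example (not code from the thread, and not m0le's), here is a Python script that parses the export format the batch produces and flags any SearchScopes entry whose URL-type values resolve to an unexpected host, or whose DefaultScope names a GUID with no subkey. The allow-list of hosts and the script name are assumptions; in the embedded, constructed sample the first scope mirrors the Live Search entry shown in this thread's log and the second is made up, pointing at a reserved `.invalid` host to stand in for a hijacked provider.

```python
"""Audit a regedit /e export of IE's SearchScopes keys (added example, not thread code)."""
import re
import sys
from urllib.parse import urlparse

# Assumption: hosts a stock IE8 scope may use; live.com names come from the posted log.
KNOWN_SEARCH_HOSTS = {
    "search.live.com", "api.search.live.com", "www.live.com",
    "www.bing.com", "api.bing.com", "www.google.com", "www.google.com.au",
}
SCOPES_SUFFIX = "\\Microsoft\\Internet Explorer\\SearchScopes"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # @=... or "Name"=...

def _unescape(s):
    # .reg strings write a quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; the default value is stored as "@".
    String data is unescaped, dword:/hex: data kept raw (wrapped hex lines joined)."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                  # hex: value wrapped with a trailing backslash
            name, acc = pending
            acc += line.rstrip("\\")
            pending = (name, acc) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = acc
            continue
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            elif data.endswith("\\"):
                pending = (name, data[:-1])
            else:
                keys[current][name] = data
    return keys

def audit_search_scopes(keys):
    """Return findings; empty means every scope's URL-type value points at a
    known host and each DefaultScope names an existing subkey."""
    findings = []
    for path, values in keys.items():
        if not path.endswith(SCOPES_SUFFIX):
            continue
        hive = path.split("\\", 1)[0]
        default = values.get("DefaultScope")
        if default is not None and path + "\\" + default not in keys:
            findings.append(f"{hive}: DefaultScope {default} has no matching subkey")
        for sub, vals in keys.items():
            if not sub.startswith(path + "\\"):
                continue
            guid, label = sub[len(path) + 1:], vals.get("@", "?")
            for name, value in vals.items():
                if "URL" in name:                # URL, SuggestionsURL, FaviconURLFallback, ...
                    host = (urlparse(value).hostname or "").lower()
                    if host not in KNOWN_SEARCH_HOSTS:
                        findings.append(f"{hive}: scope {guid} ({label}) {name} -> {host!r}: {value}")
    return findings

# Constructed sample in the export format the batch produces. The first scope
# mirrors the Live Search entry from the posted log; the second is made up and
# points at a reserved .invalid host, standing in for a hijacked provider.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
"UpgradeTime"=hex:06,7a,f8,1d,65,cc,\
  c9,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC"
"FaviconURLFallback"="http://www.live.com/favicon.ico"
"FaviconPath"="C:\\Users\\Steve\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{11111111-2222-3333-4444-555555555555}]
@="Web Search"
"URL"="http://search.example.invalid/find?q={searchTerms}"
"""

if __name__ == "__main__":
    text = SAMPLE_EXPORT
    if len(sys.argv) > 1:                        # e.g. the log.txt the batch opens
        raw = open(sys.argv[1], "rb").read()     # regedit /e writes UTF-16 with a BOM
        text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "cp1252", "replace")
    for line in audit_search_scopes(parse_reg_export(text)) or ["OK: all scopes point at known hosts"]:
        print(line)
```

Run it with no arguments to see the constructed sample flagged; point it at the log.txt the batch opens (for example `python audit_scopes.py log.txt`, with the script name being hypothetical) to check a real export. A clean result only clears the search providers: a typed address being redirected can still come from the hosts file or from DNS, neither of which this export covers.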

#7 shattered

shattered
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Sydney, Australia
  • Local time:01:19 PM

Posted 03 June 2010 - 04:32 PM

Hi m0le, followed your instructions and here are the contents of the log.txt file that was generated:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="@ieframe.dll,-12512"
@="Live Search"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
"Version"=dword:00000002
"DownloadUpdates"=dword:00000000
"UpgradeTime"=hex:06,7a,f8,1d,65,cc,c9,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="@ieframe.dll,-12512"
@="Live Search"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC"
"SuggestionsURLFallback"="http://api.search.live.com/qsml.aspx?query={searchTerms}&src=IE-SearchBox&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"
"FaviconURLFallback"="http://www.live.com/favicon.ico"
"FaviconPath"="C:\\Users\\Steve\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 AM

Posted 03 June 2010 - 04:50 PM

That looks fine. All point to live.com (now Bing).

Let's leave this topic open for five days and if it returns in that time then let me know.

I'll keep the email notifier on.
m0le is a proud member of UNITE

#9 shattered

shattered
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Sydney, Australia
  • Local time:01:19 PM

Posted 03 June 2010 - 05:30 PM

OK. Thanks for your time/help m0le, much appreciated.

I'll keep my fingers crossed, regards shattered.

#10 shattered

shattered
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Sydney, Australia
  • Local time:01:19 PM

Posted 07 June 2010 - 05:48 AM

Hi m0le, unfortunately the problem has returned and www.commbank.com.au is again being redirected to google.com.au.

I ran look.bat again and here is the resultant log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="@ieframe.dll,-12512"
@="Live Search"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
"Version"=dword:00000002
"DownloadUpdates"=dword:00000000
"UpgradeTime"=hex:06,7a,f8,1d,65,cc,c9,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="@ieframe.dll,-12512"
@="Live Search"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC"
"SuggestionsURLFallback"="http://api.search.live.com/qsml.aspx?query={searchTerms}&src=IE-SearchBox&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"
"FaviconURLFallback"="http://www.live.com/favicon.ico"
"FaviconPath"="C:\\Users\\Steve\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"

I'll scan with MBAM and SAS and post the results, regards shattered.

Edited by shattered, 07 June 2010 - 05:48 AM.


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 AM

Posted 07 June 2010 - 01:09 PM

QUOTE
I'll scan with MBAM and SAS and post the results, regards shattered.


I was going to suggest something else but let's see those logs then.
m0le is a proud member of UNITE

#12 shattered

shattered
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Sydney, Australia
  • Local time:01:19 PM

Posted 07 June 2010 - 06:39 PM

Hi m0le, no issues with the registry I presume?

For your info, IE was playing up yesterday when I ran the SAS scan; however, this morning when I turned the computer on IE was behaving as "normal", but I ran the MBAM scan anyway. Both logs appear below (just tracking cookies by the looks of them).

m0le, I thought I'd mention that, thinking back, I think this all began after I installed a new wireless Linksys router (and associated software). Can't think how it would give rise to the intermittent problem with IE but thought I'd mention it. Look forward to the next suggestion as to how we might attack this issue, regards shattered.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/03/2010 at 06:12 PM

Application Version : 4.38.1004

Core Rules Database Version : 5024
Trace Rules Database Version: 2836

Scan type : Complete Scan
Total Scan Time : 01:57:38

Memory items scanned : 693
Memory threats detected : 0
Registry items scanned : 6533
Registry threats detected : 0
File items scanned : 144960
File threats detected : 218

Adware.Flash Tracking Cookie
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\ACVS.MEDIAONENETWORK.NET
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\IA.MEDIA-IMDB.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIA.CNETNETWORKS.COM.AU
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIA.FOXSPORTS.COM.AU
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIA.PODADDIES.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIA.SCANSCOUT.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIA.TATTOMEDIA.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIA1.BREAK.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIA2.FASTFREEMEDIA.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\MEDIAONENETWORK.NET
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\CLICKSOR.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\INTERCLICK.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\ATDMT.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\RMD.ATDMT.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\M1.AU.2MDN.NET
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\S0.2MDN.NET
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\STATIC.2MDN.NET
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\SECURE-US.IMRWORLDWIDE.COM
C:\Users\Steve\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLE3KC3R\ODDCAST.COM

Adware.Tracking Cookie
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@112.2o7[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@acpmagazines.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ad.httpool[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ad.yieldmanager[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ad.zanox[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ad1.king[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ads.ad4game[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ads.admaxasia[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ads.ak.facebook[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@aih.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@apmebf[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@at.atwola[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@atdmt[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@bs.serving-sys[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@cadburyschweppesplc.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@cba.122.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@content.yieldmanager[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@content.yieldmanager[3].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@doubleclick[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@eharmony.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ehg-newsinteractive.hitbox[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@f2network.112.2o7[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@fastclick[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@findababysitter.com[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@iacas.adbureau[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@imrworldwide[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@incentaclick[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@ingdirect.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@interclick[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@kontera[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@lfstmedia[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@media.sensis.com[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@media6degrees[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@mediaonenetwork[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@mediaplex[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@nrma.122.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@optus.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@overture[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@popcapgames.122.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@questionmarket[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@readersdigest.122.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@reagroup.122.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@richmedia.yahoo[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@sensismediasmart.com[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@server.cpmstar[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@server.iad.liveperson[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@server.iad.liveperson[3].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@server.iad.liveperson[4].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@server.lon.liveperson[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@server.lon.liveperson[3].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@serving-sys[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@statcounter[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@tourismwesternaustralia.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@tribalfusion[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@videoegg.adbureau[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@virginmoneyaustralia.122.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@winecountry.com[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@wotifcom.112.2o7[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@www.3dstats[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@www.clickerpicker[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@www.googleadservices[1].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@www.googleadservices[2].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@www.googleadservices[7].txt
C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Cookies\Low\adam@www.incentaclick[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\belinda@myaccount.centrelink.gov[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@112.2o7[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@3.adbrite[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@a.findarticles[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@a.websponsors[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@adlegend[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@admse012.adbureau[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ads.adbrite[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ads.heias[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ads.moviemaze[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ads.pointroll[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ads.us.e-planning[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ads.warmnetworks[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@apmebf[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@atdmt[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@brightcove.112.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@bs.serving-sys[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@cba.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@clickshift[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@data.coremetrics[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@doubleclick[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@drivecleaner[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@e-2dj6wjkyslc5who.stats.esomniture[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ehg-australiansuper.hitbox[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ehg-betterphoto.hitbox[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ehg-foxsports.hitbox[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@fdau.adbureau[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@findarticles[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@i.screensavers[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@imrworldwide[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@ingdirect.112.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@insightexpressai[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@kontera[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@media.causes[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@media.sensis.com[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@mediaonenetwork[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@myaccount.centrelink.gov[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@pamedia.com[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@partner2profit[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@powellsbooks.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@premiumtv.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@reagroup.122.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@richmedia.yahoo[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@segainc.112.2o7[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@serving-sys[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@socialmedia[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@specificclick[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@stats.campaignvision.com[1].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@stats.campaignvision.com[2].txt
C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Cookies\Low\belinda@stats.drivecleaner[2].txt


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4165

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

8/06/2010 9:22:48 AM
mbam-log-2010-06-08 (09-22-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 280295
Time elapsed: 1 hour(s), 14 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 AM

Posted 07 June 2010 - 06:56 PM

The registry file was fine, yes.

I'm certainly not suspecting a hijack (not a malicious one anyway).

Linksys may be causing this actually. Let's try a quick and dirty fix.

Right-click on the Command Prompt icon (find it by opening the bottom-left Windows logo and typing cmd in the search bar) and select "Run as administrator".

Then type in:

    ipconfig /flushdns

and press Enter.
m0le is a proud member of UNITE

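As an added example that is not from this thread or from m0le: a Python script that parses a hosts file and the text of `ipconfig /displaydns`, then reports where a domain is being answered locally, which shows whether the flush above can help at all. The domain, the file contents and the 192.0.2.x addresses are constructed sample input.

```python
import re

# Constructed sample hosts file; 192.0.2.x is a documentation-range placeholder.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.commbank.com.au   # an override like this hijacks the site
"""

# Constructed excerpt in the shape of `ipconfig /displaydns` output (Vista).
DISPLAYDNS_SAMPLE = """\
    www.commbank.com.au
    ----------------------------------------
    Record Name . . . . . : www.commbank.com.au
    Record Type . . . . . : 1
    A (Host) Record . . . : 192.0.2.10

    google.com.au
    ----------------------------------------
    Record Name . . . . . : google.com.au
    A (Host) Record . . . : 192.0.2.20
"""

def hosts_entries(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        for name in parts[1:]:
            yield parts[0], name.lower()

def displaydns_records(text):
    """Yield (name, ip) pairs for A records in `ipconfig /displaydns` output."""
    name = None
    for line in text.splitlines():
        m = re.match(r"\s*Record Name[ .]*: (\S+)", line)
        if m:
            name = m.group(1).lower()
        m = re.match(r"\s*A \(Host\) Record[ .]*: (\S+)", line)
        if m and name:
            yield name, m.group(1)

def find_overrides(domain, hosts_text, dns_text):
    """Return (source, name, ip) for each local answer for domain or a subdomain."""
    domain = domain.lower()
    in_scope = lambda n: n == domain or n.endswith("." + domain)
    found = [("hosts", n, ip) for ip, n in hosts_entries(hosts_text) if in_scope(n)]
    found += [("dnscache", n, ip) for n, ip in displaydns_records(dns_text) if in_scope(n)]
    return found
```

On the affected machine the two inputs come from C:\Windows\System32\drivers\etc\hosts and the output of `ipconfig /displaydns`; a hit under `dnscache` is what `ipconfig /flushdns` clears, while a hit under `hosts` survives the flush and points at the file instead.
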
#14 shattered

shattered
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Location:Sydney, Australia
  • Local time:01:19 PM

Posted 07 June 2010 - 07:07 PM

Thanks for getting back to me so quickly. As IE is behaving at the moment should I wait until it plays up before actioning your suggestion to see if it results in a "fix" or just do it now and wait and see if the issue arises over the next few days?

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 AM

Posted 07 June 2010 - 07:08 PM

Good question.

I would wait and see. If it returns then flush the DNS cache.

Keep me informed - intermittent hijacking is a strange thing.
m0le is a proud member of UNITE


