Browser hijacked and Security Essentials will not run


17 replies to this topic

#1 historybytes (Members, 10 posts)

Posted 31 July 2011 - 10:31 AM

Hello! I am new to this site so I hope that you will be patient with me if I make some mistakes in courtesy.

I am running an HP Pavilion Elite e9260f with 64-bit Windows 7 Home Premium. Two or three days ago I noticed that my browser (Internet Explorer 9) was being hijacked to ad sites. I ran a McAfee Scan and it came up with 6 infections. Here's the messy part - the scan was still running late at night and I fell asleep, so I do not know what else happened and I have been trying to play catch-up ever since. As well, I am getting a warning that Windows Security Center Service is turned off, but I cannot turn it back on, either through the Action Center or with Windows Defender.

I am not very knowledgeable about the inner workings of computers so I will need to be talked through any repairs.

The MalwareBytes program identified 5 infected registry keys: two with Adware.SmartShopper, one with Adware.Softomate, and two with Trojan.FakeAlert.SA. There was also one file infected with Trojan.FraudPack. The report states that all infected items were quarantined and removed successfully.

Unfortunately, the problems are still occurring - the browser is redirected and I cannot start Security Essentials.

I have read the Welcome notice and I believe that I have my original Windows backup, but it was factory installed.

I have run scans with McAfee, MalwareBytes, McAfee Stinger, Microsoft Malicious Removal, and SUPERAntiSpyware (which reported Malware.Trace on 1 registry key and 96 file threats).

Thank you in advance for your help!


#2 Broni, The Coolest BC Computer (BC Advisor, 42,719 posts, Daly City, CA)

Posted 31 July 2011 - 01:44 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donate button in my signature.


 


#3 historybytes (Topic Starter)

Posted 31 July 2011 - 02:38 PM

Hi, Broni! Thanks so much for helping.

Here is the Security Check report:

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
McAfee Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Reader X (10.1.0)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
McAfee VirusScan mcods.exe
``````````End of Log````````````


Here is the MiniToolBox log:

MiniToolBox by Farbar
Ran by Kelly2 (administrator) on 31-07-2011 at 14:07:51
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================



========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Kelly2-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : cgocable.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : cgocable.net
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 40-61-86-2C-43-83
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::99a8:cd87:34dc:ed5b%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : July-30-11 2:35:30 PM
Lease Expires . . . . . . . . . . : August-01-11 10:50:03 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 239100294
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-6F-B0-9A-40-61-86-2C-43-83
DNS Servers . . . . . . . . . . . : 24.226.1.93
24.226.10.193
24.226.10.194
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.cgocable.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : cgocable.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:107c:24f8:e714:32dd(Preferred)
Link-local IPv6 Address . . . . . : fe80::107c:24f8:e714:32dd%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 24.226.1.93

Name: google.com
Addresses: 74.125.226.84
74.125.226.82
74.125.226.81
74.125.226.80
74.125.226.83


Pinging google.com [74.125.226.80] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 74.125.226.80:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Server: ns3.cgocable.net
Address: 24.226.1.93

Name: yahoo.com
Addresses: 98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=205ms TTL=50
Reply from 209.191.122.70: bytes=32 time=89ms TTL=50

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 89ms, Maximum = 205ms, Average = 147ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=4ms TTL=128
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 4ms, Average = 3ms
===========================================================================
Interface List
10...40 61 86 2c 43 83 ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.102 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.102 276
192.168.1.102 255.255.255.255 On-link 192.168.1.102 276
192.168.1.255 255.255.255.255 On-link 192.168.1.102 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.102 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.102 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:107c:24f8:e714:32dd/128
On-link
10 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::107c:24f8:e714:32dd/128
On-link
10 276 fe80::99a8:cd87:34dc:ed5b/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/30/2011 10:28:19 PM) (Source: Customer Experience Improvement Program) (User: )
Description: 80004005

Error: (07/30/2011 10:04:44 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "imaging1".Error in manifest or policy file "imaging2" on line imaging3.
The element imaging appears as a child of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by this version of Windows.

Error: (07/30/2011 09:58:36 PM) (Source: Customer Experience Improvement Program) (User: )
Description: 80004005

Error: (07/30/2011 02:39:59 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 3508 (0xdb4)

Thread address : 0x00000000774C135A

Thread message :

Build VSCORE.14.4.0.333 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\PROGRAM FILES (X86)\HP\DIGITAL IMAGING\DATA\PROJECTS\CONFIGURATION\HPQD_PBK_COLORCOMBO_CONFIG.DLL
by C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (07/30/2011 02:36:05 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/30/2011 11:57:12 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 6692 (0x1a24)

Thread address : 0x000000007727135A

Thread message :

Build VSCORE.14.4.0.333 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\Program Files\Common Files\McAfee\SystemCore\mfeapfa.dll
by C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (07/30/2011 11:56:55 AM) (Source: Application Hang) (User: )
Description: The program HPAdvisor.exe version 3.3.12286.3436 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a70

Start Time: 01cc4ed0554b5e3b

Termination Time: 60000

Application Path: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe

Report Id: 564fba31-bac4-11e0-93d9-4061862c4383

Error: (07/30/2011 11:50:27 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/30/2011 11:47:05 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 10192 (0x27d0)

Thread address : 0x000000007731135A

Thread message :

Build VSCORE.14.4.0.333 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\Program Files\Common Files\McAfee\SystemCore\mfeapfa.dll
by C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (07/30/2011 11:46:31 AM) (Source: Application Hang) (User: )
Description: The program Explorer.EXE version 6.1.7601.17567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 8b8

Start Time: 01cc4ece7da05bd5

Termination Time: 60000

Application Path: C:\Windows\Explorer.EXE

Report Id: e09194a9-bac2-11e0-bc82-4061862c4383


System errors:
=============
Error: (07/31/2011 09:43:39 AM) (Source: Service Control Manager) (User: )
Description: The Security Center service failed to start due to the following error:
%%1079

Error: (07/31/2011 09:40:35 AM) (Source: Service Control Manager) (User: )
Description: The Security Center service failed to start due to the following error:
%%1079

Error: (07/30/2011 02:42:29 PM) (Source: Service Control Manager) (User: )
Description: The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (07/30/2011 02:42:17 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Services service hung on starting.

Error: (07/30/2011 02:42:07 PM) (Source: DCOM) (User: )
Description: {9B3BEB4E-1C5E-4A5F-BB36-2F6587DD34E2}

Error: (07/30/2011 02:40:01 PM) (Source: DCOM) (User: )
Description: {26608B46-476A-4BF1-9CC6-AFEA28EBBC17}

Error: (07/30/2011 02:39:59 PM) (Source: DCOM) (User: )
Description: 1053WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (07/30/2011 02:39:08 PM) (Source: Service Control Manager) (User: )
Description: A timeout (120000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (07/30/2011 02:38:01 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1053

Error: (07/30/2011 02:38:01 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (120000 milliseconds) while waiting for the Windows Search service to connect.


Microsoft Office Sessions:
=========================
Error: (12/29/2009 02:38:32 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1798 seconds with 1140 seconds of active time. This session ended with a crash.


========================= Memory info: ===================================

Percentage of memory in use: 30%
Total physical RAM: 8183.08 MB
Available physical RAM: 5694.4 MB
Total Pagefile: 16364.36 MB
Available Pagefile: 13204.65 MB
Total Virtual: 4095.88 MB
Available Virtual: 3988.19 MB

========================= Partitions: =====================================

1 Drive c: (HP) (Fixed) (Total:918.53 GB) (Free:224.6 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:12.88 GB) (Free:1.99 GB) NTFS

========================= Users: ========================================

User accounts for \\KELLY2-PC

Administrator Guest Kelly2
kellyl Robin2


== End of log ==


Here is the MalwareBytes log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7340

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

31/07/2011 2:28:00 PM
mbam-log-2011-07-31 (14-28-00).txt

Scan type: Quick scan
Objects scanned: 218602
Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


As well, here is a MalwareBytes log for July 29, the day after things started going wonky:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7322

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

29/07/2011 6:06:13 PM
mbam-log-2011-07-29 (18-06-13).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 461423
Time elapsed: 32 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XMZH42I4GI (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.


I have to re-run the GMER log and will post back ASAP - there were no issues, though.
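The checks Broni asks for in reply #2, applied to the kind of MiniToolBox output posted in reply #3, as an added example that is not part of the thread and not MiniToolBox's own code. It splits the report into its banner sections and flags what a helper would look at first: any line in the IE proxy section other than the two clean sentences, any hosts entry beyond localhost, any resolver that is neither RFC1918 nor on an operator-supplied trusted list, and "service failed to start" events in the System errors section, decoding the %%1079 that appears in the posted log (the standard Win32 code ERROR_DIFFERENT_SERVICE_ACCOUNT) and %%1053. SAMPLE_REPORT is constructed to produce one finding of each kind and is not the poster's log; the exact wording MiniToolBox prints when a proxy is set is not shown on the page, so treating anything but the two clean sentences as a finding is an assumption.

```python
"""Triage checks over a MiniToolBox-style report.

Added example for this thread; it is not MiniToolBox's code and not part of
the original posts. Section banners and field names follow the report
format posted above. SAMPLE_REPORT is constructed to show one finding of
each kind; it is not the poster's log.
"""
import ipaddress
import re

# "==== Name: ====" section banners, plus the "System errors:" style
# sub-headers that are underlined with a row of "=" on the next line.
HEADER_RE = re.compile(
    r"^=+\s*(?P<name>.+?):\s*=+$|^(?P<sub>[A-Za-z ]+(?:errors|Sessions)):$"
)
DNS_RE = re.compile(r"^DNS Servers[ .]*:\s*(?P<ip>\S+)")  # ipconfig /all line
SERVICE_FAIL_RE = re.compile(
    r"The (?P<svc>.+?) service failed to start due to the following error:"
    r"\s*\n\s*%%(?P<code>\d+)"
)
# The two sentences a clean report prints; anything else in that section is
# worth a look (assumption: a report with a proxy set prints different text).
CLEAN_PROXY = {"Proxy is not enabled.", "No Proxy Server is set."}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Standard Win32 system error codes that show up in Service Control Manager events.
WIN32_ERRORS = {
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT: the service did not respond in time",
    1079: "ERROR_DIFFERENT_SERVICE_ACCOUNT: the service's account differs from "
          "the other services in its host process; check its configured account",
}


def split_sections(report: str) -> dict:
    """Map section name -> list of stripped lines, dropping bare '====' rules."""
    sections, name = {}, "preamble"
    for line in report.splitlines():
        stripped = line.strip()
        m = HEADER_RE.match(stripped)
        if m:
            name = m.group("name") or m.group("sub")
            sections[name] = []
            continue
        if stripped and set(stripped) == {"="}:
            continue
        sections.setdefault(name, []).append(stripped)
    return sections


def dns_servers(report: str) -> list:
    """Collect resolvers from 'DNS Servers . . : x' and its continuation lines."""
    servers, collecting = [], False
    for line in report.splitlines():
        stripped = line.strip()
        m = DNS_RE.match(stripped)
        if m:
            servers.append(m.group("ip"))
            collecting = True
            continue
        if collecting:
            try:
                ipaddress.ip_address(stripped)   # bare IP on the next line
                servers.append(stripped)
            except ValueError:
                collecting = False
    return servers


def triage(report: str, trusted_dns=()) -> list:
    """Return human-readable findings; trusted_dns holds IPs or CIDR blocks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_dns]
    sections = split_sections(report)
    findings = []

    for line in sections.get("IE Proxy Settings", []):
        if line and line not in CLEAN_PROXY:
            findings.append(f"proxy: unexpected IE proxy setting: {line}")

    for entry in sections.get("Hosts content", []):
        if not entry or entry.startswith("#"):
            continue
        parts = entry.split()
        try:
            default = (ipaddress.ip_address(parts[0]).is_loopback
                       and parts[1:] == ["localhost"])
        except ValueError:
            default = False                     # malformed line: also report it
        if not default:
            findings.append(f"hosts: non-default entry: {entry}")

    for ip in dns_servers(report):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in RFC1918 + trusted):
            findings.append(f"dns: resolver {ip} is neither RFC1918 nor trusted")

    text = "\n".join(sections.get("System errors", []))
    for m in SERVICE_FAIL_RE.finditer(text):
        code = int(m.group("code"))
        meaning = WIN32_ERRORS.get(code, "see the Win32 system error code list")
        findings.append(
            f"service: {m.group('svc')} failed to start, error {code} ({meaning})")
    return findings


# Constructed sample, NOT the poster's log: one finding per check.
SAMPLE_REPORT = """\
MiniToolBox by Farbar
Ran by user (administrator) on 31-07-2011 at 14:07:51

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:8118

========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 update.example-av.invalid

========================= IP Configuration: ================================

Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 24.226.1.93
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

========================= Event log errors: ===============================

System errors:
=============
Error: (07/31/2011 09:43:39 AM) (Source: Service Control Manager) (User: )
Description: The Security Center service failed to start due to the following error:
%%1079

== End of log ==
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT, trusted_dns=("24.226.0.0/16",)):
        print(finding)
```

Run against the log actually posted in reply #3 with the ISP's 24.226.0.0/16 trusted, the proxy, hosts and resolver checks come back clean and the only finding is the Security Center start failure with error 1079, which points at the service's account configuration rather than at a missing binary.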

#4 Broni (BC Advisor)

Posted 31 July 2011 - 02:43 PM

OK...

I cannot start Security Essentials

You're not trying to run two AV programs? You already have McAfee installed.



 


#5 historybytes (Topic Starter)

Posted 31 July 2011 - 03:10 PM

Dear Broni,

There was nothing in the GMER log - and Security Essentials was already running when this mess started. Shall I uninstall Security Essentials, then? (Sorry if this seems really foolish, but I haven't had to make any changes before this).

Still having the browser redirect issue, though - it was hard to get back here!

Thanks in advance!

#6 Broni (BC Advisor)

Posted 31 July 2011 - 03:14 PM

Let me double check something.

Re-run MiniToolbox.

Checkmark following boxes:
  • List Installed Programs
Click Go and post the result.

Then...

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:

On completion of the scan click "Save log", save it to your desktop and post in your next reply:

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

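aswMBR saves a raw copy of the boot sector as MBR.dat, which is why the post says not to delete it. As an added example that is not aswMBR's code and not part of the thread, here is a parser for such a file: it verifies the 55 AA boot signature, decodes the four partition-table entries and hashes the 440 bytes of boot code, and compares two copies so a later snapshot can be checked against the saved baseline (a bootkit rewrites the boot code and usually leaves the partition table alone, so the two are reported separately). The 512-byte sample is constructed; build_sample, SAMPLE_MBR and the placeholder disk signature are names and values introduced here, not anything from the poster's machine.

```python
"""Parse and compare raw MBR images such as the MBR.dat that aswMBR saves.

Added example for this thread; it is not aswMBR's code and not part of the
original posts. SAMPLE_MBR is constructed, not a real disk's MBR.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440      # classic layout: boot code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
TABLE_OFF = 446          # four 16-byte partition entries, then 55 AA at 510
PART_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)"}


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    def describe(self) -> str:
        kind = PART_TYPES.get(self.type_id, f"type 0x{self.type_id:02X}")
        gib = self.sectors * SECTOR / 2 ** 30
        flag = "*" if self.bootable else " "
        return f"{flag} #{self.index} {kind:<16} LBA {self.lba_start:>11} {gib:8.2f} GiB"


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector; raises ValueError on a bad signature."""
    if len(sector) < SECTOR:
        raise ValueError(f"need {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError(f"bad boot signature {sector[510:512].hex()}")
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFF + 16 * i)
        if ptype:                                # type 0 marks an empty slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Name what changed between two MBR copies (empty list = identical)."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    changes = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        changes.append("boot code changed")
    if a["disk_signature"] != b["disk_signature"]:
        changes.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        changes.append("partition table changed")
    return changes


def build_sample() -> bytes:
    """Constructed MBR: a bootable NTFS system volume plus a second NTFS
    volume, with placeholder boot code and a made-up disk signature."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x33\xC0\x8E\xD0"                  # xor ax,ax / mov ss,ax
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into("<B3xB3xII", mbr, TABLE_OFF, 0x80, 0x07, 2048, 1_794_000_000)
    struct.pack_into("<B3xB3xII", mbr, TABLE_OFF + 16, 0x00, 0x07,
                     1_794_002_048, 27_000_000)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


SAMPLE_MBR = build_sample()

if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat [MBR_later.dat]; no args uses the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MBR
    info = parse_mbr(data)
    print(f"disk signature 0x{info['disk_signature']:08X}, "
          f"boot code sha256 {info['boot_code_sha256'][:16]}...")
    for p in info["partitions"]:
        print(p.describe())
    if len(sys.argv) > 2:
        print(diff_mbr(data, open(sys.argv[2], "rb").read()) or "no change")
```

Keep the first MBR.dat somewhere off the machine; a second copy taken after cleanup or after a reboot can then be checked with diff_mbr, and a differing boot-code hash with an unchanged partition table is the pattern to escalate on.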


 


#7 historybytes (Topic Starter)

Posted 31 July 2011 - 03:43 PM

Here's the new MiniToolBox report on installed programmes:

MiniToolBox by Farbar
Ran by Kelly2 (administrator) on 31-07-2011 at 16:41:32
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
3100_3200_3300_Help (Version: 82.0.242.000)
3100_3200_3300trb (Version: 82.0.242.000)
3200 (Version: 130.0.421.000)
64 Bit HP CIO Components Installer (Version: 7.2.8)
Acrobat.com (Version: 2.3.0)
Acrobat.com (Version: 2.3.0.0)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.3)
Adobe AIR (Version: 2.0.2.12610)
Adobe Digital Editions
Adobe Reader X (10.1.0) (Version: 10.1.0)
Adobe Shockwave Player 11.5 (Version: 11.5.7.609)
Adobe SVG Viewer 3.0 (Version: 3.0)
AIO_CDB_ProductContext (Version: 130.0.365.000)
AIO_CDB_Software (Version: 130.0.365.000)
AIO_Scan (Version: 130.0.421.000)
BufferChm (Version: 130.0.331.000)
Caesar 3
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Copy (Version: 130.0.428.000)
Corel Paint Shop Pro X (Version: 10.03)
D3DX10 (Version: 15.4.2368.0902)
Destinations (Version: 140.0.77.000)
DeviceDiscovery (Version: 130.0.465.000)
DirectX for Managed Code Update (Summer 2004) (Version: 9.02.2904)
DivX Setup (Version: 2.5.0.8)
DocProc (Version: 13.0.0.0)
EndNote Web (Version: 3.0.0.1158)
EndNote X2 (Version: 12.0.4.4459)
EndNote X4 (Version: 14.0.2.5149)
FATE: The Cursed King (Version: 2.2.0.97)
Fax (Version: 130.0.418.000)
File Type Assistant
Genbox Family History 3.7.1
Google Update Helper (Version: 1.3.21.65)
GPBaseService2 (Version: 130.0.371.000)
Hardware Diagnostic Tools (Version: 6.0.5434.08)
HiJackThis (Version: 1.0.0)
HP Advisor (Version: 3.3.12286.3436)
HP Customer Experience Enhancements (Version: 6.0.1.3)
HP Customer Participation Program 13.0 (Version: 13.0)
HP Easy Backup (Version: 1.0.8.0)
HP Games (Version: 1.0.2.5)
HP Imaging Device Functions 13.0 (Version: 13.0)
HP MediaSmart DVD (Version: 3.0.3420)
HP MediaSmart Movie Themes (Version: 3.0.3102)
HP MediaSmart Music/Photo/Video (Version: 3.1.3601)
HP MediaSmart SmartMenu (Version: 3.0.28.2)
HP Odometer (Version: 2.10.0000)
HP Photosmart Essential 3.5 (Version: 3.5)
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B (Version: 13.0)
HP Remote Solution (Version: 1.1.9.0)
HP Setup (Version: 1.2.3220.3079)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 13.0 (Version: 13.0)
HP Support Assistant (Version: 5.1.10.7)
HP Support Information (Version: 10.1.0002)
HP Update (Version: 5.001.000.014)
HPAsset component for HP Active Support Library (Version: 3.0.0.3)
HPDiagnosticAlert (Version: 1.00.0000)
HPPhotoGadget (Version: 130.0.282.000)
HPPhotoSmartDiscLabelContent1 (Version: 2.04.0000)
HPPhotosmartEssential (Version: 2.04.0000)
HPProductAssistant (Version: 130.0.371.000)
HPSSupply (Version: 130.0.371.000)
Intel® Rapid Storage Technology (Version: 9.6.0.1014)
Jewel Quest Mysteries: The Seventh Gate Collector's Edition (Version: 2.2.0.98)
jZip
K-Lite Codec Pack 6.1.0 (Basic) (Version: 6.1.0)
LabelPrint (Version: 2.5.1901)
LightScribe System Software (Version: 1.18.5.1)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
MarketResearch (Version: 130.0.374.000)
McAfee Internet Security (Version: 11.0.570)
Memeo Instant Backup (Version: 4.60.0.7252)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Corporation (Version: 9.0.30729.1)
Microsoft LifeCam (Version: 3.0.215.0)
Microsoft Live Search Toolbar (Version: 3.0.560.0)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6425.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ Run Time Lib Setup (Version: 1.0.0)
Microsoft Works (Version: 9.7.0621)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Network64 (Version: 130.0.572.000)
Network64 (Version: 140.0.221.000)
Night Before Christmas 3D Screensaver
NVIDIA Display Control Panel (Version: 6.14.12.5936)
NVIDIA Drivers (Version: 1.10.62.40)
OCR Software by I.R.I.S. 13.0 (Version: 13.0)
PowerRecover (Version: 5.5.1923)
PVSonyDll (Version: 1.00.0001)
RealPlayer
Realtek High Definition Audio Driver (Version: 6.0.1.6196)
RealUpgrade 1.0 (Version: 1.0.0)
ResearchSoft Direct Export Helper
Scan (Version: 140.0.80.000)
Seagate Dashboard (Version: 1.1.0.1421)
Shop for HP Supplies (Version: 13.0)
Skype Toolbars (Version: 5.0.4137)
Skype™ 5.0 (Version: 5.0.156)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 130.0.373.000)
SolveigMM AVI Trimmer (Version: 1.6.912.18)
Status (Version: 130.0.469.000)
SUPERAntiSpyware (Version: 4.55.1000)
Toolbox (Version: 130.0.648.000)
TrayApp (Version: 130.0.422.000)
U3Launcher (Version: 1.0.0)
UnloadSupport (Version: 11.0.0)
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update Installer for WildTangent Games App
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
VLC media player 1.0.1 (Version: 1.0.1)
WebReg (Version: 130.0.132.017)
WildTangent Games (Version: 1.0.2.5)
WildTangent Games App (HP Games) (Version: 4.0.5.14)
WildTangent Games App (Version: 4.0.5.2)
Windows jZip Toolbar (Version: 2.5.0.102741)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3502.0922)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922)
Windows Movie Maker 2.6 (Version: 2.6.4038.0)
Yahoo! Toolbar
YouTube Downloader Toolbar v4.5 (Version: 4.5)

== End of log ==


I am moving on to the next step now.

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,719 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:00 AM

Posted 31 July 2011 - 04:12 PM

I don't see Microsoft Security Essentials installed, so I'm not sure where you can see it running.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#9 historybytes

historybytes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 31 July 2011 - 04:39 PM

My bad! I uninstalled it but I still get a warning to turn on Windows Security Center service - but I have not been able to turn it on or open it since this started. I cannot recall the last time that I ever did anything with it prior to this last week.

Here is the log from the last scan:

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-07-31 16:45:50
-----------------------------
16:45:50.332 OS Version: Windows x64 6.1.7601 Service Pack 1
16:45:50.332 Number of processors: 4 586 0x1E05
16:45:50.332 ComputerName: KELLY2-PC UserName: Kelly2
16:45:52.251 Initialize success
16:46:36.443 AVAST engine defs: 11073102
16:47:04.679 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:47:04.679 Disk 0 Vendor: Hitachi_ ST6O Size: 953869MB BusType: 8
16:47:04.679 Disk 0 MBR read successfully
16:47:04.679 Disk 0 MBR scan
16:47:04.694 Disk 0 unknown MBR code
16:47:04.694 Service scanning
16:47:09.764 Modules scanning
16:47:09.764 Disk 0 trace - called modules:
16:47:09.795 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:47:09.795 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007efa060]
16:47:09.795 3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007b89050]
16:47:12.260 AVAST engine scan C:\Windows
16:47:15.864 AVAST engine scan C:\Windows\system32
16:49:06.484 AVAST engine scan C:\Windows\system32\drivers
16:49:18.901 AVAST engine scan C:\Users\Kelly2
17:27:02.704 AVAST engine scan C:\ProgramData
17:32:13.504 Scan finished successfully
17:33:43.516 Disk 0 MBR has been saved successfully to "C:\Users\Kelly2\Desktop\MBR.dat"
17:33:43.516 The log file has been saved successfully to "C:\Users\Kelly2\Desktop\aswMBR.txt"

I am sorry if I have messed this up even more than necessary...

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,719 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:00 AM

Posted 31 July 2011 - 05:26 PM

I still get a warning to turn on Windows Security Center service - but I have not been able to turn it on or open it since this started

Is this the only issue at the moment?

Go to Start and in "Start search" type in:
services.msc
Press Enter.

Find Security Center service.
Is it running?
Is the "Startup Type" set to "Automatic"?

Also....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



 


#11 historybytes

historybytes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 01 August 2011 - 08:30 AM

Hi, Broni!

Security Essentials was disabled in Services.msc - I changed it to Automatic.

Here is the log from SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 09:25 on 01/08/2011 by Kelly2
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted"
"Start"= 0x0000000004 (4)
"Type"= 0x0000000020 (32)
"Description"="@%SystemRoot%\System32\wscsvc.dll,-201"
"DependOnService"="RpcSs WinMgmt"
"ObjectName"="LocalSystem"
"ServiceSidType"= 0x0000000001 (1)
"RequiredPrivileges"="SeChangeNotifyPrivilege SeImpersonatePrivilege"
"DelayedAutoStart"= 0x0000000000 (0)
"FailureActions"=80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 c0 d4 01 00 01 00 00 00 e0 93 04 00 00 00 00 00 00 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]


-= EOF =-

Just a thought - and I have noooo idea how to change or fix this --- could one of the bugs have changed the Group Policy?

Thanks again, Broni!

kel

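Reading the SystemLook dump above by hand is error-prone, and the number that matters in it is easy to miss: `"Start"= 0x0000000004 (4)` is the registry encoding of a service whose Startup Type is Disabled, which is exactly the state Broni's services.msc check is looking for and the reason Action Center cannot turn Security Center back on. The following is an added example, not code from the thread or from the SystemLook tool. It parses the `:reg` output format as printed above (the sample text is copied from the log in this post, trimmed to the relevant values), decodes the `Start` DWORD into the Startup Type names services.msc shows, and flags the disabled state plus any `ImagePath` that no longer points at the expected svchost host; the `assess_service` function and the expected-host check are this example's own conventions, not SystemLook's.

```python
"""Decode a SystemLook ':reg' dump of a Windows service key.

Added example: parses the text SystemLook prints for a
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> key and reports the
service's start mode, so a 'Start'= 0x4 line is recognised as Disabled.
"""
import re
from typing import Any, Dict, List, Tuple

# Registry 'Start' values -> Startup Type as shown in services.msc.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed sample: the wscsvc key as posted in the SystemLook log above,
# trimmed to the values this example decodes.
SAMPLE = r'''
========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted"
"Start"= 0x0000000004 (4)
"Type"= 0x0000000020 (32)
"DelayedAutoStart"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]

-= EOF =-
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=\s*0x([0-9a-fA-F]+)\s*\(\d+\)$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_systemlook_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {key_path: {value_name: value}} for every key in the dump.

    DWORD lines become ints, REG_SZ lines stay strings, anything else
    (e.g. the REG_BINARY FailureActions blob) is kept as raw text.
    """
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                current = m.group(1)
                keys[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue  # banner, blank and EOF lines carry no values
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
            continue
        name, _, rest = line.partition("=")
        keys[current][name.strip('"')] = rest.strip()
    return keys


def service_start_mode(values: Dict[str, Any]) -> str:
    """Map the Start DWORD (plus DelayedAutoStart) to the services.msc label."""
    start = values.get("Start")
    if start is None:
        return "unknown"
    if start == 2 and values.get("DelayedAutoStart") == 1:
        return "Automatic (Delayed Start)"
    return START_TYPES.get(start, f"unknown ({start})")


def assess_service(values: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Return (start mode, findings) for a service key a scanner pointed at.

    Two things are worth checking here: whether the service was disabled,
    and whether ImagePath still names the expected svchost host binary
    (this example's own check; a hijacked ImagePath would show up here).
    """
    findings: List[str] = []
    mode = service_start_mode(values)
    if values.get("Start") == 4:
        findings.append(
            f"Start=4: service is {mode}; set Startup Type to Automatic to re-enable it"
        )
    image = str(values.get("ImagePath", ""))
    if not image.lower().startswith(r"%systemroot%\system32\svchost.exe"):
        findings.append(f"ImagePath is not the expected svchost host: {image}")
    return mode, findings


if __name__ == "__main__":
    for key, vals in parse_systemlook_reg(SAMPLE).items():
        if "Start" in vals:
            mode, findings = assess_service(vals)
            print(f"{key}\n  {vals.get('DisplayName', '?')}: {mode}")
            for f in findings:
                print(f"  ! {f}")
```

Run against the posted log it reports the Security Center service as Disabled with a legitimate-looking ImagePath, which matches what the user then found in services.msc; the fix (changing the Startup Type to Automatic and starting the service) is the step Broni describes, not something this parser performs.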
#12 historybytes

historybytes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 01 August 2011 - 08:54 AM

Oh - and my browser is still being misdirected as well. For example, a search for Kate and William brought up a YellowPages site; a search for how to install a water fountain took me to VideoBash for the tsunami in Japan.

Should I take a whack at the TDSS removal of the redirecting virus? Seriously, I can learn to ignore the little 'windows Security Center' warning so long as it is not causing any problems but the Google redirect is a pain!!! I won't do anything until I hear from you, though - I don't want to make things worse again.

Thanks again, Broni!
k

#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,719 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:00 AM

Posted 01 August 2011 - 07:28 PM

Security Essentials was disabled in Services.msc - I changed it to Automatic.

We're talking about Windows Security Center here, not Security Essentials.
Is Windows Security Center OK now?

Regarding redirection....

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.



 


#14 historybytes

historybytes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 02 August 2011 - 10:15 AM

Hi, Broni! Sorry about that east coast-west coast time shift!

To answer your questions
1. the Action Center has a little red X on the flag and the notification is that Windows Security Center is turned off. When I go to the Action Center and click 'Turn on' a pop-up window states that 'Windows Security Center can't be turned on.' The contraction made me nervous the very first time.

2. As to redirecting - it is still happening - I can only get to a site by the URL; Google brings up appropriate responses to a search but clicking on one of these links sends me to adware, a completely unrelated page, or sometimes a blank page.

3. I am posting the SAS log file here but just so you know for comparison, an earlier SAS run on July 29 (now missing?) was done in Safe with Networking mode on drives C:\ and D:\ : it came up with 487 memory files (no threats), 14798 registry items (1 infected with Malware.Trace), and only 68023 files (96 infected with Adware.Tracking Cookie). All were quarantined and removed successfully, according to the log.

4. Here is the latest SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/02/2011 at 10:59 AM

Application Version : 4.56.1000

Core Rules Database Version : 7499
Trace Rules Database Version: 5311

Scan type : Complete Scan
Total Scan Time : 01:35:52

Memory items scanned : 332
Memory threats detected : 0
Registry items scanned : 13821
Registry threats detected : 0
File items scanned : 263086
File threats detected : 2

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\KELLY2\APPDATA\LOCAL\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\USERS\KELLY2\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\EXPLORER.EXE

Thanks tons! Hope that you are getting some sleep! :busy:
k

#15 historybytes

historybytes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 02 August 2011 - 10:24 AM

Broni - I do not know how this did not get deleted but I found an SAS log from 29 July...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/29/2011 at 02:44 AM

Application Version : 4.55.1000

Core Rules Database Version : 7484
Trace Rules Database Version: 5296

Scan type : Complete Scan
Total Scan Time : 00:38:54

Memory items scanned : 487
Memory threats detected : 0
Registry items scanned : 14798
Registry threats detected : 1
File items scanned : 68023
File threats detected : 96

Malware.Trace
(x86) HKU\S-1-5-21-2279428764-3126448669-449281647-1001\Software\NtWqIVLZEWZU

Adware.Tracking Cookie
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@doubleclick[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@adserver.adtechus[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@atdmt[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@advertising[2].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\kelly2@adserver.adtechus[1].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@bs.serving-sys[2].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@statcounter[1].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@serving-sys[1].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@atdmt[1].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@tribalfusion[1].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@content.yieldmanager[3].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@atdmt[2].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@content.yieldmanager[2].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@ads.networldmedia[1].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@yadro[2].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@doubleclick[1].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@doubleclick[2].txt
C:\Users\Kelly2\AppData\Roaming\Microsoft\Windows\Cookies\Low\kelly2@tradedoubler[1].txt
C:\Users\Robin2\AppData\Local\Temp\Low\Cookies\robin2@doubleclick[1].txt
C:\Users\Robin2\AppData\Local\Temp\Low\Cookies\robin2@ad.yieldmanager[1].txt
media.freegames.org [ C:\Users\Robin2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\JXJMTMWJ ]
msnbcmedia.msn.com [ C:\Users\Robin2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\JXJMTMWJ ]
s0.2mdn.net [ C:\Users\Robin2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\JXJMTMWJ ]
vitamine.networldmedia.net [ C:\Users\Robin2\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\JXJMTMWJ ]
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@banners.battleon[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@mm.chitika[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@citi.bridgetrack[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ad3.adfarm1.adition[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@yieldmanager[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@canoe.112.2o7[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@bluestreak[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@adbrite[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@media6degrees[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@doubleclick[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@tribalfusion[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.comicskingdom[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@apmebf[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@statcounter[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@bellglobemediapublishing.122.2o7[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@sympatico.112.2o7[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@toplist[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.intergi[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@invitemedia[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@viacom.adbureau[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@content.yieldmanager[3].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ad.adopm[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@www5.addfreestats[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@hitbox[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@vitamine.networldmedia[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@bellcan.adbureau[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@serving-sys[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@adlegend[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@adcentriconline[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@server.cpmstar[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@xm.xtendmedia[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.networldmedia[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@casalemedia[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@www.burstnet[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@fastclick[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@atdmt[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@imrworldwide[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.gamesbannernet[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@legolas-media[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@statse.webtrendslive[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@pro-market[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@overture[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@lucidmedia[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.pointroll[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@mediaplex[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@adserver.adtechus[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@beacon.dmsinsights[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@adfarm1.adition[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.networldmedia[3].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@yadro[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ad.yieldmanager[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ad2.billboard[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.ad4game[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ads.pga[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@advertising[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@content.yieldmanager[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@dmtracker[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@eas4.emediate[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ehg-twi.hitbox[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@intermundomedia[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@msnportal.112.2o7[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@pointroll[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@questionmarket[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@rbc.bridgetrack[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@revsci[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@ru4[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@thestar.122.2o7[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@torstardigital.122.2o7[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@tripod[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\Low\robin2@videoegg.adbureau[2].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\robin2@doubleclick[1].txt
C:\Users\Robin2\AppData\Roaming\Microsoft\Windows\Cookies\robin2@atdmt[2].txt

Take care! k



