
Continuing browser redirects after viral cleanouts


  • This topic is locked
30 replies to this topic

#1 JMK2012

  • Members
  • 45 posts

Posted 11 December 2011 - 12:33 AM

OK, I posted an introductory message here: http://www.bleepingcomputer.com/forums/topic431713.html that gives some background on this problem laptop.

Since then, I've run SuperAntiSpyware & Malwarebytes in Safe Mode, then DDS and GMER in normal mode with MSE AV turned off.

I'm currently only running Microsoft Security Essentials, since I was having trouble with error messages from Malwarebytes, Spybot & AVG yesterday. Obviously, something is still wrong even after running all of these "anti-products", since I've still got browser redirects... What I do not know is whether or not I'll have any further intrusions into the system, or how much basic damage to the system has already been done. If I can get to a point where there's no active viruses/trojans/exploits/redirects/malware/spyware/etc. on the machine, I might feel comfortable exporting my sis-in-law's music files to another machine. Even with just the browser redirects, I know there's still some bug in the system, and I don't want her to inadvertently infect anyone else's laptop. I am guessing we need to do a complete restore since she's already lost all of the shortcuts that had been hidden. She really only uses this machine for Quickbooks and iTunes, but I'm thinking she needs to wipe it out completely and RESTORE to new, and then load all of the AV products, or at least MS Security Essentials...

Hoping someone has an answer and some sage advice.

Thanks in advance for checking!

Joe


Here's the logs:

=============================================================================================
SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/10/2011 at 08:11 PM

Application Version : 5.0.1136

Core Rules Database Version : 8038
Trace Rules Database Version: 5850

Scan type : Complete Scan
Total Scan Time : 01:48:00

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 396
Memory threats detected : 0
Registry items scanned : 72465
Registry threats detected : 0
File items scanned : 257497
File threats detected : 149

Adware.Tracking Cookie
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\ET6JF1BO.txt [ /rotator.adjuggler.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\GU6Q3O6O.txt [ /media6degrees.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\VUFFRBJ3.txt [ /adxpose.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\6JFGEBVW.txt [ /c.atdmt.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\UZNZVNNZ.txt [ /apmebf.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\MLR30HRE.txt [ /ru4.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\CJJ24GXU.txt [ /enhance.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\9BC911OA.txt [ /liveperson.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\2LPZ0MXS.txt [ /yieldmanager.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\UG59JT63.txt [ /ad.wsod.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\A0A3VENV.txt [ /counter.surfcounters.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\V3RHRAIW.txt [ /247realmedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\NETPJENA.txt [ /r1-ads.ace.advertising.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\TNI1XXC6.txt [ /imrworldwide.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Y86S4XDI.txt [ /www.burstnet.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\6HLSJZAR.txt [ /mediaplex.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\0CBB2YJG.txt [ /a1.interclick.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\TON2BW5H.txt [ /advertise.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\6PC3WX6E.txt [ /sales.liveperson.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\2IY6Z8AQ.txt [ /martiniadnetwork.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\1MDN92MP.txt [ /linksynergy.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\TYGZVCNE.txt [ /kontera.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\XJ5ZS6L2.txt [ /trafficmp.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\13X25CCB.txt [ /atwola.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\36TV33QJ.txt [ /network.realmedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\KDFA3SFP.txt [ /adbrite.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\9ZS0EP4E.txt [ /at.atwola.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\EQXOHWGN.txt [ /microsoftwlsearchcrm.112.2o7.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\26F16JU7.txt [ /interclick.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\O590MRTZ.txt [ /akamai.interclickproxy.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\XYHAGRWE.txt [ /ads.bridgetrack.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\M0P0W2LO.txt [ /bs.serving-sys.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Q023ZR1O.txt [ /cdn.jemamedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\JDSW3GXE.txt [ /doubleclick.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\4OFBTVE2.txt [ /avgtechnologies.112.2o7.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\CMUIJZUI.txt [ /marchex.bafind.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\34Z0F8O1.txt [ /statcounter.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\C2AXY27Y.txt [ /ads.blogtalkradio.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\T0HYII5P.txt [ /tacoda.at.atwola.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\A2THQWVR.txt [ /xml.prostreammedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\EQ1TY803.txt [ /lfstmedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\AIEY1Q1N.txt [ /atdmt.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\L88HC4OJ.txt [ /collective-media.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\5X30S8RK.txt [ /legolas-media.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\06J5VMWI.txt [ /revsci.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\76ZLWPHJ.txt [ /ad.yieldmanager.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\253CNWO7.txt [ /pro-market.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\JBHVV417.txt [ /pointroll.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\GZZIYWKZ.txt [ /casalemedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\6RGGEYWW.txt [ /c1.atdmt.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\UDYS4BEJ.txt [ /ads.pubmatic.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\ZLXKC9P4.txt [ /mediaservices-d.openxenterprise.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\JHGD3KGS.txt [ /advertising.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\2QRZ230W.txt [ /adserver.adtechus.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\8M5N32MI.txt [ /realmedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\YFC9J62S.txt [ /ad.360yield.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\PAC6V06G.txt [ /mediadakine.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\L5E2LYZQ.txt [ /insightexpressai.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\ES1JYJZG.txt [ /serving-sys.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\YE35GIZE.txt [ /2o7.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\T9VL1I03.txt [ /lucidmedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\R2JNA6M7.txt [ /eyewonder.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\WAP7JEM2.txt [ /liveperson.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\3US20IL9.txt [ /adtech.de ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\AUT60T2A.txt [ /youngbucks.rotator.hadj7.adjuggler.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\QROJB51B.txt [ /invitemedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\N6H0JZVK.txt [ /tribalfusion.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\8ZA81T2N.txt [ /zedo.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\998I2X0Q.txt [ /questionmarket.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\4JSU4C7F.txt [ /ads.gamersmedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\SV0UL9B1.txt [ /pappasgroup.rotator.hadj7.adjuggler.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\S2CPNNG7.txt [ /ads.undertone.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\2DV8PR7A.txt [ /ads.pointroll.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\RR1TAC4X.txt [ /fastclick.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\WMR1D8Q6.txt [ /chimeraadvertising.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\XAJTGU0Q.txt [ /tmobile.db.advertising.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\6XEEVRPS.txt [ /in.getclicky.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\7M6LGMWF.txt [ /burstnet.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\X0JXOQDG.txt [ /click.scour.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\C26MVCQ1.txt [ /d.mediadakine.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\E82VNRRW.txt [ /specificclick.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\3BMMXPNP.txt [ /ar.atwola.com ]
C:\USERS\LISA\AppData\Roaming\Microsoft\Windows\Cookies\1FWWLGEI.txt [ Cookie:lisa@adsonar.com/adserving ]
C:\USERS\LISA\Cookies\ET6JF1BO.txt [ Cookie:lisa@rotator.adjuggler.com/ ]
C:\USERS\LISA\Cookies\VUFFRBJ3.txt [ Cookie:lisa@adxpose.com/ ]
C:\USERS\LISA\Cookies\6JFGEBVW.txt [ Cookie:lisa@c.atdmt.com/ ]
C:\USERS\LISA\Cookies\MLR30HRE.txt [ Cookie:lisa@ru4.com/ ]
C:\USERS\LISA\Cookies\CJJ24GXU.txt [ Cookie:lisa@enhance.com/ ]
C:\USERS\LISA\Cookies\9BC911OA.txt [ Cookie:lisa@liveperson.net/hc/71097838 ]
C:\USERS\LISA\Cookies\2LPZ0MXS.txt [ Cookie:lisa@yieldmanager.net/ ]
C:\USERS\LISA\Cookies\A0A3VENV.txt [ Cookie:lisa@counter.surfcounters.com/ ]
C:\USERS\LISA\Cookies\TNI1XXC6.txt [ Cookie:lisa@imrworldwide.com/cgi-bin ]
C:\USERS\LISA\Cookies\6HLSJZAR.txt [ Cookie:lisa@mediaplex.com/ ]
C:\USERS\LISA\Cookies\0CBB2YJG.txt [ Cookie:lisa@a1.interclick.com/ ]
C:\USERS\LISA\Cookies\TON2BW5H.txt [ Cookie:lisa@advertise.com/ ]
C:\USERS\LISA\Cookies\6PC3WX6E.txt [ Cookie:lisa@sales.liveperson.net/ ]
C:\USERS\LISA\Cookies\2IY6Z8AQ.txt [ Cookie:lisa@martiniadnetwork.com/ ]
C:\USERS\LISA\Cookies\1MDN92MP.txt [ Cookie:lisa@linksynergy.com/ ]
C:\USERS\LISA\Cookies\XJ5ZS6L2.txt [ Cookie:lisa@trafficmp.com/ ]
C:\USERS\LISA\Cookies\36TV33QJ.txt [ Cookie:lisa@network.realmedia.com/ ]
C:\USERS\LISA\Cookies\KDFA3SFP.txt [ Cookie:lisa@adbrite.com/ ]
C:\USERS\LISA\Cookies\9ZS0EP4E.txt [ Cookie:lisa@at.atwola.com/ ]
C:\USERS\LISA\Cookies\EQXOHWGN.txt [ Cookie:lisa@microsoftwlsearchcrm.112.2o7.net/ ]
C:\USERS\LISA\Cookies\26F16JU7.txt [ Cookie:lisa@interclick.com/ ]
C:\USERS\LISA\Cookies\1FWWLGEI.txt [ Cookie:lisa@adsonar.com/adserving ]
C:\USERS\LISA\Cookies\O590MRTZ.txt [ Cookie:lisa@akamai.interclickproxy.com/ ]
C:\USERS\LISA\Cookies\XYHAGRWE.txt [ Cookie:lisa@ads.bridgetrack.com/ ]
C:\USERS\LISA\Cookies\M0P0W2LO.txt [ Cookie:lisa@bs.serving-sys.com/ ]
C:\USERS\LISA\Cookies\JDSW3GXE.txt [ Cookie:lisa@doubleclick.net/ ]
C:\USERS\LISA\Cookies\4OFBTVE2.txt [ Cookie:lisa@avgtechnologies.112.2o7.net/ ]
C:\USERS\LISA\Cookies\CMUIJZUI.txt [ Cookie:lisa@marchex.bafind.com/ ]
C:\USERS\LISA\Cookies\34Z0F8O1.txt [ Cookie:lisa@statcounter.com/ ]
C:\USERS\LISA\Cookies\A2THQWVR.txt [ Cookie:lisa@xml.prostreammedia.com/ ]
C:\USERS\LISA\Cookies\AIEY1Q1N.txt [ Cookie:lisa@atdmt.com/ ]
C:\USERS\LISA\Cookies\L88HC4OJ.txt [ Cookie:lisa@collective-media.net/ ]
C:\USERS\LISA\Cookies\5X30S8RK.txt [ Cookie:lisa@legolas-media.com/ ]
C:\USERS\LISA\Cookies\253CNWO7.txt [ Cookie:lisa@pro-market.net/ ]
C:\USERS\LISA\Cookies\JBHVV417.txt [ Cookie:lisa@pointroll.com/ ]
C:\USERS\LISA\Cookies\GZZIYWKZ.txt [ Cookie:lisa@casalemedia.com/ ]
C:\USERS\LISA\Cookies\6RGGEYWW.txt [ Cookie:lisa@c1.atdmt.com/ ]
C:\USERS\LISA\Cookies\2QRZ230W.txt [ Cookie:lisa@adserver.adtechus.com/ ]
C:\USERS\LISA\Cookies\8M5N32MI.txt [ Cookie:lisa@realmedia.com/ ]
C:\USERS\LISA\Cookies\L5E2LYZQ.txt [ Cookie:lisa@insightexpressai.com/ ]
C:\USERS\LISA\Cookies\ES1JYJZG.txt [ Cookie:lisa@serving-sys.com/ ]
C:\USERS\LISA\Cookies\YE35GIZE.txt [ Cookie:lisa@2o7.net/ ]
C:\USERS\LISA\Cookies\T9VL1I03.txt [ Cookie:lisa@lucidmedia.com/ ]
C:\USERS\LISA\Cookies\R2JNA6M7.txt [ Cookie:lisa@eyewonder.com/ ]
C:\USERS\LISA\Cookies\WAP7JEM2.txt [ Cookie:lisa@liveperson.net/ ]
C:\USERS\LISA\Cookies\3US20IL9.txt [ Cookie:lisa@adtech.de/ ]
C:\USERS\LISA\Cookies\N6H0JZVK.txt [ Cookie:lisa@tribalfusion.com/ ]
C:\USERS\LISA\Cookies\8ZA81T2N.txt [ Cookie:lisa@zedo.com/ ]
C:\USERS\LISA\Cookies\998I2X0Q.txt [ Cookie:lisa@questionmarket.com/ ]
C:\USERS\LISA\Cookies\SV0UL9B1.txt [ Cookie:lisa@pappasgroup.rotator.hadj7.adjuggler.net/ ]
C:\USERS\LISA\Cookies\2DV8PR7A.txt [ Cookie:lisa@ads.pointroll.com/ ]
C:\USERS\LISA\Cookies\WMR1D8Q6.txt [ Cookie:lisa@chimeraadvertising.com/ ]
C:\USERS\LISA\Cookies\XAJTGU0Q.txt [ Cookie:lisa@tmobile.db.advertising.com/ ]
C:\USERS\LISA\Cookies\6XEEVRPS.txt [ Cookie:lisa@in.getclicky.com/ ]
C:\USERS\LISA\Cookies\7M6LGMWF.txt [ Cookie:lisa@burstnet.com/ ]
C:\USERS\LISA\Cookies\C26MVCQ1.txt [ Cookie:lisa@d.mediadakine.com/ ]
C:\USERS\LISA\Cookies\E82VNRRW.txt [ Cookie:lisa@specificclick.net/ ]
C:\USERS\LISA\Cookies\3BMMXPNP.txt [ Cookie:lisa@ar.atwola.com/ ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\0LGEV2TS.txt [ /media6degrees.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\1A0MPG2T.txt [ /xml.prostreammedia.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\9JQGAYDH.txt [ /revsci.net ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\3F8R65MK.txt [ /ad.yieldmanager.com ]
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\JBA8H7QS.txt [ /zedo.com ]
C:\USERS\LISA\AppData\Roaming\Microsoft\Windows\Cookies\TF8C1L75.txt [ Cookie:lisa@littlebluesearch.com/click/ ]
C:\USERS\LISA\Cookies\1A0MPG2T.txt [ Cookie:lisa@xml.prostreammedia.com/ ]
C:\USERS\LISA\Cookies\TF8C1L75.txt [ Cookie:lisa@littlebluesearch.com/click/ ]

=============================================================================================


MalwareBytes Log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8350

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

12/10/2011 10:18:30 PM
mbam-log-2011-12-10 (22-18-30).txt

Scan type: Quick scan
Objects scanned: 179426
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=============================================================================================
DDS result log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Lisa at 22:56:29 on 2011-12-10
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.2400 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxefcoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\RUNDLL32.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\tbIncr.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: hpBHO Class: {abd3b5e1-b268-407b-a150-2641dab8d898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\tbIncr.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\tbIncr.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
mRun: [<NO NAME>]
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\Users\Lisa\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
uPolicies-system: WallpaperStyle = 2
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: WallpaperStyle = 2
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://downloads.freehandmusic.com/soleromusiccontrol.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3DC90021-B8C9-42BC-B7FB-B45A8BA8812E} : DhcpNameServer = 65.32.1.65 65.32.1.70
TCP: Interfaces\{899F07E1-9A05-4B55-8570-6585EF303001} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{899F07E1-9A05-4B55-8570-6585EF303001}\05A4532513 : DhcpNameServer = 192.168.1.1 68.238.112.12
TCP: Interfaces\{899F07E1-9A05-4B55-8570-6585EF303001}\140707C65602E4564777F627B602735323831373 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{899F07E1-9A05-4B55-8570-6585EF303001}\5494854543 : DhcpNameServer = 192.168.1.1 68.238.112.12
TCP: Interfaces\{899F07E1-9A05-4B55-8570-6585EF303001}\7355743473 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{899F07E1-9A05-4B55-8570-6585EF303001}\B6678683032303 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{899F07E1-9A05-4B55-8570-6585EF303001}\C494748343 : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: hpBHO Class: {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll
BHO-X64: HelloWorldBHO - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\tbIncr.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB-X64: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\tbIncr.dll
TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [(Default)]
mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 VWiFiFlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-8-31 89600]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-6-15 249648]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 lxef_device;lxef_device;C:\Windows\system32\lxefcoms.exe -service --> C:\Windows\system32\lxefcoms.exe -service [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-14 136176]
S2 lxefCATSCustConnectService;lxefCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\lxefserv.exe [2011-9-1 45224]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-7-7 195336]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-15 227896]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-14 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw1v64.sys --> C:\Windows\system32\DRIVERS\NETw1v64.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2011-12-11 03:12:57 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-11 03:12:42 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3D311B4C-04E3-4774-B886-F57A44F1A12B}\offreg.dll
2011-12-11 03:12:35 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3D311B4C-04E3-4774-B886-F57A44F1A12B}\mpengine.dll
2011-12-11 03:08:51 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-10 23:13:26 -------- d-----w- C:\Users\Lisa\AppData\Roaming\SUPERAntiSpyware.com
2011-12-10 23:12:37 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-12-10 23:12:37 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-12-10 15:14:48 -------- d-----w- C:\Windows\System32\SPReview
2011-12-10 14:59:16 -------- d--h--w- C:\Windows\msdownld.tmp
2011-12-10 02:38:30 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E068A3C3-D4B7-4C7C-A73C-F9F0DAB2B1EE}\gapaengine.dll
2011-12-10 02:31:15 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-12-10 02:30:42 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2011-12-10 01:30:06 -------- d-----w- C:\Users\Lisa\AppData\Roaming\AVG
2011-12-09 20:40:41 -------- d-----w- C:\LISA MUSIC
2011-12-09 18:00:49 -------- d-----w- C:\Users\Lisa\AppData\Roaming\Malwarebytes
2011-12-09 17:06:31 -------- d-----w- C:\ProgramData\Recovery
2011-12-08 21:17:03 -------- d-----we C:\Windows\system64
2011-12-08 20:56:42 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-12-08 20:55:55 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2011-12-08 15:08:43 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-12-08 15:06:22 -------- d-----w- C:\a5e99c7bbeb5ae557a6cbcd350c7
2011-12-08 07:28:17 -------- d-----w- C:\Windows\System32\EventProviders
2011-12-08 07:10:33 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-08 05:54:12 -------- d-----w- C:\ProgramData\AVG2012
2011-12-08 05:48:48 -------- d-----w- C:\ProgramData\MFAData
2011-12-06 18:57:22 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CD252C92-EBB7-4A8A-BF5F-8F48725FAC4C}\mpengine.dll
2011-12-01 22:57:13 200976 ---ha-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2011-12-01 21:35:08 -------- d--h--w- C:\ProgramData\Malwarebytes
.
==================== Find3M ====================
.
2011-12-10 16:01:03 152064 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-12-10 16:01:02 175104 ----a-w- C:\Windows\System32\msclmd.dll
2011-10-24 18:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-09-29 04:09:30 3141120 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 23:05:35.67 ===============

#2 JMK2012

JMK2012
  • Topic Starter
  • Members
  • 45 posts

Posted 11 December 2011 - 03:26 PM

Ok, I don't know if this means anything, but I've had this "clean laptop" (still laden with browser redirect problems...) just sitting on the desk, with no programs or web pages open, just running... I come back to find:

"Message from webpage" "? You need Adobe Flash Player 8 (or above) to view the charts. It is a free and lightweight installation from Adobe.com. Please click on OK to install the same."

The first (most obvious) question is, why would I get any pop-up messages with no web pages opened? (the wireless is turned on)

Secondly, I've run a web search on the word string and I can see others are getting unsolicited attempts to install Adobe 8 (or above) such as this:

http://www.franzone.com/2010/06/28/mashables-iphone-app-flash-what/

Mashable’s iPhone App – Flash What?
// June 28th, 2010 // Blog Babble

I just opened up the Mashable app on my iPhone to view an article and received the error below stating, “You need Adobe Flash Player 8 (or above) to view the charts. It is a free and lightweight installation from Adobe.com. Please click on Ok to install the same.” Hey guys… are you aware of the whole Apple / Flash controversy? I’m guessing your iPhone app shouldn’t be prompting me to install Flash.



Here's another mention of the same word string...

http://forum.fusioncharts.com/topic/7717-invalidate-autoinstallredirect/

And another...

http://forums.mozillazine.org/viewtopic.php?f=7&t=1842065


So, my guess is that this is also part of the whole exploit/trojan/virus problem with this laptop, that has not been eradicated by all of the standard methods I've accomplished already... Is that right? It would be so easy for someone to see this type of message and click OK without thinking they were continuing to infect their own machine.

I've since shut down the wireless connection to keep the internet from trying to contact the laptop...

Joe

#3 gringo_pr

gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 14 December 2011 - 09:52 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 JMK2012

JMK2012
  • Topic Starter
  • Members
  • 45 posts

Posted 14 December 2011 - 11:39 PM

Hi Gringo,

I had previously removed all antispyware and antivirus programs through Control Panel Add/Remove Programs and Features, leaving only a new install of Microsoft Security Essentials running since.

To run ComboFix, I disabled MSE, but ComboFix reports that AVG Anti-Virus Free Edition 2012 (antivirus) and AVG Anti-Virus Free Edition 2012 (anti-spyware) are both running. I thought that was weird when I saw them listed in the logs above, because I know I had removed them. The AVG Free program was previously completely removed through Control Panel and to my knowledge, they are not on the computer and they are not running. Could it be that whatever is affecting this laptop is spoofing those programs to keep control? I've looked for them in the Task Manager under processes & applications and they are not listed. What do I do next to find and eradicate whatever program is pretending to be AVG Free, or do I run ComboFix anyway, even with the warnings of unpredictable results?

Also, at this roadblock, I thought I had stopped running ComboFix at the AVG Free warning by closing the warning window (instead of telling it to proceed), but as soon as I did that, the AVG warning popped back up with two loud beeps and told me that ComboFix was going to continue to run anyway, regardless of the results... I didn't see any choice but to power down from that point, which I did...

Should I have tried running ComboFix from SafeMode? I'll await your further instructions.

Thanks,

Joe

Edited by JMK2012, 14 December 2011 - 11:48 PM.


#5 gringo_pr

gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 14 December 2011 - 11:48 PM

Hello


Go ahead and run combofix even with the warning about AVG


gringo

#6 JMK2012

JMK2012
  • Topic Starter
  • Members
  • 45 posts

Posted 15 December 2011 - 10:23 AM

Hi Gringo,

This is the first run of ComboFix on this machine. During the program running, a Windows Update pop-up opened. I told it to postpone for 4 hours and closed the window. During the ComboFix reboot, I noticed the computer saying it was processing the updates... Not sure if that makes a difference or not...


Thanks,

Joe


ComboFix 11-12-13.03 - Lisa 12/15/2011 9:09.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.2415 [GMT -5:00]
Running from: c:\users\Lisa\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Templates\527073h8b231n437w374b1qwo5d6
c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Templates\cpagpn0q7nea6bud8fft8t064n5s
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-15 14:47 . 2011-12-15 14:47 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{448376FA-DD3F-4046-BE81-4E808E49B12E}\offreg.dll
2011-12-15 14:43 . 2011-12-15 14:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-15 04:29 . 2011-11-21 08:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{448376FA-DD3F-4046-BE81-4E808E49B12E}\mpengine.dll
2011-12-15 04:29 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 04:29 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-15 04:29 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 04:29 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-11 03:12 . 2011-11-21 08:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-10 23:13 . 2011-12-10 23:13 -------- d-----w- c:\users\Lisa\AppData\Roaming\SUPERAntiSpyware.com
2011-12-10 23:12 . 2011-12-10 23:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-10 23:12 . 2011-12-10 23:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-10 15:14 . 2011-12-10 15:14 -------- d-----w- c:\windows\system32\SPReview
2011-12-10 14:59 . 2011-12-10 14:59 -------- d--h--w- c:\windows\msdownld.tmp
2011-12-10 02:38 . 2011-10-04 22:22 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E068A3C3-D4B7-4C7C-A73C-F9F0DAB2B1EE}\gapaengine.dll
2011-12-10 02:31 . 2011-12-10 02:31 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-12-10 02:30 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-10 01:30 . 2011-12-10 01:31 -------- d-----w- c:\users\Lisa\AppData\Roaming\AVG
2011-12-09 20:40 . 2011-12-09 20:42 -------- d-----w- C:\LISA MUSIC
2011-12-09 18:00 . 2011-12-09 18:00 -------- d-----w- c:\users\Lisa\AppData\Roaming\Malwarebytes
2011-12-09 17:06 . 2011-12-09 22:49 -------- d-----w- c:\programdata\Recovery
2011-12-08 21:17 . 2011-12-08 21:17 -------- d-----we c:\windows\system64
2011-12-08 21:15 . 2011-12-08 21:15 -------- d-----w- c:\windows\Sun
2011-12-08 20:56 . 2011-12-09 16:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-08 20:55 . 2011-12-10 02:17 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2011-12-08 15:08 . 2011-12-10 02:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-08 15:06 . 2011-12-09 23:14 -------- d-----w- C:\a5e99c7bbeb5ae557a6cbcd350c7
2011-12-08 07:28 . 2011-12-09 23:01 -------- d-----w- c:\windows\system32\EventProviders
2011-12-08 07:10 . 2011-12-11 03:08 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-08 05:54 . 2011-12-10 02:09 -------- d-----w- c:\programdata\AVG2012
2011-12-08 05:48 . 2011-12-10 02:08 -------- d-----w- c:\programdata\MFAData
2011-12-06 18:57 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CD252C92-EBB7-4A8A-BF5F-8F48725FAC4C}\mpengine.dll
2011-12-01 22:57 . 2011-06-21 04:09 200976 ---ha-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-12-01 21:35 . 2011-12-09 22:58 -------- d--h--w- c:\programdata\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 16:01 . 2009-07-14 02:36 152064 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-12-10 16:01 . 2009-07-14 02:36 175104 ----a-w- c:\windows\system32\msclmd.dll
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-09-29 16:24 . 2011-11-08 19:45 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 04:09 . 2011-11-08 19:45 3141120 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-09-12 19:02 3863136 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ABD3B5E1-B268-407B-A150-2641DAB8D898}]
2009-06-08 21:41 120104 ----a-w- c:\program files (x86)\Common Files\Homepage Protection\HomepageProtection.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
2010-09-12 19:02 3863136 ----a-w- c:\program files (x86)\IncrediMail_MediaBar_2\tbIncr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files (x86)\IncrediMail_MediaBar_2\tbIncr.dll" [2010-09-12 3863136]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-14 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R2 lxefCATSCustConnectService;lxefCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxefserv.exe [2010-09-09 45224]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-14 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw1v64.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-02 89600]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 lxef_device;lxef_device;c:\windows\system32\lxefcoms.exe [2010-09-09 1070760]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 15:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-14 21:47]
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-14 21:47]
.
2011-12-01 c:\windows\Tasks\HPCeeScheduleForLisa.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 09:22]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://downloads.freehandmusic.com/soleromusiccontrol.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
.
**************************************************************************
.
Completion time: 2011-12-15 10:16:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-15 15:16
.
Pre-Run: 198,406,324,224 bytes free
Post-Run: 197,583,003,648 bytes free
.
- - End Of File - - 23C8DA650CB38C410D53122AD539AF76
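As an added example (not a tool from the thread, from BleepingComputer, or from the DDS/ComboFix authors), the Python script below parses the service, file-creation and bare-path line shapes used in the DDS and ComboFix logs above and lists the entries a reviewer should verify by hand. The sample lines are copied from the posted logs; the expected-root list, the lookalike folder names and the random-name heuristic are constructed assumptions, not rules from either scanner.

```python
"""Triage helper for DDS / ComboFix log lines.

Added example for this thread, not a tool from BleepingComputer or from
the DDS/ComboFix authors. It parses the three line shapes that carry file
paths in the logs posted above and returns findings a human reviewer
should verify; it makes no claim that a flagged entry is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Service/driver lines, e.g.
#   S3 name;Display Name;C:\path\file.sys [2011-7-7 195336]          (DDS, file found)
#   S3 name;Display Name;C:\path\file.sys --> C:\path\file.sys [?]   (DDS, file not found)
#   R3 name;Display Name;c:\path\file.sys [x]                        (ComboFix, file not found)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+(?:-->\s+.+?\s+)?\[(?P<tail>[^\]]*)\]\s*$"
)
# File/directory lines: "YYYY-MM-DD hh:mm[:ss] [. YYYY-MM-DD hh:mm] size attrs path".
# ComboFix adds the second ". timestamp" (last write); DDS does not.
FILE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?\s+(?P<size>-+|\d+)"
    r"\s+(?P<attrs>[-\w]{8})\s+(?P<path>.+?)\s*$"
)
# Bare path lines (ComboFix "Other Deletions" / "Other Running Processes").
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S")

# Assumptions (constructed for this example, not from the logs' authors):
# roots a service binary is normally installed under on Windows 7, and
# folder names that sit next to real system folders but are not standard
# ("system64" appears in the posted logs; 64-bit Windows uses System32 and SysWOW64).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                  "c:\\program files (x86)\\", "c:\\programdata\\")
LOOKALIKE_NAMES = {"system64", "syswow32"}
# Long alphanumeric name mixing letters and digits, no extension: installer
# temp folders look like this, and so do the Templates files ComboFix deleted.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{20,}$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    path: str
    detail: str


def check_path(path: str) -> Optional[Finding]:
    """Name-based checks shared by file lines and bare path lines."""
    low = path.lower()
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    if leaf.lower() in LOOKALIKE_NAMES and "\\windows\\" in low:
        return Finding("system-folder-lookalike", path,
                       "not a standard Windows folder name; inspect its contents")
    if RANDOM_NAME_RE.match(leaf):
        return Finding("random-looking-name", path,
                       "long alphanumeric name; often installer temp, sometimes a dropper")
    return None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None when nothing needs a second look."""
    m = SERVICE_RE.match(line)
    if m:
        path, tail = m.group("path"), m.group("tail").strip()
        if tail in ("?", "x"):
            return Finding("service-binary-missing", path,
                           f"{m.group('name')}: scanner could not find the file; "
                           "confirm it is a legitimate driver or a stale entry")
        if not path.lower().startswith(EXPECTED_ROOTS):
            return Finding("service-outside-standard-roots", path,
                           f"{m.group('name')} runs from an unusual location")
        return None
    m = FILE_RE.match(line)
    if m:
        return check_path(m.group("path"))
    if BARE_PATH_RE.match(line):
        return check_path(line.strip())
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Sample lines copied from the DDS and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-7-7 195336]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [x]
2011-12-08 21:17:03 -------- d-----we C:\Windows\system64
2011-12-08 15:06 . 2011-12-09 23:14 -------- d-----w- C:\a5e99c7bbeb5ae557a6cbcd350c7
2011-12-09 20:40:41 -------- d-----w- C:\LISA MUSIC
c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Templates\527073h8b231n437w374b1qwo5d6
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.path}\n    {f.detail}")
```

On the sample above it reports the two drivers the scanners could not stat, the `system64` folder, and the two long hexadecimal-looking names; everything else passes silently.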

#7 gringo_pr

gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 15 December 2011 - 11:46 AM

Hello

How are the redirects??

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#8 JMK2012

JMK2012
  • Topic Starter
  • Members
  • 45 posts

Posted 15 December 2011 - 05:09 PM

#1 - The redirects are still occurring.

#2 - I downloaded and ran TDSSKILLER and nothing happened. No menu - no scan button - no result -- no nothing. The first time I did it, the desktop went black again (did this before...). I rebooted and tried again - same thing, but no blank window. There is a new taskbar icon that says "Open New Side Note" that I've never seen before and didn't invoke the program myself...

If TDSSKILLER is supposed to run a program window telling you it's running & giving you a SCAN button, and a logfile at the end, I didn't get any of that, yet.

I double click it and get nothing... Should I be running in Safe Mode or should I run rkill first? Is it ok to have the wireless turned on during the scan?

Thanks,

Joe


BTW, Windows Update keeps trying to run, or do some portion of updating when the machine is rebooted, but I think I saw it say it failed and was reverting back... Not sure if this is helping or hurting the process...

Another thing just popped up that I was suspicious of before - (HP Support Assistant)
"HPSF.exe has stopped working - This application has encountered a serious problem and must close. Click OK to automatically restart this application." Since nothing is really running on this computer, I'm not sure what tried to start this program, but when I was having all the virus problems, I suspected everything, including this file that keeps trying to get you to click OK... I keep closing it and up pops a window saying HP SUPPORT ASSISTANT: We are sorry! HP Support Assistant can only be run by one user at a time. Please switch to the user who is currently running HP Support Assistant and close the program before you start HP Support Assistant on the other user you choose. Click OK

I am not exactly sure if this is a real HP message, or another spoof trying to get you to click OK. At this point, all I've done is closed these messages. Still waiting for a response from you regarding it all...

Edited by JMK2012, 16 December 2011 - 11:31 AM.


#9 gringo_pr

gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 December 2011 - 11:43 AM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report.

Gringo

#10 JMK2012

JMK2012
  • Topic Starter
  • Members
  • 45 posts

Posted 16 December 2011 - 01:05 PM

Hi Gringo,

Ran fixTDSS and after rebooting it said ***Infected MBR detected - Clicked on REPAIR and it said REPAIR SUCCESSFUL.

I just rebooted, and got a Windows Recovery Error, but while typing this it moved on to run STARTUP REPAIR which is asking me if I want to run System Restore and get to an earlier Restore Point. It says "This repair will not change personal data, but it might remove some programs that were installed recently. You cannot undo this restoration."

I'm holding at that point (Restore vs Cancel), waiting to hear back... I assume I'll need to do a restore to a previous point, but that's gonna negate all of the logs I've already posted (I think...)

Let me know how to proceed.

Joe

Edited by JMK2012, 16 December 2011 - 01:06 PM.


#11 gringo_pr

gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 December 2011 - 01:29 PM

Hello

go with startup repair and if that does not work do this

System Recovery Environment

To access the System Recovery Environment, simply boot your PC,

  • just before the system loads the Windows operating system, hit the [F8] Function 8 key on your keyboard which will launch the Advanced Boot Options menu.
  • There you will see a new option 'Repair Your Computer', select this option and hit 'Enter' on your keyboard.
  • Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next:
  • From the "Choose a Recovery Tool" dialog menu, select "Command Prompt":
  • Type the following into the Command Prompt window and press Enter:

    bootrec.exe /fixmbr

If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment, type the following into the Command Prompt window and press Enter:

bootrec.exe /fixboot
gringo

#12 JMK2012

JMK2012
  • Topic Starter
  • Members
  • 45 posts

Posted 16 December 2011 - 07:23 PM

I was able to get to the command prompt and run bootrec.exe /fixmbr

When it tried to restart, it won't boot. Now says "bootmgr is missing" - Press ctrl-alt-del to restart.

The only boot option now is to press ESC to get into the Startup Menu

F1 - System Information
F2 - System Diagnostics
F9 - Boot Device Options
F10 - Bios Setup
F11 - System Recovery

F11 brings you right back to the "bootmgr is missing" message.

It seems to be stuck and going nowhere...

Edited by JMK2012, 16 December 2011 - 07:38 PM.


#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 December 2011 - 09:48 PM

Hello

This is what we need to do

System Recovery Environment

To access the System Recovery Environment, simply boot your PC,

  • just before the system loads the Windows operating system, hit the [F8] Function 8 key on your keyboard which will launch the Advanced Boot Options menu.
  • There you will see a new option 'Repair Your Computer', select this option and hit 'Enter' on your keyboard.
  • Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next:

    When you get to the "Choose a Recovery Tool" menu you will see at the top:

    Operating System: Win 7 on (D:) OS

    Take note of the drive letter in parentheses (D: in the example above). If it is not C, then the commands below need to reflect the difference: change the C: in the commands below to the letter shown above.
  • From the "Choose a Recovery Tool" dialog menu, select "Command Prompt":
  • Type the following into the Command Prompt window and press Enter after each line:

    C:
    cd boot
    attrib bcd -s -h -r
    ren c:\boot\bcd bcd.old
    bootrec /RebuildBcd

Restart the computer and let me know if it booted OK.

Gringo
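
The rebuild procedure from the post above, written out as a batch script that can be run from the WinRE command prompt. This is an added example, not code from the thread or from the BleepingComputer team. It differs from the typed-in version in two ways a practitioner cares about: it searches every lettered volume for \Boot\BCD instead of assuming the store sits next to \Windows (on Windows 7 the boot files are often on a separate System Reserved partition, which WinRE may give a different letter from the OS volume), and it renames the old store with a timestamp so a second run does not fail because bcd.old already exists. Assumptions: bootrec.exe is on the PATH (true inside WinRE), the drive letters are the ones WinRE assigned rather than those seen from a normal boot, and X: is skipped because it is the WinRE RAM disk.

```batch
@echo off
rem Added example: rebuild the BCD from the Windows Recovery Environment.
rem Not from the original thread. Assumes bootrec.exe is on PATH (WinRE)
rem and that volume letters are the ones WinRE assigned at boot.
setlocal

set "BOOTDRV="
set "OSDRV="

rem 1. Locate the volume carrying the boot store (\Boot\BCD) and the volume
rem    carrying the OS (\Windows\System32\winload.exe). They are often not
rem    the same volume on Windows 7. X: is skipped (WinRE RAM disk).
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if exist "%%D:\Boot\BCD" if not defined BOOTDRV set "BOOTDRV=%%D:"
    if exist "%%D:\Windows\System32\winload.exe" if not defined OSDRV set "OSDRV=%%D:"
)

if not defined OSDRV (
    echo No Windows installation found on any lettered volume.
    echo Run diskpart and "list volume" to see whether the OS volume is mounted.
    exit /b 1
)
echo Windows installation: %OSDRV%\Windows

if not defined BOOTDRV (
    echo No \Boot\BCD found on any lettered volume; nothing to rename.
    echo Running bootrec /RebuildBcd only.
    bootrec /RebuildBcd
    exit /b %errorlevel%
)
echo Boot store: %BOOTDRV%\Boot\BCD

rem 2. Clear system/hidden/read-only so the store can be renamed.
attrib -s -h -r "%BOOTDRV%\Boot\BCD"

rem 3. Rename with a timestamp instead of a fixed "bcd.old" so the step
rem    still succeeds if the procedure has been run once already.
rem    %DATE%/%TIME% formats are locale dependent; every separator that is
rem    not legal in a file name is replaced.
set "STAMP=%DATE:/=-%_%TIME::=-%"
set "STAMP=%STAMP: =0%"
set "STAMP=%STAMP:.=-%"
ren "%BOOTDRV%\Boot\BCD" "BCD.%STAMP%.old"
if errorlevel 1 (
    echo Rename failed; the BCD store was left in place.
    exit /b 1
)
echo Old store kept as %BOOTDRV%\Boot\BCD.%STAMP%.old

rem 4. Scan all disks for Windows installations and write a fresh store.
rem    bootrec prompts "Add installation to boot list? Yes/No/All"; answer Y or A.
bootrec /RebuildBcd
if errorlevel 1 (
    echo bootrec reported an error. Restore the old store with:
    echo     ren "%BOOTDRV%\Boot\BCD.%STAMP%.old" BCD
    exit /b 1
)

echo Done. Remove the recovery media and restart.
endlocal
```

If bootrec prints "Total identified Windows installations: 0" even though the script found winload.exe, the OS volume is visible to WinRE but not to bootrec's scan; the next check is diskpart's "list volume" to confirm the volume has a letter and a file system before running the rebuild again.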

#14 JMK2012
  • Topic Starter
  • Members
  • 45 posts

Posted 17 December 2011 - 12:16 AM

Gringo,

There does not seem to be a way to get back into the System Recovery Environment. When you boot and hit F8, you get the same error message that BOOTMGR is missing, Press Ctrl + Alt + Del to restart... The same problem applies if I hit ESC to get into the startup options and then F11 for System Recovery. As soon as I hit F11, I'm right back at the same message about BOOTMGR being missing.

It won't go beyond that point.

Joe

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 17 December 2011 - 12:19 AM

Do you have the install disk?

If so, boot from it and choose Repair.


gringo



