
Default Search engine has changed from Google to Goonsearch


  • This topic is locked
14 replies to this topic

#1 MsMariee

  • Members
  • 14 posts
  • Gender:Female

Posted 14 January 2012 - 03:14 AM

Sadly, I could not download the DDS tool, but I was able to download & run GMER. Below is the log: http://www.filedropper.com/gmer
UPDATE: I was able to find a working link for the DDS tool. The log is below.

Edited by MsMariee, 14 January 2012 - 03:41 AM.


#2 MsMariee
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female

Posted 14 January 2012 - 03:40 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Dyisha at 3:32:44 on 2012-01-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2814.1036 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\ProgramData\bProtector\bProtect.exe
C:\ProgramData\bProtector\bProtect.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\SafeConnect\scManager.sys
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SafeConnect\scClient.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\Dyisha\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dyisha\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dyisha\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dyisha\AppData\Local\Google\Chrome\Application\chrome.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Dyisha\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dyisha\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Dyisha\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111230160925.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{8D1A39EF-1B50-473C-AFC2-4A1C7E99658E} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{ED03A2EC-973B-421C-8EC1-DE3BB04DDB75} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{ED03A2EC-973B-421C-8EC1-DE3BB04DDB75}\035324430353434393036393 : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{ED03A2EC-973B-421C-8EC1-DE3BB04DDB75}\0484F6D65643144413 : DhcpNameServer = 68.87.73.246 68.87.71.230 0.0.0.0
TCP: Interfaces\{ED03A2EC-973B-421C-8EC1-DE3BB04DDB75}\16C6C64346A6A6 : DhcpNameServer = 208.59.247.45 208.59.247.46
TCP: Interfaces\{ED03A2EC-973B-421C-8EC1-DE3BB04DDB75}\E4544574541425 : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-11-26 464176]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-11-26 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-11-26 165680]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 bProtector;bProtector;c:\programdata\bprotector\bProtect.exe [2011-12-30 803328]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-10-20 821664]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-8 652872]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-26 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-11-26 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-11-26 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-11-26 150856]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-1-4 1153368]
R2 SCManager;SafeConnect Manager;c:\program files\safeconnect\scmanager.sys servicestart --> c:\program files\safeconnect\scManager.sys servicestart [?]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-9-14 508264]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-8 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-11-26 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-11-26 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-11-26 338176]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-9-14 577384]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-9-14 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-9-14 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-9-14 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-9-14 219496]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-1 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-11-26 57600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-1 133104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-11-26 87656]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-5 52224]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
.
=============== Created Last 30 ================
.
2012-01-14 06:03:31 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e2941e12-40ae-4db7-9f91-e815489c49f7}\offreg.dll
2012-01-14 06:03:25 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e2941e12-40ae-4db7-9f91-e815489c49f7}\mpengine.dll
2012-01-14 06:02:20 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-14 06:02:18 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-14 06:02:18 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-09 01:01:40 100864 ----a-w- C:\axdcakob.sys
2012-01-09 00:04:47 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-05 05:34:17 -------- d-s---w- C:\ComboFix
2012-01-05 04:44:26 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-05 04:23:13 98816 ----a-w- c:\windows\sed.exe
2012-01-05 04:23:13 518144 ----a-w- c:\windows\SWREG.exe
2012-01-05 04:23:13 256000 ----a-w- c:\windows\PEV.exe
2012-01-05 04:23:13 208896 ----a-w- c:\windows\MBR.exe
2012-01-04 22:56:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-01-04 22:56:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-04 20:33:44 -------- d-----w- c:\users\dyisha\appdata\roaming\AVG
2012-01-04 00:32:27 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2012-01-04 00:31:37 -------- d-----w- c:\programdata\Hitman Pro
2011-12-30 20:38:01 -------- d-----w- c:\users\dyisha\appdata\roaming\SUPERAntiSpyware.com
2011-12-30 20:38:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-30 19:16:13 -------- d-----w- c:\windows\system32\Extensions
2011-12-30 19:16:08 748544 ----a-w- c:\windows\system32\protector.dll
2011-12-30 19:16:07 -------- d-----w- c:\programdata\bProtector
2011-12-30 19:15:02 -------- d-----w- c:\users\dyisha\appdata\roaming\PerformerSoft
2011-12-30 19:15:01 17464 ----a-w- c:\windows\system32\roboot.exe
2011-12-30 16:38:03 -------- d--h--w- c:\programdata\Common Files
2011-12-30 16:24:17 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-30 16:24:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-30 16:23:33 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-30 16:23:31 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-30 16:23:25 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-30 16:23:25 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-30 16:17:25 -------- d-----w- c:\programdata\MFAData
2011-12-30 16:13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-27 20:23:57 -------- d-----w- c:\users\dyisha\appdata\local\VS Revo Group
2011-12-27 19:45:59 -------- d-----w- c:\users\dyisha\appdata\roaming\Malwarebytes
2011-12-27 19:45:02 -------- d-----w- c:\programdata\Malwarebytes
.
==================== Find3M ====================
.
2011-12-10 02:59:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-18 19:32:30 150856 ----a-w- c:\windows\system32\mfevtps.exe
.
============= FINISH: 3:35:03.46 ===============

#3 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California

Posted 14 January 2012 - 02:22 PM

Hi MsMariee and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am Oh My! and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Watch this topic. Click on this then choose Immediate E-Mail notification and then Proceed and you will be advised when I respond to your topic by email.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.


===================================================


Please allow me a little bit of time to review your logs. I will post back as soon as I can.

Regards,
Oh My!
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#4 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California

Posted 15 January 2012 - 05:00 PM

Hi MsMariee,


Are all of your browsers affected by "Goonsearch" or is it just certain ones?


===================================================


In reviewing your logs I notice ComboFix was run on your computer on January 5th. I would like to see that log to determine what has been removed from your machine already. Please copy/paste that information in your reply. The file should be located at:

  • C:\combofix.txt

===================================================


Uninstalling a Program thru Add/Remove Program

--------------------

Spybot Search and Destroy is known to interfere with efforts to deal with malware. Therefore I would like you to uninstall it while we are working on your machine. We can certainly reinstall it once we are done.

  • Type appwiz.cpl and press enter
  • A list of programs installed will be displayed
  • Uninstall the following by clicking on program(s) below and selecting "remove":

    Spybot Search and Destroy


===================================================


Things I would like to see in your next reply:

  • Which browsers are affected?
  • Combofix.txt
  • Any behavior changes with your computer since your last post?


Oh My!
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#5 MsMariee
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female

Posted 15 January 2012 - 11:32 PM

Even though I have Internet Explorer on my computer, I only use Google Chrome, and so I've only been aware of its effect on that browser.
My computer's behavior has not changed at all.

Below is the ComboFix log:

ComboFix 12-01-04.03 - Dyisha 01/04/2012 23:26:39.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2814.1607 [GMT -5:00]
Running from: c:\users\Dyisha\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\service
c:\windows\system32\service\21122009_TIS17_SfFniAU.log
c:\windows\system32\service\25122009_TIS17_SfFniAU.log
.
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-05 03:55 . 2010-06-10 06:30 5588304 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{538438BD-174A-4A52-B346-FFD79E4F9D7F}\mpengine.dll
2012-01-04 22:56 . 2012-01-05 02:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-01-04 22:56 . 2012-01-04 22:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-04 20:33 . 2012-01-04 20:39 -------- d-----w- c:\users\Dyisha\AppData\Roaming\AVG
2012-01-04 00:32 . 2012-01-04 00:32 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2012-01-04 00:31 . 2012-01-04 00:31 -------- d-----w- c:\programdata\Hitman Pro
2011-12-30 20:38 . 2011-12-30 20:38 -------- d-----w- c:\users\Dyisha\AppData\Roaming\SUPERAntiSpyware.com
2011-12-30 20:38 . 2011-12-30 20:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-30 19:16 . 2011-12-30 19:16 -------- d-----w- c:\windows\system32\Extensions
2011-12-30 19:16 . 2011-12-30 19:16 748544 ----a-w- c:\windows\system32\protector.dll
2011-12-30 19:16 . 2011-12-30 19:16 -------- d-----w- c:\programdata\bProtector
2011-12-30 19:15 . 2012-01-04 01:32 -------- d-----w- c:\users\Dyisha\AppData\Roaming\PerformerSoft
2011-12-30 19:15 . 2011-12-02 23:04 17464 ----a-w- c:\windows\system32\roboot.exe
2011-12-30 16:38 . 2011-12-30 16:38 -------- d--h--w- c:\programdata\Common Files
2011-12-30 16:24 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-30 16:24 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-30 16:23 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-30 16:23 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-30 16:23 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-30 16:23 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-30 16:17 . 2012-01-05 04:06 -------- d-----w- c:\programdata\MFAData
2011-12-30 16:13 . 2011-12-30 20:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-27 20:23 . 2011-12-27 20:23 -------- d-----w- c:\users\Dyisha\AppData\Local\VS Revo Group
2011-12-27 19:45 . 2011-12-27 19:45 -------- d-----w- c:\users\Dyisha\AppData\Roaming\Malwarebytes
2011-12-27 19:45 . 2011-12-27 19:45 -------- d-----w- c:\programdata\Malwarebytes
2011-12-27 15:28 . 2011-12-27 15:28 -------- d-----w- c:\users\Dyisha\AppData\Roaming\GTek
2011-12-10 02:59 . 2011-12-10 02:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-18 19:32 . 2011-11-27 03:10 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-15 18:16 . 2011-11-27 03:11 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 18:16 . 2011-11-27 03:10 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 18:16 . 2011-11-27 03:10 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 18:16 . 2011-11-27 03:10 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 18:16 . 2011-11-27 03:10 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 18:16 . 2011-11-27 03:10 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 18:16 . 2011-11-27 03:10 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 18:16 . 2011-11-27 03:10 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 18:16 . 2011-11-27 03:10 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 18:16 . 2011-11-27 03:10 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2011-7-20 296088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Photo Import]
2010-05-11 23:06 330752 ----a-w- c:\program files\NWSoftware\Smart Photo Import 1.0\SI_drivesense.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 133104]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 133104]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-15 87656]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-28 1343400]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-10-15 64880]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-15 165680]
S1 SASDIFSV;SASDIFSV;c:\users\Dyisha\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\users\Dyisha\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 bProtector;bProtector;c:\programdata\bProtector\bProtect.exe [2011-12-30 803328]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 160608]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-18 150856]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-15 338176]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-09-14 577384]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-09-14 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-09-14 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-09-14 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ccHP
*Deregistered* - eeCtrl
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - IDSVix86
*Deregistered* - SRTSPX
*Deregistered* - SymDS
*Deregistered* - SymEFA
*Deregistered* - SymIRON
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 20:29]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 20:29]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1341619398-3127247566-1123186869-1003Core.job
- c:\users\Dyisha\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-23 02:57]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1341619398-3127247566-1123186869-1003UA.job
- c:\users\Dyisha\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-23 02:57]
.
2011-12-30 c:\windows\Tasks\HPCeeScheduleForDyisha.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-20 18:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - c:\program files\file2linkib\file2linkibX.dll
Toolbar-{c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - c:\program files\file2linkib\file2linkibX.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-04 23:44:08
ComboFix-quarantined-files.txt 2012-01-05 04:44
.
Pre-Run: 245,056,864,256 bytes free
Post-Run: 244,802,998,272 bytes free
.
- - End Of File - - D7768515D1119640357845D9D9920534

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California
  • Local time:01:59 AM

Posted 16 January 2012 - 10:01 PM

MsMariee,


Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

http://www.bleepingcomputer.com/forums/topic438019.html/page__p__2556434#entry2556434

Suspect::[89]
c:\windows\system32\protector.dll
c:\programdata\bProtector\bProtect.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


===================================================


Setting Chrome Search Provider

--------------------

  • Click the wrench icon Posted Image on the browser toolbar in the upper right hand corner.
  • On the dropdown list select Options, and that should bring you to the "Basics" page
  • In the Search section click on Manage search engines.
  • Please note all the items listed under Default search options including which search engine is identified as (Default)
  • Please include this information in your next reply.

===================================================


Things I would like to see in your next reply:

  • Combofix.txt
  • List of Default Search Options (including default)
  • What problems remain?


Oh My!

Edited by thcbytes, 17 January 2012 - 12:05 AM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#7 MsMariee

MsMariee
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female
  • Local time:03:59 AM

Posted 17 January 2012 - 01:53 AM

Under the default search engine I have the following:

Bing,Yahoo,Google & Search the web default (GoonSearch)

I've deleted the last option (GoonSearch) from my search engines list.
Below is my combofix log:



ComboFix 12-01-16.05 - Dyisha 01/17/2012 1:29.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2814.1420 [GMT -5:00]
Running from: c:\users\Dyisha\Desktop\ComboFix.exe
Command switches used :: c:\users\Dyisha\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\programdata\bProtector\bProtect.exe
file zipped: c:\windows\System32\protector.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-17 06:39 . 2012-01-17 06:39 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-01-17 06:39 . 2012-01-17 06:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-14 06:03 . 2012-01-17 05:49 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2941E12-40AE-4DB7-9F91-E815489C49F7}\offreg.dll
2012-01-14 06:03 . 2011-11-30 07:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2941E12-40AE-4DB7-9F91-E815489C49F7}\mpengine.dll
2012-01-14 06:02 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-14 06:02 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-14 06:02 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-14 06:02 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-09 01:01 . 2012-01-09 01:01 100864 ----a-w- C:\axdcakob.sys
2012-01-09 00:04 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-04 22:56 . 2012-01-16 04:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-01-04 22:56 . 2012-01-16 04:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-04 20:33 . 2012-01-04 20:39 -------- d-----w- c:\users\Dyisha\AppData\Roaming\AVG
2012-01-04 00:32 . 2012-01-04 00:32 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2012-01-04 00:31 . 2012-01-04 00:31 -------- d-----w- c:\programdata\Hitman Pro
2011-12-30 20:38 . 2011-12-30 20:38 -------- d-----w- c:\users\Dyisha\AppData\Roaming\SUPERAntiSpyware.com
2011-12-30 20:38 . 2011-12-30 20:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-30 19:16 . 2011-12-30 19:16 -------- d-----w- c:\windows\system32\Extensions
2011-12-30 19:16 . 2011-12-30 19:16 748544 ----a-w- c:\windows\system32\protector.dll
2011-12-30 19:16 . 2012-01-17 06:28 -------- d-----w- c:\programdata\bProtector
2011-12-30 19:15 . 2012-01-04 01:32 -------- d-----w- c:\users\Dyisha\AppData\Roaming\PerformerSoft
2011-12-30 19:15 . 2011-12-02 23:04 17464 ----a-w- c:\windows\system32\roboot.exe
2011-12-30 16:38 . 2011-12-30 16:38 -------- d--h--w- c:\programdata\Common Files
2011-12-30 16:24 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-30 16:24 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-30 16:23 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-30 16:23 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-30 16:23 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-30 16:23 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-30 16:17 . 2012-01-05 04:06 -------- d-----w- c:\programdata\MFAData
2011-12-30 16:13 . 2012-01-09 00:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-27 20:23 . 2011-12-27 20:23 -------- d-----w- c:\users\Dyisha\AppData\Local\VS Revo Group
2011-12-27 19:45 . 2011-12-27 19:45 -------- d-----w- c:\users\Dyisha\AppData\Roaming\Malwarebytes
2011-12-27 19:45 . 2011-12-27 19:45 -------- d-----w- c:\programdata\Malwarebytes
2011-12-27 15:28 . 2011-12-27 15:28 -------- d-----w- c:\users\Dyisha\AppData\Roaming\GTek
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 02:59 . 2011-12-10 02:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-09 22:47 . 2011-12-09 22:47 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-09 22:47 . 2011-12-09 22:47 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-12-09 22:47 . 2011-12-09 22:47 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-12-09 22:47 . 2011-12-09 22:47 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-12-09 22:47 . 2011-12-09 22:47 161792 ----a-w- c:\windows\system32\msls31.dll
2011-12-09 22:47 . 2011-12-09 22:47 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-12-09 22:47 . 2011-12-09 22:47 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-12-09 22:47 . 2011-12-09 22:47 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-12-09 22:47 . 2011-12-09 22:47 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-12-09 22:47 . 2011-12-09 22:47 367104 ----a-w- c:\windows\system32\html.iec
2011-12-09 22:47 . 2011-12-09 22:47 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-12-09 22:47 . 2011-12-09 22:47 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-09 22:47 . 2011-12-09 22:47 152064 ----a-w- c:\windows\system32\wextract.exe
2011-12-09 22:47 . 2011-12-09 22:47 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-12-09 22:47 . 2011-12-09 22:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-09 22:47 . 2011-12-09 22:47 11776 ----a-w- c:\windows\system32\mshta.exe
2011-12-09 22:47 . 2011-12-09 22:47 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-15 19:29 . 2009-10-29 06:39 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2011-7-20 296088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Photo Import]
2010-05-11 23:06 330752 ----a-w- c:\program files\NWSoftware\Smart Photo Import 1.0\SI_drivesense.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\Dyisha\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Dyisha\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 133104]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 133104]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-15 87656]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-28 1343400]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-10-15 64880]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-15 165680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 bProtector;bProtector;c:\programdata\bProtector\bProtect.exe [2011-12-30 803328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 160608]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-18 150856]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-15 338176]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-09-14 577384]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-09-14 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-09-14 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-09-14 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ccHP
*Deregistered* - eeCtrl
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - IDSVix86
*Deregistered* - SRTSPX
*Deregistered* - SymDS
*Deregistered* - SymEFA
*Deregistered* - SymIRON
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 20:29]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 20:29]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1341619398-3127247566-1123186869-1003Core.job
- c:\users\Dyisha\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-23 02:57]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1341619398-3127247566-1123186869-1003UA.job
- c:\users\Dyisha\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-23 02:57]
.
2011-12-30 c:\windows\Tasks\HPCeeScheduleForDyisha.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-20 18:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-17 01:42:51
ComboFix-quarantined-files.txt 2012-01-17 06:42
ComboFix2.txt 2012-01-17 06:23
ComboFix3.txt 2012-01-05 04:44
.
Pre-Run: 245,016,236,032 bytes free
Post-Run: 244,723,318,784 bytes free
.
- - End Of File - - 47FCFE0C4A039B1C98C594B287D801FB
Upload was successful

#8 Oh My!


Posted 17 January 2012 - 10:32 PM

Hello MsMariee,

Excellent progress. Nice work on your part.

However, it is important for me to know how your machine is running.

There are some other things we need to address so please follow the below instructions.


===================================================


Viewpoint Manager Caution

--------------------

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

"To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously."

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware. I recommend that you remove the Viewpoint products; however, decide for yourself. If you decided to uninstall it please see the "Add/Remove Program" section below.


===================================================


UPDATE JAVA

-------------------

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.

To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

===================================================


Uninstalling a Program thru Add/Remove Program

--------------------

It is very possible "Goonsearch" was inserted into your machine by downloading PC Performer. As with Viewpoint I would recommend removal of this program but it is up to you. If you want to delete either or both of these programs please do the following:

  • Press windows key Posted Image + r on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of programs installed will be displayed
  • Uninstall the following by clicking on the program(s) below and selecting Remove or Uninstall

PC Performer
Viewpoint


===================================================


Things I would like to see in your next reply:

  • How is your computer running?


Oh My!

#9 MsMariee


Posted 18 January 2012 - 12:44 AM

I've updated my Java, and I previously thought that I had deleted PC Performer. When I went to uninstall the program it was not listed, so I'm confused. And I deleted Viewpoint from my computer. Other than that, it seems as though my computer is running fine.

#10 Oh My!


Posted 18 January 2012 - 10:56 AM

Hello MsMariee,

No need to worry about PC Performer not being in your Add/Remove list. That program may have delivered your troubles upon its download but the actual trouble has been removed.

Please see below for some more instructions. We are getting closer to declaring victory :)

Thanks for your patience.


===================================================


Spybot S&D No Longer Recommended

--------------------

mvps.org is no longer recommending Spybot S&D due to poor testing results. (scroll down and read under Freeware Antispyware Products)

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

I strongly recommend uninstalling Spybot Search & Destroy. Should you decide to do that, please follow the previous instructions in the last post regarding Add/Remove a program.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

    Posted Image

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

===================================================


Rerun Malwarebytes

--------------------

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Please locate your Malwarebytes icon Posted Image and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


Things I would like to see in your next reply :thumbsup2:

  • ESET report
  • Malwarebytes log
  • Machine still running OK?


Oh My!
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#11 MsMariee

MsMariee
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:59 AM

Posted 19 January 2012 - 01:22 AM

ESET report:
C:\Users\Dyisha\Downloads\cnet_SI1_setup_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\Dyisha\Downloads\SoftonicDownloader_for_photofiltre.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\Users\Dyisha\Downloads\SoftonicDownloader_for_photoscape.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantine



Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.19.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Dyisha :: PRETTY-N-PINK [administrator]

Protection: Enabled

1/19/2012 1:01:04 AM
mbam-log-2012-01-19 (01-01-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191855
Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
My computer is running fine.

#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:59 AM

Posted 19 January 2012 - 10:59 AM

Hello MsMariee,

Looks like we did it!


All Clean

--------------

Your machine appears to be clean :thumbsup:. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:

  • Press the Windows key + R on your keyboard at the same time. In the Run box type combofix /uninstall, press OK.
  • This will remove Combofix and other tools we used from your computer.

Please read the following in order to prevent reinfecting your PC:

  • Install and update the following programs regularly:

    • Outbound firewall.
      If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, and the paid versions provide a resident scanner and do not nag.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!

    • I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    • Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well

    • Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!

    • The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:


If your computer is still running as it should please let me know so that we may close out this thread. Thank you for placing your trust in BleepingComputer.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#13 MsMariee

MsMariee
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:59 AM

Posted 19 January 2012 - 04:53 PM

My computer is running fine. Thank you ever so much for your help & time.

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:59 AM

Posted 19 January 2012 - 05:35 PM

It is our pleasure. Should you need help again in the future we are always here.

Oh My!
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:59 AM

Posted 19 January 2012 - 06:14 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
