
Please Help with Mozilla Firefox Hijack Malware


This topic is locked
14 replies to this topic

#1 nystinger

nystinger

  • Members
  • 6 posts

Posted 07 July 2012 - 03:51 PM

It appears that I have some malware on my Windows 7 computer that hijacks only certain urls on Firefox. It specifically happens when I google or use yahoo to search and then click on certain urls in the search hit list. It seems to take me to "mcengine.com" and/or "newsfudge.com". I am attaching the DDS.txt, attach.txt, and hijackthis logs. I've tried a number of things already including malwarebytes (finds nothing), superantispyware, etc. Thanks in advance for your help.


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 July 2012 - 11:42 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 nystinger

nystinger
  • Topic Starter

  • Members
  • 6 posts

Posted 08 July 2012 - 12:11 PM

The computer still behaves the same way - hijacking occurs in Mozilla Firefox.

Here is what you requested.

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Symantec Endpoint Protection
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.61.0.1400
IBM 32-bit Runtime Environment for Java v6
IBM 64-bit Runtime Environment for Java v6
Java™ 6 Update 23
IBM 32-bit Runtime Environment for Java v6
Java version out of Date!
Adobe Reader X (10.1.3)
Mozilla Firefox (13.0.1)
Mozilla Thunderbird (13.0.1)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

ComboFix 12-07-08.01 - lsedels 07/08/2012 12:32:39.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8075.5389 [GMT -4:00]
Running from: c:\users\IBM_ADMIN\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PGPtray.exe.lnk
c:\programdata\Roaming
c:\users\IBM_ADMIN\a.a
c:\users\IBM_ADMIN\AppData\Local\Aspell\Apps\fqlkxe.dll
c:\windows\SysWow64\NeW
c:\windows\SysWow64\NeW\IBMMenu.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
.
.
2012-07-08 16:38 . 2012-07-08 16:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-08 16:38 . 2012-07-08 16:38 -------- d-----w- c:\users\db2admin\AppData\Local\temp
2012-07-07 20:29 . 2012-07-07 20:29 387584 ----a-w- C:\rescue2usb.exe
2012-07-07 20:13 . 2012-07-07 20:13 -------- d-----w- c:\program files\HitmanPro
2012-07-07 20:13 . 2012-07-07 20:13 -------- d-----w- c:\programdata\HitmanPro
2012-07-07 19:38 . 2012-07-07 19:38 -------- d-----w- c:\program files (x86)\ESET
2012-07-07 19:33 . 2012-07-07 19:33 -------- d-----w- c:\users\IBM_ADMIN\AppData\Roaming\Malwarebytes
2012-07-07 19:33 . 2012-07-07 19:33 -------- d-----w- c:\programdata\Malwarebytes
2012-07-07 19:33 . 2012-07-07 19:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-07 19:33 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-07 18:34 . 2012-07-07 18:34 388096 ----a-r- c:\users\IBM_ADMIN\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-07 18:34 . 2012-07-07 18:34 -------- d-----w- c:\program files (x86)\Trend Micro
2012-07-07 18:13 . 2012-07-07 18:47 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-07-07 18:13 . 2012-07-07 18:16 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-06-26 01:03 . 2004-02-12 05:10 44544 ----a-r- c:\windows\SysWow64\msxml4a.dll
2012-06-26 01:03 . 2004-02-12 05:09 1233920 ----a-r- c:\windows\SysWow64\msxml4.dll
2012-06-26 00:53 . 2012-06-26 00:53 -------- d-----w- c:\programdata\TDK
2012-06-21 17:37 . 2012-06-28 15:29 -------- d-----w- C:\Guardium-for-Reps
2012-06-21 02:02 . 2012-06-21 02:02 -------- d-----w- c:\programdata\TightVNC
2012-06-21 02:02 . 2012-06-21 02:02 -------- d-----w- c:\program files\TightVNC
2012-06-16 15:56 . 2012-05-15 04:01 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-06-16 14:44 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-16 14:00 . 2012-06-16 17:03 -------- d-----w- C:\hadr-pot
2012-06-15 21:45 . 2012-06-15 21:45 -------- d-----w- c:\users\IBM_ADMIN\AppData\Local\Macromedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 14:09 . 2012-04-18 21:40 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-16 14:09 . 2011-12-09 20:22 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-08 14:50 . 2012-06-08 14:50 40448 ----a-w- c:\windows\SysWow64\pdf995mon64.dll
2012-06-07 14:29 . 2012-06-08 14:50 2266624 ----a-w- c:\windows\system32\pdfmona64.dll
2012-05-24 18:15 . 2010-07-13 23:12 68920 ----a-w- c:\windows\isamunin.exe
2012-04-26 19:51 . 2012-06-08 14:50 40448 ----a-w- c:\windows\system32\pdf995mon64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SymphonyPreLoad"="c:\program files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.symphony.standard.launcher.win32.x86_3.0.0.20101015-2340\IBM Lotus Symphony -nogui -nosplash" [X]
"NetSP - restore settings on power failure"="c:\program files (x86)\AT&T Network Client\NetSP.exe" [2010-09-09 53600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-03-24 115560]
"boincmgr"="c:\program files (x86)\BOINC\boincmgr.exe" [2010-09-23 4543232]
"boinctray"="c:\program files (x86)\BOINC\boinctray.exe" [2010-09-23 58112]
"ACWLIcon"="c:\program files (x86)\Lenovo\Access Connections\ACWLIcon.exe" [2011-04-14 193896]
"ACTray"="c:\program files (x86)\Lenovo\Access Connections\ACTray.exe" [2011-04-14 431464]
"C4EBReg"="c:\program files (x86)\C4ebreg\c4ebreg.exe" [2012-05-24 499000]
"Isamtray"="c:\program files (x86)\C4ebreg\isamtray.exe" [2012-05-24 314680]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2011-03-26 129648]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AT&T Global Network Client Monitor.lnk - c:\windows\Installer\{007AAB7C-E893-48BD-9DA2-7F417CA16322}\NetGM1_89563E53ECF44E868145468A128BDC83.exe [2011-12-9 91504]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-12-18 1202976]
IM Acceleration Zone.lnk - c:\program files (x86)\IM Acceleration Zone\imZone.exe [2012-1-6 241664]
InfoPrint Select Notification.lnk - c:\program files\IBM\Infoprint Select\ipnotify.exe [2011-12-9 409088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-16 257224]
R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2010-12-19 425000]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-12-19 39464]
R3 cstrcser;IBM Command Line Trace;c:\windows\SysWOW64\drivers\cstrcser.exe [2011-02-02 36864]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 71168]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k60x64.sys [2009-06-10 220672]
R3 ecnssndis; Mobile Broadband Driver;c:\windows\System32\Drivers\wwuss64.sys [2010-03-03 26664]
R3 ecnssndisfltr; Mobile Broadband Driver Filter;c:\windows\System32\Drivers\wwussf64.sys [2010-03-03 30248]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2010-07-27 117248]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\drivers\ew_usbenumfilter.sys [2010-03-20 13952]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2010-10-19 56344]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\drivers\ew_jucdcacm.sys [2010-08-24 91648]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2010-07-27 86016]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\drivers\ew_juextctrl.sys [2010-07-27 29696]
R3 huawei_update;huawei_update;c:\windows\system32\drivers\ew_hwupgrade.sys [2010-05-04 22528]
R3 l36wgps; Mobile Broadband GPS Port;c:\windows\system32\drivers\l36wgps64.sys [2010-12-02 101416]
R3 Mbm3CBus;F3507g Mobile Broadband Device (WDM);c:\windows\system32\drivers\Mbm3CBus.sys [2010-10-31 411208]
R3 Mbm3DevMt; Mobile Broadband Device Management Driver (WDM);c:\windows\system32\drivers\Mbm3DevMt.sys [2010-10-31 419912]
R3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2010-10-19 56344]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-05-10 174184]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys [2009-10-26 61952]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys [2009-09-28 55808]
R3 TRCTARGET;Tivoli Endpoint Manager for Remote Control - Target;c:\program files (x86)\IBM\Tivoli\Remote Control\Target\trc_base.exe [2012-02-09 745472]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-29 1255736]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2011-06-01 25960]
S0 Pgpwdefs;Pgpwdefs;c:\windows\system32\DRIVERS\Pgpwdefs.sys [2011-06-17 14968]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2008-06-16 55024]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-01-13 23664]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [2010-09-07 15472]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2011-05-31 41320]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-04-04 45496]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-05-31 59240]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe [2010-09-30 3399680]
S2 NetClientSvc;AT&T Global Network Client Service;c:\program files (x86)\AT&T Network Client\NetClientSvc.exe [2010-09-09 349536]
S2 NetLogSvc;AT&T Global Network Client Logging Service;c:\program files (x86)\AT&T Network Client\NetLogSvc.exe [2010-09-09 79200]
S2 PGP RDD Service;PGP RDD Service;c:\program files (x86)\PGP Corporation\PGP Desktop\RDDService.exe [2011-06-17 166520]
S2 risdxc;risdxc;c:\windows\system32\drivers\risdxc64.sys [2010-12-15 98816]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-26 378472]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-04-20 144232]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-03-29 64952]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2011-03-26 81008]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-26 539248]
S2 WRTService;WRT Service;c:\windows\wrtService.exe [2008-09-18 122880]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2011-03-05 166016]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-06-30 292864]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-12-21 316080]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-05-31 138912]
S3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [2009-05-11 118016]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [2010-12-21 8505856]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-12-10 181248]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 14:09]
.
2012-06-27 c:\windows\Tasks\hpwebreg_CN12ABM1VQ.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\hpwebreg.exe [2010-11-17 02:29]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-11 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-11 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-11 418840]
"TpShocks"="TpShocks.exe" [2011-01-14 380776]
"AcWin7Hlpr"="c:\program files (x86)\Lenovo\Access Connections\AcTBenabler.exe" [2011-04-14 31592]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2011-05-31 40808]
"combofix"="c:\combofix\CF32591.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = messaging.ibm.com;<local>
uInternet Settings,ProxyServer = webcache.win.colpal.com:8080
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: ibm.com\w3-03
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{A651A640-B62E-44CF-93C9-B7D2135A88E4}: NameServer = 9.0.130.50,9.0.128.50
DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxps://w3-113.ibm.com/transform/crm/americas/us/sales/21219/applets/SiebelAx_Desktop_Integration.cab
DPF: {A6F9E1F5-780D-42F6-9644-3FC630A7AB39} - hxxps://w3-113.ibm.com/transform/crm/americas/us/sales/21219/applets/SiebelAx_HI_Client.cab
DPF: {AD4EA0DC-8CC7-4F7B-B730-267823DCE9B7} - hxxps://w3-113.ibm.com/transform/crm/americas/us/sales/21219/applets/SiebelAx_OutBound_mail.cab
FF - ProfilePath - c:\users\IBM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-opencandyaolradio-chromesbox-en-us&tb_uuid=20111221130602240&tb_oid=21-12-2011&tb_mrud=21-12-2011
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-opencandyaolradio-ab-en-us&tb_uuid=20111221130602240&tb_oid=21-12-2011&tb_mrud=21-12-2011&query=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc, BRI/1
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(extentions.y2layers.installId, c61ccab7-f8a0-468a-9f86-97417a6ce3d3
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Apps - c:\users\IBM_ADMIN\AppData\Local\Aspell\Apps\fqlkxe.dll
Wow6432Node-HKLM-Run-ALTOOLS - AccessL.exe
Wow6432Node-HKLM-Run-pmonmh - c:\program files (x86)\IBM\My Help\plugins\com.ibm.myhelp.common_1.5.8\pmonmh.exe
Wow6432Node-HKU-Default-Run-Apps - c:\users\IBM_ADMIN\AppData\Local\Aspell\Apps\fqlkxe.dll
SafeBoot-Symantec Antvirus
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\sdwork\issimsvc.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\program files (x86)\AT&T Network Client\netcfgsvr.exe
c:\windows\SysWOW64\PGPserv.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
c:\program files (x86)\Lenovo\Access Connections\AcSvc.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\progra~1\Lenovo\Zoom\TPSCREX.EXE
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
c:\program files (x86)\BigFix Enterprise\BES Client\BESClient.exe
c:\program files (x86)\BigFix Enterprise\BES Client\BESClientUI.exe
.
**************************************************************************
.
Completion time: 2012-07-08 12:46:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-08 16:46
.
Pre-Run: 259,042,639,872 bytes free
Post-Run: 259,506,999,296 bytes free
.
- - End Of File - - 2395A2DDFB7F20836028FD853DAF71BE
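The "FF - prefs.js / user.js" block of a ComboFix log like the one posted above is where a Firefox-only search redirect usually shows itself. Added example (not from this thread, from ComboFix, or from the helper's instructions): a small Python scanner that reads that block and flags the preferences worth a look. The sample lines, placeholder domains and the EXPECTED_SEARCH_HOSTS list are constructed assumptions for the example.

```python
import re
from typing import List, Tuple

# Constructed sample, shaped like the "FF - " block of a ComboFix log.
# Hosts are placeholders, not the ones from the thread.
SAMPLE_FF_LINES = """\
FF - ProfilePath - c:\\users\\EXAMPLE\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\
FF - prefs.js: browser.search.defaulturl - hxxp://search.toolbar.example/search?query={searchTerms}&tb_uuid=1
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://redirect.toolbar.example/sredir?sredir=1&query=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(general.useragent.extra.brc, BRI/1
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
"""

# ComboFix prints one pref per line: "FF - <file>: <pref name> - <value>"
FF_LINE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
# ComboFix defangs URLs as hxxp/hxxps; pull the host out of such a value.
HOST = re.compile(r"^hxxps?://([^/?#]+)", re.IGNORECASE)

# Search hosts treated as expected for this example (an assumption, not a
# ComboFix or Firefox list); anything else routing searches gets flagged.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

PROFILE_SCOPE = 1  # bit 1 of extensions.autoDisableScopes = the profile directory


def host_of(value: str) -> str:
    """Lower-cased host of a defanged hxxp(s) URL, or '' if the value is not one."""
    m = HOST.match(value.strip())
    return m.group(1).lower() if m else ""


def check_pref(name: str, value: str) -> List[str]:
    """Return human-readable reasons why this preference looks like a hijack."""
    reasons: List[str] = []
    # user.js is plain JavaScript. A value containing ');user_pref(' means a
    # line was written with an unescaped quote so that one entry smuggles more
    # prefs; ComboFix shows the raw tail, which is why the log line looks broken.
    if ");user_pref(" in value:
        reasons.append("injected user_pref() fragment inside the value")
    if name == "keyword.URL":
        # Anything typed in the address bar that is not a URL goes to this endpoint.
        reasons.append(f"address-bar searches routed through {host_of(value) or value}")
    elif name == "browser.search.defaulturl":
        h = host_of(value)
        if h and h not in EXPECTED_SEARCH_HOSTS:
            reasons.append(f"default search redirected to {h}")
    elif name == "security.csp.enable" and value.strip().lower() == "false":
        reasons.append("Content Security Policy disabled browser-wide")
    elif name == "extensions.autoDisableScopes":
        # Default 15 disables newly found add-ons in every scope until the user
        # approves them; clearing the profile bit lets add-ons dropped into the
        # profile directory run without a prompt.
        try:
            if not int(value.strip()) & PROFILE_SCOPE:
                reasons.append("add-ons dropped into the profile directory are enabled without prompting")
        except ValueError:
            reasons.append("non-numeric autoDisableScopes value")
    return reasons


def scan_ff_section(log_text: str) -> List[Tuple[str, str, str]]:
    """Yield (file, pref name, reason) for every flagged preference line."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = FF_LINE.match(line)
        if not m:
            continue  # ProfilePath and non-FF lines are skipped
        source, name, value = m.groups()
        for reason in check_pref(name, value):
            findings.append((source, name, reason))
    return findings


if __name__ == "__main__":
    for source, name, reason in scan_ff_section(SAMPLE_FF_LINES):
        print(f"{source:8} {name:48} {reason}")
```

Paste a real log's FF block in place of SAMPLE_FF_LINES; prefs.js lines can be reset from about:config, while a flagged user.js line means the profile's user.js file itself needs to be inspected and removed.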

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 July 2012 - 01:03 PM

Greetings

Have you checked to see if it happens in IE?

I want you to run these next:

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 nystinger

nystinger
  • Topic Starter

  • Members
  • 6 posts

Posted 08 July 2012 - 01:36 PM

No, this does NOT occur with IE, only with Firefox. Incidentally, I tried removing and reinstalling Firefox - the same issue remains.

14:26:51.0619 1472 TDSS rootkit removing tool 2.7.44.0 Jul 2 2012 20:01:08
14:26:53.0631 1472 ============================================================
14:26:53.0631 1472 Current date / time: 2012/07/08 14:26:53.0631
14:26:53.0631 1472 SystemInfo:
14:26:53.0631 1472
14:26:53.0631 1472 OS Version: 6.1.7601 ServicePack: 1.0
14:26:53.0631 1472 Product type: Workstation
14:26:53.0631 1472 ComputerName: IBM-B2RE2TTCNJB
14:26:53.0631 1472 UserName: lsedels
14:26:53.0631 1472 Windows directory: C:\windows
14:26:53.0631 1472 System windows directory: C:\windows
14:26:53.0631 1472 Running under WOW64
14:26:53.0631 1472 Processor architecture: Intel x64
14:26:53.0631 1472 Number of processors: 8
14:26:53.0631 1472 Page size: 0x1000
14:26:53.0631 1472 Boot type: Normal boot
14:26:53.0631 1472 ============================================================
14:26:54.0224 1472 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
14:26:54.0240 1472 ============================================================
14:26:54.0240 1472 \Device\Harddisk0\DR0:
14:26:54.0240 1472 MBR partitions:
14:26:54.0240 1472 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A385030
14:26:54.0240 1472 ============================================================
14:26:54.0240 1472 Initialize success
14:26:54.0240 1472 ============================================================
14:27:13.0615 6488 ============================================================
14:27:13.0615 6488 Scan started
14:27:13.0615 6488 Mode: Manual;
14:27:13.0615 6488 ============================================================
14:27:15.0705 6488 MBR (0x1B8) (05ccab3e21cd0153efedd8797308e20e) \Device\Harddisk0\DR0
14:27:16.0158 6488 \Device\Harddisk0\DR0 - ok
14:27:16.0158 6488 Boot (0x1200) (30381e03bcb3fee56b4f87d6d60d9c85) \Device\Harddisk0\DR0\Partition0
14:27:16.0158 6488 \Device\Harddisk0\DR0\Partition0 - ok
14:27:16.0173 6488 ============================================================
14:27:16.0173 6488 Scan finished
14:27:16.0173 6488 ============================================================
14:27:16.0173 4648 Detected object count: 0
14:27:16.0173 4648 Actual detected object count: 0

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-08 14:29:55
-----------------------------
14:29:55.202 OS Version: Windows x64 6.1.7601 Service Pack 1
14:29:55.202 Number of processors: 8 586 0x2A07
14:29:55.202 ComputerName: IBM-B2RE2TTCNJB UserName: lsedels
14:29:56.606 Initialize success
14:30:25.766 AVAST engine defs: 12070800
14:30:33.816 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:30:33.816 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
14:30:33.816 Disk 0 MBR read successfully
14:30:33.816 Disk 0 MBR scan
14:30:33.831 Disk 0 unknown MBR code
14:30:33.831 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS 476938 MB offset 2048
14:30:33.847 Disk 0 scanning C:\windows\system32\drivers
14:30:33.847 Service scanning
14:30:59.041 Modules scanning
14:30:59.041 Disk 0 trace - called modules:
14:30:59.088 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
14:30:59.103 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80095ea790]
14:30:59.103 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa8007b48e40]
14:30:59.103 5 ACPI.sys[fffff88000f9b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007b4c050]
14:30:59.852 AVAST engine scan C:\windows
14:30:59.852 AVAST engine scan C:\windows\system32
14:30:59.852 AVAST engine scan C:\windows\system32\drivers
14:30:59.868 AVAST engine scan C:\Users\IBM_ADMIN
14:30:59.868 AVAST engine scan C:\ProgramData
14:30:59.868 Scan finished successfully
14:31:13.284 Disk 0 MBR has been saved successfully to "C:\Users\IBM_ADMIN\Downloads\MBR.dat"
14:31:13.300 The log file has been saved successfully to "C:\Users\IBM_ADMIN\Downloads\aswMBR.txt"


Firefox is still redirecting.
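The two logs above describe the same boot sector from two tools. As an added example (not code from TDSSKiller, aswMBR or anyone in this thread), here is a small Python parser that reads a saved 512-byte MBR such as the MBR.dat aswMBR wrote, hashes the same 0x1B8-byte boot-code region TDSSKiller reports, lists the partition entries so they can be cross-checked against the log, and compares the boot code against an assumed allowlist of known-good hashes. The sample sector is constructed to match the partition geometry in the logs.

```python
"""Parse a 512-byte MBR sector (e.g. the MBR.dat that aswMBR saves) and report
the same facts the TDSSKiller/aswMBR logs print about it. Added example; not
code from either tool."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

SECTOR = 512
BOOT_CODE_LEN = 0x1B8    # bootstrap code occupies bytes 0x000..0x1B7
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"   # last two bytes of a valid MBR


@dataclass
class PartitionEntry:
    index: int          # slot 0..3 in the table
    bootable: bool      # status byte 0x80 == active/bootable
    type_id: int        # 0x07 == HPFS/NTFS/exFAT
    start_lba: int      # first sector, 32-bit little-endian
    num_sectors: int    # length in sectors, 32-bit little-endian

    @property
    def size_mb(self) -> int:
        """Size in MiB, the unit aswMBR prints ('476938 MB' for this disk)."""
        return self.num_sectors * SECTOR // (1024 * 1024)


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region only, the span TDSSKiller's 'MBR (0x1B8)' line hashes."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the MBR partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(mbr))
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) start-LBA(4) sectors(4)
        status, type_id, start_lba, num_sectors = struct.unpack_from(
            "<B3xB3xII", mbr, off)
        if type_id == 0:         # empty slot
            continue
        entries.append(PartitionEntry(i, status == 0x80, type_id,
                                      start_lba, num_sectors))
    return entries


def classify_boot_code(mbr: bytes, known_hashes: Set[str]) -> str:
    """'known' if the boot-code hash is in a caller-supplied allowlist taken from
    clean reference images, else 'unknown'. aswMBR's "unknown MBR code" line is
    the same idea against its own built-in list; the allowlist here is an
    assumption, not the tool's database."""
    return "known" if boot_code_md5(mbr) in known_hashes else "unknown"


def describe(mbr: bytes) -> List[str]:
    """Log-style lines mirroring what the thread's two tools print."""
    lines = ["MBR (0x%X) (%s)" % (BOOT_CODE_LEN, boot_code_md5(mbr))]
    for p in parse_partitions(mbr):
        lines.append(
            "Partition%d: %s Type 0x%X, StartLBA 0x%X, BlocksNum 0x%X (%d MB)"
            % (p.index, "80 (A)" if p.bootable else "00",
               p.type_id, p.start_lba, p.num_sectors, p.size_mb))
    return lines


# Constructed sample sector: zeroed boot code, a made-up disk signature, and one
# entry with the same geometry the logs above report for Partition0.
SAMPLE_MBR = (
    bytes(BOOT_CODE_LEN)                                      # 0x000..0x1B7
    + b"\x12\x34\x56\x78" + b"\x00\x00"                       # disk signature + reserved
    + struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00",        # active, CHS start
                  0x07, b"\xFE\xFF\xFF", 0x800, 0x3A385030)   # NTFS, LBA 2048
    + bytes(16 * 3)                                           # three empty slots
    + BOOT_SIG
)

if __name__ == "__main__":
    for line in describe(SAMPLE_MBR):
        print(line)
```

To run it against a real saved sector, pass `open("MBR.dat", "rb").read()` in place of `SAMPLE_MBR`.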

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 July 2012 - 05:34 PM

Greetings


I want you to uninstall Firefox again, but it has to be done this way:

Uninstall Firefox, and if asked about user data or settings, these have to be removed also (bookmarks may be backed up only).

RESTART the computer and reinstall Firefox - check for redirects and let me know.



gringo

#7 nystinger

nystinger
  • Topic Starter

  • Members
  • 6 posts

Posted 10 July 2012 - 09:53 PM

It would appear that your last recommended action resolved the issue. It's been behaving normally for about 48 hours now. Thank you very very much. I really appreciate it.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 July 2012 - 10:14 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • how is the computer doing now after running the script?

Gringo

Edited by gringo_pr, 10 July 2012 - 10:14 PM.


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 July 2012 - 12:02 AM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#10 nystinger

nystinger
  • Topic Starter

  • Members
  • 6 posts

Posted 13 July 2012 - 07:33 AM

Thank you.

I am not going to risk running combofix again. I did receive the error message about the registry every time I tried to do anything on my desktop and it scared the daylights out of me. I cannot afford to take a risk like that again with this machine. I really appreciate your help.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 July 2012 - 12:45 PM

That is a normal Windows error, and to clear it all that needs to be done is restart the computer. It is so normal I even tell you what to do before you run ComboFix.


We are on our way to finishing, so let's run this other program so you will not be scared.



Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

Edited by gringo_pr, 13 July 2012 - 12:46 PM.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 July 2012 - 11:24 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#13 nystinger

nystinger
  • Topic Starter

  • Members
  • 6 posts

Posted 15 July 2012 - 11:35 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo


Again, I thank you for the help. No problems thus far. I will NOT run combofix again. I cannot afford to take the risk. You should use tools that incur less risk or at least come up from a reboot clean instead of with an error msg on everything that one tries to execute with implications that the registry is damaged. Sorry, I cannot afford to take that chance with this machine. I'd prefer to risk that I might still be infected and deal with it if that should resurface. Thanks again.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 July 2012 - 12:07 AM

Greetings


I did give you another option (check my response above), and as I tried to explain, that error is not from ComboFix; it is from Windows and it is a common one.




:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

:DeFogger:

Note** DeFogger only needs to be run if it was run when we first started. If you have not already run it, then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to your desktop. This tool will remove all the tools we used to clean your PC.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files. I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner.

Malwarebytes' Anti-Malware The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.


  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:28 AM

Posted 19 July 2012 - 12:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.