
Redirect issues


  • This topic is locked
16 replies to this topic

#1 bobby83

  • Members
  • 8 posts

Posted 12 July 2012 - 03:02 AM

Hi. This only appears to have started happening in the last day or so. Sometimes I click on a link and it redirects me to another link. "Click get answers fast" was the most common one, but after I ran Malwarebytes I seem to get a whole bunch of different ones now. I can't find it on the virus scan and don't know what I need to get rid of it.

I have Internet Explorer, Chrome and Firefox on this computer and it happens in all 3. It doesn't happen every time I click a link, but often enough to be annoying. When I enter something in the address bar, it sometimes lags, and my computer has been generally slower.

My computer is Windows 7 Home Premium Service Pack 1.
Processor is AMD Athlon II X2 220, 2.80 GHz, 64-bit operating system.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.3.1
Run by bobby71983 at 3:03:54 on 2012-07-12
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1791.276 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\bobby71983\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://emachines.msn.com
mDefault_Page_URL = hxxp://emachines.msn.com
mStart Page = hxxp://emachines.msn.com
uInternet Settings,ProxyServer = 127.0.0.1:8118
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\bobby71983\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [PMB Files] rundll32.exe "C:\Users\bobby71983\AppData\Local\Temp\PMB Files\gqqpr.dll",CreateInstance
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{068BA458-B45C-47FE-A520-7FA3691B0CDC} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [(Default)]
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\bobby71983\AppData\Roaming\Mozilla\Firefox\Profiles\7r96rlt0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956045&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.experienceproject.com/profile.php
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn\components\IPSFFPl.dll
FF - component: C:\Users\bobby71983\AppData\Roaming\Mozilla\Firefox\Profiles\7r96rlt0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Users\bobby71983\AppData\Roaming\Mozilla\Firefox\Profiles\7r96rlt0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Virtools\3D Life Player\npvirtools.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\bobby71983\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\bobby71983\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\system32\npdeployJava1.dll
FF - plugin: C:\Windows\system32\npmproxy.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-7-8 42184]
R2 GREGService;GREGService;C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [2010-1-8 23584]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-11 654408]
R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2010-8-30 243232]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-5 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-8 250056]
S3 AVEO;STARTEC UVC Driver;C:\Windows\system32\DRIVERS\AVEOdcnt.sys --> C:\Windows\system32\DRIVERS\AVEOdcnt.sys [?]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;\??\C:\Windows\system32\drivers\BVRPMPR5a64.SYS --> C:\Windows\system32\drivers\BVRPMPR5a64.SYS [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\DRIVERS\LVUSBS64.sys --> C:\Windows\system32\DRIVERS\LVUSBS64.sys [?]
S3 ManyCam;ManyCam Virtual Webcam;C:\Windows\system32\DRIVERS\mcvidrv_x64.sys --> C:\Windows\system32\DRIVERS\mcvidrv_x64.sys [?]
S3 mcaudrv_simple;ManyCam Virtual Microphone;C:\Windows\system32\drivers\mcaudrv_x64.sys --> C:\Windows\system32\drivers\mcaudrv_x64.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-30 113120]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-07-12 06:51:42 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{026928BA-DBF7-4E79-85F9-4CA3C07D1147}\mpengine.dll
2012-07-11 17:45:31 -------- d-----w- C:\Users\bobby71983\AppData\Roaming\Malwarebytes
2012-07-11 17:44:25 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-11 17:44:24 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-11 17:44:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-10 13:02:55 -------- d-----w- C:\Windows\SysWow64\Adobe
2012-07-01 17:57:35 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-01 17:57:35 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-29 09:52:18 -------- d--h--w- C:\Windows\msdownld.tmp
2012-06-29 09:52:11 -------- d-----w- C:\Windows\SysWow64\directx
2012-06-29 08:24:08 49664 ----a-w- C:\Windows\System32\CamCodec.dll
2012-06-29 08:24:08 -------- d-----w- C:\Program Files (x86)\CamStudio 2.6b
2012-06-24 05:13:12 -------- d-----w- C:\Users\bobby71983\AppData\Local\Macromedia
2012-06-19 05:57:46 -------- d-----w- C:\Users\bobby71983\AppData\Roaming\Paltalk
2012-06-19 05:20:30 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-19 05:20:12 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-19 05:19:44 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-19 05:19:44 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-18 23:48:26 -------- d-----w- C:\ProgramData\WeCareReminder
2012-06-18 23:47:59 -------- d-----w- C:\Users\bobby71983\AppData\Roaming\OpenCandy
2012-06-18 23:47:51 -------- d-----w- C:\Program Files (x86)\Veetle
2012-06-14 05:04:41 -------- d-----w- C:\Program Files (x86)\Ask.com
2012-06-14 05:04:26 -------- d-----w- C:\Users\bobby71983\AppData\Local\APN
2012-06-14 05:04:12 -------- d-----w- C:\ProgramData\Ask
2012-06-13 11:16:57 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-13 11:16:55 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-13 11:16:55 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-13 11:16:55 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-13 11:16:54 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-13 11:16:54 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
.
==================== Find3M ====================
.
2012-07-12 06:48:32 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 06:48:32 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-05-15 04:01:31 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-05-15 03:03:54 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-15 01:32:33 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-26 12:48:02 71680 ----a-w- C:\Windows\System32\frapsv64.dll
2012-04-26 12:48:00 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-04-20 03:45:41 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-04-20 03:16:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 3:07:21.20 ===============


Only services, registry and files were checked. It wouldn't let me check the other ones (as it says in the sticky).


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-12 04:01:06
Windows 6.1.7601 Service Pack 1
Running: gmer.exe


---- Files - GMER 1.0.15 ----

File C:\Windows\Temp\TMP0000017FA65885A77F51EDCF 524288 bytes

---- EOF - GMER 1.0.15 ----
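The DDS report above already carries the indicators a responder would pull out first: the user-level proxy 127.0.0.1:8118 (Internet Explorer and Chrome use the WinINet proxy setting, and Firefox does too at its default "Use system proxy settings", which is consistent with redirects in all three browsers; 8118 is the default listening port of the Privoxy filtering proxy, and no such process appears in the running-process list, so whatever listens there needs identifying), the uRun entry that has rundll32 load gqqpr.dll from a folder under %TEMP%, and the Firefox browser.search.defaulturl and keyword.URL preferences routed through conduit.com and freecause.com. The script below is an added example, not part of the thread or of DDS: it parses lines in the Pseudo HJT Report format and reports those indicators. The sample lines are constructed from the report, and the KNOWN_SEARCH_HOSTS allowlist, the function name triage and the netstat advice in the output are assumptions of the example.

```python
"""Triage helper for DDS "Pseudo HJT Report" lines (added example, not from the thread).

Flags the indicators that most often explain search-result redirects:
a user-level (HKCU) proxy pointed at the local machine, an autorun
entry that loads a DLL out of a Temp folder via rundll32, Firefox
search preferences routed through a third-party portal, and toolbar or
BHO registrations whose file is gone.
"""
import re
from urllib.parse import urlsplit

# Hosts accepted as first-party search engines.  Assumption for the
# example; tune it for the environment being examined.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com",
                      "search.yahoo.com", "duckduckgo.com"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

_PROXY = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<server>\S+)")
_RUN = re.compile(r"^(?P<scope>[um])Run(?:-x64)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_FF_PREF = re.compile(r"^FF - prefs\.js: (?P<pref>browser\.search\.defaulturl|keyword\.URL) - (?P<url>\S+)")
_NOFILE = re.compile(r"^(?P<kind>BHO|TB)(?:-X64)?: (?P<rest>.*) - No File$")


def _host(url):
    # DDS defangs URLs as hxxp://; undo that so urlsplit sees a real scheme.
    return urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""


def triage(report_text):
    """Return (kind, detail) findings, in the order the lines appear."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()

        m = _PROXY.match(line)
        if m:
            server = m.group("server")
            host, _, port = server.rpartition(":")
            if not host:               # no port given
                host, port = server, "?"
            if host in LOOPBACK:
                findings.append(("proxy",
                    f"HKCU proxy points at loopback ({server}); identify the "
                    f"listener on port {port} with an elevated 'netstat -ano -b'"))
            continue

        m = _RUN.match(line)
        if m:
            cmd = m.group("cmd")
            # rundll32 plus a DLL under a Temp folder is a user-land persistence
            # pattern; installed software keeps its DLLs elsewhere.
            if re.search(r"rundll32(\.exe)?", cmd, re.I) and re.search(r"\\Temp\\", cmd, re.I):
                findings.append(("autorun",
                    f"{m.group('scope')}Run [{m.group('name')}] loads a DLL from "
                    f"a Temp folder via rundll32: {cmd}"))
            continue

        m = _FF_PREF.match(line)
        if m:
            host = _host(m.group("url"))
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("firefox",
                    f"{m.group('pref')} routed through {host}"))
            continue

        m = _NOFILE.match(line)
        if m:
            findings.append(("orphan",
                f"{m.group('kind')} registration with no backing file: {m.group('rest')}"))
    return findings


# Constructed sample modelled on the lines in the DDS report above.
SAMPLE = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8118
uInternet Settings,ProxyOverride = <local>
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [PMB Files] rundll32.exe "C:\Users\bobby71983\AppData\Local\Temp\PMB Files\gqqpr.dll",CreateInstance
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956045&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"[{kind}] {detail}")
```

Run against the full report, the same rules would also surface the BHO-X64 and TB-X64 "No File" lines; the allowlist check deliberately ignores browser.startup.homepage, since a user-chosen homepage is not evidence of a hijack.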



#2 D-FRED-BROWN

    Resident Bracketologist

  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 12 July 2012 - 03:56 PM

Hello bobby83 and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will be shown under Scan results - Select action for found objects, with three options offered.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#3 bobby83
  • Topic Starter
  • Members
  • 8 posts

Posted 13 July 2012 - 07:41 AM

TDSSKiller showed nothing, so I closed it as it said in the instructions.

ComboFix:

ComboFix 12-07-13.01 - bobby71983 07/13/2012 7:39.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1791.862 [GMT -4:00]
Running from: c:\users\bobby71983\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\BOBBY7~1\AppData\Local\Temp\PMB Files\gqqpr.dll
c:\users\bobby71983\AppData\Local\Temp\PMB Files\gqqpr.dll
c:\users\bobby71983\AppData\Roaming\Mozilla\Firefox\Profiles\7r96rlt0.default\searchplugins\bing-zugo.xml
c:\windows\isRS-000.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-06-13 to 2012-07-13 )))))))))))))))))))))))))))))))
.
.
2012-07-12 07:04 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 06:51 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{026928BA-DBF7-4E79-85F9-4CA3C07D1147}\mpengine.dll
2012-07-11 17:45 . 2012-07-11 17:45 -------- d-----w- c:\users\bobby71983\AppData\Roaming\Malwarebytes
2012-07-11 17:44 . 2012-07-11 17:44 -------- d-----w- c:\programdata\Malwarebytes
2012-07-11 17:44 . 2012-07-12 22:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-11 17:44 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-11 11:43 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 11:43 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 11:43 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-11 11:43 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-11 11:43 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-11 11:43 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-07-11 11:43 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-11 11:43 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-07-11 11:43 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll
2012-07-11 11:43 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
2012-07-11 11:43 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2012-07-11 11:43 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-07-11 11:43 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2012-07-10 13:02 . 2012-07-10 13:02 -------- d-----w- c:\windows\SysWow64\Adobe
2012-07-01 17:57 . 2012-07-01 17:57 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-01 17:57 . 2012-07-01 17:57 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-29 09:52 . 2012-06-29 09:52 -------- d--h--w- c:\windows\msdownld.tmp
2012-06-29 08:24 . 2012-06-29 08:24 -------- d-----w- c:\program files (x86)\CamStudio 2.6b
2012-06-29 08:24 . 2010-10-24 04:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
2012-06-24 05:13 . 2012-06-24 05:13 -------- d-----w- c:\users\bobby71983\AppData\Local\Macromedia
2012-06-19 05:57 . 2012-06-19 06:51 -------- d-----w- c:\users\bobby71983\AppData\Roaming\Paltalk
2012-06-19 05:20 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-19 05:20 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-19 05:20 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-19 05:20 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-19 05:20 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-19 05:20 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-19 05:20 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-19 05:19 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-19 05:19 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-18 23:48 . 2012-06-26 03:41 -------- d-----w- c:\programdata\WeCareReminder
2012-06-18 23:47 . 2012-06-18 23:48 -------- d-----w- c:\users\bobby71983\AppData\Roaming\OpenCandy
2012-06-18 23:47 . 2012-06-18 23:47 -------- d-----w- c:\program files (x86)\Veetle
2012-06-14 05:04 . 2012-07-03 06:39 -------- d-----w- c:\program files (x86)\Ask.com
2012-06-14 05:04 . 2012-06-14 05:04 -------- d-----w- c:\users\bobby71983\AppData\Local\APN
2012-06-14 05:04 . 2012-06-14 05:04 -------- d-----w- c:\programdata\Ask
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 07:49 . 2012-04-08 13:31 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 07:49 . 2011-07-22 16:51 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-15 04:01 . 2012-06-13 11:17 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:03 . 2012-06-13 11:17 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-04 11:06 . 2012-06-13 11:17 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 11:17 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 11:17 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-13 11:17 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:55 . 2012-06-13 11:17 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 12:48 . 2012-04-26 12:48 71680 ----a-w- c:\windows\system32\frapsv64.dll
2012-04-26 12:48 . 2012-04-26 12:48 65536 ----a-w- c:\windows\SysWow64\frapsvid.dll
2012-04-26 05:41 . 2012-06-13 11:17 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-13 11:17 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-13 11:17 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 05:37 . 2012-06-13 11:16 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 05:37 . 2012-06-13 11:16 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-24 05:37 . 2012-06-13 11:16 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-13 11:16 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-04-24 04:36 . 2012-06-13 11:16 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-04-24 04:36 . 2012-06-13 11:16 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-04-20 03:45 . 2012-06-13 11:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-20 03:16 . 2012-06-13 11:17 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-06-07 01:33 1519304 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-03 1242448]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2011-06-16 6276408]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-05 17344176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Hotkey Utility"="c:\program files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe" [2010-08-04 611872]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-06-07 1564872]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
R3 ALSysIO;ALSysIO;c:\users\BOBBY7~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AVEO;STARTEC UVC Driver;c:\windows\system32\DRIVERS\AVEOdcnt.sys [2011-10-24 305920]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2009-08-19 35840]
R3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\DRIVERS\LVUSBS64.sys [2007-10-12 50072]
R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304]
R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-01 113120]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-16 1255736]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 64856]
S2 GREGService;GREGService;c:\program files (x86)\eMachines\Registration\GREGsvc.exe [2010-01-08 23584]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2010-01-28 243232]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 07:49]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4283568787-1490190065-636510216-1001Core.job
- c:\users\bobby71983\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-30 14:10]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4283568787-1490190065-636510216-1001UA.job
- c:\users\bobby71983\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-30 14:10]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://emachines.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = 127.0.0.1:8118
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\bobby71983\AppData\Roaming\Mozilla\Firefox\Profiles\7r96rlt0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956045&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.experienceproject.com/profile.php
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2012-07-13 08:26:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-13 12:26
.
Pre-Run: 434,950,066,176 bytes free
Post-Run: 436,598,824,960 bytes free
.
- - End Of File - - CB16EC107D937AB1E687EF98B46B37E2
security check:

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
JavaFX 2.0.3
Java™ 6 Update 31
Java™ 7 Update 3
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (13.0.1)
Google Chrome 20.0.1132.47
Google Chrome 20.0.1132.57
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
There doesn't seem to be much change, and I still have the click get answers fast redirect.

Edited by bobby83, 13 July 2012 - 07:44 AM.


#4 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 13 July 2012 - 01:39 PM

Let's try this:

----------Step 1----------------
Please print out these instructions or copy them to a Notepad file for an easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe

Close all opened programs/ windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


----------Step 2----------------
Please Launch Malwarebytes' Anti-Malware.
  • Please click Check for Updates to see if any updates are found. If so, please allow MBAM to download and install them.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


----------Step 3----------------
In your next reply, please include the following:
  • MBRCheck logfile
  • Malwarebytes scan report
How is your computer running now?

Edited by D-FRED-BROWN, 13 July 2012 - 01:39 PM.

Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#5 bobby83

bobby83
  • Topic Starter

  • Members
  • 8 posts

Posted 13 July 2012 - 03:19 PM

Nothing showed up on malware bytes, but I posted it anyway.

I don't understand why nothing is showing up when I am still getting the redirect. No changes to my computer because nothing has been removed.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: eMachines
BIOS Manufacturer: American Megatrends, Inc.
System Manufacturer: eMachines
System Product Name: EL1352G
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 180):
0x02A03000 \SystemRoot\system32\ntoskrnl.exe
0x02FEB000 \SystemRoot\system32\hal.dll
0x00BAA000 \SystemRoot\system32\kdcom.dll
0x00CB2000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
0x00CBF000 \SystemRoot\system32\PSHED.dll
0x00CD3000 \SystemRoot\system32\CLFS.SYS
0x00D31000 \SystemRoot\system32\CI.dll
0x00C00000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00DF1000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00E82000 \SystemRoot\system32\drivers\ACPI.sys
0x00ED9000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00EE2000 \SystemRoot\system32\drivers\msisadrv.sys
0x00EEC000 \SystemRoot\system32\drivers\pci.sys
0x00F1F000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00F2C000 \SystemRoot\System32\drivers\partmgr.sys
0x00F41000 \SystemRoot\system32\drivers\volmgr.sys
0x00F56000 \SystemRoot\System32\drivers\volmgrx.sys
0x00FB2000 \SystemRoot\system32\drivers\pciide.sys
0x00FB9000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x00FC9000 \SystemRoot\System32\drivers\mountmgr.sys
0x00FE3000 \SystemRoot\system32\drivers\atapi.sys
0x00E00000 \SystemRoot\system32\drivers\ataport.SYS
0x00E2A000 \SystemRoot\system32\DRIVERS\nvstor64.sys
0x0107E000 \SystemRoot\system32\DRIVERS\storport.sys
0x010E1000 \SystemRoot\system32\drivers\amdxata.sys
0x010EC000 \SystemRoot\system32\drivers\fltmgr.sys
0x01138000 \SystemRoot\system32\drivers\fileinfo.sys
0x01210000 \SystemRoot\System32\Drivers\Ntfs.sys
0x0114C000 \SystemRoot\System32\Drivers\msrpc.sys
0x013B3000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01000000 \SystemRoot\System32\Drivers\cng.sys
0x013CE000 \SystemRoot\System32\drivers\pcw.sys
0x013DF000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0144E000 \SystemRoot\system32\drivers\ndis.sys
0x01541000 \SystemRoot\system32\drivers\NETIO.SYS
0x015A1000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x0163C000 \SystemRoot\System32\drivers\tcpip.sys
0x0183F000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01889000 \SystemRoot\system32\drivers\volsnap.sys
0x018D5000 \SystemRoot\System32\Drivers\spldr.sys
0x018DD000 \SystemRoot\System32\drivers\rdyboost.sys
0x01917000 \SystemRoot\System32\Drivers\mup.sys
0x01929000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01932000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x0196C000 \SystemRoot\system32\DRIVERS\disk.sys
0x01982000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01600000 \SystemRoot\system32\drivers\cdrom.sys
0x02CBE000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x02D56000 \SystemRoot\System32\Drivers\Null.SYS
0x02D5F000 \SystemRoot\System32\Drivers\Beep.SYS
0x02D66000 \SystemRoot\System32\drivers\vga.sys
0x02D74000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02D99000 \SystemRoot\System32\drivers\watchdog.sys
0x02DA9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02DB2000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02DBB000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02DC4000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02DCF000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02C00000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02C22000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02C2F000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x03A02000 \SystemRoot\system32\drivers\afd.sys
0x03A8B000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x03A95000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03ADA000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x03AE5000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03AEE000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03B14000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03B23000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03B3E000 \SystemRoot\system32\drivers\termdd.sys
0x03B52000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03BA3000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03BAF000 \SystemRoot\system32\drivers\mssmbios.sys
0x03BBA000 \SystemRoot\System32\drivers\discache.sys
0x03BC9000 \SystemRoot\System32\Drivers\dfsc.sys
0x03BE7000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x02C3D000 \SystemRoot\System32\Drivers\aswSP.SYS
0x02C8A000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x02DE0000 \SystemRoot\system32\DRIVERS\amdppm.sys
0x019DD000 \SystemRoot\system32\drivers\i8042prt.sys
0x0162A000 \SystemRoot\system32\drivers\kbdclass.sys
0x0143F000 \SystemRoot\system32\drivers\mouclass.sys
0x02DF5000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x011AA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x015CB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x015DC000 \SystemRoot\system32\drivers\HDAudBus.sys
0x040AD000 \SystemRoot\system32\DRIVERS\nvmf6264.sys
0x0F057000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x0FD6E000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x040FF000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0FD70000 \SystemRoot\System32\drivers\dxgmms1.sys
0x0FDB6000 \SystemRoot\system32\drivers\wmiacpi.sys
0x0FDBF000 \SystemRoot\system32\drivers\CompositeBus.sys
0x0FDCF000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x0F000000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x0F024000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04000000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0F030000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0402F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0FDE5000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0F04B000 \SystemRoot\system32\drivers\swenum.sys
0x04050000 \SystemRoot\system32\drivers\ks.sys
0x04093000 \SystemRoot\system32\drivers\umbus.sys
0x03EA4000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x03EFE000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x0486C000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x04A95000 \SystemRoot\system32\drivers\portcls.sys
0x04AD2000 \SystemRoot\system32\drivers\drmk.sys
0x04AF4000 \SystemRoot\system32\drivers\ksthunk.sys
0x00060000 \SystemRoot\System32\win32k.sys
0x04AFA000 \SystemRoot\System32\drivers\Dxapi.sys
0x04B06000 \SystemRoot\System32\Drivers\crashdmp.sys
0x04B14000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x04B1E000 \SystemRoot\System32\Drivers\dump_nvstor64.sys
0x04B5D000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x04B70000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00430000 \SystemRoot\System32\TSDDD.dll
0x04B7E000 \SystemRoot\system32\drivers\USBSTOR.SYS
0x04B99000 \SystemRoot\system32\drivers\USBD.SYS
0x007D0000 \SystemRoot\System32\cdd.dll
0x04B9B000 \SystemRoot\system32\drivers\luafv.sys
0x04BBE000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x04800000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x04809000 \SystemRoot\system32\drivers\WudfPf.sys
0x0482A000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x0483F000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x03F20000 \SystemRoot\system32\drivers\HTTP.sys
0x03E00000 \SystemRoot\system32\DRIVERS\bowser.sys
0x03E1E000 \SystemRoot\System32\drivers\mpsdrv.sys
0x03E36000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x034DF000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x0352D000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x03551000 \SystemRoot\system32\drivers\peauth.sys
0x03400000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0340B000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x0343C000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0344E000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0466D000 \SystemRoot\System32\DRIVERS\srv.sys
0x04705000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x04736000 \??\C:\Windows\system32\drivers\mbam.sys
0x77690000 \Windows\System32\ntdll.dll
0x48320000 \Windows\System32\smss.exe
0xFF9B0000 \Windows\System32\apisetschema.dll
0xFF1F0000 \Windows\System32\autochk.exe
0x77590000 \Windows\System32\user32.dll
0xFF740000 \Windows\System32\iertutil.dll
0x77860000 \Windows\System32\normaliz.dll
0xFF720000 \Windows\System32\sechost.dll
0xFF6C0000 \Windows\System32\Wldap32.dll
0x77470000 \Windows\System32\kernel32.dll
0xFF5B0000 \Windows\System32\msctf.dll
0xFF5A0000 \Windows\System32\lpk.dll
0xFF580000 \Windows\System32\imagehlp.dll
0xFF400000 \Windows\System32\urlmon.dll
0xFF320000 \Windows\System32\advapi32.dll
0xFF2A0000 \Windows\System32\difxapi.dll
0xFF170000 \Windows\System32\wininet.dll
0xFE3E0000 \Windows\System32\shell32.dll
0xFE340000 \Windows\System32\clbcatq.dll
0xFE260000 \Windows\System32\oleaut32.dll
0xFE230000 \Windows\System32\imm32.dll
0xFE020000 \Windows\System32\ole32.dll
0xFDF80000 \Windows\System32\comdlg32.dll
0xFDE50000 \Windows\System32\rpcrt4.dll
0x77850000 \Windows\System32\psapi.dll
0xFDE40000 \Windows\System32\nsi.dll
0xFDC60000 \Windows\System32\setupapi.dll
0xFDBC0000 \Windows\System32\msvcrt.dll
0xFDB40000 \Windows\System32\shlwapi.dll
0xFDAD0000 \Windows\System32\gdi32.dll
0xFDA80000 \Windows\System32\ws2_32.dll
0xFD9B0000 \Windows\System32\usp10.dll
0xFD970000 \Windows\System32\wintrust.dll
0xFD950000 \Windows\System32\devobj.dll
0xFD7E0000 \Windows\System32\crypt32.dll
0xFD740000 \Windows\System32\comctl32.dll
0xFD700000 \Windows\System32\cfgmgr32.dll
0xFD690000 \Windows\System32\KernelBase.dll
0xFD680000 \Windows\System32\msasn1.dll
0x75BC0000 \Windows\SysWOW64\normaliz.dll

Processes (total 56):
0 System Idle Process
4 System
300 C:\Windows\System32\smss.exe
428 csrss.exe
480 C:\Windows\System32\wininit.exe
500 csrss.exe
544 C:\Windows\System32\services.exe
556 C:\Windows\System32\lsass.exe
564 C:\Windows\System32\lsm.exe
624 C:\Windows\System32\winlogon.exe
724 C:\Windows\System32\svchost.exe
800 C:\Windows\System32\nvvsvc.exe
836 C:\Windows\System32\svchost.exe
892 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1000 C:\Windows\System32\svchost.exe
740 C:\Windows\System32\svchost.exe
1096 C:\Windows\System32\nvvsvc.exe
1240 C:\Windows\System32\svchost.exe
1300 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1616 C:\Windows\System32\spoolsv.exe
1656 C:\Windows\System32\svchost.exe
1760 C:\Windows\System32\svchost.exe
1804 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
1836 C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
1976 C:\Windows\System32\svchost.exe
1132 C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
1216 C:\Windows\System32\svchost.exe
348 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
1856 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
2060 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2308 C:\Windows\System32\taskhost.exe
2480 C:\Windows\System32\dwm.exe
2520 C:\Windows\explorer.exe
2700 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
2796 C:\Windows\System32\svchost.exe
2856 C:\Program Files\Windows Sidebar\sidebar.exe
2876 C:\Program Files (x86)\Steam\Steam.exe
2928 WUDFHost.exe
3280 C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
3296 C:\Program Files\AVAST Software\Avast\AvastUI.exe
3304 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
3320 C:\Program Files (x86)\Ask.com\Updater\Updater.exe
3372 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
3528 C:\Windows\System32\SearchIndexer.exe
3828 C:\Program Files\Windows Media Player\wmpnetwk.exe
2656 C:\Program Files (x86)\Common Files\Steam\SteamService.exe
3660 C:\Windows\System32\svchost.exe
4064 C:\Program Files (x86)\Yahoo!\Messenger\Ymsgr_tray.exe
4460 dllhost.exe
4212 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
5004 C:\Windows\System32\taskeng.exe
336 C:\Windows\System32\audiodg.exe
4188 C:\Users\bobby71983\Downloads\MBRCheck.exe
3720 C:\Windows\System32\conhost.exe
3648 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`86500000 (NTFS)

PhysicalDrive0 Model Number: ST3500418AS, Rev: CC44

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.13.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
bobby71983 :: BOBBY71983-PC [administrator]

Protection: Enabled

7/13/2012 3:25:26 PM
mbam-log-2012-07-13 (15-25-26).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 351989
Time elapsed: 50 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#6 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 14 July 2012 - 11:55 AM

Please do the following:
  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double click aswMBR.exe to start the tool. (Vista - Win 7 Rt click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.

Note: you can opt out of the optional Avast! antivirus scan.

#7 bobby83

bobby83
  • Topic Starter

  • Members
  • 8 posts

Posted 14 July 2012 - 12:54 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-14 13:32:30
-----------------------------
13:32:30.387 OS Version: Windows x64 6.1.7601 Service Pack 1
13:32:30.387 Number of processors: 2 586 0x603
13:32:30.388 ComputerName: BOBBY71983-PC UserName: bobby71983
13:32:34.998 Initialize success
13:32:36.571 AVAST engine defs: 12071401
13:33:33.993 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
13:33:34.003 Disk 0 Vendor: ST350041 CC44 Size: 476940MB BusType: 3
13:33:34.017 Disk 0 MBR read successfully
13:33:34.020 Disk 0 MBR scan
13:33:34.025 Disk 0 Windows 7 default MBR code
13:33:34.031 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
13:33:34.047 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
13:33:34.055 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462502 MB offset 29566976
13:33:34.085 Disk 0 scanning C:\Windows\system32\drivers
13:33:44.263 Service scanning
13:34:00.716 Modules scanning
13:34:00.724 Disk 0 trace - called modules:
13:34:00.763 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
13:34:00.776 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80026ac410]
13:34:01.021 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800236be40]
13:34:01.031 5 ACPI.sys[fffff88000f847a1] -> nt!IofCallDriver -> \Device\00000057[0xfffffa8002142060]
13:34:02.127 AVAST engine scan C:\Windows
13:34:04.788 AVAST engine scan C:\Windows\system32
13:36:49.221 AVAST engine scan C:\Windows\system32\drivers
13:36:59.311 AVAST engine scan C:\Users\bobby71983
13:40:43.791 AVAST engine scan C:\ProgramData
13:43:27.820 Scan finished successfully
13:51:45.356 Disk 0 MBR has been saved successfully to "C:\Users\bobby71983\Desktop\MBR.dat"
13:51:45.363 The log file has been saved successfully to "C:\Users\bobby71983\Desktop\aswMBR.txt"


Malwarebytes stopped something called trojan.bho on launch of Firefox this morning (the home page had not even loaded yet). Firefox has been very laggy lately.

I get the redirect in both chrome and firefox, but I use chrome almost exclusively.

Attached Files

  • Attached File  MBR.zip   565bytes   0 downloads

Edited by bobby83, 14 July 2012 - 01:17 PM.


#8 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 14 July 2012 - 03:25 PM

Malwarebytes stopped something called trojan.bho on launch of Firefox this morning (the home page had not even loaded yet). Firefox has been very laggy lately.

I get the redirect in both chrome and firefox, but I use chrome almost exclusively.

As Malwarebytes pointed out, it appears that a Browser Helper Object is the cause of your redirects, instead of a rootkit (this is good news... rootkits are much worse <_< :wink:).

The quickest way to fix this issue is to simply reinstall both Firefox and Chrome.

Firefox

Chrome
  • Instructions for uninstalling Google Chrome are found here (under Windows instructions)
  • Note: If you want to delete your user profile information, like your browser preferences, bookmarks, and history, select the "Also delete browser data" checkbox. I suggest you leave it unchecked.
  • After that, you can download and reinstall Chrome from here.

Online Scan
  • Next, please run this ESET scan:
  • Please run a free online scan with the ESET Online Scanner
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Let me know how things go.
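To make concrete where the entries behind a redirect like this one actually live, here is a small triage helper written for this thread; it is an added example, not a tool used by the helpers above or by BleepingComputer. It reads text in the shape of the ComboFix report posted earlier (the `Browser Helper Objects` keys under Reg Loading Points, the `FF - prefs.js:` search settings, the user `ProxyServer` value) and lists what a responder would want to look at: every BHO with the DLL it loads, any Firefox search preference whose host is not one of the configured start pages, and any proxy setting. `SAMPLE_LOG` is a constructed excerpt modelled on the log in this thread, and treating the start-page hosts as the "expected" hosts is a heuristic this example assumes, not something ComboFix or Malwarebytes does.

```python
"""Triage helper for ComboFix-style report text (added example, not a thread tool)."""
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the ComboFix report posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-06-07 01:33 1519304 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://emachines.msn.com
uInternet Settings,ProxyServer = 127.0.0.1:8118
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956045&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
"""

# Line shapes taken from the report above (assumed stable for this example).
BHO_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})\]\s*$")
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+?)\s*$")
START_PAGE_RE = re.compile(r"^[um]Start Page = (.+?)\s*$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+?)\s*$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+?)\s*$")

# Firefox preferences that decide where address-bar and search-box queries go.
SEARCH_PREFS = ("browser.search.defaulturl", "keyword.URL")


def refang(url):
    """ComboFix writes hxxp:// so the log is not clickable; restore it for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_of(url):
    """Hostname of a (possibly defanged) URL, or '' when the value is not a URL."""
    return urlparse(refang(url)).hostname or ""


def parse_bhos(text):
    """Each BHO key in the Reg Loading Points section, paired with the DLL line under it."""
    lines = text.splitlines()
    bhos = []
    for i, line in enumerate(lines):
        m = BHO_KEY_RE.match(line)
        if not m:
            continue
        dll = None
        if i + 1 < len(lines):
            fm = FILE_LINE_RE.match(lines[i + 1])
            if fm:
                dll = fm.group(1)
        bhos.append({"clsid": m.group(1).upper(), "dll": dll})
    return bhos


def parse_ff_prefs(text):
    """All 'FF - prefs.js:' lines as a name -> value mapping."""
    return {m.group(1): m.group(2) for m in map(FF_PREF_RE.match, text.splitlines()) if m}


def parse_start_pages(text):
    """User (u) and machine (m) Internet Explorer start pages."""
    return [m.group(1) for m in map(START_PAGE_RE.match, text.splitlines()) if m]


def parse_proxy(text):
    """The user's ProxyServer value, or None if the log has none."""
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            return m.group(1)
    return None


def triage(text):
    """Return (kind, detail) findings worth a responder's attention."""
    findings = []
    # Every BHO loads inside Internet Explorer and can alter navigation, so list all of them.
    for bho in parse_bhos(text):
        findings.append(("bho", f"{bho['clsid']} -> {bho['dll'] or '(no file)'}"))
    # Heuristic (assumption of this example): start-page hosts are the hosts the user chose.
    trusted = {host_of(u) for u in parse_start_pages(text)} - {""}
    prefs = parse_ff_prefs(text)
    for name in SEARCH_PREFS:
        host = host_of(prefs.get(name, ""))
        if host and host not in trusted:
            findings.append(("ff-search", f"{name} sends searches to {host}"))
    # A proxy on the user's own machine is not proof of anything, but it must be intentional.
    proxy = parse_proxy(text)
    if proxy:
        findings.append(("proxy", f"user proxy {proxy} is set; confirm it is intentional"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run against the sample it lists the Ask toolbar BHO, both Firefox search preferences (conduit.com and freecause.com are neither of the configured start pages) and the loopback proxy. None of these is a verdict on its own; the point is that a "found nothing" antivirus scan, as in this thread, says nothing about these configuration-level loading points, which a responder reads directly.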

#9 bobby83

bobby83
  • Topic Starter

  • Members
  • 8 posts

Posted 14 July 2012 - 08:14 PM

C:\Qoobox\Quarantine\C\Users\BOBBY7~1\AppData\Local\Temp\PMB Files\gqqpr.dll.vir a variant of Win32/Kryptik.AIGL trojan
C:\Users\bobby71983\AppData\Roaming\Mozilla\Firefox\Profiles\7r96rlt0.default\extensions\lmadghfxsx@lmadghfxsx.org.xpi JS/Redirector.NCA trojan

It does appear to be going a little faster.

I chose the "not remove" option as you said. Should I remove these?

#10 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 14 July 2012 - 08:27 PM

I chose the "not remove" option as you said. Should I remove these?

Sure. You can do that by running the scan again, and making sure that Remove found threats and Scan unwanted applications are both checked. :thumbup2:

Let me know how it all goes.

#11 bobby83 (Topic Starter, Members, 8 posts)

Posted 15 July 2012 - 02:21 PM

It does seem to be a bit faster and I am not getting redirected now.

Sorry that it was something that simple. I had done a bunch of google searches before I posted on here and the term "browser helper object" was never mentioned anywhere.

Thanks for your help.

#12 D-FRED-BROWN, Resident Bracketologist (Malware Response Team, 834 posts, Kansas, USA)

Posted 15 July 2012 - 05:33 PM

Glad things are running smoothly!

If it's alright with you, I will follow up with a few basic steps to ensure that your system is safe and protected from malware. Please let me know if you'd like to continue. :)

#13 bobby83 (Topic Starter, Members, 8 posts)

Posted 15 July 2012 - 05:37 PM

Yeah, I'd like to continue.


#14 D-FRED-BROWN, Resident Bracketologist (Malware Response Team, 834 posts, Kansas, USA)

Posted 15 July 2012 - 07:24 PM

Cool :). Do you have the ESET log from the scan you just ran?

#15 bobby83 (Topic Starter, Members, 8 posts)

Posted 19 July 2012 - 04:56 AM

I don't know why the two things did not show up on another scan, but it shows no infected files.



