Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Adware.gameplaylab? Live Security Platinum?


  • This topic is locked This topic is locked
46 replies to this topic

#1 CherryCoke

CherryCoke

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:12 AM

Posted 23 July 2012 - 05:49 PM

Hi. I need help! I hope this is where I post this...
Earlier today my computer was acting funny, I kept getting messages that my computer was infected with a virus and had the Live Security Platinum popup, saying I need to purchase it so it will remove the virus. I DID NOT purchase but I wasn't able to uninstall or close it down, it was blocking me from opening up any programs. I shut the pc down and restarted, right away, I opened my malware program and did a scan. It found the Live security, and I was able to quarantine and delete it. It seemed to be gone, but when I open a window, using Firefox, another tab will open up on it's own to some other site, and it is a different site sometimes. I tried to check my email and can't even open an email! I also tried to enable my firewall, but it won't let me.

I appreciate any help, Thank you =)


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33
Run by Owner at 16:26:05 on 2012-07-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.1553 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\PSIService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3184201
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [Facebook Update] "c:\users\owner\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel PhotoDownloader.exe" -startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4FC79EE7-3DF5-4F52-BCF6-63848D99729A} : DhcpNameServer = 192.168.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: avgrsstx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\x6sbi6ys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3184201&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=31154&client_id=7804ea4ba87b98e80386ef48&camp_id=5105&install_time=2012-07-22T06:59:42Z&pr=auto&tb_version=1.0.19000(G)&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\local\facebook\messenger\2.1.4570.0\npFbDesktopPlugin.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\owner\appdata\local\roblox\versions\version-037c042a4c1b49fd\NPRobloxProxy.dll
FF - plugin: c:\users\owner\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6Oyt63yFie&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 48d92e3d000000000000e0cb4e671b5c
FF - user.js: extensions.incredibar_i.hardId - 48d92e3d000000000000e0cb4e671b5c
FF - user.js: extensions.incredibar_i.instlDay - 15386
FF - user.js: extensions.incredibar_i.vrsn - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsni - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.3.2716:14:48
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6Oyt63yFie
FF - user.js: extensions.incredibar_i.upn2n - 92260912209657006
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10606
FF - user.js: extensions.incredibar_i.ppd - 62
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2012-1-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2012-1-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2012-1-12 108552]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2012-1-12 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2012-1-12 297752]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-23 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-26 22344]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-23 40776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-16 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-5-4 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 113120]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-5-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-5-24 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-07-23 21:17:29 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-23 18:20:36 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-23 18:07:16 -------- d-----w- c:\programdata\036E1BA600547533004500F3E56C34E5
2012-07-23 17:50:30 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-23 17:37:48 -------- d-----w- c:\programdata\036E1BA600547533004500F3F875F020
2012-07-22 20:23:24 -------- d-----w- c:\users\owner\appdata\local\Microsoft Games
2012-07-20 13:48:44 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ee53b586-1b4e-422e-b054-6f0c6bfc185e}\mpengine.dll
2012-07-11 08:02:03 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-08 19:31:24 -------- d-----w- c:\users\owner\appdata\local\{F43F4DFC-733A-4195-8451-89EA251B5581}
2012-07-08 19:31:11 -------- d-----w- c:\users\owner\appdata\local\{6A220DCC-42A2-4311-8F70-32DF8607E0EB}
2012-06-28 22:26:38 -------- d-----w- c:\users\owner\appdata\local\{C6F44858-0227-4BB5-AE90-6A69AD0D3A57}
2012-06-28 22:26:26 -------- d-----w- c:\users\owner\appdata\local\{C583AE0B-9D7B-4AC2-B2D2-2DE011286F04}
2012-06-28 22:26:03 -------- d-----w- c:\users\owner\appdata\local\{670B9ECE-8744-493E-B8A7-F4631BAA9E86}
2012-06-28 02:42:25 -------- d-----w- c:\users\owner\appdata\roaming\EasyDuplicateFinder
2012-06-28 02:42:20 -------- d-----w- c:\program files\EasyDuplicateFinder
2012-06-27 19:10:07 -------- d-----w- c:\users\owner\appdata\local\Facebook
.
==================== Find3M ====================
.
2012-07-23 18:25:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-23 18:25:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-23 18:20:28 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-17 18:46:03 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 17:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-26 06:04:56 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-05-04 09:59:54 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-05-01 04:44:12 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17:07 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45:55 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41:16 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
============= FINISH: 16:26:38.48 ===============

Attached Files


Edited by CherryCoke, 23 July 2012 - 05:50 PM.


BC AdBot (Login to Remove)

 


#2 M-K-D-B

M-K-D-B

  • Malware Response Team
  • 1,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bavaria
  • Local time:02:12 PM

Posted 24 July 2012 - 10:56 AM

Hi CherryCoke,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Regards,
M-K-D-B

#3 CherryCoke

CherryCoke
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:12 AM

Posted 24 July 2012 - 08:09 PM

Thank you! I appreciate it!

#4 M-K-D-B

M-K-D-B

  • Malware Response Team
  • 1,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bavaria
  • Local time:02:12 PM

Posted 25 July 2012 - 12:09 AM

Hi CherryCoke,


:welcome: to BleepingComputer.

My name is M-K-D-B and I'll help you with the cleanup of your computer.

Please be aware of the following:
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 3 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.





Backdoor Warning!
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
If you decide to clean your machine, please follow the instructions below.





Step 1
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.





Step 2
Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.





What you should post with your next answer:
  • the logfile from ComboFix,
  • the logfile from AdwCleaner,
  • any further information that seems to be important in your eyes.

Regards,
M-K-D-B

#5 CherryCoke

CherryCoke
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:12 AM

Posted 25 July 2012 - 04:56 PM

Thank you for taking the time to help. I was thinking about just wiping my computer..again. But I have to much stuff on here to save and all that. I will go ahead and try to clean it out this way =)

I have been trying to get the ComboFix to work but it won't..I disabled my antivirus program and did the update on the ComboFix, but it opens to this samll window, the background is black and the text is the bright green..then it stops and does..nothing else.

I also, on accident, uninstalled FB Messenger, I know I read somewhere I am not suppose to uninstall anything. Sorry, hope that doesn't mess anything up.

Here is the AdwCleaner log:

# AdwCleaner v1.703 - Logfile created 07/25/2012 at 16:50:17
# Updated 20/07/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Owner - DEBBIE
# Running from : C:\Users\Owner\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Owner\AppData\Local\Conduit
Folder Found : C:\Users\Owner\AppData\Local\Temp\avg@toolbar
Folder Found : C:\Users\Owner\AppData\LocalLow\Conduit
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\ProgramData\WeCareReminder
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\Free Offers from Freeze.com
Folder Found : C:\Program Files\Common Files\FreeCause
Folder Found : C:\Program Files\Common Files\Software Update Utility
File Found : C:\Users\Owner\AppData\Local\Temp\Uninstall.exe
File Found : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\searchplugins\Conduit.xml
File Found : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\searchplugins\MyStart Search.xml
File Found : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Found : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt
File Found : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
File Found : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt
File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml

***** [Registry] *****

[*] Key Found : HKLM\SOFTWARE\FCSB000063123
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2790392
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3184201
Key Found : HKCU\Software\AppDataLow\Software\Freecause
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\dnUpdate
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Found : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr
Key Found : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr.1
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Value Found : HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxps://isearch.avg.com/?cid={B37E2A7A-6113-43FF-A4CF-80096760BA2E}&mid=aab2f05d838a1bcd67d920dd9f586b55-58cfbf5b977472e91523181647b4c7cc352a96ef&lang=en&ds=gl011&pr=sa&d=2012-07-25 16:41:23&v=12.1.0.21&sap=hp

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Found : user_pref("browser.search.defaultthis.engineName", "midicairus Customized Web Search");
Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3184201&Sea[...]
Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");
Found : user_pref("extensions.4fd686f815226.scode", "\n(function(){var bdomains={\"premiumreports.info\":1,\[...]
Found : user_pref("extensions.incredibar_i.aflt", "orgnl");
Found : user_pref("extensions.incredibar_i.dfltLng", "");
Found : user_pref("extensions.incredibar_i.did", "10606");
Found : user_pref("extensions.incredibar_i.excTlbr", "false");
Found : user_pref("extensions.incredibar_i.hardId", "48d92e3d000000000000e0cb4e671b5c");
Found : user_pref("extensions.incredibar_i.id", "48d92e3d000000000000e0cb4e671b5c");
Found : user_pref("extensions.incredibar_i.installerproductid", "26");
Found : user_pref("extensions.incredibar_i.instlDay", "15386");
Found : user_pref("extensions.incredibar_i.instlRef", "");
Found : user_pref("extensions.incredibar_i.ms_url_id", "");
Found : user_pref("extensions.incredibar_i.newTab", false);
Found : user_pref("extensions.incredibar_i.ppd", "62");
Found : user_pref("extensions.incredibar_i.prdct", "incredibar");
Found : user_pref("extensions.incredibar_i.productid", "26");
Found : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Found : user_pref("extensions.incredibar_i.smplGrp", "none");
Found : user_pref("extensions.incredibar_i.tlbrId", "base");
Found : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6Oyt63yFie&loc=IB[...]
Found : user_pref("extensions.incredibar_i.upn2", "6Oyt63yFie");
Found : user_pref("extensions.incredibar_i.upn2n", "92260912209657006");
Found : user_pref("extensions.incredibar_i.vrsn", "1.5.3.27");
Found : user_pref("extensions.incredibar_i.vrsnTs", "1.5.3.2716:14:48");
Found : user_pref("extensions.incredibar_i.vrsni", "1.5.3.27");

-\\ Google Chrome v20.0.1132.57

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [7921 octets] - [25/07/2012 16:50:17]

########## EOF - C:\AdwCleaner[R1].txt - [8049 octets] ##########

#6 M-K-D-B

M-K-D-B

  • Malware Response Team
  • 1,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bavaria
  • Local time:02:12 PM

Posted 27 July 2012 - 10:52 AM

Hi CherryCoke,



Step 1
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.





Step 2
Now reboot into Safe Mode with networking.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.



Now delete the ComboFix.exe from your desktop!




Step 3
Download a new version of ComboFix from here and safe it to your desktop!
  • Press the "windows key" + "R"
  • Copy/paste the following text into the run box & click OK
    "%userprofile%\desktop\combofix.exe" /killall
    
  • When finished, it shall produce a log for you. Post that log in your next reply.





What you should post with your next answer:
  • the logfile from AdwCleaner,
  • the logfile from ComboFix.

Regards,
M-K-D-B

#7 CherryCoke

CherryCoke
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:12 AM

Posted 30 July 2012 - 11:51 AM

Sorry, it's taken me so long to respond. I hope I haven't messed anything up. My son has recently downloaded a program and I uninstalled them right away. Here are the logs you requested. Thanks again.

# AdwCleaner v1.703 - Logfile created 07/28/2012 at 11:35:24
# Updated 20/07/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Owner - DEBBIE
# Running from : C:\Users\Owner\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Owner\AppData\Local\Conduit
Folder Deleted : C:\Users\Owner\AppData\Local\Temp\avg@toolbar
Folder Deleted : C:\Users\Owner\AppData\LocalLow\Conduit
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Free Offers from Freeze.com
Folder Deleted : C:\Program Files\Common Files\FreeCause
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
File Deleted : C:\Users\Owner\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\searchplugins\Conduit.xml
File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\searchplugins\MyStart Search.xml
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml

***** [Registry] *****

[*] Key Deleted : HKLM\SOFTWARE\FCSB000063123
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2790392
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3184201
Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr
Key Deleted : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr.1
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxps://isearch.avg.com/?cid={B37E2A7A-6113-43FF-A4CF-80096760BA2E}&mid=aab2f05d838a1bcd67d920dd9f586b55-58cfbf5b977472e91523181647b4c7cc352a96ef&lang=en&ds=gl011&pr=sa&d=2012-07-25 16:41:23&v=12.1.0.21&sap=hp --> hxxp://www.google.com

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\prefs.js

C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.defaultthis.engineName", "midicairus Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3184201&Sea[...]
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
Deleted : user_pref("extensions.4fd686f815226.scode", "\n(function(){var bdomains={\"premiumreports.info\":1,\[...]
Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
Deleted : user_pref("extensions.incredibar_i.did", "10606");
Deleted : user_pref("extensions.incredibar_i.excTlbr", "false");
Deleted : user_pref("extensions.incredibar_i.hardId", "48d92e3d000000000000e0cb4e671b5c");
Deleted : user_pref("extensions.incredibar_i.id", "48d92e3d000000000000e0cb4e671b5c");
Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
Deleted : user_pref("extensions.incredibar_i.instlDay", "15386");
Deleted : user_pref("extensions.incredibar_i.instlRef", "");
Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
Deleted : user_pref("extensions.incredibar_i.newTab", false);
Deleted : user_pref("extensions.incredibar_i.ppd", "62");
Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar_i.productid", "26");
Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6Oyt63yFie&loc=IB[...]
Deleted : user_pref("extensions.incredibar_i.upn2", "6Oyt63yFie");
Deleted : user_pref("extensions.incredibar_i.upn2n", "92260912209657006");
Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.3.27");
Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.3.2716:14:48");
Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.3.27");

-\\ Google Chrome v20.0.1132.57

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [8050 octets] - [25/07/2012 16:50:17]
AdwCleaner[S1].txt - [8081 octets] - [28/07/2012 11:35:24]

########## EOF - C:\AdwCleaner[S1].txt - [8209 octets] ##########




ComboFix 12-07-30.01 - Owner 07/30/2012 11:01:35.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.2008 [GMT -5:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\100
c:\windows\$NtUninstallKB26457$
c:\windows\$NtUninstallKB26457$\2346117108
c:\windows\$NtUninstallKB26457$\3689331903\@
c:\windows\$NtUninstallKB26457$\3689331903\Desktop.ini
c:\windows\$NtUninstallKB26457$\3689331903\L\00000004.@
c:\windows\$NtUninstallKB26457$\3689331903\L\201d3dde
c:\windows\$NtUninstallKB26457$\3689331903\L\xadqgnnk
c:\windows\$NtUninstallKB26457$\3689331903\U\00000004.@
c:\windows\$NtUninstallKB26457$\3689331903\U\00000008.@
c:\windows\$NtUninstallKB26457$\3689331903\U\000000cb.@
c:\windows\$NtUninstallKB26457$\3689331903\U\80000000.@
c:\windows\$NtUninstallKB26457$\3689331903\U\80000032.@
c:\windows\svcs.exe
c:\windows\system32\DEBUG.log
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-30 )))))))))))))))))))))))))))))))
.
.
2012-07-30 16:07 . 2012-07-30 16:08 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-07-30 16:07 . 2012-07-30 16:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-29 22:49 . 2012-07-29 22:49 -------- d-----w- c:\users\Owner\AppData\Local\Wajam
2012-07-29 22:49 . 2012-07-29 22:49 -------- d-----w- c:\programdata\Babylon
2012-07-29 22:49 . 2012-07-29 22:49 -------- d-----w- c:\users\Owner\AppData\Roaming\Babylon
2012-07-23 20:23 . 2012-07-23 20:23 -------- d-----w- c:\windows\Sun
2012-07-23 18:20 . 2012-07-23 18:20 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-23 18:19 . 2012-07-23 18:19 -------- d-----w- c:\programdata\McAfee
2012-07-23 18:07 . 2012-07-23 18:07 -------- d-----w- c:\programdata\036E1BA600547533004500F3E56C34E5
2012-07-23 17:50 . 2012-07-23 17:50 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-23 17:37 . 2012-07-23 17:39 -------- d-----w- c:\programdata\036E1BA600547533004500F3F875F020
2012-07-22 20:23 . 2012-07-22 20:23 -------- d-----w- c:\users\Owner\AppData\Local\Microsoft Games
2012-07-20 13:48 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EE53B586-1B4E-422E-B054-6F0C6BFC185E}\mpengine.dll
2012-07-11 08:02 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-26 22:49 . 2012-04-16 22:02 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-26 22:49 . 2012-01-12 21:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-23 18:20 . 2012-02-09 00:58 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46 . 2012-05-26 23:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-19 10:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 10:12 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 10:12 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 10:12 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 10:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-19 10:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-19 10:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-19 10:11 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-19 10:11 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 17:25 . 2012-01-12 21:26 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-26 06:04 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-05-04 15:48 . 2011-03-28 23:36 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-05-04 09:59 . 2012-06-21 13:02 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-07-18 23:16 . 2012-01-22 17:07 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2012-05-30 4331392]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2012-01-12 2042208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-31 16200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [x]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 22:49]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-929496565-1938193534-301810670-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-04 18:35]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-929496565-1938193534-301810670-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-04 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?affID=109935&tt=3012_5&babsrc=HP_ss&mntrId=48d92e3d000000000000e0cb4e671b5c
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=31154&client_id=7804ea4ba87b98e80386ef48&camp_id=5105&install_time=2012-07-22T06:59Z&pr=auto&tb_version=1.0.19000(G)&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=3012_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - 48d92e3d000000000000e0cb4e671b5c
FF - user.js: extensions.BabylonToolbar.instlDay - 15550
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.117:49
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{efb1e45a-148d-40f9-a3f0-09d5577f9970} - (no file)
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-Corel Photo Downloader - c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-07-30 11:11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-30 16:11
.
Pre-Run: 357,832,609,792 bytes free
Post-Run: 358,226,726,912 bytes free
.
- - End Of File - - 129D2B08DABE8C082E3E0F42E5739755

#8 M-K-D-B

M-K-D-B

  • Malware Response Team
  • 1,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bavaria
  • Local time:02:12 PM

Posted 31 July 2012 - 09:06 AM

Hi CherryCoke,



My son has recently downloaded a program and I uninstalled them right away. Here are the logs you requested. Thanks again.

Which program are you talking about? Maybe it was Babylon Toolbar?





Step 1
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\programdata\Babylon
c:\users\Owner\AppData\Roaming\Babylon
c:\users\Owner\AppData\Local\Wajam

Dirlook::
c:\programdata\036E1BA600547533004500F3E56C34E5
c:\programdata\036E1BA600547533004500F3F875F020

DDS::
uStart Page = hxxp://search.babylon.com/?affID=109935&tt=3012_5&babsrc=HP_ss&mntrId=48d92e3d000000000000e0cb4e671b5c

Firefox::
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=31154&client_id=7804ea4ba87b98e80386ef48&camp_id=5105&install_time=2012-07-22T06:59Z&pr=auto&tb_version=1.0.19000(G)&q=
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=3012_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - 48d92e3d000000000000e0cb4e671b5c
FF - user.js: extensions.BabylonToolbar.instlDay - 15550
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.117:49
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





What you should post with your next answer:
  • an answer to my questions,
  • the logfile from ComboFix.

Edited by M-K-D-B, 31 July 2012 - 09:07 AM.

Regards,
M-K-D-B

#9 M-K-D-B

M-K-D-B

  • Malware Response Team
  • 1,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bavaria
  • Local time:02:12 PM

Posted 03 August 2012 - 08:00 AM

Hi CherryCoke,


do you still need help with you computer?
If you don't respond within the next 48 hours, your topic will be closed.
Regards,
M-K-D-B

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:12 AM

Posted 05 August 2012 - 08:33 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:12 AM

Posted 24 August 2012 - 09:22 AM

This topic has been re-opened at the request of the person who originally posted.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:12 AM

Posted 24 August 2012 - 09:23 AM

Hi CherryCoke-

Due to the time lapse, please post a fresh DDS log, a new GMER scan log; and a description of the current issues.

Thanks!
-etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 CherryCoke

CherryCoke
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:12 AM

Posted 28 August 2012 - 11:00 AM

I am getting this pop-up that says I am not running Genuine Windows. And I am not able to do any Windows Updates. I am no longer getting the redirects(YAY). Thanks for the help!! And I hope I posted the Gamer log right =)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33
Run by Owner at 9:29:48 on 2012-08-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.2095 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Outdated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Users\Owner\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
C:\Program Files\DefaultTab\DefaultTabSearch.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCyBtC0ByD0CtB0EtA0DtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1074014504
mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCyBtC0ByD0CtB0EtA0DtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1074014504
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Qwiklinx: {3e7c8b5a-96ab-438f-bf9b-782400655440} - c:\users\owner\appdata\roaming\qwiklinx\Qwiklinx.dll
BHO: VideoFileDownload: {625f420e-a4a9-4b40-bc23-716c1c43893a} - c:\program files\oapps\bho.dll
BHO: Funmoods Helper Object: {75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7} - c:\progra~1\funmoods\1.5.23.22\bh\escort.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: DefaultTab Browser Helper: {7f6afbf1-e065-4627-a2fd-810366367d01} - c:\users\owner\appdata\roaming\defaulttab\defaulttab\DefaultTabBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Funmoods Toolbar: {a4c272ec-ed9e-4ace-a6f2-9558c7f29ef3} - c:\progra~1\funmoods\1.5.23.22\escorTlbr.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4FC79EE7-3DF5-4F52-BCF6-63848D99729A} : DhcpNameServer = 192.168.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\x6sbi6ys.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=31154&client_id=7804ea4ba87b98e80386ef48&camp_id=5105&install_time=2012-07-22T06:59:42Z&pr=auto&tb_version=1.0.19000(G)&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\roblox\versions\version-1bebb2d1460c4423\NPRobloxProxy.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\owner\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=3012_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - 48d92e3d000000000000e0cb4e671b5c
FF - user.js: extensions.BabylonToolbar.instlDay - 15550
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.117:49:38
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCyBtC0ByD0CtB0EtA0DtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1074014504
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCyBtC0ByD0CtB0EtA0DtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1074014504
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCyBtC0ByD0CtB0EtA0DtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1074014504&q=
FF - user.js: extensions.funmoods.id - E0CB4E671B5C2E3D
FF - user.js: extensions.funmoods.instlDay - 15577
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.228:3:46
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - adknlg
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2012-1-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2012-1-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2012-1-12 108552]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2012-1-12 297752]
R2 DefaultTabSearch;DefaultTabSearch;c:\program files\defaulttab\DefaultTabSearch.exe [2012-5-18 563200]
R2 DefaultTabUpdate;DefaultTabUpdate;c:\users\owner\appdata\roaming\defaulttab\defaulttab\DTUpdate.exe [2012-8-25 107520]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-23 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-26 22344]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2012-1-12 908056]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-16 250568]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-5-4 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 113120]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-5-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-5-24 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-08-25 13:05:47 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2012-08-25 13:05:47 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2012-08-25 13:05:47 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2012-08-25 13:05:46 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2012-08-25 13:05:45 -------- d-----w- c:\program files\PDFCreator
2012-08-25 13:05:27 -------- d-----w- c:\program files\DefaultTab
2012-08-25 13:05:23 -------- d-----w- c:\users\owner\appdata\roaming\DefaultTab
2012-08-25 13:04:58 317288 ----a-w- c:\windows\system32\Sendori.dll.old.hck
2012-08-25 13:04:58 317288 ----a-w- c:\windows\system32\Sendori.dll
2012-08-25 13:04:10 -------- d-----w- c:\users\owner\appdata\roaming\Qwiklinx
2012-08-25 13:04:10 -------- d-----w- c:\program files\Qwiklinx
2012-08-25 13:04:05 -------- d-----w- c:\program files\Shop To Win
2012-08-25 13:03:54 -------- d-----w- c:\program files\OApps
2012-08-24 13:04:47 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ee53b586-1b4e-422e-b054-6f0c6bfc185e}\offreg.dll
2012-08-02 23:37:47 -------- d-----w- c:\programdata\Roblox
2012-08-02 23:37:47 -------- d-----w- c:\program files\Roblox
2012-07-30 16:11:02 -------- d-sh--w- C:\$RECYCLE.BIN
2012-07-30 16:07:02 -------- d-----w- c:\users\owner\appdata\local\temp
2012-07-29 22:49:47 -------- d-----w- c:\users\owner\appdata\local\Wajam
2012-07-29 22:49:20 -------- d-----w- c:\programdata\Babylon
2012-07-29 22:49:19 -------- d-----w- c:\users\owner\appdata\roaming\Babylon
.
==================== Find3M ====================
.
2012-08-24 13:04:20 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-24 13:04:20 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 05:39:28 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-07-23 18:20:28 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-23 18:20:28 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-12 02:40:48 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 17:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 9:30:36.16 ===============





GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-28 10:53:58
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000054 ST350041 rev.HP34
Running: pr0tffx3.exe; Driver: C:\Users\Owner\AppData\Local\Temp\pwldapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C8D3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC6D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\Owner\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000041 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d@FlushCacheFiles ?????????2f??????v?????????????????????????Fil??????????????????????????????????????????????????????????????????????????C:\Program Files\Windows Media Player\wmplayer.exe??????????????????????http://talkback.winamp.com??ht????:??????l??????????????????http://talkback.evip.aol.com?t????<??????c??????????????m???????????????????????????%CommonProgramFiles%\Software Update Utility????????D??????????A????????D??????????????????????????????????A???@???B???B?@??????D????=???????m??????????????????????????????]0??????????????????????????????????????????? ????????????????????????????(?"?or????????????????ILauncher???????LowDateTime:324910336,HighDateTime:30016509***Binary mof failed, see WMIPROV.LOG?????????????0???????E??? ???????0?????3?d??????????????????????????????????????????????????????????8???<?????????????????????up??????????????????????????????????????????????????'?????mapi://{S-1-5-21-929496565-1938193534-301810670-1000}/?p?????????????0?????????8B7???????????D?????e???????????????????????????????????????

---- EOF - GMER 1.0.15 ----

#14 M-K-D-B

M-K-D-B

  • Malware Response Team
  • 1,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bavaria
  • Local time:02:12 PM

Posted 29 August 2012 - 09:03 AM

Hi CherryCoke,



Step 1
You have installed some Adware and PUP (potentially unwanted programs) on your computer.
I highly recommend you to uninstall them.
Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Funmoods
Qwiklinx
DefaultTab
BabylonToolbar
ShopToWin
OApps


Additional instructions can be found here if needed.





Step 2
If AdwCleaner is still on your desktop, please uninstall the old version first:
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall
  • Confirm with yes





Step 3
Please download a new version of AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.





Step 4
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.





What you should post with your next answer:
  • the logfile from AdwCleaner,
  • the logfile from FSS.

Regards,
M-K-D-B

#15 CherryCoke

CherryCoke
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:12 AM

Posted 29 August 2012 - 11:39 AM

Uninstalled the unwanted programs. Here are the logs::


# AdwCleaner v1.801 - Logfile created 08/29/2012 at 11:30:36
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Owner - DEBBIE
# Boot Mode : Normal
# Running from : C:\Users\Owner\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Owner\AppData\Local\Wajam
Folder Found : C:\Users\Owner\AppData\LocalLow\Funmoods
Folder Found : C:\Users\Owner\AppData\Roaming\Babylon
Folder Found : C:\Users\Owner\Documents\ShopToWin
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\Program Files\Shop To Win
Folder Found : C:\ProgramData\Premium
File Found : C:\Users\Owner\AppData\Local\funmoods.crx
File Found : C:\Users\Owner\AppData\Local\funmoods-speeddial.crx
File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\user.js

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Freecause
Key Found : HKCU\Software\Default Tab
Key Found : HKLM\SOFTWARE\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Found : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Found : HKLM\SOFTWARE\Classes\f
Key Found : HKLM\SOFTWARE\Classes\funmoods.dskBnd
Key Found : HKLM\SOFTWARE\Classes\funmoods.dskBnd.1
Key Found : HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr
Key Found : HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr.1
Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
Key Found : HKLM\SOFTWARE\Default Tab
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Found : HKLM\SOFTWARE\Google\chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Found : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Found : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCyBtC0ByD0CtB0EtA0DtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1074014504
[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCyBtC0ByD0CtB0EtA0DtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1074014504
[HKCU\Software\Microsoft\Internet Explorer\Main - Backup.Old.Start Page] = hxxp://search.babylon.com/?affID=109935&tt=3012_5&babsrc=HP_ss&mntrId=48d92e3d000000000000e0cb4e671b5c

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\x6sbi6ys.default\prefs.js

Found : user_pref("extensions.BabylonToolbar.admin", false);
Found : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Found : user_pref("extensions.BabylonToolbar.excTlbr", false);
Found : user_pref("extensions.BabylonToolbar.id", "48d92e3d000000000000e0cb4e671b5c");
Found : user_pref("extensions.BabylonToolbar.instlDay", "15550");
Found : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
Found : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://www.google.com/search?babsrc=TB_ggl&q=");
Found : user_pref("extensions.BabylonToolbar.vrsn", "1.5.29.1");
Found : user_pref("extensions.BabylonToolbar.vrsni", "1.5.29.1");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109935&tt=3012_5");
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.29.117:49:38");
Found : user_pref("extensions.funmoods.aflt", "adknlg");
Found : user_pref("extensions.funmoods.autoRvrt", false);
Found : user_pref("extensions.funmoods.cntry", "US");
Found : user_pref("extensions.funmoods.cv", "cv5");
Found : user_pref("extensions.funmoods.dfltLng", "");
Found : user_pref("extensions.funmoods.dfltSrch", true);
Found : user_pref("extensions.funmoods.dnsErr", true);
Found : user_pref("extensions.funmoods.envrmnt", "production");
Found : user_pref("extensions.funmoods.excTlbr", false);
Found : user_pref("extensions.funmoods.hdrMd5", "2C71B8F04B9EDA824D71745887B9DB47");
Found : user_pref("extensions.funmoods.hmpg", true);
Found : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2Xz[...]
Found : user_pref("extensions.funmoods.id", "E0CB4E671B5C2E3D");
Found : user_pref("extensions.funmoods.instlDay", "15577");
Found : user_pref("extensions.funmoods.instlRef", "adknlg");
Found : user_pref("extensions.funmoods.isdcmntcmplt", true);
Found : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.228:3:46");
Found : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
Found : user_pref("extensions.funmoods.newTab", true);
Found : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2[...]
Found : user_pref("extensions.funmoods.prdct", "funmoods");
Found : user_pref("extensions.funmoods.prtnrId", "funmoods");
Found : user_pref("extensions.funmoods.sg", "none");
Found : user_pref("extensions.funmoods.smplGrp", "none");
Found : user_pref("extensions.funmoods.srchPrvdr", "Search");
Found : user_pref("extensions.funmoods.tlbrId", "base");
Found : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd[...]
Found : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
Found : user_pref("extensions.funmoods.vrsnTs", "1.5.23.228:3:46");
Found : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
Found : user_pref("extensions.funmoods_i.newTab", true);
Found : user_pref("extensions.funmoods_i.smplGrp", "none");
Found : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.228:3:46");
Found : user_pref("extensions.wajam.affiliate_id", "6447");
Found : user_pref("extensions.wajam.firstrun", "false");
Found : user_pref("extensions.wajam.log_send_info", "false");
Found : user_pref("extensions.wajam.mappingListJsonString", "{\"version\":\"0.21083\",\"supported_sites\":{\[...]
Found : user_pref("extensions.wajam.no_trace", "false");
Found : user_pref("extensions.wajam.server_current_mapping_version", "0.21083");
Found : user_pref("extensions.wajam.trace_log", "1343610513796 - processInstallationUpgrade - version set to[...]
Found : user_pref("extensions.wajam.unique_id", "E7C36346D8440A0A43334C56A8C11FD4");
Found : user_pref("extensions.wajam.user_current_mapping_version", "0");
Found : user_pref("extensions.wajam.version", "1.25");

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : {"homepage": "hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0EyCy[...]
Found : "backup":{"_version":1,"homepage":true,"homepage_is_newtabpage":false,"session":{"restore_on_startup[...]
Found : "name": "Web Search",
Found : "search_url": "hxxp://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&[...]
Found : "ahfgeienlihckogmohjhadlkjgocpleb":{"app_launcher_ordinal":"n","page_ordinal":"n"},"mhfdcmehmjccl[...]

*************************

AdwCleaner[R1].txt - [10917 octets] - [29/08/2012 11:30:36]

########## EOF - C:\AdwCleaner[R1].txt - [11046 octets] ##########




Farbar Service Scanner Version: 06-08-2012
Ran by Owner (administrator) on 29-08-2012 at 11:32:45
Running from "C:\Users\Owner\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by CherryCoke, 29 August 2012 - 11:41 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users