Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with DoubleClick virus


  • This topic is locked This topic is locked
19 replies to this topic

#1 stbutt01

stbutt01

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 05 August 2012 - 05:12 PM

The virus causes my cursor to click uncontrollably and can only be prevented by running spybot S&D 24/7. It will always detect the same tracking cookie that is titled "DoubleClick". I know this virus is more than a tracking cookie because every time I "remove" it, it is always detected again and my computer will go back into the uncontrollable clicking of the cursor if I just let it be. There is no rhyme or reason, nothing to trigger the clicking; it appears to come and go completely randomly and the only way to stop it is to run spybot the entire time I'm using the computer, removing the DoubleClick virus every time it is detected. Please help and thanks in advance!

Sean

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:20 AM

Posted 10 August 2012 - 09:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

#3 stbutt01

stbutt01
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 14 August 2012 - 01:24 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Sean at 13:21:10 on 2012-08-14
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2972.1493 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Sean\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Sean\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Users\Sean\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Codecv Class: {6761b6f7-301d-4950-b76f-1c3e004c46f0} - c:\programdata\codecv\bhoclass.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Facebook Update] "c:\users\sean\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Spotify Web Helper] "c:\users\sean\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_265_Plugin.exe -update plugin
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [QuickTime Plugin Install] c:\program files\quicktime\plugins\DeleteMe1.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
StartupFolder: c:\users\sean\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\sean\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://nac-4.cca-mitc.louisville.edu/auth/CCALogin.CAB
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{71CBDA75-CF36-4186-AC68-203DA2C3EDF0} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{71CBDA75-CF36-4186-AC68-203DA2C3EDF0}\3445F475E454 : DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{71CBDA75-CF36-4186-AC68-203DA2C3EDF0}\96E63796768647F577966696F583635373 : DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sean\appdata\roaming\mozilla\firefox\profiles\yptcxw8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\sean\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-18 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-30 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-21 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-18 301248]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-13 193288]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-7-16 26168]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-17 1153368]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-2 136176]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-5-3 158856]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-2 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-5 113120]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-17 1343400]
.
=============== Created Last 30 ================
.
2012-07-17 20:11:43 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-07-16 03:10:10 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-16 03:10:10 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-16 03:10:10 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-16 03:10:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-16 03:10:10 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-16 03:10:05 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-07-16 03:10:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-16 03:10:02 987136 ----a-w- c:\program files\common files\system\ado\msado15.dll
.
==================== Find3M ====================
.
2012-07-17 20:22:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-17 20:22:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 13:22:50.87 ===============

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:20 AM

Posted 15 August 2012 - 07:12 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:[list]
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if the problem persists.

#5 stbutt01

stbutt01
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 16 August 2012 - 06:19 PM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.16.10

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
Sean :: SEAN-SCHOOL [administrator]

8/16/2012 5:34:05 PM
mbam-log-2012-08-16 (17-34-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200172
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCR\CLSID\{6761B6F7-301D-4950-B76F-1C3E004C46F0} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6761B6F7-301D-4950-B76F-1C3E004C46F0} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6761B6F7-301D-4950-B76F-1C3E004C46F0} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6761B6F7-301D-4950-B76F-1C3E004C46F0} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} (PUP.DownloadnSave) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\ProgramData\Codecv\bhoclass.dll (PUP.DownloadnSave) -> Quarantined and deleted successfully.

(end)

# AdwCleaner v1.801 - Logfile created 08/16/2012 at 19:16:40
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Professional (32 bits)
# User : Sean - SEAN-SCHOOL
# Boot Mode : Normal
# Running from : C:\Users\Sean\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Sean\AppData\Local\AskToolbar
Folder Found : C:\Users\Sean\AppData\LocalLow\AskToolbar
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Folder Found : C:\ProgramData\Premium

***** [Registry] *****

Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\AskToolbarInfo
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\AskToolbar
Key Found : HKCU\Software\Cr_Installer
Key Found : HKLM\SOFTWARE\APN
Key Found : HKLM\SOFTWARE\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho
Key Found : HKLM\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\yptcxw8k.default\prefs.js

Found : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
Found : user_pref("extensions.asktb.abar-war-timeout", "4000");
Found : user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
Found : user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
Found : user_pref("extensions.asktb.cbid", "UF");
Found : user_pref("extensions.asktb.config-updated", true);
Found : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
Found : user_pref("extensions.asktb.displaybehavior", "");
Found : user_pref("extensions.asktb.displaytext", "");
Found : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", true);
Found : user_pref("extensions.asktb.first-restart-after-config-update", true);
Found : user_pref("extensions.asktb.fresh-install", false);
Found : user_pref("extensions.asktb.guid", "5C201612-690B-4A4D-B45B-B17CC5C239A0");
Found : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
Found : user_pref("extensions.asktb.if", "su");
Found : user_pref("extensions.asktb.l", "dis");
Found : user_pref("extensions.asktb.last-config-req", "1322708145573");
Found : user_pref("extensions.asktb.last-v", "3.12.2.100006");
Found : user_pref("extensions.asktb.locale", "en_US");
Found : user_pref("extensions.asktb.lstation", "");
Found : user_pref("extensions.asktb.news-native-on", false);
Found : user_pref("extensions.asktb.o", "15150");
Found : user_pref("extensions.asktb.options-lang", "en");
Found : user_pref("extensions.asktb.options-locale", "UK");
Found : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Found : user_pref("extensions.asktb.pstate", "");
Found : user_pref("extensions.asktb.qsrc", "2871");
Found : user_pref("extensions.asktb.r", "7");
Found : user_pref("extensions.asktb.sa", "NO");
Found : user_pref("extensions.asktb.search-suggestions-enabled", true);
Found : user_pref("extensions.asktb.silent-upgrade", true);
Found : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", true);
Found : user_pref("extensions.asktb.socialmini-first", true);
Found : user_pref("extensions.asktb.socialmini-interval", "1200000");
Found : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
Found : user_pref("extensions.asktb.socialmini-max-items", "30");
Found : user_pref("extensions.asktb.socialmini-native-on", true);
Found : user_pref("extensions.asktb.socialmini-speed", "5000");
Found : user_pref("extensions.asktb.socialmini-transition-first-open", false);
Found : user_pref("extensions.asktb.themeid", "");
Found : user_pref("extensions.asktb.timeinstalled", "9/13/2011 5:14:18 PM");
Found : user_pref("extensions.asktb.version", "5.13.1.18107");
Found : user_pref("extensions.asktb.volume", "");
Found : user_pref("extensions.crossriderapp435.435.InstallationThankYouPage", true);
Found : user_pref("extensions.crossriderapp435.435.InstallationTime", 1333483105);
Found : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.searchUserConifrmation", false);
Found : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setHomepage", false);
Found : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setNewTab", false);
Found : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setSearch", false);
Found : user_pref("extensions.crossriderapp435.435.active", true);
Found : user_pref("extensions.crossriderapp435.435.addressbar", "");
Found : user_pref("extensions.crossriderapp435.435.affid", "0");
Found : user_pref("extensions.crossriderapp435.435.backgroundjs", "\n\nfunction buttonClick() { \n \[...]
Found : user_pref("extensions.crossriderapp435.435.backgroundver", 8);
Found : user_pref("extensions.crossriderapp435.435.certdomaininstaller", "");
Found : user_pref("extensions.crossriderapp435.435.changeprevious", false);
Found : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.expiration", "Fri Feb 01 2030 00:[...]
Found : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.value", "1333483105");
Found : user_pref("extensions.crossriderapp435.435.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00:0[...]
Found : user_pref("extensions.crossriderapp435.435.cookie.InstallerParams.value", "%7B%22source_id%22%3A%220[...]
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.value", "%221333493114%22");
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_geo.expiration", "Wed Apr 11 2012 00:45:15 GM[...]
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_geo.value", "%7B%22geoplugin_city%22%3Anull%2[...]
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030 0[...]
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.value", "%2214974%22");
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:00[...]
Found : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.value", "%2227881%22");
Found : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Found : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.value", "435");
Found : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.expiration", "Fri Feb 01 2030 [...]
Found : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.value", "14969");
Found : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.expiration", "Fri Feb 01 2030 00:00:00[...]
Found : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.value", "%222993%22");
Found : user_pref("extensions.crossriderapp435.435.description", "Premiumplay Codec check");
Found : user_pref("extensions.crossriderapp435.435.domain", "");
Found : user_pref("extensions.crossriderapp435.435.emailsig", "");
Found : user_pref("extensions.crossriderapp435.435.enablesearch", false);
Found : user_pref("extensions.crossriderapp435.435.exposesites", "");
Found : user_pref("extensions.crossriderapp435.435.fbremoteurl", "");
Found : user_pref("extensions.crossriderapp435.435.group", 0);
Found : user_pref("extensions.crossriderapp435.435.homepage", "");
Found : user_pref("extensions.crossriderapp435.435.iframe", false);
Found : user_pref("extensions.crossriderapp435.435.js", "\n\n//------------------ PLUGIN app_435_specific S[...]
Found : user_pref("extensions.crossriderapp435.435.manifesturl", "");
Found : user_pref("extensions.crossriderapp435.435.name", "Codec-V");
Found : user_pref("extensions.crossriderapp435.435.newtab", "");
Found : user_pref("extensions.crossriderapp435.435.opensearch", "");
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.code", "if(!appAPI.matchPages(\"search.[...]
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.name", "app_435_specific");
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.ver", 2);
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.code", "(function(B){b.selectedText=fun[...]
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.name", "CrossriderAppUtils");
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.ver", 1);
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.code", "\"undefined\"===typeof appAPI&&[...]
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.name", "CrossriderUtils");
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.ver", 1);
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.code", "(function(e){function u(c,B){fo[...]
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.name", "FacebookFFIE");
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.ver", 1);
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.code", "(function(b,a){function i(){var[...]
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.name", "FFAppAPIWrapper");
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.ver", 1);
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.code", "var $$jquery;\n(function(l,n){f[...]
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.name", "jQuery");
Found : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.ver", 1);
Found : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_0", "17,14,16");
Found : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_1", "17,14,13,16,15,10");
Found : user_pref("extensions.crossriderapp435.435.pluginsurl", "hxxp://app-static.crossrider.com/plugin/app[...]
Found : user_pref("extensions.crossriderapp435.435.pluginsversion", 2);
Found : user_pref("extensions.crossriderapp435.435.premium", true);
Found : user_pref("extensions.crossriderapp435.435.publisher", "Premiumplay");
Found : user_pref("extensions.crossriderapp435.435.searchstatus", 0);
Found : user_pref("extensions.crossriderapp435.435.setnewtab", false);
Found : user_pref("extensions.crossriderapp435.435.settingsurl", "");
Found : user_pref("extensions.crossriderapp435.435.thankyou", "");
Found : user_pref("extensions.crossriderapp435.435.updateinterval", 360);
Found : user_pref("extensions.crossriderapp435.435.ver", 48);
Found : user_pref("extensions.crossriderapp435.adsOldValue", -1);
Found : user_pref("extensions.crossriderapp435.apps", "435");
Found : user_pref("extensions.crossriderapp435.bic", "1367a61efa65673cf93eebd3a8f605e2");
Found : user_pref("extensions.crossriderapp435.cid", 435);
Found : user_pref("extensions.crossriderapp435.firstrun", false);
Found : user_pref("extensions.crossriderapp435.hadappinstalled", true);
Found : user_pref("extensions.crossriderapp435.installationdate", 1333493100);
Found : user_pref("extensions.crossriderapp435.jsver", 3);
Found : user_pref("extensions.crossriderapp435.lastcheck", 22226397);
Found : user_pref("extensions.crossriderapp435.lastcheckitem", 22226428);
Found : user_pref("extensions.crossriderapp435.misc.lastBgWorkerTimer", "1333585689227");
Found : user_pref("extensions.crossriderapp435.misc.lastDomWorkerTimer", "1333585689183");
Found : user_pref("extensions.nurit5562nurit235.scode", "(function(){try{for(i=0;i<5;i++){window.setTimeout([...]

*************************

AdwCleaner[R1].txt - [13599 octets] - [16/08/2012 19:16:40]

########## EOF - C:\AdwCleaner[R1].txt - [13728 octets] ##########

Results of screen317's Security Check version 0.99.44
Windows 7 x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 26
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.3.300.265
Adobe Reader X 10.1.1 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.75
Google Chrome 21.0.1180.79
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbam.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

#6 stbutt01

stbutt01
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 16 August 2012 - 06:43 PM

When I run SB S&D it still detects the Doubleclick virus.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:20 AM

Posted 17 August 2012 - 07:33 AM

Remove the AdWare.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

===

Results of screen317's Security Check version 0.99.44
Windows 7 x86 (UAC is enabled)
Out of date service pack!!

Click on the link Out of date service pack!! and update the service pack.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Post the log and please let me know if the problem persists.

#8 stbutt01

stbutt01
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 17 August 2012 - 04:11 PM

# AdwCleaner v1.801 - Logfile created 08/17/2012 at 16:03:26
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Professional (32 bits)
# User : Sean - SEAN-SCHOOL
# Boot Mode : Normal
# Running from : C:\Users\Sean\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Sean\AppData\Local\AskToolbar
Folder Deleted : C:\Users\Sean\AppData\LocalLow\AskToolbar
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Folder Deleted : C:\ProgramData\Premium

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\AskToolbarInfo
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\AskToolbar
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKLM\SOFTWARE\APN
Key Deleted : HKLM\SOFTWARE\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho
Key Deleted : HKLM\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\yptcxw8k.default\prefs.js

Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
Deleted : user_pref("extensions.asktb.abar-war-timeout", "4000");
Deleted : user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
Deleted : user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
Deleted : user_pref("extensions.asktb.cbid", "UF");
Deleted : user_pref("extensions.asktb.config-updated", true);
Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
Deleted : user_pref("extensions.asktb.displaybehavior", "");
Deleted : user_pref("extensions.asktb.displaytext", "");
Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", true);
Deleted : user_pref("extensions.asktb.first-restart-after-config-update", true);
Deleted : user_pref("extensions.asktb.fresh-install", false);
Deleted : user_pref("extensions.asktb.guid", "5C201612-690B-4A4D-B45B-B17CC5C239A0");
Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
Deleted : user_pref("extensions.asktb.if", "su");
Deleted : user_pref("extensions.asktb.l", "dis");
Deleted : user_pref("extensions.asktb.last-config-req", "1322708145573");
Deleted : user_pref("extensions.asktb.last-v", "3.12.2.100006");
Deleted : user_pref("extensions.asktb.locale", "en_US");
Deleted : user_pref("extensions.asktb.lstation", "");
Deleted : user_pref("extensions.asktb.news-native-on", false);
Deleted : user_pref("extensions.asktb.o", "15150");
Deleted : user_pref("extensions.asktb.options-lang", "en");
Deleted : user_pref("extensions.asktb.options-locale", "UK");
Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Deleted : user_pref("extensions.asktb.pstate", "");
Deleted : user_pref("extensions.asktb.qsrc", "2871");
Deleted : user_pref("extensions.asktb.r", "7");
Deleted : user_pref("extensions.asktb.sa", "NO");
Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
Deleted : user_pref("extensions.asktb.silent-upgrade", true);
Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", true);
Deleted : user_pref("extensions.asktb.socialmini-first", true);
Deleted : user_pref("extensions.asktb.socialmini-interval", "1200000");
Deleted : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
Deleted : user_pref("extensions.asktb.socialmini-max-items", "30");
Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
Deleted : user_pref("extensions.asktb.socialmini-speed", "5000");
Deleted : user_pref("extensions.asktb.socialmini-transition-first-open", false);
Deleted : user_pref("extensions.asktb.themeid", "");
Deleted : user_pref("extensions.asktb.timeinstalled", "9/13/2011 5:14:18 PM");
Deleted : user_pref("extensions.asktb.version", "5.13.1.18107");
Deleted : user_pref("extensions.asktb.volume", "");
Deleted : user_pref("extensions.crossriderapp435.435.InstallationThankYouPage", true);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationTime", 1333483105);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.searchUserConifrmation", false);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setHomepage", false);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setNewTab", false);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setSearch", false);
Deleted : user_pref("extensions.crossriderapp435.435.active", true);
Deleted : user_pref("extensions.crossriderapp435.435.addressbar", "");
Deleted : user_pref("extensions.crossriderapp435.435.affid", "0");
Deleted : user_pref("extensions.crossriderapp435.435.backgroundjs", "\n\nfunction buttonClick() { \n \[...]
Deleted : user_pref("extensions.crossriderapp435.435.backgroundver", 8);
Deleted : user_pref("extensions.crossriderapp435.435.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp435.435.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.expiration", "Fri Feb 01 2030 00:[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.value", "1333483105");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00:0[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallerParams.value", "%7B%22source_id%22%3A%220[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.value", "%221333493114%22");
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_geo.expiration", "Wed Apr 11 2012 00:45:15 GM[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_geo.value", "%7B%22geoplugin_city%22%3Anull%2[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.value", "%2214974%22");
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:00[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.value", "%2227881%22");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.value", "435");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.expiration", "Fri Feb 01 2030 [...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.value", "14969");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.expiration", "Fri Feb 01 2030 00:00:00[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.value", "%222993%22");
Deleted : user_pref("extensions.crossriderapp435.435.description", "Premiumplay Codec check");
Deleted : user_pref("extensions.crossriderapp435.435.domain", "");
Deleted : user_pref("extensions.crossriderapp435.435.emailsig", "");
Deleted : user_pref("extensions.crossriderapp435.435.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp435.435.exposesites", "");
Deleted : user_pref("extensions.crossriderapp435.435.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp435.435.group", 0);
Deleted : user_pref("extensions.crossriderapp435.435.homepage", "");
Deleted : user_pref("extensions.crossriderapp435.435.iframe", false);
Deleted : user_pref("extensions.crossriderapp435.435.js", "\n\n//------------------ PLUGIN app_435_specific S[...]
Deleted : user_pref("extensions.crossriderapp435.435.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp435.435.name", "Codec-V");
Deleted : user_pref("extensions.crossriderapp435.435.newtab", "");
Deleted : user_pref("extensions.crossriderapp435.435.opensearch", "");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.code", "if(!appAPI.matchPages(\"search.[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.name", "app_435_specific");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.ver", 2);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.code", "(function(B){b.selectedText=fun[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.code", "\"undefined\"===typeof appAPI&&[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.code", "(function(e){function u(c,B){fo[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.code", "(function(b,a){function i(){var[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.code", "var $$jquery;\n(function(l,n){f[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_0", "17,14,16");
Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_1", "17,14,13,16,15,10");
Deleted : user_pref("extensions.crossriderapp435.435.pluginsurl", "hxxp://app-static.crossrider.com/plugin/app[...]
Deleted : user_pref("extensions.crossriderapp435.435.pluginsversion", 2);
Deleted : user_pref("extensions.crossriderapp435.435.premium", true);
Deleted : user_pref("extensions.crossriderapp435.435.publisher", "Premiumplay");
Deleted : user_pref("extensions.crossriderapp435.435.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp435.435.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp435.435.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp435.435.thankyou", "");
Deleted : user_pref("extensions.crossriderapp435.435.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp435.435.ver", 48);
Deleted : user_pref("extensions.crossriderapp435.adsOldValue", -1);
Deleted : user_pref("extensions.crossriderapp435.apps", "435");
Deleted : user_pref("extensions.crossriderapp435.bic", "1367a61efa65673cf93eebd3a8f605e2");
Deleted : user_pref("extensions.crossriderapp435.cid", 435);
Deleted : user_pref("extensions.crossriderapp435.firstrun", false);
Deleted : user_pref("extensions.crossriderapp435.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp435.installationdate", 1333493100);
Deleted : user_pref("extensions.crossriderapp435.jsver", 3);
Deleted : user_pref("extensions.crossriderapp435.lastcheck", 22226397);
Deleted : user_pref("extensions.crossriderapp435.lastcheckitem", 22226428);
Deleted : user_pref("extensions.crossriderapp435.misc.lastBgWorkerTimer", "1333585689227");
Deleted : user_pref("extensions.crossriderapp435.misc.lastDomWorkerTimer", "1333585689183");
Deleted : user_pref("extensions.nurit5562nurit235.scode", "(function(){try{for(i=0;i<5;i++){window.setTimeout([...]

*************************

AdwCleaner[R1].txt - [13730 octets] - [16/08/2012 19:16:40]
AdwCleaner[S1].txt - [13862 octets] - [17/08/2012 16:03:26]

########## EOF - C:\AdwCleaner[S1].txt - [13991 octets] ##########

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:20 AM

Posted 18 August 2012 - 07:26 AM

Any remaining issues?

#10 stbutt01

stbutt01
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 22 August 2012 - 10:58 PM

I have not encountered any clicking issues, but when I run spy-bot, it still detects the DoubleClick virus. What do you think it could be and how can I get rid of it? By the way, thanks for everything so far.

Sean

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:20 AM

Posted 23 August 2012 - 08:19 AM

What is DoubleClick?
http://www.google.com/doubleclick/
An advertising co. not a virus.

===

Lets find out if Spybot and Destroy changes your HOSTS file so as to ignore the cookies coming from DoubleClick clients.

By default, if you try to modify your hosts file in Vista or Window 7, it will not let you save it. It tells you that you don't have permission. To successfully modify the hosts file, run notepad.exe as an administrator and open the file.

1) Browse to Start -> All Programs -> Accessories
2) Right click "Notepad" and select "Run as administrator"
3) Click "Continue" on the UAC prompt
4) Click File -> Open
5) Browse to "C:\Windows\System32\Drivers\etc"
6) Change the file filter drop down box from "Text Documents (*.txt)" to "All Files (*.*)"
7) Select "hosts" and click "Open"
8) Search the file for Doubleclick do you see any entries with that name?

Close the file.

p.s.
All you need to know about the hosts file.
http://www.mvps.org/winhelp2002/hosts.htm

#12 stbutt01

stbutt01
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 23 August 2012 - 10:52 AM

It only shows an IP address and localhost

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:20 AM

Posted 23 August 2012 - 01:30 PM

This HOSTS file created by a Microsoft MVP will help in eliminating the installation some of the Doubleclick cookies.

Download HostsXpert

Tutorial, go here:
http://i28.photobucket.com/albums/c227/tetonbob/emoticons/HostsXpert4.jpg
  • Unzip HostsXpert to it's own folder.
  • Run HostsXpert.exe (run as an Administrator)
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.
Note: If a custom Hosts file was in place, also edit those entries back in.
*/*
I suggest that you update the new version of the Hosts file, every 6 weeks. I Do.

If you have any difficulties please refer to this page.

Directions for Windows 7 Operating system.
http://www.mvps.org/winhelp2002/hostswin7.htm

Let me know if you have any difficulties with this installation.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:20 AM

Posted 29 August 2012 - 10:03 AM

Are you still with me?

#15 stbutt01

stbutt01
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 30 August 2012 - 11:56 AM

Sorry, yeah I'm still here. I downloaded the HOSTS file but it didn't seem to have an effect on the DoubleClick cookies because it still appears when I run Spybot




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users