Infected with Babylon & mystart, & javascript:void(0);


  • This topic is locked
201 replies to this topic

#1 Ektar

  • Members
  • 115 posts

Posted 13 September 2012 - 11:36 PM

Sorry, I'm not computer literate... however, I saw that I was infected with Babylon & MyStart in June 2012 & I'm not sure when the javascript:void(0) started. I went through procedures from another website & thought Babylon & Incredible were gone... however they were not, on loading Chrome or IE.

I did try to find as much info as I could & I thought I got rid of them... now they are back.
I run an Inspiron 531S with Vista & have Firefox, Google, & IE but use FF...
I also run MalwareBytes, Spybot S&D Resident, Advanced SystemCare, IObit Malware Fighter 1.5, Panda Cloud Antivirus, Prevx v3.0.5.220 & Microsoft Essentials w/o Defender.

Last night I saw info from another named site I won't mention, not cool...
I ran Dr. Web's CureIt & the quick scan was near or over 16 bloody hours... & found nothing. Sorry, but that does not sound like a quick scan. I hope you can help me w/o such a long time w/o use of my computer, as that's all I have... no TV. Thank You So MUCH!!!

I do have a question besides to PLEASE help me... & that is, if I'm running Malwarebytes or Spybot, do I have to be totally out of everything, meaning I cannot use the computer while, because I do not want to waste anyone's time & your help is GREATLY APPRECIATED!!!

I have wasted SO many hours & weeks in June & now 2 weeks in Sept researching how to fix these problems. I do not just trust anyone & especially the quick fixes.
I am VERY thankful for ALL your Help!!!

Cheers
Ektar

Edited by Ektar, 14 September 2012 - 12:45 AM.



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 04:46 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
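Gringo asks for the DDS logs because the "Pseudo HJT Report" section lists exactly the places a browser hijacker such as Babylon or MyStart hooks in: the IE start and search pages, BHOs, toolbars, Run keys and Firefox prefs. As an added example (not part of this thread, the DDS tool or BleepingComputer's procedure), the Python script below does a first-pass triage of that section: it refangs the hxxp:// URLs DDS writes, flags start/search pages pointing outside an assumed allow-list of search hosts, lists orphaned "No File" add-ons, and marks add-on DLLs or Run entries loading from outside assumed trusted locations. The allow-list, the trusted path prefixes and the sample log (which copies the line format of the log posted later in this thread, with made-up .invalid hosts and an all-zero CLSID standing in for a hijacker's entries) are assumptions made for illustration.

```python
"""First-pass triage of the 'Pseudo HJT Report' section of a DDS.txt log.

Added example for this thread: not part of the DDS tool, BleepingComputer's
procedure or any poster's code. It assumes the one-entry-per-line format DDS
uses for this section (uStart Page = ..., BHO: name: {CLSID} - path,
uRun: [name] command, FF - prefs.js: pref - value). The allow-list of search
hosts, the trusted path prefixes and the sample log are assumptions made up
for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts a clean IE/Firefox profile is expected to point at (assumption).
EXPECTED_HOSTS = {"www.google.com", "www.bing.com", "www.yahoo.com"}
# Add-on DLLs outside these prefixes get a "review" flag (assumption).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")
# Run entries launching from here get a "review" flag. Per-user updaters such
# as Google Update legitimately live in AppData, so this is a prompt to look,
# not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

RE_URL_SETTING = re.compile(r"^([umd][A-Za-z_ ,()]+?) = (hxxps?://\S+)$")
RE_FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (hxxps?://\S+)$")
RE_ADDON = re.compile(r"^(BHO|TB|EB): (?:(.+?): )?(\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RE_RUN = re.compile(r"^([um])Run(Once)?: \[([^\]]+)\] (.+)$")
RE_EXE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|bat|cmd))"?', re.I)


def refang_host(url):
    """DDS writes 'hxxp' so URLs are not clickable; restore it to parse."""
    return urlparse(re.sub(r"^hxxp", "http", url)).hostname or ""


def triage(hjt_text):
    """Return a list of (severity, detail) findings for one HJT section."""
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = RE_URL_SETTING.match(line) or RE_FF_PREF.match(line)
        if m:
            key, host = m.group(1), refang_host(m.group(2))
            if host not in EXPECTED_HOSTS:
                findings.append(("hijack", f"{key} -> {host}"))
            continue
        m = RE_ADDON.match(line)
        if m:
            kind, name, clsid, path = m.groups()
            if path == "No File":
                # Registry still names a DLL that is gone: leftover of an
                # uninstalled add-on, harmless but worth cleaning.
                findings.append(("orphan", f"{kind} {clsid}"))
            elif not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append(("review", f"{kind} {name or clsid} loads {path}"))
            continue
        m = RE_RUN.match(line)
        if m:
            hive, once, name, cmd = m.groups()
            exe = RE_EXE.match(cmd)
            exe_path = (exe.group(1) if exe else cmd).lower()
            if any(d in exe_path for d in USER_WRITABLE):
                findings.append(("review", f"{hive}Run{once or ''} [{name}] {exe_path}"))
    return findings


# Constructed sample. The "No File", Spybot and Sidebar/Google Update lines
# copy the format of the log posted later in this thread; the .invalid hosts
# and the all-zero CLSID are placeholders for what a hijacker's entries look
# like, not real indicators.
SAMPLE_HJT = """\
uStart Page = hxxp://www.madeup-start.invalid/
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://search.madeup-toolbar.invalid/?q=%s
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\program files\\spybot - search & destroy\\SDHelper.dll
BHO: Made-up Toolbar Helper: {00000000-0000-0000-0000-000000000000} - c:\\users\\owner\\appdata\\roaming\\madeup\\helper.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
uRun: [Google Update] "c:\\users\\owner\\appdata\\local\\google\\update\\GoogleUpdate.exe" /c
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
"""

if __name__ == "__main__":
    for severity, detail in triage(SAMPLE_HJT):
        print(f"[{severity:6}] {detail}")
```

Paste the Pseudo HJT section of a real DDS.txt into `triage()` to get the same three classes of findings. "hijack" entries are the ones that actually change what the browser does and are where a Babylon or MyStart infection shows up; "orphan" entries are dead registry pointers; "review" entries need a human look, since legitimate per-user software (Google Update in this very log) also starts from AppData.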

#3 Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 05:00 PM

Hi Gringo, thank you so much for your help. Sorry, my internet service has been out today & I am just getting your message & am now following your instructions.

Cheers
Ektar

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 05:21 PM

No Problem


gringo

#5 Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 05:41 PM

Hi Gringo

Results of screen317's Security Check version 0.99.50
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Panda Cloud Antivirus
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.0.1400
Java 7 Update 7
Adobe Flash Player 11.4.402.265
Mozilla Firefox (15.0)
Mozilla Thunderbird (3.1.11) Thunderbird out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Panda Security Panda Cloud Antivirus PSUAMain.exe
Panda Security Panda Cloud Antivirus PSUAService.exe
Panda Security Panda Cloud Antivirus PSANHost.exe
IObit IObit Malware Fighter IMFsrv.exe
IObit IObit Malware Fighter IMF.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 06:00 PM

I will be waiting for the other reports when they are ready


gringo

#7 Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 06:44 PM

Sorry it took SO long, as I do not want to waste your time. I couldn't find a way to disable Microsoft Essentials,
so I finally went to settings & unchecked everything & it seemed to have worked...

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Owner at 19:34:45 on 2012-09-14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1405 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Disabled/Updated* {3456760B-FDAA-FFFD-06C2-7BB528D2066C}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Panda Cloud Antivirus *Disabled/Updated* {8F3797EF-DB90-F073-3C72-40C753554CD1}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: IObit Malware Fighter *Enabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
FW: Cloud Antivirus Firewall *Disabled* {0C6DF72E-B7C5-FEA5-2D9D-D280D6014117}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\AERTSrv.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Prevx\prevx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAService.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Users\Owner\Downloads\SecurityCheck.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: CDelHotkeys Object: {78875f5c-a685-4405-8dc5-d48dc65452b0} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BE4BD794-7292-4114-A408-F06C56F51049} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
uRun: [msnmsgr] "c:\program files\windows live\messenger\MSNMSGR.EXE" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
mRun: [PSUAMain] "c:\program files\panda security\panda cloud antivirus\PSUAMain.exe" /LaunchSysTray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
uPolicies-explorer: NoRealMode = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{57DC54CC-034A-4EBC-8A1C-78ACBF7CAF85} : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\4vs228u4.default-1343788102204\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-12-3 4608]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R0 nvamacpi;NVIDIA Away Mode System;c:\windows\system32\drivers\nvamacpi.sys [2009-7-17 24608]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-12-27 32008]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-2-1 15672]
R1 MpKsld9532105;MpKsld9532105;c:\programdata\microsoft\microsoft antimalware\definition updates\{4db8eb65-a5b6-40f5-91c5-06bc0232e2c5}\MpKsld9532105.sys [2012-9-14 29904]
R1 NNSALPC;NNSAlpc;c:\windows\system32\drivers\NNSAlpc.sys [2012-6-27 82472]
R1 NNSHTTP;NNSHttp;c:\windows\system32\drivers\NNSHttp.sys [2012-6-27 120744]
R1 NNSIDS;NNSids;c:\windows\system32\drivers\NNSIds.sys [2012-6-27 122664]
R1 NNSPICC;NNSPicc;c:\windows\system32\drivers\NNSpicc.sys [2012-6-27 93992]
R1 NNSPOP3;NNSPop3;c:\windows\system32\drivers\NNSPop3.sys [2012-6-27 104104]
R1 NNSPROT;NNSProt;c:\windows\system32\drivers\NNSProt.sys [2012-6-27 286376]
R1 NNSPRV;NNSPrv;c:\windows\system32\drivers\NNSPrv.sys [2012-6-27 153000]
R1 NNSSMTP;NNSSmtp;c:\windows\system32\drivers\NNSSmtp.sys [2012-6-27 106536]
R1 NNSSTRM;NNSStrm;c:\windows\system32\drivers\NNSStrm.sys [2012-7-12 206632]
R1 NNSTLSC;NNSTlsc;c:\windows\system32\drivers\NNStlsc.sys [2012-6-27 92840]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2012-7-13 174632]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-12-27 76696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-11-17 913792]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-12-27 6416120]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-12-3 21504]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-14 821592]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2012-7-13 140064]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-7-13 148520]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2012-7-13 103464]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2012-7-13 114216]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2012-7-13 120872]
R2 PSUAService;Panda Product Service;c:\program files\panda security\panda cloud antivirus\PSUAService.exe [2012-7-13 36640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-7-31 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-7-29 110592]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-7-29 952832]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-7-29 483840]
R3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\FileMonitor.sys [2012-7-11 20336]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-12-27 26096]
R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\RegFilter.sys [2012-7-11 30640]
R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\UrlFilter.sys [2012-7-11 19832]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 CloudAvUpdaterEx;CloudAvUpdaterEx;c:\program files\panda security\panda cloud antivirus\Setup.exe [2012-7-10 847976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-29 250568]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-11 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 114144]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 PSKMAD;PSKMAD;c:\windows\system32\drivers\PSKMAD.sys [2012-9-14 46280]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 NNSPIHSW;NNSPihsw;c:\windows\system32\drivers\NNSPihsw.sys [2012-6-27 60968]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-09-14 20:32:37 -------- d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2012-09-14 20:31:22 -------- d-----w- c:\programdata\Malwarebytes
2012-09-14 20:31:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-14 20:31:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-14 20:21:05 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4db8eb65-a5b6-40f5-91c5-06bc0232e2c5}\MpKsld9532105.sys
2012-09-14 14:29:07 46280 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
2012-09-14 01:01:35 7022536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4db8eb65-a5b6-40f5-91c5-06bc0232e2c5}\mpengine.dll
2012-09-13 04:47:42 -------- d-----w- c:\users\owner\DoctorWeb
2012-09-13 01:01:31 7022536 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-09-06 22:47:21 -------- d-----w- c:\programdata\Ask
2012-09-05 17:29:29 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-19 16:52:07 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-08-19 16:50:30 623616 ----a-w- c:\windows\system32\localspl.dll
.
==================== Find3M ====================
.
2012-09-05 17:28:49 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-05 16:55:33 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-05 16:55:33 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-23 19:59:18 22400 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-07-13 11:01:51 120872 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2012-07-13 11:01:50 174632 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2012-07-13 11:01:50 114216 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2012-07-13 11:01:16 103464 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2012-07-13 11:01:15 148520 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2012-07-12 15:18:32 206632 ----a-w- c:\windows\system32\drivers\NNSStrm.sys
2012-07-06 02:06:30 772544 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-27 19:51:07 92840 ----a-w- c:\windows\system32\drivers\NNStlsc.sys
2012-06-27 19:51:06 286376 ----a-w- c:\windows\system32\drivers\NNSProt.sys
2012-06-27 19:51:06 153000 ----a-w- c:\windows\system32\drivers\NNSPrv.sys
2012-06-27 19:51:06 106536 ----a-w- c:\windows\system32\drivers\NNSSmtp.sys
2012-06-27 19:51:05 60968 ----a-w- c:\windows\system32\drivers\NNSPihsw.sys
2012-06-27 19:51:05 104104 ----a-w- c:\windows\system32\drivers\NNSPop3.sys
2012-06-27 19:51:04 93992 ----a-w- c:\windows\system32\drivers\NNSpicc.sys
2012-06-27 19:51:04 122664 ----a-w- c:\windows\system32\drivers\NNSIds.sys
2012-06-27 19:51:03 82472 ----a-w- c:\windows\system32\drivers\NNSAlpc.sys
2012-06-27 19:51:03 120744 ----a-w- c:\windows\system32\drivers\NNSHttp.sys
2012-06-27 02:14:52 4472832 ----a-w- c:\windows\system32\GPhotos.scr
.
============= FINISH: 19:35:31.61 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/3/2009 5:58:55 PM
System Uptime: 9/14/2012 4:19:03 PM (3 hours ago)
.
Motherboard: Dell Inc. | | 0RY206
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4000+ | Socket AM2 | 2100/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 126.618 GiB free.
D: is CDROM (CDFS)
E: is FIXED (NTFS) - 466 GiB total, 426.126 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11.6
Advanced SystemCare 5
Apple Application Support
Apple Software Update
Belarc Advisor 8.2
Canon MP Navigator EX 2.0
Canon MP480 series MP Drivers
Canon MP480 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Cooliris for Internet Explorer
D3DX10
Delicious Add-on for Internet Explorer
Driver Whiz
FileHippo.com Update Checker
Foxit Office Suite
Fraps
Game Booster
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IObit Malware Fighter
iTunes
Java 7 Update 7
Java Auto Updater
Junk Mail filter update
Kingsoft Office 2012 (8.1.0.3032)
LiveUpload to YouTube
Malwarebytes Anti-Malware version 1.65.0.1400
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft UI Engine
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Miro
Mozilla Firefox 15.0 (x86 en-US)
Mozilla Firefox 15.0.1 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird (3.1.11)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA Stereoscopic 3D Driver
Octoshape add-in for Adobe Flash Player
OpenOffice.org 3.4
Panda Cloud Antivirus
Picasa 3
Prevx
Protected Folder
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Segoe UI
SES Driver
Smart Defrag 2
Spybot - Search & Destroy
SUPERAntiSpyware
swMSM
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VLC media player 1.1.5
WD SmartWare
WIDCOMM Bluetooth Software
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live OneCare safety scanner
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
.
==== Event Viewer Messages From Past Week ========
.
9/14/2012 4:27:01 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Panda Cloud Antivirus Service service to connect.
9/14/2012 4:27:01 PM, Error: Service Control Manager [7000] - The Panda Cloud Antivirus Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/14/2012 4:24:41 PM, Error: Service Control Manager [7024] - The KtmRm for Distributed Transaction Coordinator service terminated with service-specific error 2147942438 (0x80070026).
9/14/2012 4:22:32 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Null
9/14/2012 4:22:32 PM, Error: Service Control Manager [7022] - The CloudAvUpdaterEx service hung on starting.
9/14/2012 4:20:12 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/14/2012 4:18:05 PM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
9/14/2012 4:18:02 PM, Error: Service Control Manager [7031] - The CSIScanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
9/14/2012 2:20:42 PM, Error: Service Control Manager [7031] - The Microsoft .NET Framework NGEN v4.0.30319_X86 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/12/2012 12:58:41 PM, Error: Service Control Manager [7034] - The WD File Management Engine service terminated unexpectedly. It has done this 1 time(s).
9/12/2012 12:14:38 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
.
==== End Of File ===========================

#8 Ektar

Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 07:04 PM

Hi Gringo

As far as the Panda not loading, it did load after I uninstalled MalwareBytes, then used the MBAM uninstall tool,
in case that one was tainted & wanted to get a fresh download of the new version from you guys. After re-booting Panda loaded just fine. This was all prior to starting here...I never use IE & had mostly used Chrome for job searches & 2 email contacts, so I have a couple of different gmail accts. but have not used since at least June.
I use FF & yahoo mail...had been thinking of using TB as a private acct & have the other mail screened through that one.
After everything is hopefully fixed maybe you can advise me on the protections I need. Sorry I forgot to mention I use Micro. Essentials Firewall, but I am open to ANY changes for protection.
There is so much to learn & I was trying to learn about proxies & etc for privacy & safety prior to the mess I'm in...

Cheers
Ektar

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 07:06 PM

Hello

Don't worry. If you have any type of problem, let me know and then I may change what I want you to do.




-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 Ektar

Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 08:06 PM

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 20:41:39
# Updated 09/09/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\Owner\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\user.js
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\Owner\AppData\LocalLow\Toolbar4
Folder Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ho6n8edw.default\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Deleted : HKLM\Software\Web Assistant

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ho6n8edw.default\prefs.js

C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ho6n8edw.default\user.js ... Deleted !

Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Deleted : user_pref("browser.newtab.url", "hxxp://mystart.incredibar.com/mb167?a=6OyJth2WNQ&loc=FF_NT");
Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "eabe3bd6000000000000001aa0791c51");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15551");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://www.google.com/search?babsrc=TB_ggl&q=");
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.5.29.1");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.5.29.1");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=112542&tt=3012_3");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=112542&tt=3012_[...]
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.29.123:07:42");
Deleted : user_pref("extensions.incredibar.actvtyRptTime", "1343621614482");
Deleted : user_pref("extensions.incredibar.admin", false);
Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar.afterInstallRpt", "sent");
Deleted : user_pref("extensions.incredibar.cntry", "US");
Deleted : user_pref("extensions.incredibar.dfltLng", "EN");
Deleted : user_pref("extensions.incredibar.dfltSrch", false);
Deleted : user_pref("extensions.incredibar.dfltlng", "en");
Deleted : user_pref("extensions.incredibar.dfltsrch", "false");
Deleted : user_pref("extensions.incredibar.did", "10643");
Deleted : user_pref("extensions.incredibar.envrmnt", "production");
Deleted : user_pref("extensions.incredibar.excTlbr", false);
Deleted : user_pref("extensions.incredibar.hdrMd5", "972D8E6EC6D4091688F8CAE27FF9CD5A");
Deleted : user_pref("extensions.incredibar.hmpg", false);
Deleted : user_pref("extensions.incredibar.hrdid", "eabe3bd6000000000000001aa0791c51");
Deleted : user_pref("extensions.incredibar.id", "eabe3bd6000000000000001aa0791c51");
Deleted : user_pref("extensions.incredibar.installerproductid", "26");
Deleted : user_pref("extensions.incredibar.instlDay", "15551");
Deleted : user_pref("extensions.incredibar.instlRef", "");
Deleted : user_pref("extensions.incredibar.instlday", "15551");
Deleted : user_pref("extensions.incredibar.instlref", "");
Deleted : user_pref("extensions.incredibar.isDcmntCmplt", true);
Deleted : user_pref("extensions.incredibar.isdcmntcmplt", "false");
Deleted : user_pref("extensions.incredibar.keywordurl", "");
Deleted : user_pref("extensions.incredibar.lastVrsnTs", "1.5.11.140:13:00");
Deleted : user_pref("extensions.incredibar.mntrvrsn", "1.2.0");
Deleted : user_pref("extensions.incredibar.newTab", false);
Deleted : user_pref("extensions.incredibar.newtab", "false");
Deleted : user_pref("extensions.incredibar.newtaburl", "");
Deleted : user_pref("extensions.incredibar.noFFXTlbr", false);
Deleted : user_pref("extensions.incredibar.ppd", "1");
Deleted : user_pref("extensions.incredibar.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar.productid", "26");
Deleted : user_pref("extensions.incredibar.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar.prtnrid", "Incredibar");
Deleted : user_pref("extensions.incredibar.sg", "none");
Deleted : user_pref("extensions.incredibar.smplGrp", "none");
Deleted : user_pref("extensions.incredibar.smplgrp", "none");
Deleted : user_pref("extensions.incredibar.srch", "");
Deleted : user_pref("extensions.incredibar.srchprvdr", "");
Deleted : user_pref("extensions.incredibar.tlbrId", "base");
Deleted : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyJth2WNQ&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.tlbrid", "base");
Deleted : user_pref("extensions.incredibar.tlbrsrchurl", "hxxp://mystart.Incredibar.com/?a=6OyJth2WNQ&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.upn2", "6OyJth2WNQ");
Deleted : user_pref("extensions.incredibar.upn2n", "92261842283791002");
Deleted : user_pref("extensions.incredibar.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnTs", "1.5.11.140:13:00");
Deleted : user_pref("extensions.incredibar.vrsni", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnts", "1.5.11.140:13:00");
Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
Deleted : user_pref("extensions.incredibar_i.did", "10643");
Deleted : user_pref("extensions.incredibar_i.excTlbr", false);
Deleted : user_pref("extensions.incredibar_i.id", "eabe3bd6000000000000001aa0791c51");
Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
Deleted : user_pref("extensions.incredibar_i.instlDay", "15551");
Deleted : user_pref("extensions.incredibar_i.instlRef", "");
Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
Deleted : user_pref("extensions.incredibar_i.newTab", false);
Deleted : user_pref("extensions.incredibar_i.ppd", "1");
Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar_i.productid", "26");
Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyJth2WNQ&loc=IB[...]
Deleted : user_pref("extensions.incredibar_i.upn2", "6OyJth2WNQ");
Deleted : user_pref("extensions.incredibar_i.upn2n", "92261842283791002");
Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.140:13:00");
Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
Deleted : user_pref("{336D0C35-8A85-403a-B9D2-65C292C39087}.ScriptData_WSG_whiteList", "{\"search.babylon.com\[...]

Profile name : default-1343788102204 [Profil par défaut]
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\4vs228u4.default-1343788102204\prefs.js

Deleted : user_pref("extensions.ntk.HISTORY", "[{\"title\":\"AboveTopSecret.com Recently Active Topics: Monday[...]
Deleted : user_pref("extensions.ntk.ntk_feeds", "<ul class=\"chartlist_rss\" style=\"width:100%\"><li id=\"rss[...]
Deleted : user_pref("extensions.ntk.recentClosedPers", "hxxp://download.drweb.com/demoreq/::Dr.Web anti-virus [...]

-\\ Google Chrome v21.0.1180.89

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.16] : homepage = "hxxp://search.babylon.com/?affID=112542&tt=3012_3&babsrc=HP_ss&mntrId=eabe3bd6000000000000001aa0791c51",
Deleted [l.20] : urls_to_restore_on_startup = [ "hxxp://search.babylon.com/?affID=112542&tt=3012_3&babsrc=HP_ss&mntrId=eabe3bd6000000000000001aa0791c51" ]
Deleted [l.1307] : homepage = "hxxp://search.babylon.com/?affID=112542&tt=3012_3&babsrc=HP_ss&mntrId=eabe3bd6000000000000001aa0791c51",
Deleted [l.1955] : urls_to_restore_on_startup = [ "hxxp://search.babylon.com/?affID=112542&tt=3012_3&babsrc=HP_ss&mntrId=eabe3bd6000000000000001aa0791c51" ]

*************************

AdwCleaner[S1].txt - [10296 octets] - [14/09/2012 20:41:39]

########## EOF - C:\AdwCleaner[S1].txt - [10357 octets] ##########
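The AdwCleaner log above shows what a browser hijacker of this kind leaves behind: a Firefox user.js/prefs.js full of user_pref() lines under the toolbar's own namespaces (extensions.BabylonToolbar.*, extensions.incredibar.*), core Firefox prefs such as browser.newtab.url and browser.search.order.1 repointed at the hijacker's search pages, and Chrome's homepage and startup URLs set to the same domains. The script below is an added example of the same check, written here for illustration and not AdwCleaner's own code. It parses Firefox prefs text and a Chrome Preferences JSON document, reports entries that match the marker strings and pref names taken from the log above, and can strip the flagged Firefox lines. The marker list is a deliberately short assumption built from this one log, and the Chrome JSON layout (startup URLs under a top-level "session" key) is assumed from how AdwCleaner reported it; the sample inputs are constructed.

```python
"""Detect and strip browser-hijacker settings of the kind AdwCleaner removed
in the log above (Babylon / Incredibar toolbars). Added example, not
AdwCleaner's code. Marker strings and pref names come from the log; the
Chrome JSON layout and the sample inputs are assumptions/constructed."""
import json
import re

# Brand/domain substrings seen in the log above (assumption: a real scanner
# would carry a much longer, maintained list).
HIJACK_MARKERS = ("babylon", "incredibar", "mystart")

# Pref namespaces the toolbars created for themselves; anything under them
# is hijacker-owned and can be removed outright.
HIJACK_PREF_PREFIXES = ("extensions.BabylonToolbar", "extensions.incredibar",
                        "browser.babylon.")

# Legitimate Firefox prefs a hijacker repoints; flag these only when the
# value carries a marker, since users set them themselves too.
WATCHED_PREFS = ("browser.newtab.url", "browser.startup.homepage",
                 "browser.search.order.1", "browser.search.defaultenginename",
                 "keyword.URL")

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def _has_marker(value):
    v = value.lower()
    return any(m in v for m in HIJACK_MARKERS)


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line in prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def find_firefox_hijacks(text):
    """Return [(pref_name, raw_value, reason)] for suspicious prefs."""
    findings = []
    for name, value in parse_prefs(text).items():
        if name.startswith(HIJACK_PREF_PREFIXES):
            findings.append((name, value, "hijacker-owned pref namespace"))
        elif name in WATCHED_PREFS and _has_marker(value):
            findings.append((name, value, "core pref repointed at hijacker"))
    return findings


def strip_firefox_hijacks(text):
    """Return the prefs text with every flagged user_pref() line removed.
    Apply this only with Firefox closed, since Firefox rewrites prefs.js on exit."""
    bad = {name for name, _, _ in find_firefox_hijacks(text)}
    kept = [line for line in text.splitlines()
            if not ((m := PREF_RE.match(line)) and m.group(1) in bad)]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def find_chrome_hijacks(prefs_json):
    """Return [(setting, url)] for a Chrome 'Preferences' JSON document.
    Assumption: startup URLs live under session.urls_to_restore_on_startup."""
    data = json.loads(prefs_json)
    findings = []
    homepage = data.get("homepage", "")
    if _has_marker(homepage):
        findings.append(("homepage", homepage))
    for url in data.get("session", {}).get("urls_to_restore_on_startup", []):
        if _has_marker(url):
            findings.append(("session.urls_to_restore_on_startup", url))
    return findings


# Constructed sample inputs modelled on the log above (not the real files).
SAMPLE_USER_JS = """\
user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
user_pref("browser.newtab.url", "http://mystart.incredibar.com/?loc=FF_NT");
user_pref("browser.search.order.1", "Search the web (Babylon)");
user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
user_pref("extensions.incredibar.newTab", false);
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("network.cookie.cookieBehavior", 0);
"""

SAMPLE_CHROME_PREFS = json.dumps({
    "homepage": "http://search.babylon.com/?babsrc=HP_ss",
    "session": {"urls_to_restore_on_startup": [
        "http://search.babylon.com/?babsrc=HP_ss",
        "https://www.example.org/"]},
})

if __name__ == "__main__":
    for name, value, reason in find_firefox_hijacks(SAMPLE_USER_JS):
        print(f"Firefox  {reason:32} {name} = {value}")
    for setting, url in find_chrome_hijacks(SAMPLE_CHROME_PREFS):
        print(f"Chrome   startup/homepage hijack         {setting} = {url}")
    print("--- cleaned user.js ---")
    print(strip_firefox_hijacks(SAMPLE_USER_JS), end="")
```

On the constructed sample this flags five Firefox prefs (three hijacker-owned, two repointed core prefs) and two Chrome URLs, and leaves the legitimate mozilla.org homepage and cookie pref in place. The split between "hijacker-owned namespace" and "repointed core pref" matters for cleanup: the former can be deleted wholesale, while the latter should be reset to a sane default rather than deleted, which is why AdwCleaner reports IE search scopes as "Restored" rather than "Deleted".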

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 08:31 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#12 Ektar

Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 08:34 PM

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Remove -- Date : 09/14/2012 21:30:23

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[TASK][SUSP PATH] OAS Integration : C:\Users\Owner\AppData\Local\Temp\MATS-Temp\IXPna0sjsom.clg\MATSWiz.exe -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD25 00AAJS-00B4A SCSI Disk Device +++++
--- User ---
[MBR] 8c6e83a38e869db732e5b9140f8865e2
[BSP] 89da0e16b646afa6341f032b17f61e5e : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#13 Ektar

Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 08:54 PM

I have been writing down all your instructions in case of malfunctions.
Thanks so much!

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 09:16 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#15 Ektar

Ektar
  • Topic Starter

  • Members
  • 115 posts

Posted 14 September 2012 - 10:40 PM

Hi Gringo
I'm having problems closing Panda Cloud Antivirus. Initially when I closed all virus & malware...I right clicked
on the Panda in the tray & disabled & it still looks disabled...however got a warning from Combofix
Antivirus: Panda Cloud Antivirus Antispyware: Panda Cloud Antivirus & Antispyware: IObit Malware Fighter
all need to be disabled before hitting "OK". I tried going through task manager to disable
by ending processes & keep getting denied. I think I just took care of IObit everything was off but dog time & I just turned that off.
Thanks!
Should I just bloody Hell uninstall it & reinstall afterwards?

Edited by Ektar, 14 September 2012 - 10:42 PM.
