Google Redirect Virus


  • This topic is locked
27 replies to this topic

#1 BobDevere (Members, 18 posts)

Posted 17 September 2012 - 08:24 AM

The problem includes redirects to Scour.com and a host of other sites. The redirect occurs on Google search links, seemingly at random. I have tried TDSSKiller, Malwarebytes and ComboFix (after following the instructions in the Google redirect threads on BleepingComputer, including creating the Java script, etc.), and the problem persists. I need help. Thank you.


#2 CatByte (bleepin' tiger; Malware Response Team; 14,664 posts; Canada)

Posted 17 September 2012 - 11:55 AM

What is your operating system?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 BobDevere (Topic Starter; Members, 18 posts)

Posted 17 September 2012 - 12:07 PM

Windows 7

#4 CatByte (bleepin' tiger; Malware Response Team; 14,664 posts; Canada)

Posted 17 September 2012 - 01:10 PM

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file; close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).



#5 BobDevere (Topic Starter; Members, 18 posts)

Posted 17 September 2012 - 07:04 PM

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-09-2012
Ran by SYSTEM at 17-09-2012 18:41:33
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-09-15] ()
HKLM\...\Run: [SBRegRebootCleaner] C:\Program Files (x86)\Sunbelt Software\VIPRE\SBRC.exe [197968 2010-08-20] (Sunbelt Software)
HKLM-x32\...\Run: [SBAMTray] "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe" [1348944 2010-08-20] (Sunbelt Software)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime [155648 2012-05-05] (Apple Computer, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKU\No\...\Run: [lpc] rundll32.exe "C:\Users\No\AppData\Roaming\Remote\dllx4.dll",RegisterDll [x]
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
ShortcutTarget: Snapfish PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
Startup: C:\Users\No\Start Menu\Programs\Startup\MagicDisc.lnk
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (No File)

==================== Services (Whitelisted) ===================

2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [496232 2010-03-04] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [209000 2010-03-04] ()
2 SBAMSvc; "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe" [2763080 2010-08-20] (Sunbelt Software)
2 SBPIMSvc; "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe" [181584 2010-08-20] (Sunbelt Software)
3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) =====================

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
2 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2009-10-20] (CACE Technologies, Inc.)
2 sbapifs; C:\Windows\System32\Drivers\sbapifs.sys [64600 2010-06-14] (Sunbelt Software)
1 SbFw; C:\Windows\System32\Drivers\SbFw.sys [253528 2010-07-27] (Sunbelt Software, Inc.)
3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [84056 2010-04-15] (Sunbelt Software, Inc.)
3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [84056 2010-04-15] (Sunbelt Software, Inc.)
3 sbhips; C:\Windows\System32\Drivers\sbhips.sys [60504 2010-07-27] (Sunbelt Software, Inc.)
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [49752 2010-03-22] (Sunbelt Software)
1 SbTis; C:\Windows\System32\Drivers\SbTis.sys [94296 2010-07-27] (Sunbelt Software, Inc.)
3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-09-17 14:56 - 2012-09-17 14:56 - 00000000 ____D C:\Users\No\AppData\Roaming\Remote
2012-09-17 13:24 - 2012-09-17 13:24 - 01454285 ____A (Farbar) C:\Users\No\Desktop\FRST64.exe
2012-09-17 12:17 - 2012-09-17 13:47 - 00000112 ____A C:\Windows\setupact.log
2012-09-17 12:17 - 2012-09-17 12:17 - 00001444 ____A C:\Windows\PFRO.log
2012-09-17 12:17 - 2012-09-17 12:17 - 00000000 ____A C:\Windows\setuperr.log
2012-09-16 22:18 - 2012-09-16 22:18 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2012-09-16 22:15 - 2012-09-16 22:15 - 00019993 ____A C:\ComboFix.txt
2012-09-16 22:03 - 2012-09-16 22:03 - 00000000 ____A C:\Users\No\defogger_reenable
2012-09-16 21:50 - 2012-09-16 21:50 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-16 21:50 - 2012-09-07 14:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-16 21:17 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-09-16 21:17 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-09-16 21:17 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-09-16 21:17 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-09-16 21:17 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-09-16 21:17 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-09-16 21:17 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-09-16 21:17 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-09-16 20:06 - 2012-09-16 20:13 - 00000000 ____D C:\Users\No\AppData\Local\NPE
2012-09-16 07:02 - 2012-09-16 07:02 - 00262144 ____A C:\Windows\System32\config\elam
2012-09-16 06:24 - 2012-09-16 06:33 - 00000000 ____D C:\Program Files (x86)\PC Tools
2012-09-16 06:08 - 2012-09-16 06:08 - 02105184 ____A C:\Windows\System32\Drivers\Cat.DB
2012-09-16 06:08 - 2012-06-22 12:35 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys
2012-09-16 06:07 - 2012-09-16 06:32 - 00000000 ____D C:\Users\All Users\PC Tools
2012-09-16 06:07 - 2012-09-16 06:07 - 00000000 ____D C:\Users\No\AppData\Roaming\TestApp
2012-09-15 14:19 - 2012-09-15 14:19 - 00000000 ____D C:\Users\No\AppData\Local\SweetScape
2012-09-15 08:18 - 2012-09-15 14:31 - 00000000 ____D C:\Users\No\Desktop\Editor
2012-09-15 07:57 - 2012-09-15 07:57 - 00000000 ____D C:\Users\No\Downloads\New folder (4)
2012-09-14 20:57 - 2012-09-14 20:57 - 00000000 ____D C:\Program Files (x86)\AutoHotkey
2012-09-14 20:51 - 2012-09-15 14:24 - 00000000 ____D C:\Users\No\AppData\Local\010 Editor
2012-09-14 20:49 - 2012-09-14 20:49 - 00000000 ____D C:\Program Files (x86)\Sothink SWF Decompiler
2012-09-14 19:52 - 2012-09-14 19:52 - 00001352 ____A C:\Users\No\Documents\AutoHotkey.ahk
2012-09-14 19:47 - 2012-09-14 19:47 - 00000000 ____D C:\Users\No\Documents\SweetScape
2012-09-14 19:47 - 2012-09-14 19:47 - 00000000 ____D C:\Users\No\AppData\Roaming\SweetScape
2012-09-14 19:46 - 2012-09-14 20:36 - 00000000 ____D C:\Program Files (x86)\SourceTec
2012-09-14 19:44 - 2012-09-14 19:44 - 00000000 ____D C:\Users\All Users\AutoUpdate
2012-09-14 19:01 - 2012-09-14 22:00 - 00000000 ____D C:\Program Files (x86)\DComSoft
2012-09-09 14:30 - 2012-09-17 15:39 - 00077279 ____A C:\Windows\WindowsUpdate.log
2012-09-09 14:15 - 2012-09-14 05:21 - 00000000 ____D C:\Users\All Users\0C1D173D00001C950008C11AF875F002
2012-09-07 08:36 - 2012-09-07 08:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-08-30 18:52 - 2012-09-08 15:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-08-30 18:52 - 2012-08-30 18:52 - 00001132 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-08-27 13:43 - 2012-08-27 13:43 - 00000104 ____A C:\Windows\System32\SBRC.dat
2012-08-27 11:28 - 2012-08-27 11:34 - 00000000 ____D C:\Users\No\AppData\Roaming\Izowke
2012-08-27 11:28 - 2012-08-27 11:28 - 00000000 ____D C:\Users\No\AppData\Roaming\Pocy
2012-08-27 11:03 - 2012-08-27 11:03 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-20 08:05 - 2012-09-14 07:56 - 00000000 ____D C:\Users\No\AppData\Local\blekkotb_031
2012-08-20 08:05 - 2012-08-20 08:33 - 00000000 ____D C:\Users\All Users\blekko toolbars


==================== 3 Months Modified Files ==================

2012-09-17 15:39 - 2012-09-09 14:30 - 00077279 ____A C:\Windows\WindowsUpdate.log
2012-09-17 15:39 - 2011-11-11 17:27 - 00000506 ____A C:\Windows\SysWOW64\CountBlockedByFirewall.XML
2012-09-17 15:18 - 2012-04-08 13:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-17 13:54 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-17 13:54 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-17 13:51 - 2009-07-13 21:13 - 00732464 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-17 13:47 - 2012-09-17 12:17 - 00000112 ____A C:\Windows\setupact.log
2012-09-17 13:47 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-17 13:24 - 2012-09-17 13:24 - 01454285 ____A (Farbar) C:\Users\No\Desktop\FRST64.exe
2012-09-17 12:17 - 2012-09-17 12:17 - 00001444 ____A C:\Windows\PFRO.log
2012-09-17 12:17 - 2012-09-17 12:17 - 00000000 ____A C:\Windows\setuperr.log
2012-09-16 22:14 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-09-16 22:03 - 2012-09-16 22:03 - 00000000 ____A C:\Users\No\defogger_reenable
2012-09-16 07:02 - 2012-09-16 07:02 - 00262144 ____A C:\Windows\System32\config\elam
2012-09-16 06:40 - 2012-01-15 20:46 - 00125848 ____A C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2012-09-16 06:08 - 2012-09-16 06:08 - 02105184 ____A C:\Windows\System32\Drivers\Cat.DB
2012-09-14 19:52 - 2012-09-14 19:52 - 00001352 ____A C:\Users\No\Documents\AutoHotkey.ahk
2012-09-10 13:27 - 2012-02-06 14:22 - 00000320 ____A C:\Windows\Tasks\HPCeeScheduleForNo.job
2012-09-10 13:27 - 2011-11-07 15:19 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-09-07 14:04 - 2012-09-16 21:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-05 15:14 - 2012-04-08 13:07 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-05 15:14 - 2011-11-01 15:05 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-30 18:52 - 2012-08-30 18:52 - 00001132 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-08-29 19:07 - 2012-02-10 10:12 - 00001570 ____A C:\Users\No\Desktop\DivX Movies.lnk
2012-08-29 19:06 - 2012-02-10 10:12 - 00001114 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
2012-08-27 20:54 - 2012-01-30 21:55 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForNO-HP$.job
2012-08-27 13:43 - 2012-08-27 13:43 - 00000104 ____A C:\Windows\System32\SBRC.dat
2012-08-16 00:18 - 2009-07-13 20:45 - 02428648 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-15 20:29 - 2011-11-01 15:14 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-07 18:07 - 2012-05-05 13:47 - 00054156 ___AH C:\Windows\QTFont.qfn
2012-08-07 07:55 - 2012-08-07 07:55 - 00255352 ____A (Audible, Inc.) C:\Windows\SysWOW64\awrdscdc.ax
2012-08-07 07:55 - 2012-08-07 07:55 - 00001967 ____A C:\Users\No\Desktop\Audible Manager.lnk
2012-07-24 09:02 - 2012-07-24 09:02 - 00001192 ____A C:\Users\No\Desktop\RISKII - Shortcut.lnk
2012-07-24 09:02 - 2012-07-24 09:02 - 00000599 ____A C:\Users\No\Desktop\LORDS2 - Shortcut.lnk
2012-07-23 13:46 - 2011-11-21 11:54 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-07-23 05:51 - 2012-07-23 05:52 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-07-23 05:51 - 2012-07-23 05:52 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-07-23 05:34 - 2012-07-23 05:34 - 00955888 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-23 05:34 - 2012-07-23 05:34 - 00839152 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-07-23 05:34 - 2012-07-23 05:34 - 00268784 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-23 05:34 - 2012-07-23 05:34 - 00189424 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-07-23 05:34 - 2012-07-23 05:34 - 00188912 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-07-22 10:20 - 2012-07-22 10:20 - 00000624 ____A C:\Users\No\No - Shortcut.lnk
2012-07-22 10:18 - 2012-07-22 10:18 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-07-22 09:36 - 2012-07-22 05:12 - 00000682 ____A C:\Windows\System32\.crusader
2012-07-22 09:31 - 2012-07-22 09:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.913772F71F981DD6
2012-07-22 05:49 - 2009-07-13 18:34 - 00000098 ____A C:\Windows\System32\Drivers\etc\hosts.hitmanpro
2012-07-18 10:15 - 2012-08-15 02:59 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-14 14:43 - 2012-07-14 14:43 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-619941627-1110601475-524485384-1000Core1cd62121673a358.job
2012-07-12 02:30 - 2011-12-05 11:36 - 00002346 ____A C:\Users\No\Desktop\Google Chrome.lnk
2012-07-11 00:10 - 2009-07-13 18:34 - 00000499 ____A C:\Windows\win.ini
2012-07-05 19:06 - 2012-07-23 05:52 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-05 19:06 - 2012-07-23 05:52 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-05 19:06 - 2011-11-18 20:36 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-07-04 14:16 - 2012-08-15 02:59 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-15 02:59 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-15 02:59 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-15 02:59 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-15 02:59 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-06-28 20:55 - 2012-08-15 20:33 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 20:09 - 2012-08-15 20:33 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 19:56 - 2012-08-15 20:33 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 19:49 - 2012-08-15 20:33 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 19:49 - 2012-08-15 20:33 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 19:48 - 2012-08-15 20:33 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 19:47 - 2012-08-15 20:33 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 19:45 - 2012-08-15 20:33 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 19:44 - 2012-08-15 20:33 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 19:43 - 2012-08-15 20:33 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 19:42 - 2012-08-15 20:33 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 19:40 - 2012-08-15 20:33 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 19:39 - 2012-08-15 20:33 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 19:35 - 2012-08-15 20:33 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 16:52 - 2012-08-15 20:33 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 16:27 - 2012-08-15 20:33 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 16:16 - 2012-08-15 20:33 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 16:09 - 2012-08-15 20:33 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 16:09 - 2012-08-15 20:33 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 16:08 - 2012-08-15 20:33 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 16:07 - 2012-08-15 20:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 16:06 - 2012-08-15 20:33 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 16:04 - 2012-08-15 20:33 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 16:04 - 2012-08-15 20:33 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 16:01 - 2012-08-15 20:33 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 16:01 - 2012-08-15 20:33 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 16:00 - 2012-08-15 20:33 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 15:57 - 2012-08-15 20:33 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-27 14:47 - 2009-07-13 21:08 - 00032636 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-22 12:35 - 2012-09-16 06:08 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys

ZeroAccess:
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f}
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f}\L
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-14 20:33:47
Restore point made on: 2012-09-16 20:11:09

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3839.3 MB
Available physical RAM: 3023.63 MB
Total Pagefile: 3837.45 MB
Available Pagefile: 3005.24 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:685.27 GB) (Free:137.78 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (HP_RECOVERY) (Fixed) (Total:13.27 GB) (Free:1.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:3.73 GB) (Free:2.51 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 3819 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 685 GB 101 MB
Partition 3 Primary 13 GB 685 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 685 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 13 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 3818 MB Healthy

=========================================================

Last Boot: 2012-09-16 11:53

==================== End Of Log =============================
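The entries CatByte acts on in this log can be picked out mechanically. What follows is an added triage script written for this page, not code from the thread, from FRST or from its author: it parses a few constructed sample lines copied in the format of the FRST.txt above (a Run value that loads a DLL from AppData\Roaming via rundll32 and ends in FRST's "[x]" not-found marker, a hidden+system folder literally named %APPDATA% under SysWOW64, and a GUID folder under Windows\Installer with L and U subfolders as listed under FRST's "ZeroAccess:" heading), cross-references the DLL's folder against the "Created Files and Folders" section, and emits the flagged lines in the start/end block that FRST's Fix button reads. The heuristic names, the Finding class and the two benign control lines are this example's own; the findings are leads for a human to review, not automatic deletions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the format of the FRST.txt posted above,
# plus one benign Run entry and one benign folder as controls.
SAMPLE_FRST = r"""
HKLM\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKU\No\...\Run: [lpc] rundll32.exe "C:\Users\No\AppData\Roaming\Remote\dllx4.dll",RegisterDll [x]
2012-09-17 14:56 - 2012-09-17 14:56 - 00000000 ____D C:\Users\No\AppData\Roaming\Remote
2012-08-27 11:03 - 2012-08-27 11:03 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-09-07 08:36 - 2012-09-07 08:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
ZeroAccess:
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f}
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f}\L
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f}\U
"""


@dataclass
class Finding:
    kind: str    # which heuristic fired
    path: str    # the object the line refers to
    detail: str  # why it was flagged (a lead for a human, not a verdict)
    line: str    # the log line to reuse verbatim in a fixlist


# Line shapes as they appear in the log above.
RUN_RE = re.compile(r'^(?P<hive>HK\S+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
    r'(?P<size>\d{8}) (?P<attrs>\S{5}) (?:\((?P<pub>[^)]*)\) )?(?P<path>.*)$')
GUID_DIR_RE = re.compile(
    r'^(?P<base>[A-Za-z]:\\Windows\\Installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})'
    r'(?:\\(?P<sub>[LU]))?$', re.IGNORECASE)
DLL_RE = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)


def triage(log_text: str) -> list:
    """Return a Finding for every log line that trips one of the heuristics."""
    lines = log_text.splitlines()
    findings = []

    # Pass 1: index created files/folders so Run entries can be cross-referenced.
    created = {}  # lower-cased path -> (creation timestamp, original path, log line)
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            created[m['path'].lower()] = (m['created'], m['path'], line)

    guid_dirs = {}  # GUID folder under Windows\Installer -> set of L/U subfolders seen
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            rest = m['rest']
            if rest.endswith('[x]'):  # FRST's marker for a target it could not find
                findings.append(Finding('run-missing-target', rest,
                    f"{m['hive']} Run value '{m['name']}' points at a file FRST could not find", line))
            dll = DLL_RE.search(rest)
            if 'rundll32' in rest.lower() and dll and '\\appdata\\' in dll.group(1).lower():
                dll_path = dll.group(1)
                findings.append(Finding('run-rundll32-appdata', dll_path,
                    f"rundll32 loads a DLL from the user profile: {dll_path}", line))
                parent = created.get(dll_path.rsplit('\\', 1)[0].lower())
                if parent:
                    findings.append(Finding('dll-folder', parent[1],
                        f"folder holding that DLL was created {parent[0]}", parent[2]))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m['attrs'], m['path']
            if 'S' in attrs and 'H' in attrs and '\\windows\\' in path.lower():
                findings.append(Finding('hidden-system-under-windows', path,
                    f"new hidden+system object under the Windows directory (attrs {attrs})", line))
            if '%' in path.rsplit('\\', 1)[-1]:
                findings.append(Finding('literal-env-var-name', path,
                    "name is an unexpanded environment-variable string", line))
            continue
        m = GUID_DIR_RE.match(line)
        if m:
            subs = guid_dirs.setdefault(m['base'], set())
            if m['sub']:
                subs.add(m['sub'].upper())

    for base, subs in guid_dirs.items():
        if subs >= {'L', 'U'}:
            findings.append(Finding('zeroaccess-installer-dir', base,
                "GUID folder under Windows\\Installer with L and U subfolders, "
                "the layout FRST lists under its 'ZeroAccess:' heading", base))
    return findings


def to_fixlist(findings: list) -> str:
    """Wrap the flagged log lines in the start/end block that FRST's Fix button reads."""
    body = []
    for f in findings:
        if f.line not in body:  # two heuristics may flag the same line; list it once
            body.append(f.line)
    return '\n'.join(['start', *body, 'end'])


if __name__ == '__main__':
    results = triage(SAMPLE_FRST)
    for f in results:
        print(f"[{f.kind}] {f.detail}")
    print(to_fixlist(results))
```

On the sample the fixlist comes out with four lines between start and end: the lpc Run line, the Remote folder line, the %APPDATA% folder line and the bare GUID folder (the L and U subfolders are dropped because removing the parent covers them). Whether a flagged line belongs in a real fixlist is still a judgement call; the hidden %APPDATA% folder, for instance, is worth a look but is not proof of anything on its own.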

#6 BobDevere (Topic Starter; Members, 18 posts)

Posted 17 September 2012 - 07:06 PM

Search Log:

Farbar Recovery Scan Tool (x64) Version: 17-09-2012
Ran by SYSTEM at 2012-09-17 18:43:14
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____N (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\Services.exe
[2012-07-22 10:06] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
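The reason CatByte asked for a search on services.exe is visible in the output: every copy of the binary FRST can find, including the one in the WinSxS component store, is listed with its size and MD5, so a patched copy in System32 would stand out. The script below is an added example for this page, not part of the thread or of FRST: it parses the Search.txt output as posted (all three hashes identical) and a constructed variant in which the System32 copy is given a different size and a made-up MD5, and reports any copy outside winsxs whose hash matches none of the winsxs copies. The function names and the patched sample are this example's own.

```python
import re

# Search.txt output as posted above: three copies of services.exe, identical MD5.
SEARCH_CLEAN = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____N (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\Services.exe
[2012-07-22 10:06] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

# Constructed variant, not from the thread: the System32 copy is given a different
# size and a made-up MD5, which is what a patched services.exe would look like.
SEARCH_PATCHED = SEARCH_CLEAN.replace(
    "0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB\n\nC:\\Windows\\erdnt",
    "0329216 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF\n\nC:\\Windows\\erdnt")

PATH_RE = re.compile(r'^[A-Za-z]:\\\S')
DETAIL_RE = re.compile(
    r'^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) '
    r'(?:\((?P<pub>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$')


def parse_search(text: str) -> list:
    """Pair each path line with the detail line that follows it."""
    copies, pending = [], None
    for line in text.splitlines():
        m = DETAIL_RE.match(line)
        if m and pending:
            copies.append({'path': pending, 'size': int(m['size']), 'publisher': m['pub'],
                           'md5': m['md5'].upper(), 'modified': m['modified']})
            pending = None
        elif PATH_RE.match(line):
            pending = line.strip()
    return copies


def odd_copies(copies: list) -> list:
    """Paths of copies whose MD5 matches none of the WinSxS component-store copies.

    Servicing normally keeps each installed version of a component under winsxs
    (until component cleanup removes superseded ones), so the set of winsxs hashes
    is the reference; a System32 copy matching none of them is a lead to follow up.
    """
    def in_winsxs(c):
        return '\\winsxs\\' in c['path'].lower()
    reference = {c['md5'] for c in copies if in_winsxs(c)}
    if not reference:
        raise ValueError('no WinSxS copy in the search output; nothing to compare against')
    return [c['path'] for c in copies if not in_winsxs(c) and c['md5'] not in reference]


if __name__ == '__main__':
    for label, text in (('as posted', SEARCH_CLEAN), ('constructed patched variant', SEARCH_PATCHED)):
        print(label, '->', odd_copies(parse_search(text)) or 'all copies match winsxs')
```

An MD5 match against the component store is evidence of an unmodified file on disk, not of a clean system: it says nothing about what is loaded in memory, and a mismatch is a reason to look closer rather than a verdict, since the comparison only works when a matching winsxs entry exists.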

#7 BobDevere (Topic Starter; Members, 18 posts)

Posted 17 September 2012 - 07:16 PM

An additional issue now. On restart, this pops up twice:

There was a problem starting.
c:\users\no\appdata\roaming\remote\dllx4.dll
The specified module could not be found.

#8 CatByte (bleepin' tiger; Malware Response Team; 14,664 posts; Canada)

Posted 17 September 2012 - 08:44 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\No\...\Run: [lpc] rundll32.exe "C:\Users\No\AppData\Roaming\Remote\dllx4.dll",RegisterDll [x]
C:\Users\No\AppData\Roaming\Remote\dllx4.dll
2012-09-09 14:15 - 2012-09-14 05:21 - 00000000 ____D C:\Users\All Users\0C1D173D00001C950008C11AF875F002
2012-08-27 11:28 - 2012-08-27 11:34 - 00000000 ____D C:\Users\No\AppData\Roaming\Izowke
2012-08-27 11:28 - 2012-08-27 11:28 - 00000000 ____D C:\Users\No\AppData\Roaming\Pocy
2012-08-20 08:05 - 2012-09-14 07:56 - 00000000 ____D C:\Users\No\AppData\Local\blekkotb_031
2012-08-20 08:05 - 2012-08-20 08:33 - 00000000 ____D C:\Users\All Users\blekko toolbars
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location: Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here.
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#9 BobDevere (Topic Starter; Members, 18 posts)

Posted 17 September 2012 - 09:59 PM

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-09-2012
Ran by SYSTEM at 2012-09-17 21:35:44 Run:1
Running from G:\

==============================================

HKEY_USERS\No\Software\Microsoft\Windows\CurrentVersion\Run\\lpc Value not found.
C:\Users\No\AppData\Roaming\Remote\dllx4.dll moved successfully.
C:\Users\All Users\0C1D173D00001C950008C11AF875F002 moved successfully.
C:\Users\No\AppData\Roaming\Izowke moved successfully.
C:\Users\No\AppData\Roaming\Pocy moved successfully.
C:\Users\No\AppData\Local\blekkotb_031 moved successfully.
C:\Users\All Users\blekko toolbars moved successfully.
C:\Windows\Installer\{1182a13b-0bbb-535c-2ab3-698c374fdd2f} moved successfully.

==== End of Fixlog ====

#10 BobDevere (Topic Starter; Members, 18 posts)

Posted 17 September 2012 - 10:00 PM

Combofix log:

ComboFix 12-09-16.01 - No 09/17/2012 21:41:35.8.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.2689 [GMT -5:00]
Running from: c:\users\No\Downloads\ComboFix.exe
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
FW: Sunbelt VIPRE *Disabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\No\AppData\Roaming\Remote
c:\users\No\AppData\Roaming\Remote\kkjt
.
.
((((((((((((((((((((((((( Files Created from 2012-08-18 to 2012-09-18 )))))))))))))))))))))))))))))))
.
.
2012-09-18 02:48 . 2012-09-18 02:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-18 02:48 . 2012-09-18 02:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-18 00:36 . 2012-09-18 00:36 -------- d-----w- C:\FRST
2012-09-17 06:18 . 2012-09-17 06:18 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-09-17 04:06 . 2012-09-17 04:13 -------- d-----w- c:\users\No\AppData\Local\NPE
2012-09-16 14:24 . 2012-09-16 14:33 -------- d-----w- c:\program files (x86)\PC Tools
2012-09-16 14:08 . 2012-09-16 14:33 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-09-16 14:08 . 2012-06-22 20:35 251560 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-09-16 14:07 . 2012-09-16 14:32 -------- d-----w- c:\programdata\PC Tools
2012-09-16 14:07 . 2012-09-16 14:07 -------- d-----w- c:\users\No\AppData\Roaming\TestApp
2012-09-15 22:19 . 2012-09-15 22:19 -------- d-----w- c:\users\No\AppData\Local\SweetScape
2012-09-15 05:03 . 2012-09-15 05:03 -------- d-----w- c:\program files (x86)\010 Editor v3
2012-09-15 04:57 . 2012-09-15 04:57 -------- d-----w- c:\program files (x86)\AutoHotkey
2012-09-15 04:51 . 2012-09-15 22:24 -------- d-----w- c:\users\No\AppData\Local\010 Editor
2012-09-15 04:49 . 2012-09-15 04:49 -------- d-----w- c:\program files (x86)\Common Files\SourceTec
2012-09-15 04:49 . 2012-09-15 04:49 -------- d-----w- c:\program files (x86)\Sothink SWF Decompiler
2012-09-15 03:47 . 2012-09-15 03:47 -------- d-----w- c:\users\No\AppData\Roaming\SweetScape
2012-09-15 03:46 . 2012-09-15 04:36 -------- d-----w- c:\program files (x86)\SourceTec
2012-09-15 03:44 . 2012-09-15 03:44 -------- d-----w- c:\programdata\AutoUpdate
2012-09-15 03:01 . 2012-09-15 06:00 -------- d-----w- c:\program files (x86)\DComSoft
2012-08-31 02:52 . 2012-09-08 23:55 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-08-27 19:03 . 2012-08-27 19:03 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-05 23:14 . 2012-04-08 21:07 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-05 23:14 . 2011-11-01 23:05 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 04:29 . 2011-11-01 23:14 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-07 15:55 . 2012-08-07 15:55 255352 ----a-w- c:\windows\SysWow64\awrdscdc.ax
2012-08-05 19:20 . 2012-05-02 04:56 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-08-05 19:20 . 2012-05-02 04:55 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-08-05 19:19 . 2012-05-02 04:55 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-08-02 19:29 . 2012-08-02 19:29 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-08-02 19:28 . 2012-08-02 19:28 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-08-02 19:28 . 2012-08-02 19:28 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-08-02 19:28 . 2012-08-02 19:28 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-07-23 13:34 . 2012-07-23 13:34 839152 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-23 13:34 . 2012-07-23 13:34 955888 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-23 13:34 . 2012-07-23 13:34 268784 ----a-w- c:\windows\system32\javaws.exe
2012-07-23 13:34 . 2012-07-23 13:34 189424 ----a-w- c:\windows\system32\javaw.exe
2012-07-23 13:34 . 2012-07-23 13:34 188912 ----a-w- c:\windows\system32\java.exe
2012-07-22 17:31 . 2012-07-22 17:31 328704 ----a-w- c:\windows\system32\services.exe.913772F71F981DD6
2012-07-18 18:15 . 2012-08-15 10:59 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-06 03:06 . 2012-07-23 13:52 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-07-06 03:06 . 2011-11-19 04:36 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-04 22:16 . 2012-08-15 10:59 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-15 10:59 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-15 10:59 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-15 10:59 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-06-29 04:55 . 2012-08-16 04:33 17809920 ----a-w- c:\windows\system32\mshtml.dll
2012-06-29 04:09 . 2012-08-16 04:33 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-06-29 03:56 . 2012-08-16 04:33 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 03:49 . 2012-08-16 04:33 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-29 03:49 . 2012-08-16 04:33 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 03:48 . 2012-08-16 04:33 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 03:47 . 2012-08-16 04:33 237056 ----a-w- c:\windows\system32\url.dll
2012-06-29 03:45 . 2012-08-16 04:33 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-29 03:44 . 2012-08-16 04:33 816640 ----a-w- c:\windows\system32\jscript.dll
2012-06-29 03:43 . 2012-08-16 04:33 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 03:42 . 2012-08-16 04:33 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-29 03:40 . 2012-08-16 04:33 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-29 03:39 . 2012-08-16 04:33 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-29 03:35 . 2012-08-16 04:33 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-29 00:16 . 2012-08-16 04:33 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-29 00:09 . 2012-08-16 04:33 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-29 00:08 . 2012-08-16 04:33 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04 . 2012-08-16 04:33 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00 . 2012-08-16 04:33 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((( SnapShot_2012-09-17_05.25.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-01 23:24 . 2012-09-18 02:38 54546 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-09-17 05:05 41166 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-18 02:38 41166 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-11-01 23:24 . 2012-09-18 02:38 14744 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-619941627-1110601475-524485384-1000_UserData.bin
- 2011-05-24 17:15 . 2012-09-16 15:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-24 17:15 . 2012-09-17 20:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-24 17:15 . 2012-09-17 20:25 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-24 17:15 . 2012-09-16 15:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-17 20:25 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-16 15:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-11-05 13:27 . 2012-09-17 04:11 3970 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-11-05 13:27 . 2012-09-17 20:17 3970 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-09-18 02:36 . 2012-09-18 02:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-17 05:03 . 2012-09-17 05:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-18 02:36 . 2012-09-18 02:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-17 05:03 . 2012-09-17 05:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-09-17 05:08 628304 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-18 02:43 628304 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-18 02:43 108482 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-09-17 05:08 108482 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-09-17 05:03 534984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-09-18 02:32 534984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-11-01 23:19 . 2012-09-17 05:03 3677600 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-619941627-1110601475-524485384-1000-8192.dat
+ 2011-11-01 23:19 . 2012-09-18 02:32 3677600 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-619941627-1110601475-524485384-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-08-20 1348944]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"QuickTime Task"="c:\program files (x86)\QuickTime\qttask.exe" [2012-05-05 155648]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
c:\users\No\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-9-28 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe [2010-08-20 2763080]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-05 250568]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-07 114144]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys [2010-04-15 84056]
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-07-27 60504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-02 1255736]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-12-19 29288]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-07-27 253528]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-03-22 49752]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-07-27 94296]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 47632]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 399344]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2010-06-14 64600]
S2 SBPIMSvc;SB Recovery Service;c:\program files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe [2010-08-20 181584]
S3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys [2010-04-15 84056]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 23:14]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-619941627-1110601475-524485384-1000Core1cd62121673a358.job
- c:\users\No\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-05 19:36]
.
2012-08-28 c:\windows\Tasks\HPCeeScheduleForNO-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2012-09-10 c:\windows\Tasks\HPCeeScheduleForNo.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-09-15 611896]
"SBRegRebootCleaner"="c:\program files (x86)\Sunbelt Software\VIPRE\SBRC.exe" [2010-08-20 197968]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: En&queue current page with BID - file://c:\program files (x86)\Bulk Image Downloader\iemenu\iebidqueue.htm
IE: Enqueue link tar&get with BID - file://c:\program files (x86)\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
IE: Open &link target with BID - file://c:\program files (x86)\Bulk Image Downloader\iemenu\iebidlink.htm
IE: Open current page with BI&D - file://c:\program files (x86)\Bulk Image Downloader\iemenu\iebid.htm
IE: Open current page with BID Link Explorer - file://c:\program files (x86)\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\No\AppData\Roaming\Mozilla\Firefox\Profiles\jlhenit6.default\
FF - prefs.js: browser.search.selectedEngine - Blekko
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-17 21:50:39
ComboFix-quarantined-files.txt 2012-09-18 02:50
ComboFix2.txt 2012-09-17 06:15
ComboFix3.txt 2012-09-17 05:44
ComboFix4.txt 2012-09-17 05:27
ComboFix5.txt 2012-09-18 02:40
.
Pre-Run: 147,864,870,912 bytes free
Post-Run: 147,565,125,632 bytes free
.
- - End Of File - - 5AE7E57416550235399D15F0EC81F5A9

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 September 2012 - 06:08 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 BobDevere

BobDevere
  • Topic Starter

  • Members
  • 18 posts

Posted 19 September 2012 - 12:23 AM

AdwCleaner:

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\No\AppData\Roaming\Mozilla\Firefox\Profiles\jlhenit6.default\prefs.js

C:\Users\No\AppData\Roaming\Mozilla\Firefox\Profiles\jlhenit6.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "Blekko");
Deleted : user_pref("browser.search.order.1", "Blekko");
Deleted : user_pref("browser.search.selectedEngine", "Blekko");

-\\ Google Chrome v20.0.1132.57

File : C:\Users\No\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [3529 octets] - [18/09/2012 18:43:02]

########## EOF - C:\AdwCleaner[S1].txt - [3589 octets] ##########

#13 BobDevere

BobDevere
  • Topic Starter

  • Members
  • 18 posts

Posted 19 September 2012 - 12:24 AM

MalwareBytes:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.18.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
No :: NO-HP [administrator]

9/18/2012 6:56:47 PM
mbam-log-2012-09-18 (18-56-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206490
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 BobDevere

BobDevere
  • Topic Starter

  • Members
  • 18 posts

Posted 19 September 2012 - 12:25 AM

ESETSCAN:

C:\Users\No\AppData\Roaming\Mozilla\Firefox\Profiles\jlhenit6.default\extensions\eqhghiheju@eqhghiheju.org.xpi JS/Redirector.NCA trojan
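
A defender-side check for the Firefox indicators in these logs: the user.js overrides ComboFix listed under "FF - user.js:" and AdwCleaner deleted, and the add-on ESET flagged. This is an added example, not code from the thread or from ComboFix, AdwCleaner or ESET; the pref names and values are the ones shown in the logs, the sample file is constructed, and the profile directory layout (user.js, prefs.js, extensions) is assumed from the paths in the logs.

```python
"""Audit a Firefox profile for the search-hijack indicators seen in this thread.

Added example, not code from the thread or from any tool used in it.
"""
import re
from pathlib import Path

# Prefs whose listed values switch off a browser safeguard (values as they appeared
# in the ComboFix "FF - user.js:" lines of this thread).
WEAKENING_PREFS = {
    "security.warn_submit_insecure": "false",
    "security.warn_submit_insecure.show_once": "false",
    "security.warn_viewing_mixed": "false",
    "security.warn_viewing_mixed.show_once": "false",
    "privacy.clearOnShutdown.cookies": "false",
    "network.cookie.cookieBehavior": "0",
}
# Prefs a search hijacker rewrites (AdwCleaner deleted the first three here);
# any value is reported so the owner can confirm it is one they chose.
SEARCH_PREFS = {
    "browser.search.defaultenginename", "browser.search.order.1",
    "browser.search.selectedEngine", "keyword.URL", "browser.startup.homepage",
}

# Matches user_pref("name", value); and pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_prefs(text):
    """Map pref name -> value string for every pref line; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs


def audit_prefs(prefs, source):
    """Return (source, pref, value, reason) tuples for the prefs worth a reviewer's eye."""
    findings = []
    for name, value in prefs.items():
        if WEAKENING_PREFS.get(name) == value:
            findings.append((source, name, value, "browser safeguard disabled"))
        elif name in SEARCH_PREFS:
            findings.append((source, name, value, "search/homepage override, confirm it is yours"))
    return findings


def audit_files(files):
    """Audit a {file name: text} mapping holding user.js and/or prefs.js contents."""
    findings = []
    if "user.js" in files:
        # Firefox does not create user.js itself, and it re-applies its prefs on
        # every start, which is why AdwCleaner removed the file in this thread.
        findings.append(("user.js", "<file>", "present", "persistent override file exists"))
    for name in ("user.js", "prefs.js"):
        if name in files:
            findings += audit_prefs(parse_prefs(files[name]), name)
    return findings


def audit_profile(profile_dir):
    """Read user.js, prefs.js and the extensions folder of one profile directory."""
    profile = Path(profile_dir)
    files = {n: (profile / n).read_text(errors="replace")
             for n in ("user.js", "prefs.js") if (profile / n).exists()}
    findings = audit_files(files)
    ext_dir = profile / "extensions"
    if ext_dir.is_dir():
        # Every add-on is listed; the ESET hit here was an .xpi with a random-looking
        # id, and only a person can judge whether an id belongs there.
        for entry in sorted(ext_dir.iterdir()):
            findings.append(("extensions", entry.name, "installed", "review add-on id"))
    return findings


# Constructed sample mirroring the user.js entries the logs showed; not the real file.
SAMPLE_USER_JS = """\
// constructed sample
user_pref("browser.search.defaultenginename", "Blekko");
user_pref("browser.search.selectedEngine", "Blekko");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_viewing_mixed", false);
"""

if __name__ == "__main__":
    for finding in audit_files({"user.js": SAMPLE_USER_JS}):
        print(finding)
```

Point audit_profile at a real profile directory (the one in the logs was under AppData\Roaming\Mozilla\Firefox\Profiles) to check a live profile instead of the sample.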

#15 BobDevere

BobDevere
  • Topic Starter

  • Members
  • 18 posts

Posted 19 September 2012 - 10:28 AM

And CatByte, thank you so much for all your time and effort in helping. I was on the edge of system restoring, but this project has become something of a detective story and I want to see how it comes out.


