
Default Search Provider Corrupted


7 replies to this topic

#1 cheeseman55 (Members)

Posted 16 October 2012 - 09:36 PM

EDIT: Moved to Virus, Trojan, Spyware, and Malware Removal Logs ~~ boopme

I need help getting rid of the search provider default message which says a program has corrupted my search provider setting for Internet Explorer. This computer is using Vista and IE 8.

The machine has been infected since 02/13 which is the day that the normal template for Word was set to read only. I have tried many things such as locating all files last modified on 02/13/2012 and ensuring that they are now not read only. In some cases I renamed them in addition to changing their attributes. I did this by using the cmd command, positioning myself in the users\CurrentUser directory, and then entering the command dir /s >f:\dirlist.txt to pipe the results to my thumb drive, and from there I used notepad’s find command to look for the 02/13/2012 modified files.
I have gone into regedit, and modified entries in scopes, and in user preferences, basing them on other machines that I have access to. I have used Windows update to go between IE 7, 8, and 9. When using IE 7, I do not have a problem with the default search provider.

I ran hijackthis, but I don’t know how to interpret the log as shown below. Any ideas of what to try would be appreciated.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:42:06 PM, on 10/16/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Program Files\Freedom Scientific\Shared\Freedom Import Printer\fipagent.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Freedom Scientific\JAWS\13.0\jfw.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Freedom Scientific\Shared\FSOcr\FSOcrServer.exe
C:\Program Files\Freedom Scientific\JAWS\13.0\fsATProxy.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-1629
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost;127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Freedom Import Printer printing agent] C:\Program Files\Freedom Scientific\Shared\Freedom Import Printer\fipagent.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [JAWS] "C:\Program Files\Freedom Scientific\JAWS\13.0\jfw.exe" /run
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SoftAuto.exe] "C:\Program Files\Creative\Software Update 3\SoftAuto.exe"
O4 - HKCU\..\Run: [CTZDetec.exe] "C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JTVNCProxy_12.0 - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\12.0\JTVNCProxy.exe
O23 - Service: JTVNCProxy_13.0 - Freedom Scientific BLV Group LLC - C:\Program Files\Freedom Scientific\JAWS\13.0\JTVNCProxy.exe

--
End of file - 6288 bytes

Edited by boopme, 16 October 2012 - 10:14 PM.
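As an added example (not part of the thread, and not code from HijackThis), here is a small triage script for the log format posted above. It parses the R0/R1 (start and search page), O2 (BHO), O4 (Run key) and O23 (service) lines and flags the entries a responder looks at first: registrations pointing at a file that no longer exists, services with an unknown publisher, and start/search page URLs whose host is not on an expected list. The sample lines are copied from the posted log; the regular expressions and the EXPECTED_HOSTS allowlist are assumptions made for this example.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hosts a responder expects in IE start/search page entries. Constructed for
# this example; tailor it to the machine under review (the OEM page below is
# flagged only so that a human looks at it, not because it is known bad).
EXPECTED_HOSTS = {"go.microsoft.com", "google.com", "www.google.com"}

# Sample lines taken from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-1629
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O23 - Service: JTVNCProxy_12.0 - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\12.0\JTVNCProxy.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Line shapes as they appear in the log; assumed, not taken from the tool's spec.
LINE_PATTERNS = {
    "R": re.compile(r"^(R[01]) - (.+?) =\s*(.*)$"),
    "O2": re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$"),
    "O4": re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$"),
    "O23": re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$"),
}


@dataclass
class Entry:
    section: str   # R0, R1, O2, O4 or O23
    name: str      # BHO/service/Run-value name, or the registry value for R lines
    owner: str     # publisher (O23), CLSID (O2), hive path (O4), "" for R lines
    target: str    # file path or URL the entry points at
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a recognised log line, or None for anything else."""
    line = line.strip()
    m = LINE_PATTERNS["R"].match(line)
    if m:
        return Entry(m.group(1), m.group(2), "", m.group(3))
    m = LINE_PATTERNS["O2"].match(line)
    if m:
        return Entry("O2", m.group(1), m.group(2), m.group(3))
    m = LINE_PATTERNS["O4"].match(line)
    if m:
        return Entry("O4", m.group(2), m.group(1), m.group(3))
    m = LINE_PATTERNS["O23"].match(line)
    if m:
        return Entry("O23", m.group(1), m.group(2), m.group(3))
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries):
    """Attach review flags to entries and return only the flagged ones."""
    for e in entries:
        if e.section in ("R0", "R1") and e.target.strip():
            host = urlsplit(e.target.strip()).hostname or ""
            if host not in EXPECTED_HOSTS:
                e.flags.append("review host: " + host)
        # A BHO/Run entry whose file is gone is dead weight at best and a
        # leftover of removed adware at worst; either way it should be cleaned.
        if e.target == "(no file)" or e.name == "(no name)":
            e.flags.append("orphaned registration")
        if e.section == "O23" and e.owner == "Unknown owner":
            e.flags.append("service with unknown publisher")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section:3} {e.name} -> {e.target}  [{'; '.join(e.flags)}]")
```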


#2 nasdaq (Malware Response Team)

Posted 18 October 2012 - 10:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

#3 cheeseman55 (Topic Starter)

Posted 18 October 2012 - 02:15 PM

Thank you very much for the help. As you likely will be able to tell from the logs, my system has been updated, but the problem still exists. I will await further instructions.

ComboFix 12-10-18.03 - jkadmin 10/18/2012 11:31:04.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2941.1840 [GMT -5:00]
Running from: c:\users\jkadmin\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\0.bak
c:\program files\RadioPI_4eEI
c:\program files\RadioRage_4jEI
c:\program files\RadioRage_4jEI\Installr\1.bin\4jEIPlug.dll
c:\program files\RadioRage_4jEI\Installr\1.bin\NP4jEISb.dll
c:\users\jkadmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop old.ini
c:\users\jkadmin\AppData\Roaming\Microsoft\Windows\Cookies\index old.dat
c:\windows\security\Database\tmp.edb
c:\windows\SSCE5432.DLL
c:\windows\system32\drivers\etc\hosts1
c:\windows\system32\msstdfmt.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-18 to 2012-10-18 )))))))))))))))))))))))))))))))
.
.
2012-10-18 12:36 . 2012-10-12 05:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2004462E-04D8-4F4D-972E-310CD66622FE}\mpengine.dll
2012-10-16 18:16 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-16 12:58 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2012-10-16 12:58 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-10-16 12:36 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2012-10-15 20:56 . 2012-10-15 20:56 -------- d-----w- c:\program files\Trend Micro
2012-10-11 20:34 . 2012-10-11 20:34 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-10 03:54 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 03:53 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 03:53 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 03:53 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-10 03:53 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 03:53 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 03:53 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-08 02:59 . 2012-09-28 02:32 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9293481E-7A71-4CE1-8CAC-691E7CD64E99}\gapaengine.dll
2012-09-28 20:09 . 2012-09-28 20:09 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-09-28 02:51 . 2012-09-28 02:32 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-27 03:57 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-22 20:25 . 2012-09-27 03:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-11 20:34 . 2011-09-17 22:20 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-03 17:09 . 2012-09-03 17:09 1356 ----a-w- c:\users\jkadmin\AppData\Local\d3d9caps.tmp
2012-08-31 03:03 . 2012-08-31 03:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-31 03:03 . 2012-03-21 01:44 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-01 18:44 . 2012-08-01 18:44 37768 ----a-w- c:\windows\system32\drivers\fsbrldsp.sys
2012-08-01 18:43 . 2012-08-01 18:43 99696 ----a-w- c:\windows\system32\fsbrldspapi.dll
2012-08-01 18:42 . 2012-08-01 18:42 18312 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\Addins\JawsAddin.dll
2012-08-01 18:25 . 2012-08-01 18:25 16744 ----a-w- c:\windows\system32\drivers\powerbrl.sys
2012-08-01 17:19 . 2012-08-01 17:19 25960 ----a-w- c:\windows\system32\fskutil.dll
2012-08-01 17:19 . 2012-08-01 17:19 21864 ----a-w- c:\windows\system32\fsKMgr.dll
2012-08-01 17:19 . 2012-08-01 17:19 13672 ----a-w- c:\windows\system32\drivers\fsvidmir.sys
2012-08-01 17:19 . 2012-08-01 17:19 128360 ----a-w- c:\windows\system32\fsvidmir.dll
2012-08-01 17:19 . 2012-08-01 17:19 110440 ----a-w- c:\windows\system32\fsVidMag.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-05-28 401408]
"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2008-04-24 368640]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"Freedom Import Printer printing agent"="c:\program files\Freedom Scientific\Shared\Freedom Import Printer\fipagent.exe" [2011-08-05 94208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"JAWS"="c:\program files\Freedom Scientific\JAWS\13.0\jfw.exe" [2012-08-01 1490312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^jkadmin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\users\jkadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^jkadmin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\users\jkadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-09-13 21:09 638976 ----a-w- c:\program files\Camera Assistant Software for Gateway\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JAWS]
2011-08-11 02:09 1331512 ----a-w- c:\program files\Freedom Scientific\JAWS\12.0\jfw.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
2008-01-19 03:37 40072 ----a-w- c:\windows\SMINST\Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-11 20:34]
.
2011-11-06 c:\windows\Tasks\PC Unleashed Defrag.job
- c:\program files\PC Unleashed Online\Suite\pcu.exe [2011-08-03 19:27]
.
2012-10-17 c:\windows\Tasks\PC Unleashed Registration3.job
- c:\program files\Common Files\PC Unleashed Online\UUS3\UUS3.dll [2011-08-03 19:27]
.
2012-08-27 c:\windows\Tasks\PC Unleashed Update Version3.job
- c:\program files\Common Files\PC Unleashed Online\UUS3\Update3.exe [2011-08-03 19:27]
.
2012-10-12 c:\windows\Tasks\PC Unleashed.job
- c:\program files\PC Unleashed Online\Suite\pcu.exe [2011-08-03 19:27]
.
2012-10-18 c:\windows\Tasks\User_Feed_Synchronization-{1C2F362A-0A2D-408C-AEB5-E5528597696E}.job
- c:\windows\system32\msfeedssync.exe [2012-10-16 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-1629
uInternet Settings,ProxyOverride = *.local;localhost;127.0.0.1
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.33.1
FF - ProfilePath - c:\users\jkadmin\AppData\Roaming\Mozilla\Firefox\Profiles\r8bfjerc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-ABBYY Screenshot Reader Retail - (no file)
MSConfigStartUp-F-Secure Manager - c:\program files\Charter Security Suite\Common\FSM32.EXE
MSConfigStartUp-F-Secure TNB - c:\program files\Charter Security Suite\FSGUI\TNBUtil.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-18 11:56
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-587565644-3833608471-106863242-1000\Software\SecuROM\License information*]
"datasecu"=hex:41,e7,ba,2e,67,41,59,e9,37,fd,c6,c6,57,d3,f9,9e,bb,a4,ec,e2,c0,
cc,44,2b,9e,8e,38,16,0a,5d,86,29,e2,48,0b,d9,09,d5,97,06,bc,3d,2a,12,e2,47,\
"rkeysecu"=hex:3a,6f,17,b7,c1,d7,26,f7,fa,7a,8f,00,4f,6b,2e,11
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\WUDFHost.exe
c:\windows\sttray.exe
c:\program files\Freedom Scientific\Shared\FSOcr\FSOcrServer.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Freedom Scientific\JAWS\13.0\fsATProxy.exe
.
**************************************************************************
.
Completion time: 2012-10-18 12:01:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-18 17:01
.
Pre-Run: 107,121,651,712 bytes free
Post-Run: 107,127,123,968 bytes free
.
- - End Of File - - 16C6D2BA859EE5894AF196B87782DEC7



Results of screen317's Security Check version 0.99.51
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
(On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
CCleaner
Java™ 6 Update 29
Java Access Bridge
Java™ 6 Update 5
Java™ SE Development Kit 6 Update 16
Java DB 10.4.2.1
Java version out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Adobe Reader X KB403742.. Adobe Reader out of Date!
Mozilla Firefox (3.0.15) Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

# AdwCleaner v2.005 - Logfile created 10/18/2012 at 13:42:09
# Updated 14/10/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : jkadmin - JKADMIN-PC
# Boot Mode : Normal
# Running from : C:\Users\jkadmin\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\.autoreg

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\Software\Freeze.com
Key Found : HKU\S-1-5-21-587565644-3833608471-106863242-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.19328

[OK] Registry is clean.

-\\ Mozilla Firefox v3.0.15 (en-US)

Profile name : default
File : C:\Users\jkadmin\AppData\roaming\Mozilla\Firefox\Profiles\r8bfjerc.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\jkadmin\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R2].txt - [1218 octets] - [18/10/2012 13:42:09]

########## EOF - C:\AdwCleaner[R2].txt - [1278 octets] ##########

#4 nasdaq (Malware Response Team)

Posted 19 October 2012 - 07:05 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 29
Java™ 6 Update 5
Java™ SE Development Kit 6 Update 16


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[Sn].txt (n is a number).

===

I need help getting rid of the search provider default message which says a program has corrupted my search provider setting for Internet Explorer. This computer is using Vista and IE 8.


Try the suggested fix on this page.


http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/a-program-on-your-computer-has-corrupted-your/854f9563-5dfe-48fc-9180-0927339a93cf

If at any time you need help please ask before proceeding.

Keep me posted.

#5 cheeseman55 (Topic Starter)

Posted 22 October 2012 - 08:54 AM

Okay, I updated Java to 7, and deleted 6. I updated Adobe reader to version 10.

I updated the register, and attached the log below.

The search provider error has not gone away. I performed a Windows Update to IE 9, with no change. I haven't completely decided to do it yet, but it looks like I will need to create another user account as described in the link that you gave me. I have a feeling that a couple of registry entries are set incorrectly, because it won't let me check the box prohibiting other programs from suggesting a search provider, and even though it says that a provider is the default, the dialogue still comes up. The bing sound prior to the message popping up is gone. I think I remembered seeing one of those ntuser files being tampered with on 02/13, so I reset the attributes so that it was not read only. I see another one still on the machine, from the 14th. Perhaps this is the result of the reboot. I thought about renaming it, but before doing that, I really should create another user account that I can be logged into.

On the bright side, the machine seems to be performing more in line with how I would expect it to perform.

Thanks again for all of your help, and feel free to pass along any thoughts.


# AdwCleaner v2.005 - Logfile created 10/19/2012 at 10:42:31
# Updated 14/10/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : jkadmin - JKADMIN-PC
# Boot Mode : Normal
# Running from : C:\Users\jkadmin\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\.autoreg

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\Software\Freeze.com

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.19328

[OK] Registry is clean.

-\\ Mozilla Firefox v3.0.15 (en-US)

Profile name : default
File : C:\Users\jkadmin\AppData\roaming\Mozilla\Firefox\Profiles\r8bfjerc.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\jkadmin\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R2].txt - [1347 octets] - [18/10/2012 13:42:09]
AdwCleaner[S1].txt - [1133 octets] - [19/10/2012 10:42:31]

########## EOF - C:\AdwCleaner[S1].txt - [1193 octets] ##########

#6 nasdaq (Malware Response Team)

Posted 22 October 2012 - 09:12 AM

I agree creating a new profile will save you a lot of grief and time.

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#7 cheeseman55 (Topic Starter)

Posted 22 October 2012 - 11:03 PM

Creating a second administrative user account, and copying as the link instructed resulted in the same error. Apparently one of the files keeps me from checking the box which does not allow another program to suggest a different search provider. The third account appears to be working correctly but I have yet to copy over anything. Would you perhaps know of any links that suggest how to manually copy over portions of the profile? I could copy a folder, log out of the old, back into the new, and see if the box remains checked after launching IE. Or, should I simply manually export and import favorites and e-mails over to the new account? This isn't my machine, and she seems to have a good deal of data on here.

Thanks again for any help.


#8 nasdaq (Malware Response Team)

Posted 23 October 2012 - 01:14 PM

Google this string transfer files new user account vista

If the 3rd account is good you can start with it and add what else the owner wants.



