
Installed ComboFix, Need help with log!


  • This topic is locked
26 replies to this topic

#1 ashleyh.

ashleyh.

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 22 January 2013 - 09:26 AM

Hello!

I am new here, so please excuse my ignorance about anything!

Ok, I have the Google Redirect Virus. I've scanned with Malwarebytes and many others. The only software that found it was SpyHunter 4. SpyHunter said it took care of it, but it still happens when I surf the web.

So I researched and found ComboFix. I installed it and it ran its program, and now I have a log from the scan. Can anyone who knows about this help me and tell me what to do now? I know I am supposed to post the log, according to Bleeping Computer, so someone can analyze it and tell me what to do. Thank you to anyone that helps me! I need this virus gone! Thanks!


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:17 AM

Posted 22 January 2013 - 09:44 AM

Hello. Post that log here. I moved this to Virus, Trojan, Spyware, and Malware Removal Logs.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 ashleyh.

ashleyh.
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 22 January 2013 - 09:46 AM

Hello!

I am new here, so please excuse my ignorance about anything!

Ok, I have the Google Redirect Virus. I've scanned with Malwarebytes and many others. The only software that found it was SpyHunter 4. SpyHunter said it took care of it, but it still happens when I surf the web.

So I researched and found ComboFix. I installed it and it ran its program, and now I have a log from the scan. Can anyone who knows about this help me and tell me what to do now? I know I am supposed to post the log, according to Bleeping Computer, so someone can analyze it and tell me what to do. Thank you to anyone that helps me! I need this virus gone! Thanks!




COMBOFIX LOG:

ComboFix 13-01-21.04 - ashley 01/22/2013 9:28.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2663.1493 [GMT -5:00]
Running from: c:\users\ashley\Pictures\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-22 to 2013-01-22 )))))))))))))))))))))))))))))))
.
.
2013-01-22 14:39 . 2013-01-22 14:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-21 17:29 . 2013-01-21 17:29 110080 ----a-r- c:\users\ashley\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\IconF7A21AF7.exe
2013-01-21 17:29 . 2013-01-21 17:29 110080 ----a-r- c:\users\ashley\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\IconD7F16134.exe
2013-01-21 17:29 . 2013-01-21 17:29 110080 ----a-r- c:\users\ashley\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\Icon1226A4C5.exe
2013-01-21 17:29 . 2013-01-21 17:29 -------- d-----w- C:\sh4ldr
2013-01-21 17:24 . 2013-01-21 17:24 -------- d-----w- c:\program files (x86)\MSXML 4.0
2013-01-21 13:57 . 2013-01-21 13:57 -------- d-----w- c:\programdata\BDLogging
2013-01-21 13:57 . 2007-04-11 15:11 511328 ----a-w- c:\windows\capicom.dll
2013-01-21 13:57 . 2009-07-15 05:21 1721576 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2013-01-21 13:51 . 2013-01-21 17:25 -------- d-----w- c:\program files\Bitdefender
2013-01-21 13:48 . 2013-01-21 17:21 -------- d-----w- c:\program files\Common Files\Bitdefender
2013-01-21 13:46 . 2013-01-21 13:46 -------- d-----w- c:\users\ashley\AppData\Roaming\QuickScan
2013-01-21 13:00 . 2012-12-17 11:43 38096 ----a-w- c:\windows\system32\drivers\gfiark.sys
2013-01-21 02:36 . 2013-01-21 02:36 -------- d-----w- c:\program files (x86)\VS Revo Group
2013-01-21 02:36 . 2013-01-21 02:43 -------- d-----w- c:\users\ashley\AppData\Local\Coupon Companion Plugin
2013-01-21 02:03 . 2013-01-21 02:03 -------- d-----w- c:\users\ashley\AppData\Roaming\Lavasoft
2013-01-21 01:57 . 2013-01-21 01:57 -------- d-----w- c:\users\ashley\AppData\Local\Downloaded Installations
2013-01-21 01:57 . 2013-01-21 01:57 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-01-21 01:57 . 2013-01-21 01:57 -------- d-----w- c:\program files (x86)\adawaretb
2013-01-21 01:57 . 2013-01-21 01:57 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2013-01-20 20:35 . 2013-01-20 20:36 -------- d-----w- c:\programdata\GFI Software
2013-01-20 20:34 . 2013-01-20 20:34 -------- d-----w- c:\programdata\Downloaded Installations
2013-01-20 20:31 . 2013-01-20 20:31 -------- d-----w- c:\program files (x86)\GFI Software
2013-01-20 20:31 . 2013-01-20 20:31 -------- d-----w- c:\users\ashley\AppData\Roaming\GFI Software
2013-01-20 20:23 . 2013-01-20 20:23 -------- d-----w- c:\users\ashley\AppData\Local\Avg2013
2013-01-20 03:53 . 2013-01-21 18:14 -------- d-----w- c:\program files\Enigma Software Group
2013-01-20 03:51 . 2013-01-21 18:05 -------- d-----w- c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2013-01-20 03:51 . 2013-01-21 18:13 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-01-14 19:36 . 2013-01-14 19:36 -------- d-----w- c:\users\ashley\AppData\Local\CRE
2013-01-14 19:35 . 2013-01-19 02:14 -------- d-----w- C:\Remote Programs
2013-01-14 19:35 . 2013-01-14 19:35 -------- d-----w- c:\programdata\Free Ride Games
2013-01-14 19:35 . 2013-01-14 19:45 -------- d-----w- c:\users\ashley\AppData\Roaming\.minecraft
2013-01-09 20:50 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2013-01-09 02:01 . 2013-01-09 02:01 -------- d-----w- c:\users\ashley\AppData\Local\Macromedia
2013-01-09 01:57 . 2013-01-09 01:57 -------- d-----w- c:\users\ashley\AppData\Local\Mozilla
2013-01-09 01:55 . 2013-01-09 01:55 -------- d-----w- c:\program files (x86)\Perion
2013-01-09 01:54 . 2013-01-09 01:54 450 ----a-w- C:\user.js
2012-12-30 01:03 . 2012-12-30 01:03 -------- d-----w- c:\users\ashley\AppData\Local\Programs
2012-12-23 16:27 . 2012-12-23 16:27 -------- d-----w- c:\programdata\CloudSoft
2012-12-23 16:26 . 2012-12-23 16:33 -------- d-----w- c:\program files (x86)\ZoomEx
2012-12-23 16:26 . 2012-12-23 16:33 -------- d-----w- c:\programdata\Zoomex
2012-12-23 16:26 . 2012-12-29 23:19 -------- d-----w- c:\programdata\InstallMate
2012-12-23 16:25 . 2012-12-23 16:33 110 ----a-w- C:\prefs.js
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-10 01:48 . 2012-04-01 12:28 67599240 ----a-w- c:\windows\system32\MRT.exe
2013-01-09 19:56 . 2012-04-04 23:06 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-09 19:56 . 2011-10-31 03:37 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-16 17:11 . 2012-12-21 15:36 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 15:36 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 15:36 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 15:36 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 21:49 . 2012-07-21 03:16 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-05 16:13 . 2012-12-05 16:14 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-05 16:13 . 2012-12-05 16:14 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-12-05 16:13 . 2011-10-31 03:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-11-30 04:45 . 2013-01-09 20:50 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-14 07:06 . 2012-12-12 21:33 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-12 21:33 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-12 21:33 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-12 21:33 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-12 21:33 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-12 21:33 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-12 21:33 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-12 21:33 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-12 21:33 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-12 21:33 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-12 21:33 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-12 21:33 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-12 21:33 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-12 21:33 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-12 21:33 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-12 21:33 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-12 21:33 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-12 21:33 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-12 21:33 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-12 21:33 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-12 21:33 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-12 21:33 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-09 05:45 . 2012-12-12 13:18 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-12 13:18 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-02 05:59 . 2012-12-12 13:17 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 05:11 . 2012-12-12 13:17 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-10-24 19:39 . 2012-10-24 19:39 634560 ----a-w- c:\windows\SysWow64\XceedZip.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"ROC_ROC_JULY_P1"="c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SBAMSvc;GFI VIPRE Antivirus Service;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [x]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-10-08 243712]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-01 1255736]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2010-11-05 75904]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2010-11-05 38016]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-01-21 14456]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-06-08 204288]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-11-11 137512]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-09-27 76912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2011-02-09 38096]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-01-05 1109096]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-12 01:31 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:56]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-21 19:10]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-21 19:10]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = hxxp://searchab.com/?aff=7&uid=48adace1-4d1d-11e2-99f1-00266c073af4
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
@="131473"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-22 09:44:22
ComboFix-quarantined-files.txt 2013-01-22 14:44
ComboFix2.txt 2013-01-22 01:43
.
Pre-Run: 257,678,876,672 bytes free
Post-Run: 257,384,513,536 bytes free
.
- - End Of File - - 589C2076F12121C08F43F9B568BAE40A
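
As an added example (not part of this thread, and not code from the ComboFix project): a small Python parser and triage pass over ComboFix log lines in the layout posted above. The field layout is inferred from this log, the meaning of `[x]` as a missing service binary is an assumption, and the flagging rules are my own review aids for reading such a log, not ComboFix's own logic.

```python
"""Parse and triage ComboFix log lines (added example; layout inferred from the posted log)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "Files Created" entries:  <created> . <modified> <size|--------> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Service/driver entries:  <R2|S3|...> <name>;<display name>;<path> [<date size>|x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]+)\]$"
)
# Browser start-page entries from the "Supplementary Scan" section (u = user, m = machine)
START_RE = re.compile(r"^(?P<scope>[um])Start Page = (?P<value>.+)$")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (size column is "--------")
    is_dir: bool
    path: str


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Return a FileEntry for a 'Files Created' line, or None for any other line."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return FileEntry(m["created"], m["modified"], size,
                     m["attrs"].startswith("d"), m["path"])


def triage(lines: List[str]) -> List[str]:
    """Return human-readable findings. The rules are heuristics (assumptions), not verdicts."""
    findings: List[str] = []
    for raw in lines:
        line = raw.strip()
        entry = parse_file_entry(line)
        if entry:
            low = entry.path.lower()
            # Executable code written into a user profile, where installers rarely place it
            if (not entry.is_dir and low.startswith("c:\\users\\")
                    and low.endswith((".exe", ".dll", ".sys"))):
                findings.append(f"user-profile executable: {entry.path}")
            # A new directory created directly under the drive root
            if entry.is_dir and re.fullmatch(r"[a-z]:\\[^\\]+", low):
                findings.append(f"new root-level directory: {entry.path}")
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            # Assumption: ComboFix prints [x] instead of "[date size]" when the binary is missing
            if svc["stamp"] == "x":
                findings.append(f"service binary missing: {svc['name']} -> {svc['path']}")
            continue
        sp = START_RE.match(line)
        if sp and sp["value"].lower().startswith(("hxxp://", "http://", "https://")):
            scope = "machine-wide" if sp["scope"] == "m" else "user"
            findings.append(f"{scope} start page points to external URL: {sp['value']}")
    return findings


# Constructed sample: a handful of lines copied from the log posted in this thread
SAMPLE_LOG = r"""
2013-01-22 14:39 . 2013-01-22 14:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-21 17:29 . 2013-01-21 17:29 110080 ----a-r- c:\users\ashley\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\IconF7A21AF7.exe
2013-01-21 17:29 . 2013-01-21 17:29 -------- d-----w- C:\sh4ldr
2013-01-21 13:57 . 2007-04-11 15:11 511328 ----a-w- c:\windows\capicom.dll
R2 SBAMSvc;GFI VIPRE Antivirus Service;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [x]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]
uStart Page = about:blank
mStart Page = hxxp://searchab.com/?aff=7&uid=48adace1-4d1d-11e2-99f1-00266c073af4
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Each finding is a prompt to look closer at an entry (who created it, what it does), which is the same question a log reviewer asks by hand.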

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,770 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:17 AM

Posted 05 February 2013 - 10:22 AM

Greetings Ashley and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I really apologize for the delay. There was an apparent glitch in our system so you were flying under the radar. :(

Please allow me just a little bit of time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,770 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:17 AM

Posted 05 February 2013 - 11:01 AM

Hi Ashley.

Again, I would like to apologize for the extended delay. Here is what I would like you to do first.


===================================================


Running TDSSKiller with Changed Parameters

--------------------

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters

  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log (zipped)
  • aswMBR log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 ashleyh.

ashleyh.
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 05 February 2013 - 06:25 PM

I've attached the zip from TDSSKiller.

Here is the log from aswMBR:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-05 17:53:41
-----------------------------
17:53:41.486 OS Version: Windows x64 6.1.7601 Service Pack 1
17:53:41.486 Number of processors: 2 586 0x200
17:53:41.488 ComputerName: ASHLEY-PC UserName: ashley
17:53:43.117 Initialize success
17:54:47.759 AVAST engine defs: 13020501
17:54:59.753 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000068
17:54:59.759 Disk 0 Vendor: TOSHIBA_ GT00 Size: 305245MB BusType: 11
17:54:59.785 Disk 0 MBR read successfully
17:54:59.791 Disk 0 MBR scan
17:54:59.803 Disk 0 Windows VISTA default MBR code
17:54:59.816 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
17:54:59.845 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 289710 MB offset 3074048
17:54:59.885 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 14034 MB offset 596400128
17:54:59.931 Disk 0 scanning C:\windows\system32\drivers
17:55:18.244 Service scanning
17:55:29.317 Service BdfNdisf c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys **LOCKED** 5
17:55:29.403 Service bdfwfpf C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys **LOCKED** 5
17:56:11.871 Modules scanning
17:56:12.275 Disk 0 trace - called modules:
17:56:12.313 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
17:56:12.329 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003013060]
17:56:12.343 3 CLASSPNP.SYS[fffff88001ba243f] -> nt!IofCallDriver -> [0xfffffa8002ed8ac0]
17:56:12.358 5 amd_xata.sys[fffff880011068b4] -> nt!IofCallDriver -> \Device\00000068[0xfffffa8002ed2060]
17:56:13.866 AVAST engine scan C:\windows
17:56:31.066 AVAST engine scan C:\windows\system32
18:01:59.657 AVAST engine scan C:\windows\system32\drivers
18:02:19.070 AVAST engine scan C:\Users\ashley
18:11:11.003 AVAST engine scan C:\ProgramData
18:13:57.170 Scan finished successfully
18:14:10.998 Disk 0 MBR has been saved successfully to "C:\Users\ashley\Desktop\MBR.dat"
18:14:11.013 The log file has been saved successfully to "C:\Users\ashley\Desktop\aswMBR.txt"


Thank you!


#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,770 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:17 AM

Posted 05 February 2013 - 07:28 PM

Hi Ashley,

Nice to meet you. :)

I would like you to run another program for me please.


===================================================


ListParts by Farbar for 64 bit Systems

--------------------

  • Please download ListParts.exe (for 64 bit systems) and save it to your desktop
  • Double click the Posted Image icon
  • Select Run
  • Select Scan
  • Select OK and wait for a Result - Notepad document to open on your desktop
  • Please copy and paste the contents in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • ListParts results

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 ashleyh.

  • Topic Starter

Posted 05 February 2013 - 07:42 PM

List Parts Log:

ListParts by Farbar Version: 16-01-2013
Ran by ashley (administrator) on 05-02-2013 at 19:39:58
Windows 7 (X64)
Running From: C:\Users\ashley\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 43%
Total physical RAM: 2662.87 MB
Available physical RAM: 1492.27 MB
Total Pagefile: 5323.93 MB
Available Pagefile: 3620 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: (TI106302W0C) (Fixed) (Total:282.92 GB) (Free:240.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Disk ID: 20C94C86

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 282 GB 1501 MB
Partition 3 Primary 13 GB 284 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106302W0C NTFS Partition 282 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******
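
The aswMBR run above saved the raw boot sector to MBR.dat, and the ListParts table is nothing more than a decoded view of the 64-byte partition table inside that sector. The script below, an added example that is not part of the thread or of either tool, decodes such a sector the same way and applies the checks a log reader wants before acting on a "Suspicious Type" line: the partition type code and its hidden variant, the boot flag, overlapping entries, and unallocated space after the last partition. The sample MBR is constructed from the ListParts values (disk ID 20C94C86, types 27/07/17, the logged offsets); the sector counts and the 320 GB disk size are approximations and are marked as such in the code.

```python
"""Decode the 64-byte partition table inside a saved MBR, such as the
MBR.dat that aswMBR wrote above, and flag what ListParts labels hidden or
suspicious. Added example, not part of the thread or of either tool. The
sample MBR is constructed here from the ListParts values (disk ID, type
codes, offsets); the sector counts and disk size are approximations."""
import struct

SECTOR = 512
SECTORS_PER_GB = 1024 ** 3 // SECTOR      # 2,097,152

# Type codes from the log plus the usual hidden variants (base code + 0x10).
TYPE_NAMES = {
    0x07: "NTFS", 0x17: "hidden NTFS",
    0x0B: "FAT32", 0x1B: "hidden FAT32",
    0x0C: "FAT32 LBA", 0x1C: "hidden FAT32 LBA",
    0x27: "Windows RE / recovery", 0xEE: "GPT protective",
}
# Types Windows gives no drive letter; ListParts reports them as "Hidden: Yes".
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}

# status, CHS start, type, CHS end, LBA start, sector count (16 bytes, little-endian)
ENTRY = struct.Struct("<B3sB3sII")


def build_mbr(disk_id, entries):
    """Constructed MBR: zeroed boot code, NT disk signature, table, 0x55AA."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, disk_id)
    for i, (active, ptype, start_lba, count) in enumerate(entries):
        # CHS fields carry the 0xFE 0xFF 0xFF "use LBA" placeholder.
        ENTRY.pack_into(mbr, 446 + 16 * i, 0x80 if active else 0x00,
                        b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start_lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the disk signature and the populated partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    disk_id = struct.unpack_from("<I", mbr, 440)[0]
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(mbr, 446 + 16 * i)
        if ptype == 0x00 and count == 0:
            continue
        parts.append({
            "index": i + 1, "status": status, "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown"),
            "active": status == 0x80, "hidden": ptype in HIDDEN_TYPES,
            "start_lba": start, "sectors": count,
            "offset_mb": start * SECTOR // (1024 * 1024),
            "size_gb": round(count / SECTORS_PER_GB, 2),
        })
    return {"disk_id": disk_id, "partitions": parts}


def findings(table, disk_sectors=None):
    """What to check before treating a 'suspicious' entry as malware."""
    out = []
    parts = table["partitions"]
    if sum(p["active"] for p in parts) != 1:
        out.append("boot flag is not set on exactly one partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            out.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["hidden"] and p["type"] != 0x27:
            out.append(f"partition {p['index']}: hidden data partition type 0x{p['type']:02X} "
                       f"({p['size_gb']} GB at {p['offset_mb']} MB). OEM recovery areas use "
                       "these types, but so do bootkits; confirm against the vendor layout")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            out.append(f"partitions {a['index']} and {b['index']} overlap")
    if disk_sectors is not None and ordered:
        last = ordered[-1]
        tail = disk_sectors - (last["start_lba"] + last["sectors"])
        if tail > 0:
            out.append(f"{tail} sectors unallocated after the last partition; "
                       "some bootkits keep their payload there")
    return out


# Constructed from the ListParts table: ID 20C94C86; type 27 active at 1024 KB,
# 1500 MB; type 07 at 1501 MB, ~282.9 GB; type 17, ~13.7 GB, ending at the disk end.
SAMPLE_MBR = build_mbr(0x20C94C86, [
    (True,  0x27, 2048,        3_072_000),
    (False, 0x07, 3_074_048,   593_313_792),
    (False, 0x17, 596_387_840, 28_754_608),
])
SAMPLE_DISK_SECTORS = 625_142_448   # assumed 320 GB drive (298 GiB, as ListParts shows)

if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)   # for a real disk: parse_mbr(open("MBR.dat", "rb").read())
    print(f"Disk ID: {table['disk_id']:08X}")
    for p in table["partitions"]:
        print(f"Partition {p['index']}: type {p['type']:02X} {p['name']:<22} "
              f"{p['size_gb']:>7} GB at {p['offset_mb']} MB"
              f"{'  active' if p['active'] else ''}{'  hidden' if p['hidden'] else ''}")
    for f in findings(table, SAMPLE_DISK_SECTORS):
        print("!", f)
```

On the table above the only finding is the hidden NTFS (type 17) partition at the end of the disk. That is exactly where laptop OEMs put their factory recovery image, so the type code alone is not evidence of a bootkit; what would be is an entry that overlaps another, a status byte other than 00/80, a second active flag, or unallocated space past the last partition that the disk's known layout does not account for. The first 440 bytes of MBR.dat (the boot code, zeroed in the sample) are the other half of the check and should be compared against the stock Windows 7 boot code rather than trusted because the table looks sane.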

#9 Oh My!

  • Malware Response Instructor

Posted 05 February 2013 - 07:57 PM

Hi Ashley,

Can you tell me which browser(s) are being redirected?
Gary

#10 ashleyh.

  • Topic Starter

Posted 05 February 2013 - 08:08 PM

Just Google :(

#11 Oh My!

  • Malware Response Instructor

Posted 05 February 2013 - 08:11 PM

Which browsers do you use, Internet Explorer, Firefox, and/or Chrome?

In which browsers are you getting the redirects?
Gary

#12 ashleyh.

  • Topic Starter

Posted 05 February 2013 - 08:30 PM

I have Internet Explorer and Google Chrome installed. I only use Google Chrome because it's faster :)

#13 Oh My!

  • Malware Response Instructor

Posted 05 February 2013 - 08:36 PM

Can you test the other browser to see if you experience the same issue? That answer might tell us a lot.

Edited by Oh My, 05 February 2013 - 08:37 PM.

Gary

#14 ashleyh.

  • Topic Starter

Posted 06 February 2013 - 10:39 AM

I did test IE; it doesn't redirect. Only Google Chrome :)
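
The reason the browser test in the previous post "might tell us a lot": Internet Explorer and Chrome on Windows share the proxy setting, the hosts file and the DNS resolver, so a hijack at any of those layers (or a rootkit filtering traffic below them) would redirect both. A redirect that only Chrome shows points at Chrome's own profile instead: a sideloaded extension with permission to rewrite requests, or a replaced default search provider. The script below is an added example, not from the thread; it separates the two scopes. The hosts text and the Preferences JSON are constructed samples, the extension IDs, names and paths are made up, the file paths are the usual Windows 7 locations, and the Preferences key names (extensions.settings.<id>.manifest / from_webstore / state, default_search_provider.search_url) are assumed from Chrome profiles of that era rather than verified on the poster's machine.

```python
"""Triage for a redirect that happens in Chrome but not in Internet Explorer.
Both browsers share the Windows proxy setting, the hosts file and the DNS
resolver, so a Chrome-only redirect points at Chrome's own state: extensions
that may rewrite requests, and a replaced default search provider. Added
example, not from the thread. Hosts text, Preferences JSON, extension IDs and
paths below are constructed; the Preferences key names are assumed."""
import json
import os
import re

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
CHROME_PREFS = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences")

# Permissions that let an extension see or rewrite navigations.
REDIRECT_CAPABLE = {"webRequest", "webRequestBlocking", "webNavigation", "tabs",
                    "<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}
# Google's own provider uses the {google:baseURL} template or a google.* host.
GOOGLE_SEARCH = re.compile(r"^(\{google:baseURL\}|https?://(www\.)?google\.[a-z.]+/)")


def hosts_overrides(text):
    """(hostname, ip) pairs that send a name somewhere other than localhost.
    Such entries hit every browser, so they cannot explain a Chrome-only redirect."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOCAL:
            continue                      # blocking entries, not hijacks
        hits.extend((name.lower(), ip) for name in names)
    return hits


def chrome_findings(prefs):
    """Chrome-specific redirect vectors in a parsed Preferences file."""
    out = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext.get("state", 1) != 1:      # assumed: state 1 = enabled
            continue
        manifest = ext.get("manifest", {})
        capable = sorted(set(manifest.get("permissions", [])) & REDIRECT_CAPABLE)
        # Sideloaded (non-Web-Store) extensions with request-level permissions
        # are the classic cause of a single-browser redirect.
        if capable and not ext.get("from_webstore", False):
            out.append({"kind": "extension", "id": ext_id,
                        "name": manifest.get("name", "?"),
                        "path": ext.get("path", "?"), "permissions": capable})
    dsp = prefs.get("default_search_provider", {})
    url = dsp.get("search_url", "")
    if url and not GOOGLE_SEARCH.match(url):
        out.append({"kind": "search_provider", "name": dsp.get("name", "?"), "url": url})
    return out


def triage(hosts_text, prefs):
    """Split findings by scope: shared by all browsers vs. specific to Chrome."""
    return {"system_wide": hosts_overrides(hosts_text), "chrome_only": chrome_findings(prefs)}


# Constructed samples: a clean hosts file and a profile with one sideloaded extension.
SAMPLE_HOSTS = "# constructed\n127.0.0.1 localhost\n0.0.0.0 ads.example.net\n"
SAMPLE_PREFS = {
    "default_search_provider": {"name": "Google",
                                "search_url": "{google:baseURL}search?q={searchTerms}"},
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {
            "from_webstore": True, "state": 1,
            "manifest": {"name": "Reading List", "version": "1.0", "permissions": ["storage"]}},
        "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
            "from_webstore": False, "state": 1,
            "path": "C:\\ProgramData\\SearchHelper\\ext",
            "manifest": {"name": "Search Helper", "version": "2.1",
                         "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]}},
    }},
}

if __name__ == "__main__":
    # On the affected machine, read the real files instead of the samples.
    hosts_text, prefs = SAMPLE_HOSTS, SAMPLE_PREFS
    if os.path.exists(HOSTS_PATH) and os.path.exists(CHROME_PREFS):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as f:
            hosts_text = f.read()
        with open(CHROME_PREFS, encoding="utf-8") as f:
            prefs = json.load(f)
    for scope, items in triage(hosts_text, prefs).items():
        print(f"{scope}: {items if items else 'nothing found'}")
```

Run it with Chrome closed, since Chrome rewrites Preferences on exit. An extension that a user loaded unpacked on purpose also shows up as non-Web-Store, so the hit list is a review queue, not a verdict; the "path" field tells you whether the code lives inside the Chrome profile or, as in the constructed sample, somewhere like C:\ProgramData, which is where the AdwCleaner and JRT runs asked for later in the thread will look.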

#15 Oh My!

  • Malware Response Instructor

Posted 06 February 2013 - 10:51 AM

Hi Ashley,

Let's first see if there is a bunch of junk that needs to be cleaned out. Please do this for me.


===================================================


AdwCleaner by Xplode - Search for Adware

-------------------

  • Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Search
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================


Junkware Removal Tool by thisisu

-------------------

  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-click JRT.exe and select Run as administrator (on Windows XP, double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • AdwCleaner log
  • Junkware Removal Tool log

Gary



