310 redirect, persistent but almost imperceptible - tried tdss, malwarebytes etc


  • This topic is locked
12 replies to this topic

#1 whippletom

whippletom

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:40 PM

Posted 22 February 2013 - 12:41 PM

Hello, hopefully this isn’t something that’s already covered – but I’m pretty certain I have some rather persistent malware.



Fairly regularly, I get a 310 redirect message on certain websites (The Times for instance). Others just redirect me automatically – for
instance, BBC news will sometimes not open, sending me instead to the general BBC homepage whatever link I click on.



It seems to be temporarily cured by resynching the clock or restarting the browser, but it always comes back. I have run adaware, malwarebytes in safe mode and kaspersky’s tdss rootkit – all to no avail. It’s only a mild inconvenience, but it’s almost the more worrying for it – I wonder what it is it’s up to if it doesn’t even advertise its presence. Any ideas???!



Thank you in advance so, so much for the time you appear to put into helping muppets like me,



Tom




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:40 AM

Posted 23 February 2013 - 09:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
 
Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.

Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===
Third-party programs, if not up to date, can be an open door for an infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===
Search for and delete the AdWare and PUPs (Potentially Unwanted Programs) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

 
 
Please post the logs and let me know if the problem persists.


#3 whippletom

whippletom
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:40 PM

Posted 24 February 2013 - 03:29 PM

Thank you so much, I really do hugely appreciate this - it's very kind of you to give up your time. Below are the logs in order. I can't tell you for certain if the problem is still there, it takes a while after reboots to appear. If you think there is a possibility that adwcleaner might have done the job (I have used it before though), then maybe I should wait a few days and confirm if it hasn't worked - rather than have you potentially waste your time looking through the logs.

 

Thanks again,

 

Tom



 



DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by Administrator at 20:07:06 on 2013-02-24
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.44.1033.18.3014.1085 [GMT 0:00]
.
AV: Lavasoft Ad-Aware *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Aware *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vcsFPService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
C:\Users\Administrator\AppData\Roaming\Spotify\spotify.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=2F4F7AAB4A06E3710698EC50D1BB8797
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SkyDrive] "c:\users\administrator\appdata\local\microsoft\skydrive\SkyDrive.exe" /background
uRun: [Spotify] "c:\users\administrator\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
uRun: [Spotify Web Helper] "c:\users\administrator\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"  /MINIMIZED
uRunOnce: [Uninstall c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6010.0727] c:\windows\system32\cmd.exe /q /c rmdir /s /q "c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6010.0727"
uRunOnce: [Uninstall c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6013.0910] c:\windows\system32\cmd.exe /q /c rmdir /s /q "c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6013.0910"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [QLBController] c:\program files\hewlett-packard\hp hotkey support\QLBController.exe /start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [SearchProtection] c:\programdata\search protection\_run.bat
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\administrator\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bginfo.lnk - c:\program files\bginfo\Bginfo.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: UseOEMBackground = dword:1
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 195.130.131.2 195.130.130.130
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385} : DHCPNameServer = 195.130.131.2 195.130.130.130
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\2425F475E43502F464022425F434B4C45495 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\2425F475E43502F464022425F434B4C4549502 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\2737E6564777F627B6 : DHCPNameServer = 155.198.142.77 155.198.142.78
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\74F6C64637D696478637 : DHCPNameServer = 158.223.1.3 158.223.1.6
TCP: Interfaces\{6AE908B8-8F95-4272-ADF1-67A457F35A7A} : DHCPNameServer = 88.82.13.60 88.82.13.60
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2012-4-3 297000]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== Created Last 30 ================
.
2013-02-09 13:29:37    --------    d-----w-    c:\users\administrator\appdata\roaming\Malwarebytes
2013-02-09 13:29:30    --------    d-----w-    c:\programdata\Malwarebytes
2013-02-09 13:29:29    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-09 13:29:29    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-02-09 13:29:21    --------    d-----w-    c:\users\administrator\appdata\local\Programs
2013-02-06 14:48:38    --------    d-----w-    c:\users\administrator\appdata\roaming\RealNetworks
2013-02-06 14:47:58    --------    d-----w-    c:\program files\RealNetworks
2013-02-06 14:47:53    --------    d-----w-    c:\programdata\RealNetworks
2013-02-06 14:47:43    --------    d-----w-    c:\program files\common files\xing shared
.
==================== Find3M  ====================
.
2013-02-10 16:20:49    74096    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-10 16:20:49    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-12-22 09:49:16    3026944    ----a-w-    c:\windows\bsdsetup.dll
2012-12-19 13:05:55    44424    ----a-w-    c:\windows\system32\sbbd.exe
2012-12-19 13:05:55    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
.
============= FINISH: 20:08:21.75 ===============



 



 



NEXT LOG:

 Results of screen317's Security Check version 0.99.59  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 8 Out of date! 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Lavasoft Ad-Aware              
Symantec Endpoint Protection   
 Antivirus up to date!  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:`````````
 Ad-Aware 
 Malwarebytes Anti-Malware version 1.70.0.1100  
 CCleaner     
 Adobe Reader 10.1.6 Adobe Reader out of Date!  
 Google Chrome 24.0.1312.56  
 Google Chrome 24.0.1312.57  
````````Process Check: objlist.exe by Laurent````````
 Norton ccSvcHst.exe 
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Ad-Aware Antivirus AdAwareService.exe   
 Ad-Aware Antivirus SBAMSvc.exe   
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7% 
````````````````````End of Log``````````````````````
 



 



FINAL LOG

# AdwCleaner v2.113 - Logfile created 02/24/2013 at 20:16:34
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (32 bits)
# User : Administrator - L108184
# Boot Mode : Normal
# Running from : C:\Users\Administrator\Downloads\adwcleaner (3).exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\Administrator\Desktop\Search The Web.url
File Deleted : C:\Users\Administrator\Desktop\sweetpcfix.url
Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\Program Files\SweetIM
Folder Deleted : C:\ProgramData\adawaretb
Folder Deleted : C:\Users\Administrator\AppData\LocalLow\adawaretb
Folder Deleted : C:\Users\Administrator\AppData\Roaming\blekko
Folder Deleted : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TornTV.com

***** [Registry] *****

Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbpkiefagocgkmemidfngdkamloieekf
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\QuickShare_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\QuickShare_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S4].txt - [7960 octets] - [29/12/2012 13:28:21]
AdwCleaner[S5].txt - [4445 octets] - [24/02/2013 20:16:34]

########## EOF - C:\AdwCleaner[S5].txt - [4505 octets] ##########
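As an added example, not part of this thread and not code from the DDS, Security Check or AdwCleaner tools, the script below is a small Python triage helper for the "Pseudo HJT Report" section of a DDS log such as the one posted above. It parses the one-item-per-line format (`kind: body` or `kind = body`) and attaches review flags for the kinds of entries a responder reads first: objects registered without a backing file, CLSIDs that the AdwCleaner log in this thread reports as deleted, autoruns that launch a script or command interpreter, public DNS resolvers, and a start page that points at a toolbar landing page. The sample report is constructed from shortened versions of lines in the log, the CLSID list and every heuristic are this example's own assumptions, and a flag means "check this by hand", not "malicious".

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; not part of the thread and not code from DDS, Security Check
or AdwCleaner. The heuristics below are this example's own assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample modelled on (and shortened from) entries in the log
# above; it is not a verbatim copy of the poster's DDS output.
SAMPLE_REPORT = r"""
uStart Page = hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SearchProtection] c:\programdata\search protection\_run.bat
uRunOnce: [Uninstall skydrive] c:\windows\system32\cmd.exe /q /c rmdir /s /q "c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6010.0727"
TCP: NameServer = 195.130.131.2 195.130.130.130
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385} : DHCPNameServer = 192.168.2.1
SSODL: WebCheck - <orphaned>
"""

# CLSIDs that the AdwCleaner log in this thread reports as deleted
# (the Ad-Aware toolbar BHO and the nameless toolbar with no file).
ADWCLEANER_REMOVED_CLSIDS = {
    "{6C97A91E-4524-4019-86AF-2AA2D567BF5C}",
    "{AE07101B-46D4-4A98-AF68-0333EA26E113}",
}

# "<kind>: <body>" or "<kind> = <body>"; the kind is the shortest prefix
# before the first ": " or " = " separator.
ITEM_RE = re.compile(r"^(.+?)(?:: | = )(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SCRIPT_RE = re.compile(r"\.(?:bat|cmd|vbs|js)\b")


@dataclass
class Item:
    kind: str                 # e.g. "BHO", "TB", "mRun", "TCP", "uStart Page"
    body: str                 # everything after the separator
    flags: list = field(default_factory=list)


def parse_report(text: str) -> list:
    """Turn the report text into Item records, skipping blanks and '.' rows."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append(Item(m.group(1), m.group(2)))
    return items


def triage(items: list) -> list:
    """Attach review flags and return only the items that received one.

    A flag means "look at this by hand", not "malicious": the SkyDrive
    cleanup RunOnce in the sample is legitimate and is flagged anyway.
    """
    for it in items:
        low = it.body.lower()
        if "<no file>" in low or "<orphaned>" in low:
            it.flags.append("registered object whose backing file is missing")
        for clsid in CLSID_RE.findall(it.body):
            if clsid.upper() in ADWCLEANER_REMOVED_CLSIDS:
                it.flags.append(f"CLSID {clsid.upper()} was removed by AdwCleaner")
        if it.kind.endswith("Run") or it.kind.endswith("RunOnce"):
            if "cmd.exe" in low or SCRIPT_RE.search(low):
                it.flags.append("autorun launches a script or command interpreter")
        if it.kind == "TCP":
            for ip in IPV4_RE.findall(it.body):
                if ipaddress.ip_address(ip).is_global:
                    it.flags.append(f"public DNS resolver {ip}; confirm it is the ISP's or the organisation's")
        if it.kind.lower().endswith("start page") and "toolbarid=" in low:
            it.flags.append("start page points at a toolbar search landing page")
    return [it for it in items if it.flags]


if __name__ == "__main__":
    for it in triage(parse_report(SAMPLE_REPORT)):
        print(f"{it.kind}: {it.body[:72]}")
        for flag in it.flags:
            print(f"    -> {flag}")
```

To run it against a real DDS.txt, read the file and pass the text between the "Pseudo HJT Report" header and the next "====" header to `parse_report`. The public-resolver flag is deliberately loose: DHCP-assigned ISP resolvers like the ones in the poster's log are expected, so the point of the flag is to make the responder compare them with what the router and ISP should be handing out, which is the first thing to check when a browser keeps being redirected.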



 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:40 AM

Posted 25 February 2013 - 08:48 AM

Get the latest version of the Adobe Reader.
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
 
When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
 
===
 
Your DDS log cannot be read in the current format.
Please save the file in Notepad and make sure Word Wrap is not set.
There are too many blank lines.
It should look like this.
 
 
DDS (Ver_2012-11-20.01) - NTFSx86 
Run by Vu at 0:22:38.31 on Thu 12/30/2010
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.820 [GMT -8:00]
 
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
 
etc...
 
Please repost for my review.


#5 whippletom

whippletom
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:40 PM

Posted 27 February 2013 - 04:39 AM

Done! Is this better?

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.7601.17514
Run by Administrator at 9:37:26 on 2013-02-27
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.44.1033.18.3014.893 [GMT 0:00]
.
AV: Lavasoft Ad-Aware *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Aware *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vcsFPService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
C:\Users\Administrator\AppData\Roaming\Spotify\spotify.exe
C:\Users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Windows\system32\conhost.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=2F4F7AAB4A06E3710698EC50D1BB8797
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SkyDrive] "c:\users\administrator\appdata\local\microsoft\skydrive\SkyDrive.exe" /background
uRun: [Spotify] "c:\users\administrator\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
uRun: [Spotify Web Helper] "c:\users\administrator\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"  /MINIMIZED
uRunOnce: [Uninstall c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6010.0727] c:\windows\system32\cmd.exe /q /c rmdir /s /q "c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6010.0727"
uRunOnce: [Uninstall c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6013.0910] c:\windows\system32\cmd.exe /q /c rmdir /s /q "c:\users\administrator\appdata\local\microsoft\skydrive\16.4.6013.0910"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_5_502_149_ActiveX.exe -update activex
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [QLBController] c:\program files\hewlett-packard\hp hotkey support\QLBController.exe /start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [SearchProtection] c:\programdata\search protection\_run.bat
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\administrator\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bginfo.lnk - c:\program files\bginfo\Bginfo.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: UseOEMBackground = dword:1
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\2425F475E43502F464022425F434B4C45495 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\2425F475E43502F464022425F434B4C4549502 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\26F687477667 : DHCPNameServer = 10.164.48.1
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\2737E6564777F627B6 : DHCPNameServer = 155.198.142.77 155.198.142.78
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\74F6C64637D696478637 : DHCPNameServer = 158.223.1.3 158.223.1.6
TCP: Interfaces\{06AAEB7A-F615-4DAC-BC10-9A2002DF7385}\94249435 : DHCPNameServer = 172.30.3.254
TCP: Interfaces\{6AE908B8-8F95-4272-ADF1-67A457F35A7A} : DHCPNameServer = 88.82.13.44 88.82.13.44
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-19 13560]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-12-14 1236968]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2012-4-3 81920]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2012-4-3 297000]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-9-2 106656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-9 21104]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2012-4-3 7513088]
R3 SPUVCbv;SPUVCb Driver Service;c:\windows\system32\drivers\SPUVCBv.sys [2012-4-3 2468728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-12 62464]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2012-4-3 132480]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2012-4-3 144984]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\drivers\johci.sys [2012-4-3 23640]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-8-2 18432]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2012-4-3 62336]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2012-4-3 141440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-12 77184]
S3 SzCCID;USB SmartCard Reader Driver;c:\windows\system32\drivers\SzCCID.sys [2012-4-3 24064]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-12 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-12 112640]
.
=============== Created Last 30 ================
.
2013-02-09 13:29:37    --------    d-----w-    c:\users\administrator\appdata\roaming\Malwarebytes
2013-02-09 13:29:30    --------    d-----w-    c:\programdata\Malwarebytes
2013-02-09 13:29:29    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-09 13:29:29    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-02-09 13:29:21    --------    d-----w-    c:\users\administrator\appdata\local\Programs
2013-02-06 14:48:38    --------    d-----w-    c:\users\administrator\appdata\roaming\RealNetworks
2013-02-06 14:47:58    --------    d-----w-    c:\program files\RealNetworks
2013-02-06 14:47:53    --------    d-----w-    c:\programdata\RealNetworks
2013-02-06 14:47:43    --------    d-----w-    c:\program files\common files\xing shared
.
==================== Find3M  ====================
.
2013-02-10 16:20:49    74096    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-10 16:20:49    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-12-22 09:49:16    3026944    ----a-w-    c:\windows\bsdsetup.dll
2012-12-19 13:05:55    44424    ----a-w-    c:\windows\system32\sbbd.exe
2012-12-19 13:05:55    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
.
============= FINISH:  9:38:18.81 ===============


#6 nasdaq

  • Malware Response Team
  • 39,567 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 February 2013 - 10:03 AM

Please run and update AdwCleaner.
 
 
This should be removed.
mRun: [SearchProtection] c:\programdata\search protection\_run.bat
 
Post the log for my review.
 
Let me know what problem persists.
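The entry the helper singles out above is an autorun that launches a batch file out of ProgramData, and the DDS report also records a non-default start page and the DNS resolvers each interface was handed. The following is an added example, not part of the DDS tool or the helper's procedure: a small Python triage pass over "Pseudo HJT Report" lines that flags script-launching autoruns, autoruns living in data directories, an unexpected home page, and resolvers outside private address space. The sample report is constructed from the lines posted in this thread; the `EXPECTED_START_HOSTS` allow-list and the severity labels are assumptions a defender would tune to their own environment.

```python
"""Triage heuristics for DDS 'Pseudo HJT Report' lines (added example).

Not the DDS tool's own logic and not the helper's procedure; the thresholds
and allow-list below are assumptions, not a signature database.
"""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, category, detail)

# Constructed sample, modelled on the DDS lines posted earlier in this thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SearchProtection] c:\programdata\search protection\_run.bat
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{6AE908B8-8F95-4272-ADF1-67A457F35A7A} : DHCPNameServer = 88.82.13.44 88.82.13.44
"""

# Hypothetical allow-list: home pages the user is known to have chosen.
EXPECTED_START_HOSTS = {"www.google.com", "www.bing.com"}

# An autorun pointing at one of these is launching a script, not a program.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1"}

RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
# Unquoted DDS paths may contain spaces, so stop at the first known extension.
PATH_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|bat|cmd|vbs|js|wsf|ps1|scr|dll)))(?:\s|$)', re.I)
START_RE = re.compile(r"^[um]Start Page = (?:hxxp|http)s?://(?P<host>[^/?#\s]+)", re.I)
DNS_RE = re.compile(r"NameServer = (?P<ips>[\d. ]+)$", re.I)


def triage(report: str) -> List[Finding]:
    """Return (severity, category, detail) findings for a DDS report excerpt."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = START_RE.match(line)
        if m:
            host = m.group("host").lower()
            if host not in EXPECTED_START_HOSTS:
                findings.append(("review", "start-page", f"home page points at {host}"))
            continue

        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            pm = PATH_RE.match(cmd)
            path = (pm.group("q") or pm.group("u")).lower() if pm else cmd.lower()
            ext = path[path.rfind("."):] if "." in path else ""
            if ext in SCRIPT_EXTS:
                findings.append(("high", "autorun-script", f"[{name}] launches a script: {path}"))
            elif any(d in path for d in ("\\programdata\\", "\\appdata\\", "\\temp\\")):
                findings.append(("info", "autorun-userpath", f"[{name}] runs from a data directory: {path}"))
            continue

        m = DNS_RE.search(line)
        if m:
            for ip in dict.fromkeys(m.group("ips").split()):  # de-duplicate, keep order
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    findings.append(("review", "dns", f"unparseable resolver {ip!r}"))
                    continue
                if not addr.is_private:
                    findings.append(("review", "dns", f"resolver {ip} is outside private address space"))
    return findings


if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_REPORT):
        print(f"{severity:6} {category:16} {detail}")
```

The "dns" findings are deliberately marked for review rather than condemned: a public resolver handed out by DHCP can be a mobile-broadband dongle or an ISP just as easily as a hijack, and the point is to surface it beside the autorun entries so a redirect symptom can be correlated across both.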


#7 whippletom
  • Topic Starter
  • Members
  • 6 posts

Posted 28 February 2013 - 09:06 AM

Here it is. Computer seems to be working well now - I'll let you know if the problem recurs.

# AdwCleaner v2.113 - Logfile created 02/28/2013 at 14:02:16
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (32 bits)
# User : Administrator - L108184
# Boot Mode : Normal
# Running from : C:\Users\Administrator\Downloads\AdwCleaner (5).exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
[OK] Registry is clean.
 
-\\ Google Chrome v25.0.1364.97
 
File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S4].txt - [7960 octets] - [29/12/2012 13:28:21]
AdwCleaner[S5].txt - [4574 octets] - [24/02/2013 20:16:34]
AdwCleaner[S6].txt - [337 octets] - [28/02/2013 09:35:19]
AdwCleaner[S7].txt - [862 octets] - [28/02/2013 14:02:16]
 
########## EOF - C:\AdwCleaner[S7].txt - [921 octets] ##########


#8 nasdaq

  • Malware Response Team
  • 39,567 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 February 2013 - 09:36 AM

If all is well:
 
Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:
 
Click Start > Run and copy/paste the following text into the Run box and click OK:
 
ComboFix /Uninstall 
===
 
To remove AdwCleaner.
 
Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.
 
If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.
 
Delete the other tools we used.
You can keep the DDS tool as most forums will ask to see a log before suggesting a fix.
 
Surf Safely, and Think Prevention!
===


#9 whippletom
  • Topic Starter
  • Members
  • 6 posts

Posted 01 March 2013 - 09:43 AM

Fab! Thank you so much, again.
Tom



Ah, crap. Just as soon as I sent that message, the problem popped up again. The redirects have just restarted. Sorry...



#10 nasdaq

  • Malware Response Team
  • 39,567 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 March 2013 - 11:29 AM

 
I thought we had run this tool. Please do now.
 
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
IMPORTANT !!! Save ComboFix.exe to your Desktop
 
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.
 
How to : Disable Anti-virus and Firewall...
 
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
 
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===


#11 whippletom
  • Topic Starter
  • Members
  • 6 posts

Posted 05 March 2013 - 05:50 PM

Done! Here's the log:

ComboFix 13-03-05.01 - Administrator 05/03/2013  22:40:38.1.4 - x86
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.44.1033.18.3014.1764 [GMT 0:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-05 to 2013-03-05  )))))))))))))))))))))))))))))))
.
.
2013-03-05 22:46 . 2013-03-05 22:46    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-03-03 19:48 . 2013-03-03 19:48    --------    d-----w-    c:\programdata\Trusteer
2013-02-27 14:19 . 2013-02-27 14:19    15846768    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-02-27 09:32 . 2013-02-27 09:32    --------    d-----w-    c:\program files\Common Files\Adobe
2013-02-09 13:29 . 2013-02-09 13:29    --------    d-----w-    c:\users\Administrator\AppData\Roaming\Malwarebytes
2013-02-09 13:29 . 2013-02-09 13:29    --------    d-----w-    c:\programdata\Malwarebytes
2013-02-09 13:29 . 2013-02-09 13:29    --------    d-----w-    c:\users\Administrator\AppData\Local\Programs
2013-02-06 14:47 . 2013-02-06 14:47    --------    d-----w-    c:\program files\Common Files\xing shared
2013-02-06 14:46 . 2013-02-06 14:47    --------    d-----w-    c:\program files\Real
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-27 14:19 . 2012-12-10 21:19    71024    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-27 14:19 . 2012-12-10 21:19    691568    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-12-22 09:49 . 2012-12-23 12:00    3026944    ----a-w-    c:\windows\bsdsetup.dll
2012-12-19 13:05 . 2012-12-19 13:05    44424    ----a-w-    c:\windows\system32\sbbd.exe
2012-12-19 13:05 . 2012-12-19 13:05    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-11-17 20:28    222712    ----a-w-    c:\users\Administrator\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-11-17 20:28    222712    ----a-w-    c:\users\Administrator\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-11-17 20:28    222712    ----a-w-    c:\users\Administrator\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2013-02-25 1602984]
"SkyDrive"="c:\users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2012-11-17 255992]
"Spotify"="c:\users\Administrator\AppData\Roaming\Spotify\Spotify.exe" [2012-11-29 7880664]
"Spotify Web Helper"="c:\users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-11-29 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2012-04-03 2209064]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-04-03 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-04-03 176664]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-04-03 178200]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-04-03 1138783]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"QLBController"="c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2011-05-13 318520]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-04-18 115560]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-12-11 542104]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2013-02-06 295072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BGInfo.lnk - c:\program files\BgInfo\Bginfo.exe [2012-4-3 844648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
R3 johci;JMicron 1394 Filter Driver;c:\windows\system32\drivers\johci.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 SPUVCbv;SPUVCb Driver Service;c:\windows\system32\Drivers\SPUVCbv.sys [x]
S3 SzCCID;USB SmartCard Reader Driver;c:\windows\system32\DRIVERS\SzCCID.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-10 14:19]
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-20 13:08]
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-20 13:08]
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3752593014-3381274859-1190395094-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-03 15:18]
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3752593014-3381274859-1190395094-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-03 15:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=2F4F7AAB4A06E3710698EC50D1BB8797
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe
HKLM-Run-SearchProtection - c:\programdata\Search Protection\_run.bat
SafeBoot-73454341.sys
SafeBoot-Symantec Antvirus
AddRemove-adawaretb - c:\program files\adawaretb\uninstall.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,60,ec,f4,07,3f,35,46,9f,ab,96,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,d6,11,00,0e,e5,13,46,80,5c,59,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,c4,4e,7d,da,17,84,48,a8,f8,69,\
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AVI"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.m3u"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M4A"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MOV"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\AcroRd32.exe"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-3752593014-3381274859-1190395094-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4220)
c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
Completion time: 2013-03-05  22:48:53
ComboFix-quarantined-files.txt  2013-03-05 22:48
.
Pre-Run: 227,046,141,952 bytes free
Post-Run: 227,046,002,688 bytes free
.
- - End Of File - - A1B4E29457C65D9027A7BB876BA28DC4


#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 March 2013 - 08:24 AM

Looking good.
 
If all is well:
 
Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:
 
Click Start > Run  and copy/paste the following bold text into the Run box and click OK:
 
ComboFix /Uninstall 
===
 
To remove AdwCleaner.
 
Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.
 
If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.
 
Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.
 
Surf Safely, and Think Prevention!
===
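The housekeeping steps in the post above, scripted as an added example (this is not nasdaq's text or any BleepingComputer tool). It assumes the tools were saved to the user's Desktop, that ComboFix's leftovers are the C:\Qoobox quarantine folder and the C:\ComboFix.txt log, that AdwCleaner keeps its logs under C:\AdwCleaner, and that DDS is the dds.scr / dds.com file; none of those paths appear in the thread. It defaults to a dry run so nothing is deleted until you flip $DryRun.

```powershell
# Added example: scripted version of the housekeeping steps above.
# Assumptions (not from the thread): tools live on the user's Desktop,
# ComboFix leftovers are C:\Qoobox and C:\ComboFix.txt, AdwCleaner logs are
# under C:\AdwCleaner, DDS is dds.scr / dds.com. Run from an elevated prompt.
$DryRun   = $true   # set to $false to actually delete files
$Desktop  = [Environment]::GetFolderPath('Desktop')
$ComboFix = Join-Path $Desktop 'ComboFix.exe'

# 1. ComboFix /Uninstall does the same as typing it into Start > Run:
#    removes its quarantine and log and resets System Restore points.
if (Test-Path -LiteralPath $ComboFix) {
    Start-Process -FilePath $ComboFix -ArgumentList '/Uninstall' -Wait
} else {
    Write-Warning "ComboFix.exe not found at $ComboFix; skipping /Uninstall."
}

# Check that the leftovers really went away before removing the tool itself.
$leftovers = @('C:\Qoobox', 'C:\ComboFix.txt') | Where-Object { Test-Path -LiteralPath $_ }
if ($leftovers) {
    Write-Warning "ComboFix leftovers still present: $($leftovers -join ', ')"
} else {
    Write-Host 'ComboFix cleanup verified.'
}

# 2. The AdwCleaner version in this thread is uninstalled from its own GUI
#    (double-click, Uninstall, Yes); here we only confirm it is gone.
if (Test-Path -LiteralPath 'C:\AdwCleaner') {
    Write-Warning 'C:\AdwCleaner still exists; run AdwCleaner > Uninstall first.'
}

# 3. Delete the other tools from the Desktop, keeping DDS because most forums
#    ask for a DDS log before suggesting a fix.
$keep = @('dds.scr', 'dds.com')
Get-ChildItem -LiteralPath $Desktop -File |
    Where-Object { $_.Name -match '^(ComboFix|AdwCleaner).*\.exe$' -and $keep -notcontains $_.Name } |
    ForEach-Object {
        Write-Host "Removing $($_.FullName)"
        Remove-Item -LiteralPath $_.FullName -Force -WhatIf:$DryRun
    }
```

Run it once with $DryRun left at $true to see what would be removed; the -WhatIf switch on Remove-Item prints the action without performing it. If the leftovers warning fires, re-run ComboFix /Uninstall by hand rather than deleting ComboFix.exe, since the tool is what cleans up after itself.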


#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 March 2013 - 09:11 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



