Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect Virus in both IE and Firefox


  • This topic is locked This topic is locked
36 replies to this topic

#1 CDMartinJr

CDMartinJr

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 24 June 2013 - 10:31 AM

While searches in both Bing and Google bring up legitimate websites (e.g., microsoft.com, yahoo.com, even this site), when I click on the links, I am often (about 55% of the time) redirected to a different search site (two examples are searchmd.com and findit.com).  Norton, MBAM, SuperAntiSpyware, HitMan and TDSSkiller have consistently found nothing.  Here is my DDS log: 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.6001.19437
Run by Owner at 11:11:54 on 2013-06-24
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4084.2372 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\WINDOWS\SMINST\sftservice.EXE
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\DllHost.exe
C:\windows\SMINST\Components\scheduler\STService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\WINDOWS\RAVCpl64.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\PixArt\Pac7302\Monitor.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
mWinlogon: Userinit = C:\Windows\SysWOW64\Userinit.exe,
BHO: MRI_DISABLED - <orphaned>
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ipsbho.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
uRun: [JavaSoft] Regsvr32.exe C:\Users\Owner\AppData\Local\JavaSoft\fyocltkn.dll
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [Launcher] C:\Windows\SMINST\Components\scheduler\Launcher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SMCWUS~1.LNK - C:\Program Files (x86)\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MI1933~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{39B661F3-DBE9-41B6-85C9-6E17E07C4C42} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{45E2C138-5491-46D8-9AF4-94030639DD40} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{96754E1C-FC4D-40FF-B6D1-5B87C47C0B4E} : DHCPNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
x64-BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll
x64-Run: [RtHDVCpl] RAVCpl64.exe
x64-Run: [Skytel] Skytel.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe
x64-RunOnce: [DSUpdateLauncher] "c:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat"
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\px9ad0bu.default\
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - ExtSQL: 2013-05-26 15:11; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-5-4 53488]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0404000.00C\symds64.sys [2011-11-6 433200]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0404000.00C\symefa64.sys [2011-11-6 221304]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20130531.001\BHDrvx64.sys [2013-5-31 1393240]
R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\N360x64\0404000.00C\cchpx64.sys [2011-11-6 593544]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20130621.001\IDSviA64.sys [2013-6-22 513184]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0404000.00C\ironx64.sys [2011-11-6 150064]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\drivers\N360x64\0404000.00C\symtdiv.sys [2011-11-6 451704]
R2 AERTFilters;Andrea RT Filters Service;C:\Windows\System32\AERTSr64.exe [2009-5-4 86016]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe [2011-11-6 126400]
R2 PCASp50a64;PCASp50a64 NDIS Protocol Driver;C:\Windows\System32\drivers\PCASp50a64.sys [2012-8-13 41280]
R2 SftService;SoftThinks Agent Service;C:\WINDOWS\SMINST\SftService.exe [2009-5-4 632048]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-5-14 3289208]
R3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\System32\drivers\athrxusb.sys [2007-11-29 1064448]
S2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 PCD5SRVC{048DBD20-445E8C82-05040104};PCD5SRVC{048DBD20-445E8C82-05040104} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms [2008-11-4 28152]
S3 PerfHost;Performance Counter DLL Host;C:\WINDOWS\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-5-10 51712]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-3-7 89920]
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-06-12 19:02:03    75825640    ----a-w-    C:\Windows\System32\mrt.exe
2013-06-11 20:28:51    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-11 20:28:51    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-17 03:50:49    916480    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-05-17 03:50:32    1212928    ----a-w-    C:\Windows\SysWow64\urlmon.dll
2013-05-17 03:50:31    105984    ----a-w-    C:\Windows\SysWow64\url.dll
2013-05-17 03:48:34    206848    ----a-w-    C:\Windows\SysWow64\occache.dll
2013-05-17 03:46:32    611840    ----a-w-    C:\Windows\SysWow64\mstime.dll
2013-05-17 03:46:01    67072    ----a-w-    C:\Windows\SysWow64\mshtmled.dll
2013-05-17 03:46:01    6014464    ----a-w-    C:\Windows\SysWow64\mshtml.dll
2013-05-17 03:45:57    630272    ----a-w-    C:\Windows\SysWow64\msfeeds.dll
2013-05-17 03:45:57    55296    ----a-w-    C:\Windows\SysWow64\msfeedsbs.dll
2013-05-17 03:45:15    43520    ----a-w-    C:\Windows\SysWow64\licmgr10.dll
2013-05-17 03:45:01    25600    ----a-w-    C:\Windows\SysWow64\jsproxy.dll
2013-05-17 03:44:52    1469440    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-05-17 03:44:39    164352    ----a-w-    C:\Windows\SysWow64\ieui.dll
2013-05-17 03:44:39    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-05-17 03:44:38    71680    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-05-17 03:44:38    2004992    ----a-w-    C:\Windows\SysWow64\iertutil.dll
2013-05-17 03:44:37    55808    ----a-w-    C:\Windows\SysWow64\iernonce.dll
2013-05-17 03:44:37    184320    ----a-w-    C:\Windows\SysWow64\iepeers.dll
2013-05-17 03:44:37    11111424    ----a-w-    C:\Windows\SysWow64\ieframe.dll
2013-05-17 03:44:33    387584    ----a-w-    C:\Windows\SysWow64\iedkcs32.dll
2013-05-17 03:35:09    1147392    ----a-w-    C:\Windows\System32\wininet.dll
2013-05-17 03:34:49    1489408    ----a-w-    C:\Windows\System32\urlmon.dll
2013-05-17 03:34:49    108032    ----a-w-    C:\Windows\System32\url.dll
2013-05-17 03:33:12    243712    ----a-w-    C:\Windows\System32\occache.dll
2013-05-17 03:31:34    1062912    ----a-w-    C:\Windows\System32\mstime.dll
2013-05-17 03:31:08    98304    ----a-w-    C:\Windows\System32\mshtmled.dll
2013-05-17 03:31:08    9337344    ----a-w-    C:\Windows\System32\mshtml.dll
2013-05-17 03:31:04    742912    ----a-w-    C:\Windows\System32\msfeeds.dll
2013-05-17 03:31:04    71680    ----a-w-    C:\Windows\System32\msfeedsbs.dll
2013-05-17 03:30:37    56832    ----a-w-    C:\Windows\System32\licmgr10.dll
2013-05-17 03:30:25    31744    ----a-w-    C:\Windows\System32\jsproxy.dll
2013-05-17 03:30:19    1538560    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-05-17 03:30:07    77312    ----a-w-    C:\Windows\System32\iesetup.dll
2013-05-17 03:30:07    2356736    ----a-w-    C:\Windows\System32\iertutil.dll
2013-05-17 03:30:07    219136    ----a-w-    C:\Windows\System32\ieui.dll
2013-05-17 03:30:07    132096    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-05-17 03:30:06    72192    ----a-w-    C:\Windows\System32\iernonce.dll
2013-05-17 03:30:06    252416    ----a-w-    C:\Windows\System32\iepeers.dll
2013-05-17 03:29:56    12508160    ----a-w-    C:\Windows\System32\ieframe.dll
2013-05-17 03:29:51    459776    ----a-w-    C:\Windows\System32\iedkcs32.dll
2013-05-17 02:18:36    479232    ----a-w-    C:\Windows\System32\html.iec
2013-05-17 02:06:08    385024    ----a-w-    C:\Windows\SysWow64\html.iec
2013-05-17 01:07:07    162816    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-05-17 01:07:00    70656    ----a-w-    C:\Windows\System32\ie4uinit.exe
2013-05-17 01:06:11    12288    ----a-w-    C:\Windows\System32\msfeedssync.exe
2013-05-17 01:05:40    1638912    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-05-17 00:20:05    133632    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-05-17 00:19:54    174080    ----a-w-    C:\Windows\SysWow64\ie4uinit.exe
2013-05-17 00:18:49    13312    ----a-w-    C:\Windows\SysWow64\msfeedssync.exe
2013-05-17 00:18:12    1638912    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-05-08 04:50:00    1423720    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-05-02 04:16:27    686080    ----a-w-    C:\Windows\System32\win32spl.dll
2013-05-02 04:04:25    443904    ----a-w-    C:\Windows\SysWow64\win32spl.dll
2013-05-02 04:03:42    37376    ----a-w-    C:\Windows\SysWow64\printcom.dll
2013-04-24 04:09:48    174592    ----a-w-    C:\Windows\System32\cryptsvc.dll
2013-04-24 04:09:48    132096    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-04-24 04:09:48    1269248    ----a-w-    C:\Windows\System32\crypt32.dll
2013-04-24 04:09:41    50688    ----a-w-    C:\Windows\System32\certenc.dll
2013-04-24 04:00:30    985600    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-04-24 04:00:30    98304    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-04-24 04:00:30    133120    ----a-w-    C:\Windows\SysWow64\cryptsvc.dll
2013-04-24 04:00:24    41984    ----a-w-    C:\Windows\SysWow64\certenc.dll
2013-04-24 02:10:00    1078272    ----a-w-    C:\Windows\System32\certutil.exe
2013-04-24 01:46:29    812544    ----a-w-    C:\Windows\SysWow64\certutil.exe
2013-04-17 13:04:03    30720    ----a-w-    C:\Windows\System32\cryptdlg.dll
2013-04-17 12:30:06    24576    ----a-w-    C:\Windows\SysWow64\cryptdlg.dll
2013-04-15 14:17:12    901496    ----a-w-    C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-13 03:34:30    47104    ----a-w-    C:\Windows\System32\cdd.dll
2013-04-09 01:55:57    2774016    ----a-w-    C:\Windows\System32\win32k.sys
.
============= FINISH: 11:12:29.23 ===============
 

Any help you can offer would be fantastic!


Edited by hamluis, 24 June 2013 - 10:34 AM.
Moved from Vista to Malware Removal Logs - Hamluis.


BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 24 June 2013 - 12:20 PM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.

Edited by TB-Psychotic, 24 June 2013 - 12:21 PM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 CDMartinJr

CDMartinJr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 24 June 2013 - 03:34 PM

Marius,

 

Here's the log!

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.24.05

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 8.0.6001.19437
Owner :: OWNER-PC [administrator]

6/24/2013 3:11:09 PM
mbar-log-2013-06-24 (15-11-09).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 234339
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 24 June 2013 - 03:39 PM

Combofix


Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!
  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe
When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Edited by TB-Psychotic, 24 June 2013 - 03:40 PM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 CDMartinJr

CDMartinJr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 25 June 2013 - 07:18 AM

Here's the ComboFix log you requested:

 

ComboFix 13-06-24.01 - Owner 06/25/2013   7:53.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4084.2319 [GMT -4:00]
Running from: c:\users\Owner\Desktop\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\E035.tmp
c:\windows\SysWow64\Oleaut32.1
c:\windows\SysWow64\Oleaut32.2
c:\windows\SysWow64\Oleaut32.3
c:\windows\SysWow64\Oleaut32.4
c:\windows\SysWow64\Oleaut32.5
c:\windows\SysWow64\Oleaut32.6
c:\windows\SysWow64\Oleaut32.7
c:\windows\SysWow64\Oleaut32.8
c:\windows\SysWow64\Oleaut32.9
c:\windows\wininit.ini
D:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-25 to 2013-06-25  )))))))))))))))))))))))))))))))
.
.
2013-06-24 19:11 . 2013-06-24 19:22    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:51 . 2013-06-24 18:51    74136    ----a-w-    c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-06-24 18:51 . 2013-06-24 18:51    262552    ----a-w-    c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-06-24 18:51 . 2013-06-24 18:51    770384    ----a-w-    c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2013-06-24 18:51 . 2013-06-24 18:51    421200    ----a-w-    c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2013-06-24 18:51 . 2013-06-24 18:51    96664    ----a-w-    c:\program files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-06-24 18:51 . 2013-06-24 18:51    26520    ----a-w-    c:\program files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-06-24 18:51 . 2013-06-24 18:51    170232    ----a-w-    c:\program files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2013-06-24 12:47 . 2013-06-24 12:53    --------    d-----w-    c:\programdata\HitmanPro
2013-06-21 14:59 . 2013-06-21 14:59    --------    d-----w-    c:\users\Owner\AppData\Roaming\Malwarebytes
2013-06-21 14:59 . 2013-06-21 14:59    --------    d-----w-    c:\programdata\Malwarebytes
2013-06-19 15:24 . 2013-06-20 15:45    --------    d-----w-    c:\users\Owner\AppData\Local\JavaSoft
2013-06-01 20:51 . 2013-06-01 20:51    --------    d-----w-    c:\users\Owner\AppData\Roaming\OverDrive
2013-06-01 17:34 . 2013-06-01 17:34    --------    d-----w-    c:\program files (x86)\OverDrive Media Console
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 19:02 . 2006-11-02 12:35    75825640    ----a-w-    c:\windows\system32\mrt.exe
2013-06-11 20:28 . 2012-10-24 13:27    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-11 20:28 . 2011-12-26 18:21    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-15 14:17 . 2013-05-18 11:52    901496    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 03:34 . 2013-05-18 11:52    47104    ----a-w-    c:\windows\system32\cdd.dll
2013-04-09 01:55 . 2013-05-18 11:52    2774016    ----a-w-    c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-28 18642024]
"JavaSoft"="c:\users\Owner\AppData\Local\JavaSoft\fyocltkn.dll" [2013-06-19 728576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2008-12-17 206064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files (x86)\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2007-6-22 1077248]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe /firstrun [2009-2-6 1312096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 06:38    34672    ----a-w-    c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-12-17 01:14    206064    ----a-w-    c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe;c:\windows\SYSNATIVE\AERTSr64.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-24 20:28]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6453760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2007-12-10 323584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DSUpdateLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat" [2009-02-17 361]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: vccs.edu\learn
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\px9ad0bu.default\
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - ExtSQL: 2013-05-26 15:11; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
HKLM-Run-Skytel - Skytel.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{048DBD20-445E8C82-05040104}]
"ImagePath"="\??\c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-06-25  08:03:16
ComboFix-quarantined-files.txt  2013-06-25 12:03
.
Pre-Run: 446,086,197,248 bytes free
Post-Run: 446,170,173,440 bytes free
.
- - End Of File - - 470D4F01A7597A4AAD447250AA1D4781
5C616939100B85E558DA92B899A0FC36
 

 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 25 June 2013 - 10:38 AM

CF-Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

REGLOCK::

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

CLEARJAVACACHE::



Save this as CFScript.txt, in the same location as ComboFix.exe


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Are you still facing the issue?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 CDMartinJr

CDMartinJr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 25 June 2013 - 11:02 AM

It's interesting that you asked that, because the last incident was at 11:00(ish) yesterday morning, though I have done nothing to fix the problem.  Any thoughts?



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 25 June 2013 - 11:32 AM

Some of the things I´ve adviced you to do DID something to fix the problem.

But due to the fact that I cannot see what´s happeing on your computer, you have to tell me.

 

Also post up the combofix log from the last scan, please


Edited by TB-Psychotic, 25 June 2013 - 11:33 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 CDMartinJr

CDMartinJr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 25 June 2013 - 12:09 PM

Marius,

 

Here is the log:

 

ComboFix 13-06-24.01 - Owner 06/25/2013  12:49:45.2.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4084.2448 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\assembly\tmp
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-25 to 2013-06-25  )))))))))))))))))))))))))))))))
.
.
2013-06-25 16:56 . 2013-06-25 16:56    --------    d-----w-    c:\users\Owner\AppData\Local\temp
2013-06-25 16:56 . 2013-06-25 16:56    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-06-24 19:11 . 2013-06-24 19:22    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:51 . 2013-06-24 18:51    74136    ----a-w-    c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-06-24 18:51 . 2013-06-24 18:51    262552    ----a-w-    c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-06-24 18:51 . 2013-06-24 18:51    770384    ----a-w-    c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2013-06-24 18:51 . 2013-06-24 18:51    421200    ----a-w-    c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2013-06-24 18:51 . 2013-06-24 18:51    96664    ----a-w-    c:\program files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-06-24 18:51 . 2013-06-24 18:51    26520    ----a-w-    c:\program files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-06-24 18:51 . 2013-06-24 18:51    170232    ----a-w-    c:\program files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2013-06-24 12:47 . 2013-06-24 12:53    --------    d-----w-    c:\programdata\HitmanPro
2013-06-21 14:59 . 2013-06-21 14:59    --------    d-----w-    c:\users\Owner\AppData\Roaming\Malwarebytes
2013-06-21 14:59 . 2013-06-21 14:59    --------    d-----w-    c:\programdata\Malwarebytes
2013-06-19 15:24 . 2013-06-20 15:45    --------    d-----w-    c:\users\Owner\AppData\Local\JavaSoft
2013-06-01 20:51 . 2013-06-01 20:51    --------    d-----w-    c:\users\Owner\AppData\Roaming\OverDrive
2013-06-01 17:34 . 2013-06-01 17:34    --------    d-----w-    c:\program files (x86)\OverDrive Media Console
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 19:02 . 2006-11-02 12:35    75825640    ----a-w-    c:\windows\system32\mrt.exe
2013-06-11 20:28 . 2012-10-24 13:27    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-11 20:28 . 2011-12-26 18:21    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-15 14:17 . 2013-05-18 11:52    901496    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 03:34 . 2013-05-18 11:52    47104    ----a-w-    c:\windows\system32\cdd.dll
2013-04-09 01:55 . 2013-05-18 11:52    2774016    ----a-w-    c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-28 18642024]
"JavaSoft"="c:\users\Owner\AppData\Local\JavaSoft\fyocltkn.dll" [2013-06-19 728576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2008-12-17 206064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files (x86)\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2007-6-22 1077248]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe /firstrun [2009-2-6 1312096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 06:38    34672    ----a-w-    c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-12-17 01:14    206064    ----a-w-    c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe;c:\windows\SYSNATIVE\AERTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-24 20:28]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6453760]
"Skytel"="Skytel.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2007-12-10 323584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DSUpdateLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat" [2009-02-17 361]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: vccs.edu\learn
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\px9ad0bu.default\
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - ExtSQL: 2013-05-26 15:11; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{048DBD20-445E8C82-05040104}]
"ImagePath"="\??\c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-06-25  12:58:24
ComboFix-quarantined-files.txt  2013-06-25 16:58
ComboFix2.txt  2013-06-25 12:03
.
Pre-Run: 445,799,473,152 bytes free
Post-Run: 445,733,507,072 bytes free
.
- - End Of File - - BE82F1B453B389DEE6D1978A19CDB964
5C616939100B85E558DA92B899A0FC36



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 25 June 2013 - 12:18 PM

Are you still facing the issue?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 CDMartinJr

CDMartinJr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 25 June 2013 - 12:53 PM

I appear to be clean now.  My CPU usage, which was running in the upper 50th percentile at times, has also dropped to its normal 1-4%.  May I ask if you could tell what was going on?


Edited by CDMartinJr, 25 June 2013 - 12:53 PM.


#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 25 June 2013 - 12:58 PM

Something hijacked your machine´s settings to redirect your search results.

 

 

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 CDMartinJr

CDMartinJr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 26 June 2013 - 08:38 AM

Marius,

 

Just one item found:

 

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe    a variant of Win32/HiddenStart.A application
 

 



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 26 June 2013 - 11:34 AM

That´s no malware.

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Scan with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 CDMartinJr

CDMartinJr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:42 AM

Posted 26 June 2013 - 11:57 AM

Here's the report:

 

# AdwCleaner v2.303 - Logfile created 06/26/2013 at 12:50:29
# Updated 08/06/2013 by Xplode
# Operating system : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\Owner\Desktop\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.19437

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\px9ad0bu.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2208 octets] - [26/06/2013 12:50:09]
AdwCleaner[S1].txt - [2171 octets] - [26/06/2013 12:50:29]

########## EOF - C:\AdwCleaner[S1].txt - [2231 octets] ##########
 

 

Also, do I still need to go back and delete the Win32 virus?






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users