
Linkbucks redirect/hi-jacker browser


12 replies to this topic

#1 Neske

  • Members
  • 6 posts

Posted 12 March 2014 - 07:49 AM

Been having problems with this for the past month or so; I haven't been paying much attention to it up until lately, when I just get so many redirects to the point of being overwhelmed and unable to even search the web.

I've tried many tutorials on removing this, and I've tried many malware/spyware scanner/removal programs, and nothing has worked; some have detected a couple of files, but none of those have been anything connected to the Linkbucks redirect.

 

I went to the last resort and flashed my BIOS, then installed a fresh Win7 on a completely formatted HDD, and that did not work.

 

I would like some help with this because I am growing desperate and thinking of buying a new HDD or even a motherboard.

 

Thanks in advance.

 

I apologize for posting in the wrong section.


Edited by Neske, 12 March 2014 - 07:53 AM.



#2 Jo*

  • Malware Response Team
  • 3,425 posts

Posted 12 March 2014 - 08:09 AM


Hello Neske,

My name is Jo and I will help you with your computer problems.



Please follow these guidelines:
  • Logs can take a while to research, so please be patient.
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


2. Download OTL to your desktop.
  • Double click on the icon to run it.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Neske

  • Topic Starter
  • Members
  • 6 posts

Posted 12 March 2014 - 11:35 AM

Security check log:

 Results of screen317's Security Check version 0.99.80 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

OTL.txt:

OTL logfile created on: 3/12/2014 5:29:37 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Neske\Desktop
 Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.42% Memory free
4.00 Gb Paging File | 3.29 Gb Available in Paging File | 82.43% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 88.47 Gb Free Space | 90.60% Space Free | Partition Type: NTFS
Drive E: | 4.22 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
 
Computer Name: NESKE-PC | User Name: Neske | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Neske\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (tsusbhub) -- C:\Windows\System32\drivers\tsusbhub.sys (Microsoft Corporation)
DRV - (Synth3dVsc) -- C:\Windows\System32\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV - (dmvsc) -- C:\Windows\System32\drivers\dmvsc.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (terminpt) -- C:\Windows\System32\drivers\terminpt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 80 0B 49 FD 0F 3E CF 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
 
 
 
O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{008E972D-4E62-482E-9B22-6D18D74AA713}: DhcpNameServer = 10.0.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/11/21 03:17:00 | 000,000,100 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/03/12 22:22:53 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2014/03/12 21:24:13 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2014/03/12 21:23:41 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2014/03/12 17:25:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Neske\Desktop\OTL.exe
[2014/03/12 13:52:44 | 000,231,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2014/03/12 13:34:04 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2014/03/12 13:34:04 | 000,000,000 | R--D | C] -- C:\Users\Neske\Searches
[2014/03/12 13:34:04 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2014/03/12 13:34:04 | 000,000,000 | -H-D | C] -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2014/03/12 13:33:57 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Roaming\Identities
[2014/03/12 13:33:55 | 000,000,000 | R--D | C] -- C:\Users\Neske\Contacts
[2014/03/12 13:33:49 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Local\VirtualStore
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\AppData\Local\Temporary Internet Files
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Templates
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Start Menu
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\SendTo
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Recent
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\PrintHood
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\NetHood
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Documents\My Videos
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Documents\My Pictures
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Documents\My Music
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\My Documents
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Local Settings
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\AppData\Local\History
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Cookies
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Application Data
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\AppData\Local\Application Data
[2014/03/12 13:33:44 | 000,000,000 | --SD | C] -- C:\Users\Neske\AppData\Roaming\Microsoft
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Videos
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Saved Games
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Pictures
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Music
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Links
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Favorites
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Downloads
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Documents
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Desktop
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2014/03/12 13:33:44 | 000,000,000 | -H-D | C] -- C:\Users\Neske\AppData
[2014/03/12 13:33:44 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Local\Temp
[2014/03/12 13:33:44 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Local\Microsoft
[2014/03/12 13:33:44 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Roaming\Media Center Programs
[2014/03/12 13:32:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2014/03/12 13:32:20 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2014/03/12 13:32:13 | 000,000,000 | -HSD | C] -- C:\Recovery
 
========== Files - Modified Within 30 Days ==========
 
[2014/03/12 21:28:07 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2014/03/12 21:27:10 | 000,116,385 | ---- | M] () -- C:\Windows\System32\license.rtf
[2014/03/12 17:25:34 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Neske\Desktop\OTL.exe
[2014/03/12 17:25:02 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/03/12 17:25:02 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/03/12 17:23:13 | 000,987,442 | ---- | M] () -- C:\Users\Neske\Desktop\SecurityCheck.exe
[2014/03/12 17:20:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/03/12 17:20:36 | 1609,474,048 | -HS- | M] () -- C:\hiberfil.sys
[2014/03/12 16:55:53 | 000,020,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/03/12 16:55:53 | 000,020,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/03/12 13:34:30 | 000,001,411 | ---- | M] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2014/03/12 13:32:47 | 000,409,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\systemcpl.dll
[2014/03/12 13:32:47 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\slwga.dll
 
========== Files Created - No Company Name ==========
 
[2014/03/12 21:26:53 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2014/03/12 21:26:44 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2014/03/12 21:23:41 | 1609,474,048 | -HS- | C] () -- C:\hiberfil.sys
[2014/03/12 17:22:37 | 000,987,442 | ---- | C] () -- C:\Users\Neske\Desktop\SecurityCheck.exe
[2014/03/12 13:34:30 | 000,001,411 | ---- | C] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2014/03/12 13:34:06 | 000,001,417 | ---- | C] () -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2014/03/12 13:33:45 | 000,000,290 | ---- | C] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2014/03/12 13:33:45 | 000,000,272 | ---- | C] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
 
========== ZeroAccess Check ==========
 
[2009/07/14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/11/20 22:29:11 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

 

Extras.txt:

OTL Extras logfile created on: 3/12/2014 5:29:37 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Neske\Desktop
 Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.42% Memory free
4.00 Gb Paging File | 3.29 Gb Available in Paging File | 82.43% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 88.47 Gb Free Space | 90.60% Space Free | Partition Type: NTFS
Drive E: | 4.22 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
 
Computer Name: NESKE-PC | User Name: Neske | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 3/12/2014 8:35:23 AM | Computer Name = Neske-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 3/12/2014 11:54:43 AM | Computer Name = Neske-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 3/12/2014 12:22:26 PM | Computer Name = Neske-PC | Source = WinMgmt | ID = 10
Description =
 
[ System Events ]
Error - 3/12/2014 11:52:58 AM | Computer Name = Neske-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 2:42:46 PM on ?3/?12/?2014 was unexpected.
 
 
< End of report >
 



#4 Jo*

  • Malware Response Team
  • 3,425 posts

Posted 12 March 2014 - 11:48 AM

Hello Neske,

Do you have no Anti-Virus installed?

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware

With some infections, you may see two messages boxes.

  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.

  • Click on the Scan button.
  • AdwCleaner will begin... be patient, as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

Cheers,
Jo


#5 Neske

  • Topic Starter
  • Members
  • 6 posts

Posted 12 March 2014 - 12:53 PM

No sir, I do not have any anti-virus software at this moment; I've installed this fresh copy of Win7 today and I have not installed anything on it so far except what you have told me to.

 

Malwarebytes Anti-Rootkit:

 

No malware was found.

 

 

Adwcleaner:

# AdwCleaner v3.021 - Report created 12/03/2014 at 18:49:15
# Updated 10/03/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : Neske - NESKE-PC
# Running from : C:\Users\Neske\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7601.17514

*************************

AdwCleaner[R0].txt - [493 octets] - [12/03/2014 18:49:15]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [552 octets] ##########

 

 



#6 Jo*

  • Malware Response Team
  • 3,425 posts

Posted 12 March 2014 - 01:17 PM

Hello Neske,

Do you get the "Linkbucks redirect/hi-jacker browser" on this new installation too?
Which browser is affected?

OTL log shows:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1

Is this a NameServer in a company network?
 

***

Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.




***

Run OTL again.
  • Double click on the OTL icon to run it.
  • Right click on the OTL icon and select Run As Administrator.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Don't check the boxes beside LOP Check and Purity Check this time.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window OTL.Txt.
  • Please copy (Edit->Select All, Edit->Copy) the content of the file and post it with your next reply.

***

How is the computer running now?




***


Cheers,
Jo


#7 Neske

  • Topic Starter
  • Members
  • 6 posts

Posted 12 March 2014 - 01:39 PM

I've flashed the BIOS and installed a fresh Windows 7, and it still pops up on this newly installed Windows.

Every browser is affected, but currently this windows 7 has nothing installed on it.

 

From what I understood of what the guys that installed my internet said, I am receiving an IP address from my modem directly, and that is pretty much what I understood.

It is not a company network.

 

 

 

The PC has always been running fine; it is the problem with these redirects which I just can't get rid of. They keep appearing no matter what I try to do.

 

 

 

JRT logs:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Ultimate x86
Ran by Neske on Wed 03/12/2014 at 19:26:25.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/12/2014 at 19:27:31.45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

OTL logs:

OTL logfile created on: 3/12/2014 7:28:56 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Neske\Desktop
 Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.61% Memory free
4.00 Gb Paging File | 3.36 Gb Available in Paging File | 84.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 87.91 Gb Free Space | 90.02% Space Free | Partition Type: NTFS
Drive E: | 4.22 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
 
Computer Name: NESKE-PC | User Name: Neske | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Neske\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (tsusbhub) -- C:\Windows\System32\drivers\tsusbhub.sys (Microsoft Corporation)
DRV - (Synth3dVsc) -- C:\Windows\System32\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV - (dmvsc) -- C:\Windows\System32\drivers\dmvsc.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (terminpt) -- C:\Windows\System32\drivers\terminpt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" =
http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache =
http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 80 0B 49 FD 0F 3E CF 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" =
http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
 
 
 
O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{008E972D-4E62-482E-9B22-6D18D74AA713}: DhcpNameServer = 10.0.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/11/21 03:17:00 | 000,000,100 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/03/12 22:22:53 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2014/03/12 21:24:13 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2014/03/12 21:23:41 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2014/03/12 19:26:23 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/03/12 19:25:11 | 001,037,734 | ---- | C] (Thisisu) -- C:\Users\Neske\Desktop\JRT.exe
[2014/03/12 18:49:03 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/03/12 18:42:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014/03/12 18:42:24 | 000,107,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\MBAMSwissArmy.sys
[2014/03/12 18:42:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014/03/12 18:41:07 | 000,075,480 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
[2014/03/12 18:41:06 | 000,000,000 | ---D | C] -- C:\Users\Neske\Desktop\mbar
[2014/03/12 18:40:40 | 012,589,848 | ---- | C] (Malwarebytes Corp.) -- C:\Users\Neske\Desktop\mbar-1.07.0.1009.exe
[2014/03/12 17:25:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Neske\Desktop\OTL.exe
[2014/03/12 13:52:44 | 000,231,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2014/03/12 13:34:04 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2014/03/12 13:34:04 | 000,000,000 | R--D | C] -- C:\Users\Neske\Searches
[2014/03/12 13:34:04 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2014/03/12 13:34:04 | 000,000,000 | -H-D | C] -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2014/03/12 13:33:57 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Roaming\Identities
[2014/03/12 13:33:55 | 000,000,000 | R--D | C] -- C:\Users\Neske\Contacts
[2014/03/12 13:33:49 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Local\VirtualStore
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\AppData\Local\Temporary Internet Files
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Templates
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Start Menu
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\SendTo
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Recent
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\PrintHood
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\NetHood
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Documents\My Videos
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Documents\My Pictures
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Documents\My Music
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\My Documents
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Local Settings
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\AppData\Local\History
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Cookies
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\Application Data
[2014/03/12 13:33:46 | 000,000,000 | -HSD | C] -- C:\Users\Neske\AppData\Local\Application Data
[2014/03/12 13:33:44 | 000,000,000 | --SD | C] -- C:\Users\Neske\AppData\Roaming\Microsoft
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Videos
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Saved Games
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Pictures
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Music
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Links
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Favorites
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Downloads
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Documents
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\Desktop
[2014/03/12 13:33:44 | 000,000,000 | R--D | C] -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2014/03/12 13:33:44 | 000,000,000 | -H-D | C] -- C:\Users\Neske\AppData
[2014/03/12 13:33:44 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Local\Temp
[2014/03/12 13:33:44 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Local\Microsoft
[2014/03/12 13:33:44 | 000,000,000 | ---D | C] -- C:\Users\Neske\AppData\Roaming\Media Center Programs
[2014/03/12 13:32:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2014/03/12 13:32:20 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2014/03/12 13:32:13 | 000,000,000 | -HSD | C] -- C:\Recovery
 
========== Files - Modified Within 30 Days ==========
 
[2014/03/12 21:28:07 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2014/03/12 21:27:10 | 000,116,385 | ---- | M] () -- C:\Windows\System32\license.rtf
[2014/03/12 19:25:16 | 001,037,734 | ---- | M] (Thisisu) -- C:\Users\Neske\Desktop\JRT.exe
[2014/03/12 18:48:40 | 001,949,184 | ---- | M] () -- C:\Users\Neske\Desktop\AdwCleaner.exe
[2014/03/12 18:42:24 | 000,107,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\MBAMSwissArmy.sys
[2014/03/12 18:41:07 | 000,075,480 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
[2014/03/12 18:40:48 | 012,589,848 | ---- | M] (Malwarebytes Corp.) -- C:\Users\Neske\Desktop\mbar-1.07.0.1009.exe
[2014/03/12 18:38:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/03/12 17:25:34 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Neske\Desktop\OTL.exe
[2014/03/12 17:25:02 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/03/12 17:25:02 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/03/12 17:23:13 | 000,987,442 | ---- | M] () -- C:\Users\Neske\Desktop\SecurityCheck.exe
[2014/03/12 17:20:36 | 1609,474,048 | -HS- | M] () -- C:\hiberfil.sys
[2014/03/12 16:55:53 | 000,020,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/03/12 16:55:53 | 000,020,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/03/12 13:34:30 | 000,001,411 | ---- | M] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2014/03/12 13:32:47 | 000,409,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\systemcpl.dll
[2014/03/12 13:32:47 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\slwga.dll
 
========== Files Created - No Company Name ==========
 
[2014/03/12 21:26:53 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2014/03/12 21:26:44 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2014/03/12 21:23:41 | 1609,474,048 | -HS- | C] () -- C:\hiberfil.sys
[2014/03/12 18:48:40 | 001,949,184 | ---- | C] () -- C:\Users\Neske\Desktop\AdwCleaner.exe
[2014/03/12 17:22:37 | 000,987,442 | ---- | C] () -- C:\Users\Neske\Desktop\SecurityCheck.exe
[2014/03/12 13:34:30 | 000,001,411 | ---- | C] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2014/03/12 13:34:06 | 000,001,417 | ---- | C] () -- C:\Users\Neske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2014/03/12 13:33:45 | 000,000,290 | ---- | C] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2014/03/12 13:33:45 | 000,000,272 | ---- | C] () -- C:\Users\Neske\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
 
========== ZeroAccess Check ==========
 
[2009/07/14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/11/20 22:29:11 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

 

 



#8 Jo*

Jo*

  • Malware Response Team
  • 3,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:55 AM

Posted 12 March 2014 - 02:04 PM

Hi,

turn off all computers,
then unplug the power cable from the router,
then unplug the power cable from the (cable) modem

.... leave it all OFF for about 5 minutes.

Then, with the computers still off,
plug the cable modem power cable back in.

... when all the lights come on:
then plug in the router,

when all the lights come back on:
then start all computers.

Now check if your problem still exists.
Post results here!

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 Neske

Neske
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:55 AM

Posted 12 March 2014 - 02:33 PM

The redirects have stopped. This could be short-lived, but I hope not.

More or less, is it possible that the redirects have come from one of the other PCs/laptops on the same network?



#10 Jo*

Jo*

  • Malware Response Team
  • 3,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:55 AM

Posted 12 March 2014 - 02:44 PM

Great news!

Redirects normally come from the same computer and/or from the router.
If another PC is behaving suspiciously, then please start a new topic.

On this PC, install your anti-virus at once, then run OTL again and post a new OTL log.


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
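The advice above points at the router as the usual second source of redirects: a compromised or misconfigured router hands out its own or an attacker-chosen DNS server via DHCP, and the client then resolves every name through it. The OTL report earlier in this thread records exactly that setting in its O17 lines (DhcpNameServer = 10.0.1.1). The following is an added example, not part of this thread or of OTL, that parses O17 lines and classifies each configured resolver as a LAN address (typically the router itself), a public address, or an entry on an allow-list you supply; the sample lines, the GUID and the 203.0.113.x addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed OTL-style lines for demonstration; GUID and 203.0.113.x are placeholders.
SAMPLE_OTL = (
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 10.0.1.1\n"
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters\\Interfaces\\"
    "{00000000-0000-0000-0000-000000000000}: DhcpNameServer = 10.0.1.1\n"
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 203.0.113.5,203.0.113.6\n"
    "O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\\Windows\\hosts\n"
)

# Matches OTL's "O17 - <registry key>: <setting> = <value>" layout.
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<name>\w+) = (?P<value>.+)$")

# Ranges a router or the machine itself legitimately occupies. A resolver here means
# "the router answers DNS"; it says nothing about which upstream the router forwards to,
# which is why the router's own configuration must be checked separately.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_o17(text):
    """Return (registry key, setting name, [servers]) for each O17 line."""
    entries = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[ ,;]+", m["value"].strip()) if s]
            entries.append((m["key"], m["name"], servers))
    return entries


def classify_resolver(addr):
    """'lan' for RFC1918/loopback/link-local, 'public' otherwise, 'invalid' if unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "lan" if any(ip in net for net in LAN_NETS) else "public"


def audit(text, expected=frozenset()):
    """Verdict per resolver: 'expected' if on the caller's allow-list, else by range."""
    findings = []
    for _key, setting, servers in parse_o17(text):
        for s in servers:
            verdict = "expected" if s in expected else classify_resolver(s)
            findings.append((setting, s, verdict))
    return findings


if __name__ == "__main__":
    for setting, server, verdict in audit(SAMPLE_OTL, expected={"203.0.113.5"}):
        print(f"{setting:15} {server:18} {verdict}")
```

A 'public' verdict for an address you did not configure and your ISP does not use is the finding to follow up on; a 'lan' verdict only moves the question to the router's own DNS settings.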


#11 Neske

Neske
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:55 AM

Posted 12 March 2014 - 04:00 PM

The redirects are completely gone, I am very thankful, sir. I tried turning off the router and resetting it to default myself, but that didn't help at all.

I will post the OTL log as soon as I can tomorrow.



#12 Jo*

Jo*

  • Malware Response Team
  • 3,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:55 AM

Posted 14 March 2014 - 10:18 AM

Hi,

 

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

 

Note: Threads will be closed if no response after 3 days.


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#13 Jo*

Jo*

  • Malware Response Team
  • 3,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:55 AM

Posted 16 March 2014 - 03:24 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.




