
Browser hijacker - Google redirects to my-find.com - rootkit?


6 replies to this topic

#1 Poyzen

Poyzen
  • Members
  • 17 posts
  • Location:Cheshire, UK

Posted 17 March 2014 - 01:25 PM

Hi all,

 

At some point in the last couple of weeks, I've managed to let something in which is hijacking my search results in Internet Explorer.  I have Google set as my default search engine, but whilst the search works OK, when I click on any of the results, the link redirects to my-find.com and then some completely unrelated webpage.

 

It's only affecting IE; I can search and browse in Chrome with no problems, but I've noticed this evening that Windows Explorer also crashes if I right-click in it.  Might be unrelated, but I figured I need to do some housekeeping.

 

I've done some digging around, found some generic advice about searching my registry for TDSS entries but couldn't see anything.  I've run Spybot S&D, and my antivirus (AVG free) but they don't find any problems.  I've also run MalwareBytes Anti-Rootkit software and Kaspersky's TDSS killer, but they're not finding anything either.

 

All advice, suggestions or instructions gratefully received.

 

Thanks in advance.




#2 boopme

boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,489 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 March 2014 - 01:59 PM

Hello poyzen

Let's try this way...


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

 
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
    Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


  • Reboot to Safe Mode With Networking



    Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
  • >>>
    ADW Cleaner

    Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).

    >>>

    Download RogueKiller from one of the following links and save it to your desktop:
  • Link 1
  • Link 2
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
  • Copy and paste the report that opens into your next reply.
  • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
  • The highest number of [X], is the most recent Scan


Edited by boopme, 17 March 2014 - 02:00 PM.

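The checklist above (IE proxy settings, hosts file, Winsock catalog, DNS servers, autorun entries, Windows Defender state) is the kind of evidence MiniToolBox, Rkill and RogueKiller collect. As an added example, and not code from boopme, BleepingComputer or any of those tools, the PowerShell script below gathers the same evidence read-only and writes it to Triage.txt on the desktop so it can be pasted into a reply. It assumes Windows 7 or later with PowerShell 2.0+ and an elevated prompt; the Temp/AppData and loopback heuristics are my own choices, not the tools' detection logic.

```powershell
# Added example (not from the thread): read-only triage of the items boopme's
# checklist covers. Nothing here changes the system. Run from an elevated prompt.

$report = New-Object System.Collections.Generic.List[string]
function Add-Line([string]$text) { $script:report.Add($text) }

# 1. Internet Explorer proxy settings. A hijacker that routes traffic through
#    its own proxy or PAC file shows up as ProxyEnable=1, a ProxyServer, or an
#    AutoConfigURL the user never set.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
Add-Line '== IE proxy settings =='
Add-Line ("ProxyEnable   : {0}" -f $ie.ProxyEnable)
Add-Line ("ProxyServer   : {0}" -f $ie.ProxyServer)
Add-Line ("AutoConfigURL : {0}" -f $ie.AutoConfigURL)

# 2. Hosts file. Thousands of 127.0.0.1 / 0.0.0.0 lines are typical of a
#    blocklist (Spybot's immunisation writes them, which is what the 15,000+
#    entries in the thread's log are); entries that send a real site to any
#    other address are the ones that cause redirects. (Heuristic, my assumption.)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blocked = 0
$suspicious = @()
foreach ($line in Get-Content -Path $hostsPath) {
    $trim = $line.Trim()
    if ($trim -eq '' -or $trim.StartsWith('#')) { continue }
    $ip = ($trim -split '\s+')[0]
    if ($ip -eq '127.0.0.1' -or $ip -eq '0.0.0.0' -or $ip -eq '::1') { $blocked++ }
    else { $suspicious += $trim }
}
Add-Line '== Hosts file =='
Add-Line ("Loopback/blocklist entries: {0}" -f $blocked)
Add-Line ("Entries pointing elsewhere: {0}" -f $suspicious.Count)
$suspicious | ForEach-Object { Add-Line ("  {0}" -f $_) }

# 3. DNS servers in use. A resolver that is not the router (192.168.1.254 in
#    the thread's log) or the ISP's deserves a second look.
Add-Line '== DNS servers =='
Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled } |
    ForEach-Object { Add-Line ("{0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', ')) }

# 4. Winsock catalog. Providers loaded from outside the Windows folder (the log's
#    Bonjour mdnsNSP.dll is a known, benign one) are the ones to identify.
Add-Line '== Winsock providers outside the Windows folder =='
netsh winsock show catalog |
    Where-Object { $_ -match 'Provider Path' } |
    Where-Object { $_ -notmatch '(?i)%SystemRoot%|\\Windows\\' } |
    ForEach-Object { Add-Line ("  {0}" -f $_.Trim()) }

# 5. Run/RunOnce entries whose command lives in a Temp or AppData folder, the
#    pattern RogueKiller flags as [SUSP PATH] in the thread.
Add-Line '== Run entries launched from Temp/AppData =='
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        if ("$($p.Value)" -match '(?i)\\Temp\\|\\AppData\\|%TEMP%') {
            Add-Line ("  {0} : {1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}

# 6. Windows Defender kill switch, the value Rkill reported in the thread.
$def = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
Add-Line '== Windows Defender =='
Add-Line ("DisableAntiSpyware : {0}" -f $def.DisableAntiSpyware)

$report | Out-File -FilePath (Join-Path $env:USERPROFILE 'Desktop\Triage.txt') -Encoding ASCII
$report
```

The script only reads; it deliberately does not reset the proxy, rewrite the hosts file or delete Run entries, because a helper wants to see the raw state before anything is changed, and the cleanup tools in the checklist keep their own logs of what they remove.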

#3 Poyzen

Poyzen
  • Topic Starter
  • Members
  • 17 posts
  • Location:Cheshire, UK

Posted 17 March 2014 - 04:02 PM

Thanks for getting back to me so quickly!   :)

 

Here's the first from MiniToolbox.

 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by Purple Carrot (administrator) on 17-03-2014 at 20:41:43
Running from "C:\Users\Purple Carrot\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
 
There are 15472 more lines starting with "127.0.0.1"
 
========================= IP Configuration: ================================
 
Realtek PCIe GBE Family Controller = Local Area Connection (Connected)
Realtek PCIe GBE Family Controller = Local Area Connection 2 (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : PurpleCarrot-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home
 
Ethernet adapter Local Area Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller #2
   Physical Address. . . . . . . . . : 80-EE-73-2F-02-EC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 80-EE-73-2F-02-EB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1c0d:75ca:1d5a:5f2c%10(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.89(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 17 March 2014 17:39:49
   Lease Expires . . . . . . . . . . : 18 March 2014 17:56:05
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 243330675
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-F8-CF-31-80-EE-73-2F-02-EB
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{AFA41E57-A22E-4CD4-9224-7BBC23332292}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.home:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:56:3bbd:a959:3bfc(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::56:3bbd:a959:3bfc%14(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  BTBusinessHub.home
Address:  192.168.1.254
 
Name:    google.com
Addresses:  2a00:1450:4009:809::1001
 173.194.41.174
 173.194.41.163
 173.194.41.165
 173.194.41.168
 173.194.41.164
 173.194.41.166
 173.194.41.161
 173.194.41.160
 173.194.41.167
 173.194.41.162
 173.194.41.169
 
 
Pinging google.com [173.194.41.164] with 32 bytes of data:
Reply from 173.194.41.164: bytes=32 time=11ms TTL=52
Reply from 173.194.41.164: bytes=32 time=11ms TTL=52
 
Ping statistics for 173.194.41.164:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 11ms, Average = 11ms
Server:  BTBusinessHub.home
Address:  192.168.1.254
 
Name:    yahoo.com
Addresses:  98.139.183.24
 98.138.253.109
 206.190.36.45
 
 
Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=139ms TTL=44
Reply from 98.138.253.109: bytes=32 time=148ms TTL=44
 
Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 139ms, Maximum = 148ms, Average = 143ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 12...80 ee 73 2f 02 ec ......Realtek PCIe GBE Family Controller #2
 10...80 ee 73 2f 02 eb ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.89     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.89    266
     192.168.1.89  255.255.255.255         On-link      192.168.1.89    266
    192.168.1.255  255.255.255.255         On-link      192.168.1.89    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.89    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.89    266
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     58 2001::/32                On-link
 14    306 2001:0:9d38:6abd:56:3bbd:a959:3bfc/128
                                    On-link
 10    266 fe80::/64                On-link
 14    306 fe80::/64                On-link
 14    306 fe80::56:3bbd:a959:3bfc/128
                                    On-link
 10    266 fe80::1c0d:75ca:1d5a:5f2c/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    306 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (03/17/2014 08:40:53 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc015000f
Fault offset: 0x000000000006f7ba
Faulting process id: 0x868
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3
 
Error: (03/17/2014 08:40:50 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: SHELL32.dll, version: 6.1.7601.18222, time stamp: 0x51f1ddfa
Exception code: 0xc0000005
Fault offset: 0x000000000005055a
Faulting process id: 0x868
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3
 
Error: (03/17/2014 05:41:26 PM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
Error: (03/17/2014 05:28:50 PM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
Error: (03/17/2014 05:28:48 PM) (Source: System Restore) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.
 
Error: (03/17/2014 05:28:43 PM) (Source: NvStreamSvc) (User: )
Description: NvStreamSvcNvVAD initialization failed [6]
 
Error: (03/17/2014 05:28:43 PM) (Source: NvStreamSvc) (User: )
Description: NvStreamSvcFailed to set NvVAD endpoint as default Audio endpoint [0]
 
Error: (03/17/2014 05:28:43 PM) (Source: NvStreamSvc) (User: )
Description: NvStreamSvcNvVAD endpoint registration failed [0]
 
Error: (03/17/2014 04:47:18 PM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
Error: (03/17/2014 04:42:49 PM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
 
System errors:
=============
Error: (03/17/2014 05:41:20 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error: 
%%1053
 
Error: (03/17/2014 05:41:20 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.
 
Error: (03/17/2014 05:40:49 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Updating Service service failed to start due to the following error: 
%%1053
 
Error: (03/17/2014 05:40:49 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Updating Service service to connect.
 
Error: (03/17/2014 05:40:19 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error: 
%%1053
 
Error: (03/17/2014 05:40:19 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.
 
Error: (03/17/2014 05:39:33 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start.  The data contains the error code.
 
Error: (03/17/2014 05:39:32 PM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.
 
Error: (03/17/2014 05:28:36 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start.  The data contains the error code.
 
Error: (03/17/2014 05:28:35 PM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.
 
 
Microsoft Office Sessions:
=========================
Error: (03/17/2014 08:40:53 PM) (Source: Application Error)(User: )
Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c015000f000000000006f7ba86801cf4207e4aba618C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dll6e6c8344-ae14-11e3-a388-80ee732f02eb
 
Error: (03/17/2014 08:40:50 PM) (Source: Application Error)(User: )
Description: Explorer.EXE6.1.7601.175674d672ee4SHELL32.dll6.1.7601.1822251f1ddfac0000005000000000005055a86801cf4207e4aba618C:\Windows\Explorer.EXEC:\Windows\system32\SHELL32.dll6c65fd4c-ae14-11e3-a388-80ee732f02eb
 
Error: (03/17/2014 05:41:26 PM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
Error: (03/17/2014 05:28:50 PM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
Error: (03/17/2014 05:28:48 PM) (Source: System Restore)(User: )
Description: Scheduled Checkpoint0x80070005
 
Error: (03/17/2014 05:28:43 PM) (Source: NvStreamSvc)(User: )
Description: NvStreamSvcNvVAD initialization failed [6]
 
Error: (03/17/2014 05:28:43 PM) (Source: NvStreamSvc)(User: )
Description: NvStreamSvcFailed to set NvVAD endpoint as default Audio endpoint [0]
 
Error: (03/17/2014 05:28:43 PM) (Source: NvStreamSvc)(User: )
Description: NvStreamSvcNvVAD endpoint registration failed [0]
 
Error: (03/17/2014 04:47:18 PM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
Error: (03/17/2014 04:42:49 PM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
 
=========================== Installed Programs ============================
 
Adobe Flash Player 12 ActiveX (Version: 12.0.0.77)
Adobe Reader XI (11.0.06) (Version: 11.0.06)
Age of Empires III - Complete Collection
Air Video Server 2.4.6-beta3 (Version: 2.4.6-beta3)
Apple Application Support (Version: 3.0)
Apple Mobile Device Support (Version: 7.1.0.32)
Apple Software Update (Version: 2.1.3.127)
Asmedia ASM104x USB 3.0 Host Controller Driver (Version: 1.12.9.0)
Assassin's Creed ® III (Version: 1.01)
AVG 2013 (Version: 13.0.3462)
AVG 2013 (Version: 13.0.3722)
AVG 2013 (Version: 2013.0.3462)
Bonjour (Version: 3.0.0.10)
Broken Sword 5
calibre (Version: 0.9.31)
ConvertXtoDVD 4.1.19.365 (Version: 4.1.19.365)
Creeper World 3
DAEMON Tools Lite (Version: 4.47.1.0335)
Danse Macabre The Last Adagio Collectors 1.00 (Version: 1.00)
Dragon Age: Origins - Ultimate Edition
Dropbox (Version: 2.4.11)
Fintek USB Charger (Version: 1.00.0000)
GeForce Experience NvStream Client Components (Version: 1.6.28)
Google Chrome (Version: 33.0.1750.146)
Google Update Helper (Version: 1.3.22.5)
Intel® Management Engine Components (Version: 7.1.21.1134)
Intel® Rapid Storage Technology enterprise (Version: 3.0.0.1112)
iTunes (Version: 11.1.4.62)
Java 7 Update 51 (Version: 7.0.510)
Java Auto Updater (Version: 2.1.9.8)
KeePass Password Safe 2.22
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Mouse and Keyboard Center (Version: 2.1.177.0)
Microsoft Office Professional Plus 2013 - en-us (Version: 15.0.4535.1004)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Northern Tale 2 1.0 (Version: 1.0)
NVIDIA 3D Vision Controller Driver 320.49 (Version: 320.49)
NVIDIA 3D Vision Driver 320.49 (Version: 320.49)
NVIDIA Control Panel 320.49 (Version: 320.49)
NVIDIA GeForce Experience 1.8.2 (Version: 1.8.2)
NVIDIA Graphics Driver 320.49 (Version: 320.49)
NVIDIA HD Audio Driver 1.3.24.2 (Version: 1.3.24.2)
NVIDIA Install Application (Version: 2.1002.142.992)
NVIDIA LED Visualizer 1.0 (Version: 1.0)
NVIDIA Network Service (Version: 1.0)
NVIDIA PhysX (Version: 9.13.0604)
NVIDIA PhysX System Software 9.13.0604 (Version: 9.13.0604)
NVIDIA ShadowPlay 11.10.11 (Version: 11.10.11)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.13.2049)
NVIDIA Update 11.10.11 (Version: 11.10.11)
NVIDIA Update Core (Version: 11.10.11)
NVIDIA Virtual Audio 1.2.20 (Version: 1.2.20)
Office 15 Click-to-Run Extensibility Component (Version: 15.0.4535.1004)
Office 15 Click-to-Run Licensing Component (Version: 15.0.4535.1004)
Office 15 Click-to-Run Localization Component (Version: 15.0.4535.1004)
OpenAL
PeerBlock 1.1 (r518) (Version: 1.1.0.518)
PunkBuster Services (Version: 0.991)
RAIDar 4.3.4 (Version: 4.3.4)
Realtek Ethernet Controller Driver (Version: 7.48.823.2011)
Realtek Ethernet Diagnostic Utility (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.6482)
RIFT
SHIELD Streaming (Version: 1.7.306)
Sonos Controller (Version: 24.0.69180)
Spybot - Search & Destroy (Version: 2.2.25)
Steam (Version: 1.0.0.0)
Synology Assistant (remove only)
Tomb Raider
TwonkyMedia (Version: 4.4.4.0)
Unity Web Player (Version: )
Uplay (Version: 2.0)
USBKVM Switcher 2.12
Visual Studio 2010 x64 Redistributables (Version: 13.0.0.1)
VLC media player 2.0.6 (Version: 2.0.6)
Vuze (Version: 4.9.0.0)
Vuze (Version: 5.3.0.0)
WinRAR 4.00 (64-bit) (Version: 4.00.0)
 
========================= Memory info: ===================================
 
Percentage of memory in use: 19%
Total physical RAM: 16335.93 MB
Available physical RAM: 13183.56 MB
Total Pagefile: 32670.05 MB
Available Pagefile: 29375.26 MB
Total Virtual: 4095.88 MB
Available Virtual: 3971.96 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:232.79 GB) (Free:42.78 GB) NTFS
3 Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS
4 Drive f: (Big Bertha) (Fixed) (Total:1862.92 GB) (Free:1585.92 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\PURPLECARROT-PC
 
Administrator            Guest                    Purple Carrot            
Sonos                    
 
 
**** End of log ****


#4 Poyzen

Poyzen
  • Topic Starter
  • Members
  • 17 posts
  • Location:Cheshire, UK

Posted 17 March 2014 - 04:05 PM

This is from RKill:

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 03/17/2014 08:45:45 PM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.
 
 * HOSTS file entries found: 
 
  127.0.0.1 www.007guard.com
  127.0.0.1 007guard.com
  127.0.0.1 008i.com
  127.0.0.1 www.008k.com
  127.0.0.1 008k.com
  127.0.0.1 www.00hq.com
  127.0.0.1 00hq.com
  127.0.0.1 010402.com
  127.0.0.1 www.032439.com
  127.0.0.1 032439.com
  127.0.0.1 www.0scan.com
  127.0.0.1 0scan.com
  127.0.0.1 1000gratisproben.com
  127.0.0.1 www.1000gratisproben.com
  127.0.0.1 1001namen.com
  127.0.0.1 www.1001namen.com
  127.0.0.1 100888290cs.com
  127.0.0.1 www.100888290cs.com
  127.0.0.1 www.100sexlinks.com
  127.0.0.1 100sexlinks.com
 
  20 out of 15492 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 03/17/2014 08:45:55 PM
Execution time: 0 hours(s), 0 minute(s), and 10 seconds(s)

This is from ADWCleaner:

 

# AdwCleaner v3.022 - Report created 17/03/2014 at 20:52:38
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Purple Carrot - PURPLECARROT-PC
# Running from : C:\Users\Purple Carrot\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files (x86)\Vuze
Folder Deleted : C:\Users\Purple Carrot\AppData\Roaming\OpenCandy
File Deleted : C:\END
File Deleted : C:\Users\PURPLE~1\AppData\Local\Temp\Uninstall.exe
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKCU\Software\AVG Nation toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\AVG Nation toolbar
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16518
 
 
-\\ Google Chrome v33.0.1750.146
 
[ File : C:\Users\Purple Carrot\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1471 octets] - [17/03/2014 20:47:31]
AdwCleaner[S0].txt - [1260 octets] - [17/03/2014 20:52:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1320 octets] ##########

And this is from RogueKiller:

 

RogueKiller V8.8.11 [Mar 14 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Purple Carrot [Admin rights]
Mode : Scan -- Date : 03/17/2014 20:57:23
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_0913b (C:\Users\Purple Carrot\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid ac056fa194f747d3976551a735cbeb18-ad1491be2ce6c122f6b66faa90e70c2decf7d34c --CMPID 0913b [-][x][x][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1321165288-479343382-441872140-1000\[...]\Run : AVG-Secure-Search-Update_0913b (C:\Users\Purple Carrot\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid ac056fa194f747d3976551a735cbeb18-ad1491be2ce6c122f6b66faa90e70c2decf7d34c --CMPID 0913b [-][x][x][x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[EXT RUN][SUSP PATH] HKLM\Vicky_ON_F:\[...]\Run : Java Update (%TEMP%\javbin.exe [x]) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
-> F:\windows\system32\config\SYSTEM | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> F:\windows\system32\config\SOFTWARE | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> F:\windows\system32\config\SECURITY | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> F:\windows\system32\config\SAM | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> F:\windows\system32\config\DEFAULT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> F:\Users\Default\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> F:\Users\Vicky\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> F:\Documents and Settings\Default\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> F:\Documents and Settings\Purple Carrot\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) ATA WDC WD20EARX-00P SCSI Disk Device +++++
--- User ---
[MBR] e237b7973c6288558e7712ef70299f42
[BSP] 4311f869fad4cbb98dfca32ff2d86269 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x8] Not enough storage is available to process this command. )
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ SCSI) ATA Samsung SSD 840 SCSI Disk Device +++++
--- User ---
[MBR] 7fe480559df83041674c07b6baec0be5
[BSP] 1aa7e2a4ce1598affcf037022492e0ce : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 238373 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x8] Not enough storage is available to process this command. )
 
Finished : << RKreport[0]_S_03172014_205723.txt >>
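The security-relevant point in the RogueKiller report above is the [RUN] entries: an autorun that launches from AppData or %TEMP% is the kind of persistence a legitimate installer rarely uses, which is why the scanner tagged them SUSP PATH. The following Python is an added example, not code from the thread or from RogueKiller; it parses constructed lines in the same V8 report format and applies that heuristic, treating PUM entries separately because they are settings changes rather than executables.

```python
import re
# Constructed sample lines in RogueKiller's V8 report format (not the thread's own log);
# the last one is a benign autorun so the heuristic has a negative case.
SAMPLE_LINES = [
    r"[RUN][SUSP PATH] HKCU\[...]\Run : Updater (C:\Users\Alice\AppData\Roaming\Vendor Campaign\Updater.exe /PROMPT [-][x][x][x]) -> FOUND",
    r"[EXT RUN][SUSP PATH] HKLM\Vicky_ON_F:\[...]\Run : Java Update (%TEMP%\javbin.exe [x]) -> FOUND",
    r"[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND",
    r"[RUN] HKLM\[...]\Run : Vendor Tray (C:\Program Files\Vendor\tray.exe [7][x][x]) -> FOUND",
]

# One finding line: [TAG][TAG] hive\key : name (value) -> STATUS
LINE_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+"
    r"(?P<key>\S+)\s+:\s+"
    r"(?P<name>.+?)\s+\((?P<value>.*)\)\s+->\s+(?P<status>\w+)$"
)
USER_WRITABLE_MARKERS = ("\\appdata\\", "%appdata%", "%temp%", "\\temp\\")

def parse_line(line):
    """Split one RogueKiller finding line into its fields; None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["tags"] = re.findall(r"\[([^\]]+)\]", entry["tags"])
    return entry

def is_suspicious_path(value):
    """True when the launched program lives under AppData or a Temp directory."""
    return any(marker in value.lower() for marker in USER_WRITABLE_MARKERS)

def triage(lines):
    """Return the entries worth a human look, each with the reasons it was selected."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if "RUN" in entry["tags"] or "EXT RUN" in entry["tags"]:
            if is_suspicious_path(entry["value"]):
                reasons.append("autorun launched from a user-writable directory")
            if "SUSP PATH" in entry["tags"]:
                reasons.append("already tagged SUSP PATH by the scanner")
        if "PUM" in entry["tags"]:
            reasons.append("settings change, not an executable; confirm it is unwanted before deleting")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings
```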


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:11:16 AM

Posted 17 March 2014 - 04:27 PM

Hello and you're welcome.

Next
Reset IE to its defaults
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", this time click the Delete button.
  • Copy and paste the report that opens into your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
    • The highest number of [X] is the most recent Delete.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
How is it now?
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#6 Poyzen

Poyzen
  • Topic Starter

  • Members
  • 17 posts
  • Location:Cheshire, UK
  • Local time:03:16 PM

Posted 17 March 2014 - 06:45 PM

It's fixed. IE is now running a lot faster, and search results in Google actually go where they should go.

 

The Windows Explorer problem is still there, but I've realised that's related to a connectivity issue with my NAS; it's fine when I right-click anything other than my NAS folders. I'll sort that out tomorrow, as I've got a pretty good idea of what's wrong there.

 

Thank you SO much for your help, you've saved me a lot of teeth grinding and frustration.



#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:11:16 AM

Posted 17 March 2014 - 06:56 PM

You're welcome from all of Bleepingcomputer!!!



