Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MBAM keeps finding DefaultSearch after removing it


  • This topic is locked This topic is locked
10 replies to this topic

#1 sammykady

sammykady

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 14 August 2014 - 12:05 PM

I've removed DefaultSearch program multiple times, but it keeps coming back. Also, each time I startup the computer for the last two weeks, I am getting one or more net.exe command shells running. I've read the posting instructions and tried to follow them.

 

I'm pasting the results of dds.  Thanks so much for your help!

 

********

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 1.6.0_71
Run by ****** at 12:00:23 on 2014-08-14
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8052.5653 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\PROGRA~2\PHAROS~1\Core\CTskMstr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Boxcryptor\Boxcryptor.exe
C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Client\ssh-broker-gui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Broker\ssh-broker-g3.exe
C:\Program Files\CCleaner\CCleaner64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\SymCorpUI.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\SmcGui.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\SavUI.exe
C:\Users\Amanda\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe,
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
BHO: Symantec Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\IPS\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_71\bin\ssv.dll
BHO: Adobe Acrobat Create PDF Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\urlredir.dll
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\grooveex.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.6.0_71\bin\jp2ssv.dll
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
uRun: [Boxcryptor.exe] "C:\Program Files (x86)\Boxcryptor\Boxcryptor.exe"
uRun: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
uRun: [Fitbit Connect] "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
mRun: [Fitbit Connect] "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
StartupFolder: C:\Users\Amanda\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Amanda\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupPrinters.bat
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TECTIA~1.LNK - C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Client\ssh-broker-gui.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\onbttnie.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_71-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_71-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_71-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{13C16A3E-A563-44FE-BD3E-51CFF8088D17} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{13C16A3E-A563-44FE-BD3E-51CFF8088D17}\348627963747F607865627027556962757072E08993702960586F6E656 : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{13C16A3E-A563-44FE-BD3E-51CFF8088D17}\34D455D2355434552554 : DHCPNameServer = 128.2.1.10 128.2.1.11
TCP: Interfaces\{13C16A3E-A563-44FE-BD3E-51CFF8088D17}\34D455D27455543545 : DHCPNameServer = 128.2.1.10 128.2.1.11
TCP: Interfaces\{13C16A3E-A563-44FE-BD3E-51CFF8088D17}\74F6F676C6560235471627265736B637 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{13C16A3E-A563-44FE-BD3E-51CFF8088D17}\A4D4D43524 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{CCA01395-BA67-4513-9452-BD9013BC52B6} : DHCPNameServer = 192.168.1.1
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\msosb.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SSODL: EldosMountNotificator-cbfs4 - {E2E5F978-5620-4837-9B1D-D3E1AA529065} - C:\Windows\SysWOW64\cbfsMntNtf4.dll
STS: Virtual Storage Mount Notification - {E2E5F978-5620-4837-9B1D-D3E1AA529065} - C:\Windows\SysWOW64\cbfsMntNtf4.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\ochelper.dll
x64-BHO: Adobe Acrobat Create PDF Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\urlredir.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\grooveex.dll
x64-BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll
x64-TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\onbttnie.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\ochelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-SSODL: EldosMountNotificator-cbfs4 - {E2E5F978-5620-4837-9B1D-D3E1AA529065} - C:\Windows\System32\cbfsMntNtf4.dll
x64-STS: Virtual Storage Mount Notification - {E2E5F978-5620-4837-9B1D-D3E1AA529065} - C:\Windows\System32\cbfsMntNtf4.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\SymDS64.sys [2013-5-25 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\SymEFA64.sys [2013-5-25 1139800]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20140801.011\BHDrvx64.sys [2014-8-11 1530160]
R1 cbfs4;cbfs4;C:\Windows\System32\drivers\cbfs4.sys [2014-4-4 387776]
R1 ccSettings_{E1A40A89-2B89-44FA-9E96-395B7D7F03AC};Symantec Endpoint Protection 12.1.3001.165.105 Settings Manager;C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\ccSetx64.sys [2013-5-25 169048]
R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\IPSDefs\20140811.011\IDSviA64.sys [2014-8-12 525016]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\Ironx64.sys [2013-5-25 224416]
R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\symnets.sys [2013-5-25 433752]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2014-4-4 2356912]
R2 Fitbit Connect;Fitbit Connect Service;C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [2014-5-19 1436192]
R2 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2009-10-26 61952]
R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe [2013-5-25 144368]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2013-7-19 557968]
R3 e1kexpress;Intel® Network Connections Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2013-11-13 497424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-6-11 142128]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2014-4-3 158976]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2009-9-15 6952960]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
R3 vpnpbus;EldoS PnP Virtual Bus driver;C:\Windows\System32\drivers\vpnpbus.sys [2014-4-4 18624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 acsock;acsock;C:\Windows\System32\drivers\acsock64.sys [2013-7-19 112080]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 FlexNet Licensing Service 64;FlexNet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2014-4-26 1471792]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-7-9 111616]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2014-3-2 178760]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-5-2 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-5-2 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-5-2 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2013-3-18 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-4-3 1255736]
S4 IDFEndpointService;Identity Finder Endpoint Service;C:\Program Files (x86)\Identity Finder 5\idfEndpoint.exe [2011-8-1 9098240]
S4 SAS Document Conversion Server;SAS Document Conversion Server;C:\Program Files\SASHome\SASTextAnalyticsDocumentConversion\12.3\_tgwinsvc_wrapper.exe [2013-3-25 19968]
.
=============== Created Last 30 ================
.
2014-08-12 17:05:30 -------- d-----w- C:\Users\Amanda\AppData\Local\Toggl
2014-08-12 15:57:41 -------- d-----w- C:\Users\Amanda\AppData\Roaming\Kopsik
2014-08-12 15:57:28 -------- d-----w- C:\Program Files (x86)\Toggl
2014-08-06 23:30:36 -------- d-----w- C:\Windows\pss
2014-08-06 23:20:30 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-07-22 02:19:47 -------- d-----w- C:\Users\Amanda\New Folder
.
==================== Find3M  ====================
.
2014-07-17 13:43:21 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-17 13:43:21 699056 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-06-30 02:09:33 519168 ----a-w- C:\Windows\System32\aepdu.dll
2014-06-30 02:04:49 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-06-27 18:50:42 464160 ----a-w- C:\Windows\System32\plsapp64.dll
2014-06-19 01:06:55 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-06-19 01:06:24 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-06-19 00:42:57 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-06-19 00:42:49 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-06-19 00:41:52 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-06-19 00:41:16 83968 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-06-19 00:24:30 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-06-19 00:24:12 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-06-19 00:23:53 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-06-19 00:14:28 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-06-18 23:59:04 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-06-18 23:56:37 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-06-18 23:51:38 5721088 ----a-w- C:\Windows\System32\jscript9.dll
2014-06-18 23:38:40 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-06-18 23:37:23 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-06-18 23:36:35 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-06-18 23:35:55 62464 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-06-18 23:27:45 1249280 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-06-18 23:27:07 2040832 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-06-18 23:23:27 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-06-18 23:22:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-06-18 23:06:10 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-06-18 22:58:27 2266112 ----a-w- C:\Windows\System32\wininet.dll
2014-06-18 22:52:18 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-06-18 22:46:23 1068032 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-06-18 22:45:59 1964544 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-06-18 22:13:59 1791488 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-06-18 02:18:30 692736 ----a-w- C:\Windows\System32\osk.exe
2014-06-18 01:51:32 646144 ----a-w- C:\Windows\SysWow64\osk.exe
2014-06-18 01:10:36 3157504 ----a-w- C:\Windows\System32\win32k.sys
2014-06-06 10:10:34 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-06-06 09:44:17 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-06-05 14:45:15 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-06-05 14:26:58 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-06-05 14:25:49 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-05-30 08:08:52 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-05-30 08:08:49 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-05-30 08:08:47 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-05-30 08:08:41 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-05-30 08:08:41 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2014-05-30 08:08:36 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-05-30 08:08:31 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-05-30 07:52:51 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2014-05-30 07:52:49 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2014-05-30 07:52:45 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2014-05-30 07:52:41 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2014-05-30 07:52:40 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2014-05-30 07:52:36 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-05-30 07:52:30 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2014-05-30 06:45:52 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 12:00:32.38 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 19 August 2014 - 04:27 AM

Hi sammykady,

Welcome to the BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum. :welcome:
My name is Mako and I will be helping you with your computer problems.

Before we begin, please note the following:

  • Please stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • The instructions given are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • If you don't understand something don't hesitate to ask before running the tools.
  • As you may have noticed: I live in Belgium. Meaning that due to the time difference it can take some time before I'm able to get back to you. Please allow me 24h to reply to your topic before sending me a PM or giving this topic a bump.

Now let's get started...

:step1: ====Removing the Search Protect program==== 

 

Go to Start > Control Panel > Software and delete the following programs (if present):

 

  • Search Protect

 

 

:step2: ======Zoek.exe======

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Download 51a612a8b27e2-Zoek.pngzoek.exe to your desktop

  • If Internet Explorer, any other browser, or a security program issues a warning indicating the file is unsafe, please ignore, since it is a false warning.

Using Zoek.exe

  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    filesrcm;
    startupall;
    chromelook;
    firefoxlook;
    skipfix-iedefaults;
    uninstall-list;
    emptyfolderscheck;delete
    emptyclsid;
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#3 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 21 August 2014 - 04:23 PM

Hello sammykady,

 

I haven't heard from you since you've opened this thread at BleepingComputer's.

Please reply within the next 48h, otherwise this thread will be closed.

 

Respectfully,

Mako


Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#4 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 23 August 2014 - 04:15 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#5 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 10 September 2014 - 04:39 AM

Hello sammykady,

 

I've re-opened this topic on your request by PM.

Could you please attach the Zoek.exe log file with the instructions present in post #2.

 

Kind regards,

Mako 


Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#6 sammykady

sammykady
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 10 September 2014 - 08:12 AM

Hi, Mako, I'm not going to install zoek. It's a virus! Clearly you're not trying to help me.


Edited by sammykady, 10 September 2014 - 08:14 AM.


#7 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 10 September 2014 - 08:25 AM

Hello sammykady,

 

Zoek.exe is a totally harmless tool but is often considered by anti-virus programs as malicious because it's had no program certificate. The same can be said for a lot of other tools we malware fighters use since the tools are frequently made by one person.

This is exactly why our instructions mention to disable all your protection software. Otherwise they could be blocking the tools functionality.

 

 

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe

>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Download 51a612a8b27e2-Zoek.pngzoek.exe to your desktop

  • If Internet Explorer, any other browser, or a security program issues a warning indicating the file is unsafe, please ignore, since it is a false warning.

 

Bleeping Computer is a very trustworthy website and its helpers mean definitely no harm to you. We would never instruct you to use doubtful tools on your computer.

Feel free to take a look in other topics here at Bleeping Computer's or on other forums. You will see the usage of Zoek.exe quite often :wink: .


Edited by Mako, 10 September 2014 - 08:26 AM.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#8 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 12 September 2014 - 10:05 AM

Hi,

 

Unfortunately I'll need a little bit more feedback from you.

Are you willing to continue this operation? Are you having problems executing the instructions?

 

Please respond within the next 12h, otherwise this thread will be closed again.


Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#9 sammykady

sammykady
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 12 September 2014 - 06:53 PM

Hi, Mako, I'd prefer not to install zoek. If that's required, I don't want to pursue this process. Thanks for your time, Sam

#10 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 21 September 2014 - 11:25 AM

Hello sammykady,
 
First off: my apologies for this late reply. I was on a holiday and forgot to pass this thread to one of my colleagues.  :oopsign:
It's your choice which tools you want to use and which you don't. But like I've said before: other tools may give you the same security warning as the one from Zoek.exe. All tools are definitely safe to use but because they are lacking a security certificate some AV software flags them.
 
Should you still need/want help with your machine, please download the following tool:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

Once again: I'm sorry for this late reply.

Respectfully,
Mako


Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#11 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 29 September 2014 - 11:43 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users