BrowseForTheCause removal


8 replies to this topic

#1 Ayleth
Posted 19 September 2014 - 04:55 PM

Somehow, this computer has contracted BrowseForTheCause. I cannot uninstall it.

 

Problems:

- Insane browser redirection, as well as pop-ups with seemingly never-ending "are you sure you want to close this tab? plz don't we'll give u muneez n shtuff" styled pop-ups upon attempting to close the tab.

- Occasional temporary pop-up when a link for something that can be purchased is hovered over, suggesting similar items it can find during a search.

 

Steps I have tried:

- plain old uninstalling

- the tutorial here http://www.malwareexperts.com/how-to-remove-browse-for-the-cause-virus/

- Microsoft Security Essentials full scan

- Malwarebytes

- CCleaner

 

As of the most recent boot-up of this computer, I have also been having issues with tabs in Internet Explorer. (The person who owns this computer only wants to use IE, so that's what I'm stuck using atm.)

If I right-click and click Open in new tab, a new tab opens with the URL typed in, but nothing loads; it just remains a blank tab. Currently the only way I seem to be able to navigate using IE is to directly click on links, as typing in URLs doesn't seem to be working either.

 

Here is my DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17280
Run by McIntyre at 16:38:27 on 2014-09-19
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2022.854 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
mStart Page = www.google.com
EB: F12 Developer Tools: {28BCCB9A-E66B-463C-82A4-09F320DE94D7} - c:\program files\internet explorer\F12Tools.dll
uRun: [uTorrent] "c:\users\mcintyre\appdata\roaming\utorrent\uTorrent.exe"  /MINIMIZED
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tp-lin~1.lnk - c:\program files\tp-link\tp-link wireless configuration utility\TWCU.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 97.64.168.12 97.64.183.165
TCP: Interfaces\{64E5D0D7-9717-40DF-A78C-16A2AF184551} : NameServer = 76.73.6.108,50.7.75.28
TCP: Interfaces\{64E5D0D7-9717-40DF-A78C-16A2AF184551} : DHCPNameServer = 97.64.168.12 97.64.183.165
TCP: Interfaces\{8C958961-9D65-4A47-9CBF-C9F72DC60D5E} : NameServer = 76.73.6.108,50.7.75.28
TCP: Interfaces\{8C958961-9D65-4A47-9CBF-C9F72DC60D5E} : DHCPNameServer = 97.64.168.12 97.64.183.165
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 netfilter;netfilter;c:\windows\system32\drivers\netfilter.sys [2014-7-31 31744]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2013-8-28 1570816]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-9-9 108032]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-7-11 14848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-7-11 49664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-7-11 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2014-09-19 21:21:33	8806800	----a-w-	c:\programdata\microsoft\microsoft antimalware\definition updates\{810dedfc-b352-40d9-8711-ea3c72b6cab3}\mpengine.dll
2014-09-19 21:09:49	--------	d-----w-	C:\$RECYCLE.BIN
2014-09-19 20:59:03	98816	----a-w-	c:\windows\sed.exe
2014-09-19 20:59:03	256000	----a-w-	c:\windows\PEV.exe
2014-09-19 20:59:03	208896	----a-w-	c:\windows\MBR.exe
2014-09-12 02:54:43	736952	----a-w-	c:\programdata\microsoft\ehome\packages\sportsv2\sportstemplatecore-2\Microsoft.MediaCenter.Sports.UI.dll
2014-09-12 02:11:32	--------	d-----w-	c:\program files\iPod
2014-09-12 02:11:31	--------	d-----w-	c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-09-12 02:11:31	--------	d-----w-	c:\program files\iTunes
2014-09-10 03:46:28	2285056	----a-w-	c:\windows\system32\msmpeg2vdec.dll
2014-09-10 03:33:45	550912	----a-w-	c:\windows\system32\kerberos.dll
2014-09-10 03:33:45	1059840	----a-w-	c:\windows\system32\lsasrv.dll
2014-09-10 03:33:19	1987584	----a-w-	c:\windows\system32\d3d10warp.dll
2014-09-10 03:33:18	793600	----a-w-	c:\windows\system32\TSWorkspace.dll
2014-09-10 03:33:09	445952	----a-w-	c:\windows\system32\aepdu.dll
2014-09-10 03:33:08	302592	----a-w-	c:\windows\system32\aeinv.dll
2014-08-29 04:45:57	--------	d-----w-	c:\program files\005
2014-08-28 01:51:23	2352640	----a-w-	c:\windows\system32\win32k.sys
2014-08-28 01:51:22	305152	----a-w-	c:\windows\system32\gdi32.dll
2014-08-21 13:26:42	2425856	----a-w-	c:\windows\system32\wucltux.dll
2014-08-21 13:26:11	92672	----a-w-	c:\windows\system32\wudriver.dll
2014-08-21 13:25:57	33792	----a-w-	c:\windows\system32\wuapp.exe
2014-08-21 13:25:57	179656	----a-w-	c:\windows\system32\wuwebv.dll
.
==================== Find3M  ====================
.
2014-09-16 23:05:04	110296	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-18 22:08:55	4232704	----a-w-	c:\windows\system32\jscript9.dll
2014-08-18 21:57:44	2724864	----a-w-	c:\windows\system32\mshtml.tlb
2014-08-18 21:57:30	4096	----a-w-	c:\windows\system32\ieetwcollectorres.dll
2014-08-18 21:46:26	454656	----a-w-	c:\windows\system32\vbscript.dll
2014-08-18 21:45:23	61952	----a-w-	c:\windows\system32\iesetup.dll
2014-08-18 21:44:44	51200	----a-w-	c:\windows\system32\ieetwproxystub.dll
2014-08-18 21:44:09	61952	----a-w-	c:\windows\system32\MshtmlDac.dll
2014-08-18 21:36:07	112128	----a-w-	c:\windows\system32\ieUnatt.exe
2014-08-18 21:36:05	108032	----a-w-	c:\windows\system32\ieetwcollector.exe
2014-08-18 21:35:24	597504	----a-w-	c:\windows\system32\jscript9diag.dll
2014-08-18 21:30:29	646144	----a-w-	c:\windows\system32\MsSpellCheckingFacility.exe
2014-08-18 21:22:48	60416	----a-w-	c:\windows\system32\JavaScriptCollectionAgent.dll
2014-08-18 21:08:54	2014208	----a-w-	c:\windows\system32\inetcpl.cpl
2014-08-18 21:07:44	1068032	----a-w-	c:\windows\system32\mshtmlmedia.dll
2014-08-18 20:46:48	1812992	----a-w-	c:\windows\system32\wininet.dll
2014-07-31 20:20:42	31744	----a-w-	c:\windows\system32\drivers\netfilter.sys
2014-07-25 07:35:46	875688	----a-w-	c:\windows\system32\msvcr120_clr0400.dll
2014-07-16 02:46:02	2048	----a-w-	c:\windows\system32\tzres.dll
2014-07-14 01:42:02	654336	----a-w-	c:\windows\system32\rpcrt4.dll
2014-07-09 01:29:32	6144	----a-w-	c:\windows\system32\KBDYAK.DLL
2014-07-09 01:29:31	6144	----a-w-	c:\windows\system32\KBDBASH.DLL
2014-06-30 22:14:53	8856	----a-w-	c:\windows\system32\icardres.dll
.
============= FINISH: 16:39:01.16 ===============

Attach.txt is... well... attached.

 

#2 Ayleth (Topic Starter)

Posted 23 September 2014 - 07:44 AM

bump



#3 nasdaq (Malware Response Team)
Posted 24 September 2014 - 07:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#4 Ayleth (Topic Starter)

Posted 24 September 2014 - 04:17 PM

AdwCleaner log file:

# AdwCleaner v3.310 - Report created 24/09/2014 at 15:59:42
# Updated 12/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : McIntyre - GATEWAY
# Running from : C:\Users\McIntyre\Desktop\BFTC Removal\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : netfilter

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\McIntyre\AppData\Roaming\EZDownloader
File Deleted : C:\END
File Deleted : C:\Windows\system32\drivers\netfilter.sys
File Deleted : C:\Users\McIntyre\AppData\Roaming\LiveSupport.exe_log.txt
File Deleted : C:\Users\McIntyre\AppData\Roaming\regsvr32.exe_log.txt

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4C4F1F4-3074-4CB6-9FB8-0A64273166F0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ABE0FED-50E7-4E42-A125-57C0A11DBCDE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EC2BAE47-25AF-4CE9-9E78-10627A49C9EA}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280


*************************

AdwCleaner[R0].txt - [2621 octets] - [24/09/2014 15:52:12]
AdwCleaner[S0].txt - [2590 octets] - [24/09/2014 15:59:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2650 octets] ##########

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-09-2014
Ran by McIntyre (administrator) on GATEWAY on 24-09-2014 16:07:16
Running from C:\Users\McIntyre\Desktop\BFTC Removal
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(BitTorrent Inc.) C:\Users\McIntyre\AppData\Roaming\uTorrent\uTorrent.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKU\S-1-5-21-17713659-1750187351-235186097-1000\...\Run: [uTorrent] => C:\Users\McIntyre\AppData\Roaming\uTorrent\uTorrent.exe [1416016 2014-09-24] (BitTorrent Inc.)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-07-11] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk
ShortcutTarget: TP-LINK Wireless Configuration Utility.lnk -> C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKCU - DefaultScope {C55FFBD8-2423-4A21-86A7-4B6540271E8F} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {C55FFBD8-2423-4A21-86A7-4B6540271E8F} URL = https://www.google.com/search?q={searchTerms}
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 97.64.168.12 97.64.183.165
Tcpip\..\Interfaces\{64E5D0D7-9717-40DF-A78C-16A2AF184551}: [NameServer] 76.73.6.108,50.7.75.28
Tcpip\..\Interfaces\{8C958961-9D65-4A47-9CBF-C9F72DC60D5E}: [NameServer] 76.73.6.108,50.7.75.28

FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome: 
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 athur; C:\Windows\System32\DRIVERS\athur.sys [1570816 2013-06-02] (Atheros Communications, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2012-12-13] (Apple, Inc.) [File not signed]
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 BCMH43XX; system32\DRIVERS\bcmwlhigh6.sys [X]
S3 catchme; \??\C:\Users\McIntyre\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-24 16:07 - 2014-09-24 16:07 - 00000000 ____D () C:\FRST
2014-09-24 15:51 - 2014-09-24 15:51 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-09-24 15:46 - 2014-09-24 15:59 - 00000000 ____D () C:\AdwCleaner
2014-09-19 16:39 - 2014-09-24 16:07 - 00000000 ____D () C:\Users\McIntyre\Desktop\BFTC Removal
2014-09-19 16:38 - 2014-09-19 16:38 - 00688992 ____R (Swearware) C:\Users\McIntyre\Downloads\dds.com
2014-09-19 16:14 - 2014-09-19 16:14 - 00009639 _____ () C:\ComboFix.txt
2014-09-19 15:59 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-09-19 15:59 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-09-19 15:59 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-09-19 15:59 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-09-19 15:59 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-09-19 15:59 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-09-19 15:59 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-09-19 15:59 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-09-19 15:56 - 2014-09-19 16:14 - 00000000 ____D () C:\Qoobox
2014-09-19 15:56 - 2014-09-19 16:12 - 00000000 ____D () C:\Windows\erdnt
2014-09-16 19:45 - 2014-09-24 16:01 - 00001200 _____ () C:\Windows\PFRO.log
2014-09-16 19:45 - 2014-09-24 16:01 - 00000280 _____ () C:\Windows\setupact.log
2014-09-16 19:45 - 2014-09-16 19:45 - 00000000 _____ () C:\Windows\setuperr.log
2014-09-16 17:40 - 2014-09-16 17:40 - 00001056 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-11 21:12 - 2014-09-11 21:12 - 00001753 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-09-11 21:12 - 2014-09-11 21:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-09-11 21:11 - 2014-09-11 21:12 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-09-11 21:11 - 2014-09-11 21:12 - 00000000 ____D () C:\Program Files\iTunes
2014-09-11 21:11 - 2014-09-11 21:11 - 00000000 ____D () C:\Program Files\iPod
2014-09-09 22:47 - 2014-08-19 12:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-09 22:47 - 2014-08-18 17:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-09 22:47 - 2014-08-18 17:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-09 22:47 - 2014-08-18 16:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-09 22:47 - 2014-08-18 16:57 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-09 22:47 - 2014-08-18 16:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-09 22:47 - 2014-08-18 16:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-09 22:47 - 2014-08-18 16:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-09 22:47 - 2014-08-18 16:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-09 22:47 - 2014-08-18 16:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-09 22:47 - 2014-08-18 16:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-09 22:47 - 2014-08-18 16:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-09 22:47 - 2014-08-18 16:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-09 22:47 - 2014-08-18 16:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-09 22:47 - 2014-08-18 16:36 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-09 22:47 - 2014-08-18 16:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-09 22:47 - 2014-08-18 16:30 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-09 22:47 - 2014-08-18 16:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-09 22:47 - 2014-08-18 16:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-09 22:47 - 2014-08-18 16:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-09 22:47 - 2014-08-18 16:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-09 22:47 - 2014-08-18 16:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-09 22:47 - 2014-08-18 16:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-09 22:47 - 2014-08-18 16:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-09 22:47 - 2014-08-18 16:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-09 22:47 - 2014-08-18 16:08 - 00673792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-09 22:47 - 2014-08-18 16:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-09 22:47 - 2014-08-18 15:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-09 22:47 - 2014-08-18 15:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-09 22:47 - 2014-08-18 15:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-09 22:46 - 2014-06-26 20:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-09-09 22:33 - 2014-09-04 20:52 - 00445952 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-09-09 22:33 - 2014-09-04 20:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-09-09 22:33 - 2014-08-01 06:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-09-09 22:33 - 2014-07-06 20:40 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-09 22:33 - 2014-07-06 20:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-09 22:33 - 2014-06-23 21:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-08-31 01:21 - 2014-08-31 01:21 - 00000000 ____D () C:\Users\McIntyre\Downloads\Blacksmith
2014-08-28 23:50 - 2014-09-16 18:04 - 00005337 _____ () C:\Windows\system32\application.log
2014-08-28 23:49 - 2014-08-31 11:02 - 00000000 ____D () C:\Users\McIntyre\Downloads\Middle Ages Reference Library
2014-08-28 23:48 - 2014-08-28 23:48 - 00000000 __RSH () C:\MSDOS.SYS
2014-08-28 23:48 - 2014-08-28 23:48 - 00000000 __RSH () C:\IO.SYS
2014-08-28 23:45 - 2014-09-16 17:32 - 00000000 ____D () C:\Program Files\005
2014-08-27 20:51 - 2014-08-22 20:46 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-27 20:51 - 2014-08-22 19:42 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-24 16:07 - 2014-09-24 16:07 - 00000000 ____D () C:\FRST
2014-09-24 16:07 - 2014-09-19 16:39 - 00000000 ____D () C:\Users\McIntyre\Desktop\BFTC Removal
2014-09-24 16:07 - 2013-09-05 03:42 - 00000000 ____D () C:\Users\McIntyre\AppData\Roaming\uTorrent
2014-09-24 16:06 - 2013-07-11 13:45 - 01681369 _____ () C:\Windows\WindowsUpdate.log
2014-09-24 16:01 - 2014-09-16 19:45 - 00001200 _____ () C:\Windows\PFRO.log
2014-09-24 16:01 - 2014-09-16 19:45 - 00000280 _____ () C:\Windows\setupact.log

Some content of TEMP:
====================
C:\Users\McIntyre\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-09-19 17:34

==================== End Of Log ============================

There does not seem to be a change in the computer's performance thus far.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:52 AM

Posted 25 September 2014 - 08:01 AM

Your logs are clean.

Try this.

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

If that fails to remove the Redirects try this.
...

Since only Internet Explorer is used, check this.

Menu > Tools > Internet Options > General Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is it now?

#6 Ayleth

Ayleth
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 25 September 2014 - 04:56 PM

After resetting Internet Explorer the problems seem to be fixed, although the computer is still reporting that Browse For The Cause is still installed.



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:52 AM

Posted 26 September 2014 - 07:52 AM


Check your proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to Browse For The Cause or any entry like this, 127.0.0.1:5577, if found; then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If the problem persists please post the exact error message.
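A scripted version of the proxy check described above, added here as an example and not part of the thread: it reads the WinINET registry values behind Internet Explorer's LAN Settings dialog and flags a loopback proxy such as the 127.0.0.1:5577 entry mentioned. The "Automatically detect settings" checkbox is stored in a binary value and is not touched by this script; the -Clear switch name is this example's own.

```powershell
# Added example (not from the thread): inspect the current user's WinINET proxy
# settings, which is what Internet Explorer's "LAN settings" dialog edits, and
# flag a loopback proxy such as 127.0.0.1:5577 that browser hijackers use to
# intercept and redirect browsing. Run as the affected user.
param(
    [switch]$Clear   # when set, disable a flagged proxy instead of only reporting it
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

$proxyEnabled = ([int]($settings.ProxyEnable -as [int])) -eq 1
$proxyServer  = [string]$settings.ProxyServer      # e.g. "127.0.0.1:5577" or "http=127.0.0.1:5577;https=..."
$pacUrl       = [string]$settings.AutoConfigURL    # automatic configuration script, if any

Write-Host "ProxyEnable  : $proxyEnabled"
Write-Host "ProxyServer  : '$proxyServer'"
Write-Host "AutoConfigURL: '$pacUrl'"

# A proxy pointing back at the local machine (127.0.0.1, localhost, ::1) is not
# something a home user configures by hand; treat it as suspicious.
$loopback = $proxyServer -match '(^|=)(127\.0\.0\.1|localhost|\[?::1\]?):\d+'

if ($proxyEnabled -and $loopback) {
    Write-Warning "Loopback proxy found: $proxyServer (typical of a browser hijacker)"
    if ($Clear) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Proxy disabled. Close and reopen Internet Explorer."
    }
} elseif ($pacUrl) {
    Write-Warning "An automatic configuration script is set; verify it is expected."
} else {
    Write-Host "No explicit proxy is set for this user."
}
```

After clearing, the IE dialog should show "Use a proxy server" unchecked; re-run the script a day later to confirm nothing re-created the entry.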

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:52 AM

Posted 02 October 2014 - 08:01 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 Ayleth

Ayleth
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 03 October 2014 - 07:29 AM

I have not yet had a chance to try the last fix yet. I have been very busy, but I should be able to get to it soon and will let you know Monday or Tuesday the results.





