Annoying Codec-V


  • This topic is locked
11 replies to this topic

#1 whoawhoa

whoawhoa

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 06 December 2014 - 10:29 PM

Hi guys,

I'd really appreciate your help with this.

Codec-V places two banners at the top of whatever site I visit, and when I click on a link it redirects me to a blank page with a 'Powered by Codec-v' header while it also pops a new tab out that closes automatically after a few seconds. These are the only effects I've noticed so far and it's been almost ten days since it appeared.

I only use Mozilla Firefox.

Thanks in advance for your help!

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19088  BrowserJavaVersion: 10.21.2
Run by Damian at 23:40:34 on 2014-12-06
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.54.3082.18.1978.342 [GMT -3:00]
.
AV: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
c:\PROGRA~1\AVG\AVG2015\avgrsx.exe
C:\Program Files\AVG\AVG2015\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG2015\avgidsagent.exe
C:\Program Files\AVG\AVG2015\avgwdsvc.exe
C:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exe
C:\Windows\system32\NLSSRV32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DFX\DFX.exe
C:\Program Files\AVG\AVG2015\avgui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG2015\avgnsx.exe
C:\Program Files\AVG\AVG2015\avgemcx.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\DFX\Universal\Apps\DfxSharedApp32.exe
C:\Program Files\DFX\Universal\Apps\dfxItunesSong.exe
C:\Windows\system32\ctfmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.chesscafe.com/geurt/geurt.htm
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=es_ar&c=83&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=es_ar&c=83&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=es_ar&c=83&bd=Presario&pf=cnnb
uProxyServer = hxxp=127.0.0.1:56283
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DFX] c:\program files\dfx\DFX.exe -startup
mRun: [AVG_UI] "c:\program files\avg\avg2015\avgui.exe" /TRAYONLY
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:149
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/es/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/es/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{46E55C6D-556F-4F3C-8B84-500E2EE9C0B4} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{818A60F6-AF78-40D5-8526-C17493333CD8} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} : DHCPNameServer = 200.49.130.29 200.49.130.28 172.20.2.20
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: hpbc.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hphc.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hpsdpapp.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hpsi.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hpwucli.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
.
Note: multiple IFEO entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\damian\appdata\roaming\mozilla\firefox\profiles\rowl74qq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.livemocha.com/sihp|http://www.portuguesweb.com/saludos_en_portugues.html|http://www.google.com.mx/ig?referrer=ign&refresh=1
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\nitro\pro 8\npdf.dll
FF - plugin: c:\program files\nitro\pro 8\npnitroie.dll
FF - plugin: c:\program files\nitro\pro 8\npnitromozilla.dll
FF - plugin: c:\program files\nitro\pro 8\NPShellExtension.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - plugin: c:\users\damian\appdata\local\google\update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2009-09-14 00:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2014-6-18 147736]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2014-7-18 230680]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2014-10-5 98584]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2014-6-18 27416]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-6-18 121624]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2014-10-29 213784]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2014-6-18 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2014-8-28 192792]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2014-10-10 200984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2015\avgidsagent.exe [2014-11-9 3488784]
R2 avgwd;WatchDog de AVG;c:\program files\avg\avg2015\avgwdsvc.exe [2014-11-9 298080]
R2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\nitro\pro 8\NitroPDFDriverService8.exe [2012-11-29 196616]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [2012-9-24 69640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-2 361808]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-2 193840]
R3 DFX11_1;DFX Audio Enhancer 11.1;c:\windows\system32\drivers\dfx11_1.sys [2012-8-29 24424]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-4 113664]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-6-17 128272]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2013\TuneUpUtilitiesDriver32.sys [2012-9-18 10088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2013\TuneUpUtilitiesService32.exe [2012-9-19 1699168]
S3 GamesAppIntegrationService;GamesAppIntegrationService;c:\program files\wildtangent games\app\GamesAppIntegrationService.exe [2014-1-27 227904]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2014-11-24 20:02:28    --------    d-----w-    c:\users\damian\appdata\roaming\AVG2015
2014-11-24 19:55:35    --------    d-----w-    c:\programdata\AVG2015
2014-11-24 16:46:27    --------    d-----w-    c:\users\damian\appdata\local\Avg2015
.
==================== Find3M  ====================
.
2014-10-30 00:34:52    213784    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2014-10-10 17:13:58    200984    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
.
============= FINISH: 23:42:30.50 ===============


#2 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:01:20 PM

Posted 07 December 2014 - 12:01 PM

Hi. I'm checking your log now and will reply with instructions soon.



#3 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:01:20 PM

Posted 07 December 2014 - 02:24 PM

Has the computer been sitting a while without use? Also, did you set this proxy?
ProxyServer = hxxp=127.0.0.1:56283

Now, please follow these steps:

1.- Click on Start, Control Panel
Click on Uninstall a program
Find Codec-C in the list of installed programs and click on the Uninstall button.

2.- Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, this time click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the most recent report).
3.- Download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
4.- Download RogueKiller and Save to the desktop.

Note: Do NOT click the Delete button, unless otherwise instructed.
  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • Once the scan is done, click on Report.
  • A log file will open, please copy/paste the contents of that file into your next reply.


#4 whoawhoa

whoawhoa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 07 December 2014 - 10:53 PM

Hi Rootk,

I use my computer every day and I didn't set that proxy.

These are the reports:

Adwcleaner

# AdwCleaner v4.104 - Reporte Creado 07/12/2014 en 17:48:22
# Actualizado 05/12/2014 por Xplode
# Database : 2014-12-03.1 [Live]
# Sistema Operativo : Windows Vista ™ Home Basic Service Pack 1 (32 bits)
# Nombre de usuario : Damian - DAMIAN1
# Ejecutado desde : C:\Users\Damian\Desktop\AdwCleaner.exe
# Opción : Limpiar

***** [ Servicios ] *****


***** [ Archivos / Carpetas ] *****

Carpeta Borrar : C:\Save
Carpeta Borrar : C:\ProgramData\Premium
Carpeta Borrar : C:\ProgramData\Trymedia
Carpeta Borrar : C:\Program Files\yuna software
Carpeta Borrar : C:\Users\Damian\AppData\Local\PackageAware
Carpeta Borrar : C:\Users\Damian\Desktop\Save
Carpeta Borrar : C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\rowl74qq.default\Extensions\info@allpremiumplay.info
Carpeta Borrar : C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\Extensions\joifgdlkhokekeaenpkaehbnjhncglbh
Archivo Borrar : C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\rowl74qq.default\user.js
Archivo Borrar : C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage
Archivo Borrar : C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage-journal

***** [ Tareas ] *****


***** [ Accesos directos ] *****

Acceso directo Desinfectado : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime\Uninstall QuickTime.lnk

***** [ Registro ] *****

Clave Borrar : HKLM\SOFTWARE\Google\Chrome\Extensions\joifgdlkhokekeaenpkaehbnjhncglbh
Clave Borrar : HKLM\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Clave Borrar : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Clave Borrar : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
Clave Borrar : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Clave Borrar : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Clave Borrar : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Clave Borrar : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Clave Borrar : HKCU\Software\AVG Secure Search
Clave Borrar : HKCU\Software\Conduit
Clave Borrar : HKCU\Software\Softonic
Clave Borrar : HKCU\Software\YahooPartnerToolbar
Clave Borrar : HKCU\Software\yuna software
Clave Borrar : HKLM\SOFTWARE\AVG Secure Search
Clave Borrar : HKLM\SOFTWARE\Trymedia Systems
Clave Borrar : HKLM\SOFTWARE\yuna software
Clave Borrar : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2EF17083-57D4-4D64-AE4F-55F32A2C4571}
Clave Borrar : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2EF17083-57D4-4D64-AE4F-55F32A2C4571}

***** [ Navegadores ] *****

-\\ Internet Explorer v8.0.6001.19088


-\\ Mozilla Firefox v25.0 (es-ES)

[rowl74qq.default\prefs.js] - Linea borrada : user_pref("extensions.nurit5562nurit235.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.inde[...]
[rowl74qq.default\prefs.js] - Linea borrada : user_pref("extensions.snipit.askTbInstalled", false);

-\\ Google Chrome v

[C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Borrar [Search Provider] : hxxp://www.softonic.com/s/{searchTerms}

*************************

AdwCleaner[R0].txt - [4282 octets] - [07/12/2014 17:14:32]
AdwCleaner[S0].txt - [4179 octets] - [07/12/2014 17:48:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4239 octets] ##########

Junkware Removal Tool

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows Vista ™ Home Basic x86
Ran by Damian on Sun 12/07/2014 at 18:28:37.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\Codec-C
Successfully deleted: [Folder] "C:\Users\Damian\AppData\Roaming\getrighttogo"
Successfully deleted: [Folder] "C:\Users\Damian\AppData\Roaming\thinstall"



~~~ FireFox

Emptied folder: C:\Users\Damian\AppData\Roaming\mozilla\firefox\profiles\rowl74qq.default\minidumps [427 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/07/2014 at 18:36:42.64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RogueKiller

RogueKiller V10.0.8.0 [Nov 20 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Damian [Administrator]
Mode : Scan -- Date : 12/08/2014  00:40:41

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pohci13F (\??\C:\Users\Damian\AppData\Local\Temp\pohci13F.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pohci13F (\??\C:\Users\Damian\AppData\Local\Temp\pohci13F.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pohci13F (\??\C:\Users\Damian\AppData\Local\Temp\pohci13F.sys) -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-314449426-3439008249-1090429773-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56283  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-314449426-3439008249-1090429773-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} | DhcpNameServer : 200.49.130.29 200.49.130.28 172.20.2.20 [ARGENTINA (AR)][ARGENTINA (AR)][(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} | DhcpNameServer : 200.49.130.29 200.49.130.28 172.20.2.20 [ARGENTINA (AR)][ARGENTINA (AR)][(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} | DhcpNameServer : 200.49.130.29 200.49.130.28 172.20.2.20 [ARGENTINA (AR)][ARGENTINA (AR)][(Private Address) (XX)]  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 10 (Driver: Loaded) ¤¤¤
[SSDT:Inl(Hook.SSDT)] NtTraceEvent[339] : Unknown @ 0x82865845
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_CREATE[0] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_POWER[22] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_PNP[27] : Unknown @ 0x85bb01f8
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\AnyDVD @ Unknown (\SystemRoot\System32\Drivers\cdrbsdrv.SYS)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtWriteVirtualMemory : C:\Program Files\AVG\AVG2015\avghookx.dll @ 0x6ba31000 (jmp 0xfffffffff4a080e8)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1600BEVT-60ZCT1 ATA Device +++++
--- User ---
[MBR] 15d5c07288eea6164bfb74c0d87cc9b6
[BSP] bc1b9406c42cde791932ca92d0961921 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 143635 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 294166528 | Size: 8988 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_12082014_003553.log - RKreport_SCN_12082014_003555.log - RKreport_SCN_12082014_003556.log
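The items the helper picks out of these logs (the loopback proxy, the pohci13F driver loaded from the user's Temp folder, the IFEO redirections, the user.js lines that switch off Firefox's security warnings, UAC turned off) can be flagged automatically. The Python below is an added example, not part of this thread and not the detection logic of DDS, RogueKiller, AdwCleaner or JRT; its rule names and severities are its own, and SAMPLE_LOG is constructed from lines copied out of the logs above.

```python
"""Triage pass over DDS / RogueKiller log lines like the ones posted above.

Rules and severities are this example's own (not any tool's detection logic);
SAMPLE_LOG is constructed from lines copied out of the logs in this thread.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high" or "medium"
    rule: str      # short rule name
    line: str      # the log line that triggered the rule


# Loopback proxy. DDS defangs the scheme ("hxxp="), RogueKiller keeps "http=";
# either way every browser request is handed to a process on this host first.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*[=:]\s*(?:hxxp|http)=(?:127\.0\.0\.1|localhost):(\d+)", re.I)

# Image File Execution Options debugger: starting <exe> launches the quoted
# path instead. Legitimate tools (TuneUp here) use it too, hence "medium".
IFEO_ENTRY = re.compile(r'^IFEO:\s*(\S+)\s*-\s*"?([^"]+?)"?\s*$', re.I)

# A registry service entry or DDS R#/S# driver line whose image lives under a
# user's Temp directory, as with pohci13F.sys in the RogueKiller output.
TEMP_SERVICE = re.compile(
    r"(?:\\Services\\|^[RS][0-4]\s).*\\AppData\\Local\\Temp\\", re.I)

# user.js prefs that silence insecure-submit / mixed-content warnings or
# accept all cookies; user.js is re-applied at every Firefox start, which is
# why AdwCleaner deleted the file in this thread.
USERJS_WEAKENED = re.compile(
    r"^FF - user\.js:\s*(security\.warn_\S+|network\.cookie\.cookieBehavior)"
    r"\s*-\s*(false|0)\s*$", re.I)

# mPolicies-System: EnableLUA = dword:0 means UAC prompts are switched off.
UAC_OFF = re.compile(r"EnableLUA\s*=\s*dword:0\b", re.I)

# Evaluated in order; the first matching rule claims the line.
RULES = [
    ("high", "loopback-proxy", LOOPBACK_PROXY),
    ("high", "service-in-temp", TEMP_SERVICE),
    ("medium", "ifeo-debugger", IFEO_ENTRY),
    ("medium", "userjs-weakened", USERJS_WEAKENED),
    ("medium", "uac-disabled", UAC_OFF),
]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, name, line))
                break
    return findings


def proxy_ports(findings: List[Finding]) -> List[int]:
    """Distinct loopback proxy ports; the port is what to match against the
    listening sockets on the host to identify the process behind the proxy."""
    ports = set()
    for f in findings:
        if f.rule == "loopback-proxy":
            ports.add(int(LOOPBACK_PROXY.search(f.line).group(1)))
    return sorted(ports)


# Constructed sample: lines copied from the DDS and RogueKiller logs above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.chesscafe.com/geurt/geurt.htm
uProxyServer = hxxp=127.0.0.1:56283
mPolicies-System: EnableLUA = dword:0
IFEO: hpbc.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
FF - user.js: security.warn_submit_insecure - false
FF - user.js: network.cookie.cookieBehavior - 0
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-6-17 128272]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pohci13F (\??\C:\Users\Damian\AppData\Local\Temp\pohci13F.sys) -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-314449426-3439008249-1090429773-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56283  -> Found
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:16} {f.line[:90]}")
    print("loopback proxy ports:", proxy_ports(results))
```

The Sandboxie driver line is included to show that an ordinary Program Files driver path is not flagged; only the Temp-resident service and the items the helper asked about are.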



#5 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:01:20 PM

Posted 10 December 2014 - 08:14 AM

Please follow these steps:

1.- Please re-run RogueKiller and press the Scan button.
Once the scan is done, click the Registry tab.
Place a checkmark on the following item:
 
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pohci13F (\??\C:\Users\Damian\AppData\Local\Temp\pohci13F.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pohci13F (\??\C:\Users\Damian\AppData\Local\Temp\pohci13F.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pohci13F (\??\C:\Users\Damian\AppData\Local\Temp\pohci13F.sys) -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-314449426-3439008249-1090429773-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56283  -> Found
Click on the Delete button.
Then, click on Report and copy/paste the contents of that file into your next reply.

2.- Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Please open Malwarebytes Anti-Malware
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
  • Following the update, Click Settings > Detection and Protection and make sure Scan for Rootkits is checked.
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan. If Malware or Potentially Unwanted Programs are found you will receive a Prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
  • After viewing the results, please click on the Copy to Clipboard button > OK.
  • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again it can be found by opening Malwarebytes and clicking on History> Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad). etc.. The .txt file can be saved and posted when you are ready.
3.- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes and if it finds anything, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#6 whoawhoa

whoawhoa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 13 December 2014 - 02:01 PM

Hi again.

It's been almost a week since I last experienced the issues I mentioned in the first post. Could it be the problem is fixed?

RogueKiller

RogueKiller V10.1.0.0 [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Damian [Administrator]
Mode : Delete -- Date : 12/13/2014  03:20:57

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pohci13F -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pohci13F -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pohci13F -> Deleted
[PUM.Proxy] HKEY_USERS\S-1-5-21-314449426-3439008249-1090429773-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56283  -> Deleted
[PUM.HomePage] HKEY_USERS\S-1-5-21-314449426-3439008249-1090429773-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} | DhcpNameServer : 200.49.130.29 200.49.130.28 172.20.2.20 [ARGENTINA (AR)][ARGENTINA (AR)][(Private Address) (XX)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} | DhcpNameServer : 200.49.130.29 200.49.130.28 172.20.2.20 [ARGENTINA (AR)][ARGENTINA (AR)][(Private Address) (XX)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} | DhcpNameServer : 200.49.130.29 200.49.130.28 172.20.2.20 [ARGENTINA (AR)][ARGENTINA (AR)][(Private Address) (XX)]  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 10 (Driver: Loaded) ¤¤¤
[SSDT:Inl(Hook.SSDT)] NtTraceEvent[339] : Unknown @ 0x8287a845
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_CREATE[0] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_POWER[22] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x85bb01f8
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\iastorv.sys - IRP_MJ_PNP[27] : Unknown @ 0x85bb01f8
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\AnyDVD @ Unknown (\SystemRoot\System32\Drivers\cdrbsdrv.SYS)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\Drivers\AnyDVD.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1600BEVT-60ZCT1 ATA Device +++++
--- User ---
[MBR] 15d5c07288eea6164bfb74c0d87cc9b6
[BSP] bc1b9406c42cde791932ca92d0961921 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 143635 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 294166528 | Size: 8988 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_12082014_003553.log - RKreport_SCN_12082014_003555.log - RKreport_SCN_12082014_003556.log - RKreport_SCN_12082014_004041.log
RKreport_SCN_12132014_031712.log

 

 

Malwarebytes

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/13/2014
Scan Time: 10:06:05 AM
Logfile: malwarebytes 121214.txt
Administrator: Yes

Version: 0.00.0.0000
Malware Database: v2014.12.13.04
Rootkit Database: v2014.12.08.03
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 1
CPU: x86
File System: NTFS
User: Damian

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357008
Time Elapsed: 14 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

ESET Scanner

C:\AdwCleaner\Quarantine\C\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\rowl74qq.default\user.js.vir    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\rowl74qq.default\prefs-3.js    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\rowl74qq.default\prefs-4.js    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\rowl74qq.default\prefs-5.js    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\rowl74qq.default\prefs.js    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\Windows\System32\Adobe\Shockwave 11\gt.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined



#7 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:01:20 PM

Posted 13 December 2014 - 05:57 PM

Your logs look OK. However, I would like you to run another scan to make sure there are no leftovers.
Please open DDS and run a new scan, then post the DDS.txt log into your next reply.

#8 whoawhoa

whoawhoa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 13 December 2014 - 09:24 PM

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19088  BrowserJavaVersion: 10.21.2
Run by Damian at 23:17:05 on 2014-12-13
#Option MBR scan  is disabled.
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.54.3082.18.1978.861 [GMT -3:00]
.
AV: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
c:\PROGRA~1\AVG\AVG2015\avgrsx.exe
C:\Program Files\AVG\AVG2015\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG2015\avgidsagent.exe
C:\Program Files\AVG\AVG2015\avgwdsvc.exe
C:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exe
C:\Windows\system32\NLSSRV32.EXE
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG2015\avgnsx.exe
C:\Program Files\AVG\AVG2015\avgemcx.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DFX\DFX.exe
C:\Program Files\AVG\AVG2015\avgui.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\DFX\Universal\Apps\DfxSharedApp32.exe
C:\Program Files\DFX\Universal\Apps\dfxItunesSong.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.chesscafe.com/geurt/geurt.htm
uDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DFX] c:\program files\dfx\DFX.exe -startup
mRun: [AVG_UI] "c:\program files\avg\avg2015\avgui.exe" /TRAYONLY
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:149
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/es/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/es/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{46E55C6D-556F-4F3C-8B84-500E2EE9C0B4} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{818A60F6-AF78-40D5-8526-C17493333CD8} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{EEC89185-7355-4544-9388-BCAF4916A794} : DHCPNameServer = 200.49.130.29 200.49.130.28 172.20.2.20
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: hpbc.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hphc.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hpsdpapp.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hpsi.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
IFEO: hpwucli.exe - "c:\program files\tuneup utilities 2013\TUAutoReactivator32.exe"
.
Note: multiple IFEO entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\damian\appdata\roaming\mozilla\firefox\profiles\rowl74qq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.livemocha.com/sihp|http://www.portuguesweb.com/saludos_en_portugues.html|http://www.google.com.mx/ig?referrer=ign&refresh=1
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\nitro\pro 8\npdf.dll
FF - plugin: c:\program files\nitro\pro 8\npnitroie.dll
FF - plugin: c:\program files\nitro\pro 8\npnitromozilla.dll
FF - plugin: c:\program files\nitro\pro 8\NPShellExtension.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\damian\appdata\local\google\update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2009-09-14 00:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2014-6-18 147736]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2014-7-18 230680]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2014-10-5 98584]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2014-6-18 27416]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-6-18 121624]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2014-10-29 213784]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2014-6-18 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2014-8-28 192792]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2014-10-10 200984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2015\avgidsagent.exe [2014-11-9 3488784]
R2 avgwd;WatchDog de AVG;c:\program files\avg\avg2015\avgwdsvc.exe [2014-11-9 298080]
R2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\nitro\pro 8\NitroPDFDriverService8.exe [2012-11-29 196616]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [2012-9-24 69640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-2 361808]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-2 193840]
R3 DFX11_1;DFX Audio Enhancer 11.1;c:\windows\system32\drivers\dfx11_1.sys [2012-8-29 24424]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-4 113664]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-6-17 128272]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2013\TuneUpUtilitiesDriver32.sys [2012-9-18 10088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-12-13 969016]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2013\TuneUpUtilitiesService32.exe [2012-9-19 1699168]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-12-13 23256]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-12-13 51928]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-12-13 1871160]
.
=============== Created Last 30 ================
.
2014-12-13 16:04:58    --------    d-----w-    c:\program files\ESET
2014-12-13 06:53:45    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-13 06:53:09    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-13 06:53:09    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-12-13 06:53:09    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-13 06:53:09    --------    d-----w-    c:\programdata\Malwarebytes
2014-12-13 06:53:09    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-08 23:56:07    --------    d-----w-    c:\users\damian\appdata\local\CrashDumps
2014-12-08 03:29:45    35064    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-12-08 03:29:41    --------    d-----w-    c:\programdata\RogueKiller
2014-12-07 21:28:05    --------    d-----w-    c:\windows\ERUNT
2014-12-07 20:14:21    --------    d-----w-    C:\AdwCleaner
2014-11-24 20:02:28    --------    d-----w-    c:\users\damian\appdata\roaming\AVG2015
2014-11-24 19:55:35    --------    d-----w-    c:\programdata\AVG2015
2014-11-24 16:46:27    --------    d-----w-    c:\users\damian\appdata\local\Avg2015
.
==================== Find3M  ====================
.
2014-10-30 00:34:52    213784    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2014-10-10 17:13:58    200984    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
.
============= FINISH: 23:18:26.54 ===============
 



#9 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:01:20 PM

Posted 15 December 2014 - 12:24 PM

Your log looks OK, so if the computer is running fine and you're not having any other problem, then follow these final steps:

Create a System restore point.

Open System by clicking the Start button , right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

Remove ESET Online Scanner:

Click on Start, Control Panel
Click on Uninstall a program
Find Eset Online Scanner in the list of installed programs and click on the Uninstall button.

Run Delfix

This program will remove the tools used and their logs. If anything remains, you can delete it manually.
Please download Delfix and save it to your desktop.
Double click on Delfix.exe to run the tool and click on the Run button.

Finally, to help protect your computer in the future, I recommend that you read this article: So how did I get infected in the first place? I also recommend running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Be sure to post back if you have any more problems.



#10 whoawhoa

whoawhoa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 15 December 2014 - 07:30 PM

All done

 

Thanks a lot for your help, Rootk!



#11 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:01:20 PM

Posted 15 December 2014 - 08:04 PM

You are welcome!



#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:12:20 PM

Posted 26 January 2015 - 11:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families




