[rippit]

Hello,

Two days ago I attempted to install a youtube downloader.

My Kaspersky AV advised not to open unless its from a trusted source. Very foolishly I decided to open it.

A few warning messages appeared and my internet homepage changed.

I uninstalled said program immediately and ran a Malwarebytes scan and then a full kaspersky scan this morning.
The MalwareBytes scan returned nine infected items and apparently handled them. The Kaspersky scan showed no issues.
My home page is now safely set to "about:blank" however when I open a new tab the adress bar populates with "C:\Program Files (x86)\YoutubeDownloader.org\YoutubeDownloader\index.htm"

I have run HJT and OTL and obtained output from both.

Kindly assist please.  OTL.Txt   82.73KB   184 downloads  Extras.Txt   34.34KB   181 downloads

[Advertisements]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome to Geeks to Go.

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Windows 7 Advice:

All applications I ask to be used will require to be run in Administrator mode. IE: Right click on and select Run as Administrator.

The Operating System in use comes with a inbuilt utility called User Access Control(UAC) when prompted by this with anything I ask you to do carry out please select the option Allow.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

Now please go to Start(Windows 7 Orb) >> Control Panel >> Programs and Features and remove the following (if present):

Adobe Reader 9.4.4 MUI <-- We will update this in due course
HiJackThis <-- Not 64 bit compatible.
YouTube Downloader - Accelerator Pro 1.0 <-- Has undesirable characteristics.
IMVU Inc Toolbar <-- As above.

To do so click once on each of the above and click on Uninstall/Change and follow the prompts

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please go here and download ERUNT.
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
• Use the default install settings but say No to the portion that asks you to add ERUNT to the Start-Up folder.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Custom OTL Script:

• Right-click OTL.exe and select Run as Administrator to start the program.
• Copy the lines from the quote-box(do not include the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
O2 - BHO: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} - C:\Program Files (x86)\IMVU_Inc\prxtbIMVU.dll (Conduit Ltd.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} - C:\Program Files (x86)\IMVU_Inc\prxtbIMVU.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (IMVU Inc Toolbar) - {90B49673-5506-483E-B92B-CA0265BD9CA8} - C:\Program Files (x86)\IMVU_Inc\prxtbIMVU.dll (Conduit Ltd.)
O4 - HKCU..\Run: [FocoLink] File not found
O4 - HKCU..\Run: [NTServiceManager] File not found
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\RP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk ()
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
[2011/05/18 13:10:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2011/05/18 13:10:37 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/05/18 12:37:36 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BCCB4F1A-8240-4EA5-9A49-B7ED2ADE0461}
[2011/05/18 12:30:39 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{4CE2C915-162B-4C55-A2E0-93C8461189F2}
[2011/05/18 09:15:21 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Roaming\PlayFirst
[2011/05/17 23:50:07 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{DC16DCEB-6AD3-4B84-97DE-B9AA40198DD1}
[2011/05/15 20:36:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTubeDownloaderAccPro
[2011/05/15 20:36:06 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YouTube Downloader - Accelerator Pro
[2011/05/15 13:46:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free YouTube Downloader
[2011/05/15 13:46:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Free YouTube Downloader
[2011/05/15 11:54:22 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BD190144-717A-46AE-87FC-C856B860B91F}
[2011/05/13 20:44:24 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{E64F2C2E-3667-4953-964D-C7BD76184BF3}
[2011/05/12 20:52:39 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{85036BE6-41B0-46CC-B780-71CA0E059570}
[2011/05/12 06:09:45 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{D50C2753-C06B-4A8E-9E61-AB93694A5A3E}
[2011/05/08 08:21:51 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{CA057302-8C1A-47DF-9DEC-C60D6AA1B139}
[2011/05/07 20:21:13 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{D045A05F-7147-43CC-888E-0E826ABB0ADE}
[2011/05/06 21:27:47 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{85EFE847-4BD6-408C-B49C-BB2B7810FD77}
[2011/05/06 06:24:07 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{C46F6770-9ADD-47CE-9111-ECA06F2C378B}
[2011/05/05 06:48:36 | 000,000,000 | ---D | C] -- C:\289bb745c63793052b
[2011/05/05 06:24:17 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{3C6A255B-C614-4F5D-8D1E-BE9BA5BEAB38}
[2011/05/01 13:22:55 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{078951CA-C567-4348-981E-EC1C66E2C453}
[2011/04/28 22:40:23 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{FD0C3738-A3E4-4943-B5D7-E3621C614EA5}
[2011/04/27 09:12:22 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{A036FB8E-8517-452F-A1B6-C41558EA0702}
[2011/04/26 10:14:19 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{23C06D62-AB4A-41E5-B95E-6897562FBCB9}
[2011/04/25 20:03:10 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{20658051-405C-49DA-A896-6BD5A5C08A1D}
[2011/04/24 22:03:46 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{78CC6204-EF50-4B25-888F-24D323DA466C}
[2011/04/23 19:32:37 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{9F658E07-F927-4BDC-BA31-8D90786BF55B}
[2011/04/23 06:44:43 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{3DDC9F32-0F3F-4A93-9C83-0879A5E19A9C}
[2011/04/21 19:34:06 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{FF69ED4F-3670-4A4D-A538-F9ACF71CDA72}
[2011/04/20 20:42:51 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{CE667516-8572-4D59-95CE-A84615C16E77}
[2011/04/20 06:41:58 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{28738B7F-F0CA-4D62-963E-ADCA85690342}
[2011/04/19 11:54:23 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{B7D62BC4-8B80-4776-B6F7-D0C53829A7B2}
[2011/04/19 09:13:27 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BD601ACF-0B45-45F1-9B07-6605AD41682E}
[2011/04/18 21:12:50 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BB047B94-9C2C-4E88-B17A-BB6722E63011}
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[2011/05/18 13:10:37 | 000,002,961 | ---- | C] () -- C:\Users\RP\Desktop\HiJackThis.lnk
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:CDFF58FE
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:93EB7685
@Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:4D066AD2
@Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:1A60DE96
@Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:E1F04E8D
@Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:5D7E5A8F
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:E3C56885

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\YoutubeDownloader.org

:Commands
[Purity]
[ResetHosts]
[EmptyFlash]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]

• Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
• Then click the red Run Fix button.
• Let the program run unhindered.
• If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator.

• Launch the application, Check for Updates >> Perform quick scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

• How is your computer performing now, any further symptoms and or problems encountered?
• OTL Log from the Custom Script.
• Malwarebytes Anti-Malware Log.

[Dakeyras]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome to Geeks to Go.

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Windows 7 Advice:

All applications I ask to be used will require to be run in Administrator mode. IE: Right click on and select Run as Administrator.

The Operating System in use comes with a inbuilt utility called User Access Control(UAC) when prompted by this with anything I ask you to do carry out please select the option Allow.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

Now please go to Start(Windows 7 Orb) >> Control Panel >> Programs and Features and remove the following (if present):

Adobe Reader 9.4.4 MUI <-- We will update this in due course
HiJackThis <-- Not 64 bit compatible.
YouTube Downloader - Accelerator Pro 1.0 <-- Has undesirable characteristics.
IMVU Inc Toolbar <-- As above.

To do so click once on each of the above and click on Uninstall/Change and follow the prompts

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please go here and download ERUNT.
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
• Use the default install settings but say No to the portion that asks you to add ERUNT to the Start-Up folder.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Custom OTL Script:

• Right-click OTL.exe and select Run as Administrator to start the program.
• Copy the lines from the quote-box(do not include the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
O2 - BHO: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} - C:\Program Files (x86)\IMVU_Inc\prxtbIMVU.dll (Conduit Ltd.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} - C:\Program Files (x86)\IMVU_Inc\prxtbIMVU.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (IMVU Inc Toolbar) - {90B49673-5506-483E-B92B-CA0265BD9CA8} - C:\Program Files (x86)\IMVU_Inc\prxtbIMVU.dll (Conduit Ltd.)
O4 - HKCU..\Run: [FocoLink] File not found
O4 - HKCU..\Run: [NTServiceManager] File not found
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\RP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk ()
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
[2011/05/18 13:10:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2011/05/18 13:10:37 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/05/18 12:37:36 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BCCB4F1A-8240-4EA5-9A49-B7ED2ADE0461}
[2011/05/18 12:30:39 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{4CE2C915-162B-4C55-A2E0-93C8461189F2}
[2011/05/18 09:15:21 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Roaming\PlayFirst
[2011/05/17 23:50:07 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{DC16DCEB-6AD3-4B84-97DE-B9AA40198DD1}
[2011/05/15 20:36:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTubeDownloaderAccPro
[2011/05/15 20:36:06 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YouTube Downloader - Accelerator Pro
[2011/05/15 13:46:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free YouTube Downloader
[2011/05/15 13:46:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Free YouTube Downloader
[2011/05/15 11:54:22 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BD190144-717A-46AE-87FC-C856B860B91F}
[2011/05/13 20:44:24 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{E64F2C2E-3667-4953-964D-C7BD76184BF3}
[2011/05/12 20:52:39 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{85036BE6-41B0-46CC-B780-71CA0E059570}
[2011/05/12 06:09:45 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{D50C2753-C06B-4A8E-9E61-AB93694A5A3E}
[2011/05/08 08:21:51 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{CA057302-8C1A-47DF-9DEC-C60D6AA1B139}
[2011/05/07 20:21:13 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{D045A05F-7147-43CC-888E-0E826ABB0ADE}
[2011/05/06 21:27:47 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{85EFE847-4BD6-408C-B49C-BB2B7810FD77}
[2011/05/06 06:24:07 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{C46F6770-9ADD-47CE-9111-ECA06F2C378B}
[2011/05/05 06:48:36 | 000,000,000 | ---D | C] -- C:\289bb745c63793052b
[2011/05/05 06:24:17 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{3C6A255B-C614-4F5D-8D1E-BE9BA5BEAB38}
[2011/05/01 13:22:55 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{078951CA-C567-4348-981E-EC1C66E2C453}
[2011/04/28 22:40:23 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{FD0C3738-A3E4-4943-B5D7-E3621C614EA5}
[2011/04/27 09:12:22 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{A036FB8E-8517-452F-A1B6-C41558EA0702}
[2011/04/26 10:14:19 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{23C06D62-AB4A-41E5-B95E-6897562FBCB9}
[2011/04/25 20:03:10 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{20658051-405C-49DA-A896-6BD5A5C08A1D}
[2011/04/24 22:03:46 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{78CC6204-EF50-4B25-888F-24D323DA466C}
[2011/04/23 19:32:37 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{9F658E07-F927-4BDC-BA31-8D90786BF55B}
[2011/04/23 06:44:43 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{3DDC9F32-0F3F-4A93-9C83-0879A5E19A9C}
[2011/04/21 19:34:06 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{FF69ED4F-3670-4A4D-A538-F9ACF71CDA72}
[2011/04/20 20:42:51 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{CE667516-8572-4D59-95CE-A84615C16E77}
[2011/04/20 06:41:58 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{28738B7F-F0CA-4D62-963E-ADCA85690342}
[2011/04/19 11:54:23 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{B7D62BC4-8B80-4776-B6F7-D0C53829A7B2}
[2011/04/19 09:13:27 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BD601ACF-0B45-45F1-9B07-6605AD41682E}
[2011/04/18 21:12:50 | 000,000,000 | ---D | C] -- C:\Users\RP\AppData\Local\{BB047B94-9C2C-4E88-B17A-BB6722E63011}
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[2011/05/18 13:10:37 | 000,002,961 | ---- | C] () -- C:\Users\RP\Desktop\HiJackThis.lnk
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:CDFF58FE
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:93EB7685
@Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:4D066AD2
@Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:1A60DE96
@Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:E1F04E8D
@Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:5D7E5A8F
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:E3C56885

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\YoutubeDownloader.org

:Commands
[Purity]
[ResetHosts]
[EmptyFlash]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]

• Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
• Then click the red Run Fix button.
• Let the program run unhindered.
• If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator.

• Launch the application, Check for Updates >> Perform quick scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

• How is your computer performing now, any further symptoms and or problems encountered?
• OTL Log from the Custom Script.
• Malwarebytes Anti-Malware Log.

[rippit]

Thanks for your help Dakeyras.

After running everything as stipulated I still have the problem of my IE attempting to access "C:\Program Files (x86)\YoutubeDownloader.org\YoutubeDownloader\index.htm" when I open a new tab (CTRL+T), generating the generic "Internet Explorer cannot display the webpage" display.

Attached are the requested files.

Attached Files

•  05222011_133026.log   20.88KB   234 downloads
•  mbam-log-2011-05-22 (13-42-30).txt   903bytes   180 downloads

Edited by rippit, 22 May 2011 - 06:32 AM.

[Dakeyras]

Hi.

You're most welcome and thanks for the update also!

OK...Carry out the below please and let myself know if still the same issues, thank you.

Reset IE8:

• Please download this Microsoft FixIt and save it to the desktop.
• Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
• Follow the on-screen prompts.
• You may delete MicrosoftFixit50195.exe when finished and or keep it if any problems in the future with IE8.
• Next time IE8 is launched you will be prompted to reapply settings again, this is normal.

Note: Any add-ons will require to be reapplied after the above reset.

[rippit]

Thanks again Dakeyras.
Unfortunately this still does not fix the problem.

My IE was completely reset, but the problem when opening a new tab still exists.

[Dakeyras]

Hi.

OK lets proceed as follows, also are you using a Router at all?

Scan With RKUnHooker:

• Please Download Rootkit Unhooker Save it to your desktop.
• Now double-click on RKUnhookerLE.exe to run it.
• Click the Report tab, then click Scan.
• Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Save the report somewhere where you can find it. Click Close.
• Copy the entire contents of the report and paste it in a reply here.

Note: You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

[rippit]

Not using a router.

I get the following errors trying to use Rootkit Unhooker
Error loading driver,NTSTATUS code: 0xC000036B

[Dakeyras]

Hi.

Scan with TDSSKiller:

Please download TDSSKiller.zip and extract (unzip) it to your Desktop.

• Right-click on TDSSKiller.exe and select Run as Administrator to launch it.
• Click on Start Scan, the scan will run.
• When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
• Now click on Report to open the log file created by TDSSKiller in your root directory C:\
• To find the log go to Start > Computer > C:
• Post the contents of that log in your next reply please.

Note: Do not have TDSSKiller remove anything if found at this point in time!

[rippit]

No Threats found.
Log attached  TDSSKiller.2.5.1.0_24.05.2011_06.05.30_log.txt   65.87KB   211 downloads

[Dakeyras]

Hi.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper

When completed the above, please post back the following in the order asked for:

• How is your computer performing now, any other symptoms and or problems encountered?
• ComboFix Log.

[rippit]

Hi Dakeyras,

I ran combofix and the issue still persists.

Log attached

 ComboFix.txt   21.35KB   182 downloads

[Dakeyras]

Hi.

Please check for me if the same error occurs when you open a new tab with Internet Explorer (64-bit) please, to launch the aforementioned:-

Start(Windows 7 Orb) >> All Programs >> Internet Explorer (64-bit)

Next:

I notice Windows Defender apears to be active...this will actually hinder the Malware Removal process and will be in conflict with Kaspersky Internet Security and actually lesson overall online protection. Unfortunately it cannot be uninstalled because it is a integral part of the Windows 7 Operating System, anyway it would be best to disable it as follows:-

• Launch Windows Defender via Start(Windows 7 Orb), Control Panel, Windows Defender and go to Tools >> Options.
• There will be a list of configuration options.
• Scroll down to the end of the list to Administrator options.
• Deselect the Use Windows Defender box and press the Save button.
• Now you will receive a notification saying that Windows Defender is turned off.
• Click on Save then Close on the Notification that appears.

A graphical tutorial explaining the above can be viewed here.

RegQuery:

Please download RegQuery by Noviciate to your desktop.

• Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]

• Right-click RegQuery.exe and select Run as Administrator to run the program
• Paste the text you have copied using CRTL and V, into the textbox
• Click the Query button
• A Notepad file will open. Please paste the contents in your next reply
• You may now close the RegQuery program

[rippit]

Hi Dakayeras.
Thanks again for your help thus far.
I have disabled windows defender.
When using 64bit IE the problem does not occur.

Below is the output from Regquery:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"blank"="res://mshtml.dll/blank.htm"
"NoAdd-onsInfo"="res://ieframe.dll/noaddoninfo.htm"
"InPrivate"="res://ieframe.dll/inprivate.htm"
"NavigationFailure"="res://ieframe.dll/navcancl.htm"
"NoAdd-ons"="res://ieframe.dll/noaddon.htm"
"Home"=dword:0000010e
"PostNotCached"="res://ieframe.dll/repost.htm"
"DesktopItemNavigationFailure"="res://ieframe.dll/navcancl.htm"
"NavigationCanceled"="res://ieframe.dll/navcancl.htm"
"Tabs"="C:\\Program Files (x86)\\YoutubeDownloader.org\\YoutubeDownloader\\index.htm"
"OfflineInformation"="res://ieframe.dll/offcancl.htm"
"SecurityRisk"="res://ieframe.dll/securityatrisk.htm"

Edited by rippit, 25 May 2011 - 12:52 PM.

[Dakeyras]

Hi.

Thanks again for your help thus far.

You're welcome and thanks for the update also!

OK the below custom OTL script should rectify the tab issues. So when you open a new tab it will be blank like your home-page. Now if in the future you change your home page to say a browser search engines home page and want a new tab to open with that page you would do so as follows...

Launch IE >> Tools >> Internet Options >> General >> next to Tabs click on Settings

Under When a new Tab is opened, open >> select from the drop down menu the setting/page you wish >> OK.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

Please navigate to Start(Windows 7 Orb) >> All Programs >> ERUNT >> Right-click on ERUNT select Run as Administrator.

• Click on OK within the pop-up menu.
• In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
• System registry
• Current user registry
• Next click on OK
• When the Question pop-up appears click on Yes
• After a short duration the Registry backup is complete! popup will appear
• Now click on OK. A backup has been created.

Note: If you have uninstalled ERUNT since we last used it, please inform myself before proceeding any further.

Custom OTL Script:

• Right-click OTL.exe and select Run as Administrator to start the program.
• Copy the lines from the quote-box(do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm "

:Commands
[EmptyTemp]
[CreateRestorePoint]
[Reboot]

• Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
• Then click the red Run Fix button.
• Let the program run unhindered.
• If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator.

• Launch the application, Check for Updates >> Perform quick scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

• How is your computer performing now, any further symptoms and or problems encountered?
• OTL Log from the Custom Script.
• Malwarebytes Anti-Malware Log.

[rippit]

Hi Dakeyras.

The problem no longer occurs!!!!

Thank you so much for all your assistance!

 mbam-log-2011-05-26 (18-08-47).txt   890bytes   168 downloads  05262011_175432.log   3.79KB   176 downloads