partner37 mydomainadvisor redirect virus/malware [Solved]


  • This topic is locked

#16
iolande

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hey there

Ran combofix. No messages came up. The log is as follows

Thanks :)


ComboFix 12-09-23.03 - Lisa 24/09/2012 15:00:51.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4091.2188 [GMT 10:00]
Running from: c:\users\Lisa\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\blekkotb_031\blEKkotb_019x.dll
c:\program files (x86)\Common Files\Acer GameZone online.ico
c:\users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\simpleadblock.msi
c:\users\Lisa\AppData\Roaming\.#
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-08-24 to 2012-09-24 )))))))))))))))))))))))))))))))
.
.
2012-09-24 05:13 . 2012-09-24 05:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-24 05:13 . 2012-09-24 05:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-21 22:09 . 2012-08-24 10:14 816640 ----a-w- c:\windows\system32\jscript.dll
2012-09-21 22:09 . 2012-08-24 10:12 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-09-21 22:09 . 2012-08-24 10:24 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
2012-09-21 22:09 . 2012-08-24 06:52 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll
2012-09-21 22:09 . 2012-08-24 06:53 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2012-09-21 22:09 . 2012-08-24 10:25 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2012-09-21 22:09 . 2012-08-24 11:15 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-09-21 22:09 . 2012-08-24 10:39 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-09-20 21:39 . 2012-09-20 21:40 -------- d-----w- c:\program files (x86)\Norton PC Checkup 3.0
2012-09-20 05:33 . 2012-09-20 05:33 -------- d-----w- c:\users\Lisa\AppData\Roaming\PCCUStubInstaller
2012-09-18 03:32 . 2012-09-18 03:32 -------- d-----w- c:\programdata\OZtion
2012-09-16 01:09 . 2012-09-16 02:33 -------- d-----w- c:\users\Lisa\NinjaLister
2012-09-16 01:09 . 2012-09-16 01:09 -------- d-----w- c:\users\Lisa\AppData\Roaming\main.542EE8ACF7F339584A023BE012CB4512BACF448C.1
2012-09-16 01:09 . 2012-09-16 01:09 -------- d-----w- c:\program files (x86)\eBid Ninja Lister
2012-09-13 20:48 . 2012-09-13 20:50 -------- d-----w- c:\program files (x86)\EndNote X5
2012-09-12 06:40 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 06:40 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\rndismpx.sys
2012-09-12 06:40 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 06:40 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-12 06:40 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-12 06:40 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 06:40 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 06:40 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-23 00:33 . 2012-09-23 00:33 264547 ----a-w- C:\TDSSKiller.2.8.10.0_23.09.2012_09.33.48_log.zip
2012-09-21 00:50 . 2012-04-13 08:17 73136 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-21 00:50 . 2012-04-13 08:17 696240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-12 20:44 . 2010-10-03 04:11 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-07 07:04 . 2011-08-21 02:34 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 09:13 . 2011-12-17 23:43 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2011-12-17 23:43 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2011-12-17 23:43 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2012-04-01 11:56 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-08-21 09:13 . 2011-12-17 23:43 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-21 09:13 . 2011-12-17 23:43 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:12 . 2011-12-17 23:42 41224 ----a-w- c:\windows\avastSS.scr
2012-08-21 09:12 . 2011-12-17 23:42 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-21 09:12 . 2011-08-19 07:16 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-12 07:37 . 2012-08-12 07:37 32768 ----a-r- c:\users\Lisa\AppData\Roaming\Microsoft\Installer\{E518C80C-C549-40E1-844C-669ED64195D3}\_2A43A261E660_4D89_9812_E0B6AEBBE4CE.exe
2012-08-03 08:37 . 2012-06-15 02:45 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2012-08-03 08:37 . 2012-06-25 09:43 336208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-07-26 09:11 . 2012-06-19 09:49 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-07-26 09:11 . 2012-06-15 02:45 336208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-07-18 18:15 . 2012-08-16 03:07 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-04 22:16 . 2012-08-16 03:07 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-16 03:07 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-16 03:07 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-16 03:07 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-07-03 16:21 . 2012-07-29 05:38 19600 ----a-w- c:\windows\system32\drivers\aswKbd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BOSMirror]
@="{BED4D884-FB41-43F4-8C92-E21B6707C996}"
[HKEY_CLASSES_ROOT\CLSID\{BED4D884-FB41-43F4-8C92-E21B6707C996}]
2010-03-05 02:19 182784 ----a-w- c:\program files (x86)\Telstra\BigPond Online Storage\bosiconoverlay.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-11 05:41 120104 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"FileHippo.com"="c:\program files (x86)\FileHippo.com\UpdateChecker.exe" [2010-08-09 248832]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2012-03-06 943504]
"KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-03-06 21392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-09-24 261888]
"EgisTecLiveUpdate"="c:\program files (x86)\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-10 98304]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]
"ArcadeDeluxeAgent"="c:\program files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2009-10-06 419112]
"PlayMovie"="c:\program files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2009-10-06 181480]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-08 1157976]
"BOS_TransferManager"="c:\program files (x86)\Telstra\BigPond Online Storage\bostransfermanager.exe" [2010-03-05 718336]
"BOS_MirrorSync"="c:\program files (x86)\Telstra\BigPond Online Storage\BosMirrorSync.exe" [2010-03-05 617472]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2011-11-14 273528]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-03-06 3508624]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
.
c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-18 272528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-17 135664]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-21 250288]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2011-12-08 36328]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-09-13 20552]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-06-29 132608]
R3 ExpressAccountsService;Express Accounts;c:\program files (x86)\NCH Software\ExpressAccounts\expressaccounts.exe [2011-02-02 2135044]
R3 ExpressInvoiceService;Express Invoice;c:\program files (x86)\NCH Software\ExpressInvoice\expressinvoice.exe [2011-02-02 1699332]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-17 135664]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2009-06-29 116096]
R3 InventoriaService;Inventoria Stock Manager;c:\program files (x86)\NCH Software\Inventoria\inventoria.exe [2011-02-02 1363972]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-07 114144]
R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-11 305448]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-05 216064]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-12-08 157672]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-12-08 16872]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-12-08 177640]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [2011-12-08 146920]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2010-09-13 16392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-18 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 aswKbd;aswKbd; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2009-06-03 22576]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2009-06-03 20016]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2009-06-03 60464]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-10 202752]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-07 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-07 676936]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [2012-07-17 132056]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-09-24 62720]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe [2011-11-07 126392]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-07 25928]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 00:50]
.
2012-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-17 11:35]
.
2012-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-17 11:35]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-11 05:44 137512 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"mwlDaemon"="c:\program files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-11 349480]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-06 8060960]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-11-20 200704]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 823840]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-03-06 3508624]
"BestMatch Advisor Agent"="c:\program files (x86)\BestMatch Advisor\BestMatch.Agent.exe" [2011-05-25 576512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0c09&m=aspire_5738&r=27360610n306l0478z145t4531i23o
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Lisa\AppData\Roaming\Mozilla\Firefox\Profiles\e13an8ht.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com.au
FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source={SourceID}&tbp=url&toolbarid=blekkotb_031&u=USERGUID&q=
FF - user.js: extentions.y2layers.installId - 6c9ea3dd-0f15-483d-9793-183c5a41c595
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-23133931.sys
BHO-{3706EE7C-3CAD-445D-8A43-03EBC3B75908} - c:\program files (x86)\Expat Shield\HssIE\ExpatIE_64.dll
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.17.20\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:ca,28,51,35,4f,95,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,18,83,85,e5,3b,4e,42,9f,61,46,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,18,83,85,e5,3b,4e,42,9f,61,46,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
.
**************************************************************************
.
Completion time: 2012-09-24 15:29:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-24 05:29
.
Pre-Run: 324,584,046,592 bytes free
Post-Run: 325,471,133,696 bytes free
.
- - End Of File - - 946C2BAA68CF618883F465624B8B7186

#17
Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hi iolande. I just finished looking at your Combofix log. It looks clean. Are you still having redirects?

#18
iolande

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi there

None yet, which I hope is a good sign!

Thank you so much for your help :-)

#19
Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hi iolande. The next step is to uninstall Blekko Search Bar, run a scan with an online virus scanner, and run a scan with Malwarebytes. Also if you don't use Yontoo we will get rid of that too. Please do the following:

Step 1

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

  • Go to the start menu
  • Type programs and features
  • Press enter
  • Select the blekko search bar entry
  • Click the uninstall button and follow the instructions

If you don't use Yontoo, do the same for it - its entry will say Yontoo

Step 2

  • Go to here
  • Click the download button under Kaspersky Security Scan
  • Download and run the file
  • It will start to download the Kaspersky Security Scan program data
  • Once downloaded the installer will begin
  • Click Next
  • Accept the License Agreement
  • Click Install
  • The program will now install
  • Click Finish
  • Kaspersky Security Scan will now start
  • Click the Full Scan button
  • The scan will take about an hour or two depending on the amount of data on your hard drive
  • If the scan detects problems it will open a Problems found window
  • Click Details to generate a scan results report

  • Once the scan is complete do the following:
    • For XP: Navigate to C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\KSS2\DataRoot
      For Vista/7: Navigate to C:\ProgramData\Kaspersky Lab\KSS2\DataRoot
    • Right-click on the HtmlReport folder --> Click Send to --> Click Compressed (zipped) folder
    • Attach the HtmlReport zipped folder to your next post
  • You can now close Kaspersky Security Scan

Step 3

  • Run Malwarebytes Anti-Malware
  • Go to the Update tab
  • Click Check for Updates to update your definitions
  • Go to the Scanner tab
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Things to see in your next post:
Kaspersky Security Scan log
MBAM log
computer status (if you are still getting redirects)

  • 0

#20
Crag_Hack

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Forgot to mention if we are symptom free these are the last major steps! :thumbsup:
  • 0

#21
iolande

iolande

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi there

I removed those toolbars. I didn't even know the Yontoo thing was there :blink:

Kaspersky kept seizing up at 15%. I ran it a couple of times and even left it on all night last night to make sure, but still no go :confused:

Malwarebytes says:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.27.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Lisa :: LISA-PC [administrator]

28/09/2012 7:09:30 AM
mbam-log-2012-09-28 (07-09-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208295
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

#22
iolande

iolande

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
oh yeah, forgot to mention. No redirects for a few days now :-)
  • 0

#23
Crag_Hack

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Let's try doing an ESET scan instead of Kaspersky. I'll get back to you tomorrow with instructions.
  • 0

#24
Crag_Hack

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Here are the instructions for the ESET scan. Please do the following:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan...

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then right-click the downloaded file and select Run as Administrator.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install (if using Internet Explorer).
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files (x86)/ESET/ESET Online Scanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Things to see in your next post:
C:\Program Files (x86)/ESET/ESET Online Scanner\log.txt

  • 0

#25
iolande

iolande

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi there

okay, 3 threats were found. I haven't done anything with them. Here is the log:


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=1572aa2e7ef35d4da6c6061ae3ae19d7
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-09-29 11:54:33
# local_time=2012-09-30 09:54:33 (+1000, E. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 930 100585568 0 0
# compatibility_mode=8192 67108863 100 0 746 746 0 0
# scanned=284413
# found=3
# cleaned=0
# scan_time=7155
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Lisa\AppData\Local\Mozilla\Firefox\Profiles\e13an8ht.default\Cache\D\76\0FD60d01 HTML/ScrInject.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
  • 0
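Added example (not part of the original thread and not ESET's own tooling): a short Python triage of the ESET Online Scanner log posted above. It parses the header fields and detection lines, folds `C:\Users\All Users` onto `C:\ProgramData` (the same directory on Windows Vista/7, so the two Yontoo hits are one file), and notes scan settings visible in the header. The way the detection name is split from the path is a heuristic assumed from the three lines shown.

```python
import re

# Detection lines and selected header fields copied from the ESET log posted above.
SAMPLE_LOG = r"""# remove_checked=false
# archives_checked=false
# scanned=284413
# found=3
# cleaned=0
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Lisa\AppData\Local\Mozilla\Firefox\Profiles\e13an8ht.default\Cache\D\76\0FD60d01 HTML/ScrInject.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
"""

HEADER = re.compile(r"^#\s*(\w+)=(.*)$")
# Assumption: Windows paths never contain "/", so the first "family/name" token
# (optionally prefixed by "a variant of") marks where the detection name starts.
DETECTION = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>(?:a variant of\s+)?\w+/\S+(?:\s+\w+)?)"
    r"\s+\((?P<action>[^()]*)\)\s+[0-9A-Fa-f]{32}\s+\S+$"
)

def canonical(path):
    # On Vista/7, "C:\Users\All Users" is a link to C:\ProgramData, so a file
    # reported under both paths is a single file on disk.
    low = path.lower()
    alias = "c:\\users\\all users\\"
    if low.startswith(alias):
        low = "c:\\programdata\\" + low[len(alias):]
    return low

def parse(text):
    """Return (header fields, list of detection dicts) from an ESET log."""
    header, hits = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = DETECTION.match(line)
        if m:
            hits.append(m.groupdict())
    return header, hits

def triage(text):
    header, hits = parse(text)
    unique = {}
    for h in hits:
        unique.setdefault(canonical(h["path"]), h["threat"])
    notes = []
    if header.get("found") and int(header["found"]) != len(hits):
        notes.append("found= does not match the number of detection lines parsed")
    if header.get("archives_checked") == "false":
        notes.append("archives were not scanned (archives_checked=false)")
    if header.get("remove_checked") == "false" and hits:
        notes.append("report-only run: every detection is still on disk")
    return {"reported": len(hits), "unique": unique, "notes": notes}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```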


#26
Crag_Hack

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hi iolande. Just want to update you - will have the final instructions for you tomorrow. Then we are done! Score one for the good guys! :thumbsup:
  • 0

#27
iolande

iolande

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
YAY!

thanks so much for all your help. I can't wait to feel secure with my computer again :thumbsup:
  • 0

#28
Crag_Hack

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hi iolande. Now that we're done scanning for and disinfecting malware it's time to clean up. I noticed you have an outdated Java install. You will want to upgrade this to prevent possible infection through it in the future.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Also recently an exploit in Java was discovered that will not be fixed until mid-October or so, so if you don't use Java you might want to disable it according to here or uninstall it using the following instructions (just don't download and install Java according to the last steps in the instructions). You could get infected with malware through the Java exploit.

Upgrading Java :
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, then click Remove JRE.
  • Run the built-in uninstallers for all copies of java listed
  • Click the Next button
  • Click the Next button again
  • Click the Java Manual Download link
  • A browser window will open with the Java download page
  • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
  • Run the installer
  • Close JavaRa

Please use your computer a couple hours at least and make sure there are no remaining symptoms. If there are no symptoms proceed with the following instructions. One final step to take in disinfecting your computer is to purge all system restore points. This ensures that you will not get reinfected by files hiding in the system restore points. We will also clean your temp files and get rid of a file detected by ESET scan. To do this follow these instructions:

  • Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\Users\Lisa\AppData\Local\Mozilla\Firefox\Profiles\e13an8ht.default\Cache\D\76\0FD60d01
    
    :Commands
    [EMPTYTEMP]
  • Then click the Run Fix button at the top
  • OTL may ask to reboot the machine. Please do so if asked.
  • Post the log it produces in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run. Make sure to grab the contents of this file before following the cleanup procedure described next.

To manually create a new Restore Point
  • Go to Control Panel
  • Select View by Small icons in the upper right
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select the System Protection tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System page
  • Select Performance Information and Tools at the bottom left
  • On the left select Open Disk Cleanup
  • Accept the warning if you get one
  • In the drop down box select your main drive i.e. C and press OK
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Copies section click Clean up
  • Click Delete in the pop up
  • Select OK
  • Select Delete
You are now done

We will now clean up Combofix.
Press the Windows key and the R key at the same time
Copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall

You can now remove all the tools that were used to disinfect your computer by running OTL and clicking the CleanUp button.

Now that your computer is disinfected it is important to keep it that way. What follows are guidelines to keeping your computer malware-free.

You absolutely must have an antivirus program installed. This is important because the antivirus program runs in the background of the computer and prevents viruses from both infecting the computer and doing malicious things to the computer. This can prevent many infections in the first place. Just as a city without police would be chaotic so would a computer with an anti-virus program. I recommend the free programs Avira AntiVir Personal and avast! Free Anti-Virus. Also make absolutely sure to only have one anti-virus installed as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.

It is also advised to have an anti-spyware program as well. I recommend the paid version of Malwarebytes' Anti-Malware. This program complementing your anti-virus can protect your computer from most infections out there. Make absolutely sure to only have one anti-spyware installed as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.

A program to add additional protection is Spybot Search and Destroy. It provides passive protection. You can download it here. To use it to protect your computer install it then do the following regularly at your convenience (once a week is adequate):
  • Run Spybot S&D
  • Click "Search for Updates"
  • Click "Continue"
  • Click "Download" - ignore if it says "please select some update files from the list first"
  • Click "OK" in update window if it prompts you
  • Click "Exit" in update window when update finishes or if Spybot said "please select some update files from the list first"
  • Go back to Spybot main window
  • Close Internet Explorer/Firefox/Chrome if they are open
  • Click "Immunize"
  • Wait for the progress meter to complete
  • Click the "Immunize" button with the plus sign next to it towards the top of the window
  • Wait for the progress meter to complete
  • Close the program
And one last program to add additional protection is Panda USB vaccine. This program disables the autorun file on removable devices. You can vaccinate both a computer and a removable device. To download and run refer to here.

Another important thing to have installed is a firewall to secure communications to and from your computer. The firewall prevents inbound communications from the Internet to your computer that could be malicious in nature. Some firewalls also regulate outbound communications from your computer to the Internet that could be malicious as well. Inbound communications can take advantage of security holes in software running on your computer to gain control of your computer and infect you with malware. Outbound communications can be from malware on your computer to malicious websites on the Internet, containing information about your computer usage and even your passwords. For these reasons it is essential to the security of your computer to install a firewall. Make sure to only install one firewall as any more than that would prove to be redundant - one firewall is just as effective as multiple ones. Also more than one firewall could cause software conflicts. This applies to the Windows firewall as well - if you use a third-party firewall make sure to disable the Windows firewall. I recommend ZoneAlarm Free Firewall or Comodo Firewall. Beware when installing these firewalls for bundled toolbars that install alongside the firewall unless you deselect the option to install them.

Besides these measures, an equally important step to take to protect your computer from malware is to update all programs regularly including Windows Updates. Windows, Java, Adobe Flash, PDF readers, and other programs have security holes in them that leave your computer vulnerable to malicious code from hackers that could infect your computer with malware when taken advantage of. Updates close these holes. For this reason it is important to always update programs when prompted. Windows Updates is enabled by default in Windows and Java, Flash, and others have auto-update programs enabled by default as well. You will not have to worry about setting up the auto-update feature for these programs unless you altered the settings to begin with. Make sure as well to never update a program via e-mail - companies will never send e-mails to update their products.

One last thing to consider is to exercise caution when browsing the web and viewing e-mails. Try to stay away from non-reputable websites including websites for software piracy and pornography. By staying away from these websites you decrease your chances of malware infection significantly. To help you exercise caution in your browsing habits you can download and install Web of Trust into your web browser here. This program will install in your browser and color code the website you are viewing to inform you if it is safe or not; green means safe, yellow means proceed with caution, and red means danger. Viewing e-mails should also be done with caution. If you don't recognize an email as one from a known or requested source then you will be safer to avoid opening it. File attachments should be opened only with extreme caution as they can contain files that exploit security holes on your computer and infect you with malware. Never open an attachment unless you are expecting it or you verify that the sender intended to send it to you. Also make sure to scan the attachment before opening it.

You might want to use an alternate browser than Internet Explorer. Firefox and Google Chrome are excellent candidates. They are more secure than Internet Explorer and are just as functional. You can download Google Chrome here and Firefox here.

Something just as important as preventing infection by malware is to backup your data. You can read about different methods here.

Some articles you might be interested in reading to reiterate points I have addressed in this post as well as make new points follow:
By following these steps you should ensure that you most likely will never get infected with malware again. Good luck and safe browsing!

-Josh
  • 0

#29
iolande

iolande

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hey there

All done! Hopefully I will be okay as I don't intentionally go on to any gambling/porn/game sites, but you never know!

Many thanks for all your help
:-)
  • 0

#30
Crag_Hack

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
You're welcome. Good luck! :thumbsup:
  • 0





