Bucksbee Mall (Spyware?) [Solved]


  • This topic is locked

#31
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Yes please. Remove all findings by AVAST. Let me know when it finishes with the scan.
  • 0


#32
Psu22UL

    Member

  • Topic Starter
  • 90 posts
Done and removed. Still have at least something however; whenever I open Firefox/IE, it still brings up the virus redirect.
  • 0

#33
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Psu22UL,

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply
  • 0

#34
Psu22UL

    Member

  • Topic Starter
  • 90 posts
Sorry, been busy the last few days. I'll get the scan done; if I don't reply for a bit, my area is getting hit by a hurricane, so I might have no power for a bit.
  • 0

#35
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Thank you for letting me know. I'll leave this topic open until you return. Take care!
  • 0

#36
Psu22UL

    Member

  • Topic Starter
  • 90 posts
ComboFix 12-11-04.01 - Mama Bozz 11/04/2012 12:33:43.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2038.1030 [GMT -5:00]
Running from: c:\users\Mama Bozz\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mama Bozz\AppData\Local\Temp\AFF1.tmp\F_IN_BOX.dll
c:\users\MAMABO~1\AppData\Local\Temp\AFF1.tmp\F_IN_BOX.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-10-04 to 2012-11-04 )))))))))))))))))))))))))))))))
.
.
2012-10-25 06:38 . 2012-10-25 06:38 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-24 12:56 . 2012-10-24 12:56 18912 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2012-10-24 12:56 . 2012-10-24 12:56 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-10-24 12:56 . 2012-10-24 12:56 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-10-24 12:56 . 2012-10-24 12:56 261600 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-10-24 12:56 . 2012-10-24 12:56 116192 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2012-10-24 12:56 . 2012-10-24 12:56 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-10-24 12:56 . 2012-10-24 12:56 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-10-24 12:56 . 2012-10-24 12:56 96224 ----a-w- c:\program files\Mozilla Firefox\webapprt-stub.exe
2012-10-24 12:56 . 2012-10-24 12:56 157272 ----a-w- c:\program files\Mozilla Firefox\webapp-uninstaller.exe
2012-10-24 12:46 . 2012-11-04 17:13 -------- d-----w- c:\programdata\AVAST Software
2012-10-24 12:46 . 2012-10-24 12:46 -------- d-----w- c:\program files\AVAST Software
2012-10-24 01:26 . 2012-10-24 01:26 -------- d-----w- c:\programdata\Kaspersky Lab
2012-10-23 22:46 . 2012-10-23 22:46 -------- d-----w- C:\Malwarebytes
2012-10-23 22:45 . 2012-10-23 22:45 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2012-10-23 01:35 . 2012-10-23 01:35 -------- d-----w- c:\windows\Sun
2012-10-23 00:52 . 2012-10-23 00:52 -------- d-----w- c:\program files\ChicaLogic
2012-10-23 00:51 . 2012-10-23 02:10 -------- d-----w- c:\program files\OApps
2012-10-23 00:51 . 2012-10-23 00:51 -------- d-----w- c:\program files\Perion
2012-10-23 00:51 . 2012-10-23 00:51 450 ----a-w- C:\user.js
2012-10-23 00:51 . 2011-06-10 22:58 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-23 00:51 . 2011-06-10 22:58 421200 ----a-w- c:\windows\system32\msvcp100.dll
2012-10-23 00:51 . 2011-05-13 23:17 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-10-23 00:51 . 2011-05-13 23:17 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-10-23 00:51 . 2011-05-13 23:17 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-10-22 21:47 . 2012-10-22 21:47 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-22 21:47 . 2012-10-24 12:56 2559968 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-10-22 21:47 . 2012-10-24 12:56 192600 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-10-22 21:47 . 2012-10-24 12:56 115168 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-10-22 21:47 . 2012-10-24 12:56 124384 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-10-22 03:50 . 2012-10-22 03:50 -------- d-----w- c:\program files\Temp
2012-10-22 03:41 . 2012-10-22 03:41 -------- d-----w- c:\users\Mama Bozz\AppData\Local\Apple Computer
2012-10-22 03:40 . 2012-10-22 03:42 -------- d-----w- c:\users\Mama Bozz\AppData\Roaming\Apple Computer
2012-10-22 03:40 . 2012-08-21 17:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-22 03:38 . 2012-10-22 03:38 -------- d-----w- c:\program files\iPod
2012-10-22 03:38 . 2012-10-22 03:40 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-22 03:38 . 2012-10-22 03:40 -------- d-----w- c:\program files\iTunes
2012-10-22 03:38 . 2012-10-22 03:38 -------- d-----w- c:\programdata\Apple Computer
2012-10-22 03:37 . 2012-10-22 03:37 -------- d-----w- c:\users\Mama Bozz\AppData\Local\Apple
2012-10-22 03:37 . 2012-10-22 03:37 -------- d-----w- c:\program files\Apple Software Update
2012-10-22 03:32 . 2012-10-22 03:32 -------- d-----w- c:\program files\Bonjour
2012-10-22 03:32 . 2012-10-22 03:38 -------- d-----w- c:\program files\Common Files\Apple
2012-10-22 03:32 . 2012-10-22 03:36 -------- d-----w- c:\programdata\Apple
2012-10-22 03:27 . 2012-10-22 03:27 -------- d-----w- c:\users\Mama Bozz\AppData\Local\Wondershare
2012-10-22 03:27 . 2012-10-22 03:27 -------- d-----w- c:\program files\Common Files\Wondershare
2012-10-22 03:26 . 2012-10-22 03:26 -------- d-----w- c:\programdata\Wondershare
2012-10-22 03:26 . 2012-10-22 21:46 -------- d-----w- c:\program files\Wondershare
2012-10-22 03:26 . 2012-10-22 21:46 -------- d--h--w- c:\program files\Dr.Fone_Temp
2012-10-19 13:14 . 2012-10-19 13:14 -------- d-----w- C:\_OTL
2012-10-18 02:10 . 2012-10-18 02:10 -------- d-----w- C:\_OTM
2012-10-18 00:39 . 2012-10-18 00:39 -------- d-----w- c:\programdata\Belkin
2012-10-18 00:34 . 2012-08-21 17:01 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-10-17 12:13 . 2012-10-17 12:13 -------- d-----w- c:\users\Mama Bozz\jagexcache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-24 12:56 . 2012-10-24 12:56 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
"Facebook Update"="c:\users\Mama Bozz\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-06 138096]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 133656]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-12 163840]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2012-02-23 1885088]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe" [2011-06-29 243360]
.
c:\users\Mama Bozz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-15 2979144]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2011-7-20 296088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1788823742-1812840608-193563794-1000Core.job
- c:\users\Mama Bozz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-06 17:50]
.
2012-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1788823742-1812840608-193563794-1000UA.job
- c:\users\Mama Bozz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-06 17:50]
.
2012-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 09:16]
.
2012-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 09:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyRVIqbPf&&i=26&search=
FF - ExtSQL: 2012-09-25 14:20; [email protected]; c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
FF - ExtSQL: 2012-10-22 20:51; [email protected]; c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
FF - ExtSQL: 2012-10-22 20:51; [email protected]; c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
FF - ExtSQL: 2012-10-24 08:46; [email protected]; c:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: !HIDDEN! 2009-11-07 17:42; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyRVIqbPf&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 2283ec6b00000000000000247e654a5e
FF - user.js: extensions.incredibar_i.instlDay - 15636
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1420:51
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyRVIqbPf
FF - user.js: extensions.incredibar_i.upn2n - 92262322741895333
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10678
FF - user.js: extensions.incredibar_i.ppd - 111
FF - user.js: extensions.autoDisableScopes - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{517E0D3E-17A4-4592-926E-A082DB43B7D3} - (no file)
Toolbar-{06C7AD57-B655-418D-9AB8-9526A6D2E052} - (no file)
HKCU-Run-DW6 - (no file)
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
SafeBoot-04803550.sys
AddRemove-iBryte_browseforchange - c:\program files\iBryte\browseforchange\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-04 12:42
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\lxczcoms.exe
c:\program files\SafeConnect\scManager.sys
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-11-04 12:46:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-04 17:46
.
Pre-Run: 84,271,087,616 bytes free
Post-Run: 85,487,218,688 bytes free
.
- - End Of File - - 6A38582F9F840C5CEEA3EF4F2A3DFC68
  • 0

#37
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
How is your system now? Do you still get redirects?

If you do:

Still have at least something however; whenever I open Firefox/IE, it still brings up the virus redirect.


Can you please explain to me how you experience these redirects? What do you do when you start FF, where do you enter your search, and what results do you get back?

It may help if I know details on this.
  • 0

#38
Psu22UL

    Member

  • Topic Starter
  • 90 posts
It seems to at least be faster now. What still happens is that whenever I open up Firefox or IE, the home page is the myincredibar page. Always along with an ad that I'm sure is a link to another virus.
  • 0

#39
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
OK. Test your system after these two steps and let me know results.

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

ClearJavaCache::

Registry::
hkey_current_user\SOFTWARE\Microsoft\Internet Explorer\Main
"Start Page"="www.google.com"

Firefox::
FF - ProfilePath - c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyRVIqbPf&&i=26&search=
FF - ExtSQL: 2012-10-22 20:51; [email protected]; c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyRVIqbPf&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 2283ec6b00000000000000247e654a5e
FF - user.js: extensions.incredibar_i.instlDay - 15636
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1420:51
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyRVIqbPf
FF - user.js: extensions.incredibar_i.upn2n - 92262322741895333
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10678
FF - user.js: extensions.incredibar_i.ppd - 111


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please run adwCleaner one more time and post the log like you did the first time.

Step 3

Please don't forget to include these items in your reply:

  • Combofix log
  • adwCleaner log
It would be helpful if you could post each log in a separate post using the "Add Reply" button
  • 0

#40
Psu22UL

    Member

  • Topic Starter
  • 90 posts
adw log:

# AdwCleaner v2.006 - Logfile created 11/05/2012 at 17:52:20
# Updated 30/10/2012 by Xplode
# Operating system : Windows Vista ™ Home Basic Service Pack 1 (32 bits)
# User : Mama Bozz - MAMABOZZ-PC
# Boot Mode : Normal
# Running from : C:\Users\Mama Bozz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W8HZICNW\adwcleaner[1].exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
File Deleted : C:\Users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
File Deleted : C:\Users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\searchplugins\MyStart Search.xml
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\Users\Mama Bozz\AppData\LocalLow\incredibar.com
Folder Deleted : C:\Users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6001.18000

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26 --> hxxp://www.google.com

-\\ Mozilla Firefox v12.0 (en-US)

Profile name : default
File : C:\Users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\prefs.js

C:\Users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\user.js ... Deleted !

Deleted : user_pref("browser.newtab.url", "hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26");
Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");
Deleted : user_pref("browser.search.selectedEngine", "MyStart Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26");
Deleted : user_pref("extensions.enabledAddons", "[email protected]:0.2,[email protected][...]
Deleted : user_pref("extensions.incredibar.admin", false);
Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar.cntry", "US");
Deleted : user_pref("extensions.incredibar.dfltLng", "");
Deleted : user_pref("extensions.incredibar.dfltSrch", false);
Deleted : user_pref("extensions.incredibar.did", "10678");
Deleted : user_pref("extensions.incredibar.envrmnt", "production");
Deleted : user_pref("extensions.incredibar.excTlbr", false);
Deleted : user_pref("extensions.incredibar.hdrMd5", "1AFE8E6479D5FA4325E7B8DEE854FA1B");
Deleted : user_pref("extensions.incredibar.hmpg", false);
Deleted : user_pref("extensions.incredibar.id", "2283ec6b00000000000000247e654a5e");
Deleted : user_pref("extensions.incredibar.installerproductid", "26");
Deleted : user_pref("extensions.incredibar.instlDay", "15636");
Deleted : user_pref("extensions.incredibar.instlRef", "");
Deleted : user_pref("extensions.incredibar.lastVrsnTs", "1.5.11.1420:51:24");
Deleted : user_pref("extensions.incredibar.mntrvrsn", "1.2.0");
Deleted : user_pref("extensions.incredibar.newTab", false);
Deleted : user_pref("extensions.incredibar.noFFXTlbr", false);
Deleted : user_pref("extensions.incredibar.ppd", "111");
Deleted : user_pref("extensions.incredibar.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar.productid", "26");
Deleted : user_pref("extensions.incredibar.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar.sg", "none");
Deleted : user_pref("extensions.incredibar.smplGrp", "none");
Deleted : user_pref("extensions.incredibar.tlbrId", "base");
Deleted : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyRVIqbPf&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.upn2", "6OyRVIqbPf");
Deleted : user_pref("extensions.incredibar.upn2n", "92262322741895333");
Deleted : user_pref("extensions.incredibar.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnTs", "1.5.11.1420:51:24");
Deleted : user_pref("extensions.incredibar.vrsni", "1.5.11.14");
Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
Deleted : user_pref("extensions.incredibar_i.did", "10678");
Deleted : user_pref("extensions.incredibar_i.excTlbr", false);
Deleted : user_pref("extensions.incredibar_i.id", "2283ec6b00000000000000247e654a5e");
Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
Deleted : user_pref("extensions.incredibar_i.instlDay", "15636");
Deleted : user_pref("extensions.incredibar_i.instlRef", "");
Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
Deleted : user_pref("extensions.incredibar_i.newTab", false);
Deleted : user_pref("extensions.incredibar_i.ppd", "111");
Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar_i.productid", "26");
Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyRVIqbPf&loc=IB[...]
Deleted : user_pref("extensions.incredibar_i.upn2", "6OyRVIqbPf");
Deleted : user_pref("extensions.incredibar_i.upn2n", "92262322741895333");
Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1420:51:24");
Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
Deleted : user_pref("keyword.URL", "hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyRVIqbPf&&i=26&search="[...]
Deleted : user_pref("{336D0C35-8A85-403a-B9D2-65C292C39087}.ScriptData_WSG_blackList", "form=CONTLB|babsrc=too[...]
Deleted : user_pref("{336D0C35-8A85-403a-B9D2-65C292C39087}.ScriptData_WSG_whiteList", "{\"search.babylon.com\[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Mama Bozz\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.12] : urls_to_restore_on_startup = [ "hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26" ]
Deleted [l.40] : search_url = "hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&search={searchTerms}&a=6OyRVIqbPf&i=26",
Deleted [l.1544] : urls_to_restore_on_startup = [ "hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26" ]

*************************

AdwCleaner[S1].txt - [13773 octets] - [18/10/2012 08:25:07]
AdwCleaner[S2].txt - [7014 octets] - [05/11/2012 17:52:20]

########## EOF - C:\AdwCleaner[S2].txt - [7074 octets] ##########
  • 0


#41
Psu22UL

    Member

  • Topic Starter
  • 90 posts
ComboFix 12-11-05.03 - Mama Bozz 11/05/2012 17:36:46.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2038.1104 [GMT -5:00]
Running from: c:\users\Mama Bozz\Desktop\ComboFix.exe
Command switches used :: c:\users\Mama Bozz\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2012-10-05 to 2012-11-05 )))))))))))))))))))))))))))))))
.
.
2012-11-05 22:42 . 2012-11-05 22:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-11-05 22:42 . 2012-11-05 22:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-25 06:38 . 2012-10-25 06:38 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-24 12:56 . 2012-10-24 12:56 18912 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2012-10-24 12:56 . 2012-10-24 12:56 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-10-24 12:56 . 2012-10-24 12:56 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-10-24 12:56 . 2012-10-24 12:56 261600 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-10-24 12:56 . 2012-10-24 12:56 116192 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2012-10-24 12:56 . 2012-10-24 12:56 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-10-24 12:56 . 2012-10-24 12:56 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-10-24 12:56 . 2012-10-24 12:56 96224 ----a-w- c:\program files\Mozilla Firefox\webapprt-stub.exe
2012-10-24 12:56 . 2012-10-24 12:56 157272 ----a-w- c:\program files\Mozilla Firefox\webapp-uninstaller.exe
2012-10-24 12:46 . 2012-11-04 17:13 -------- d-----w- c:\programdata\AVAST Software
2012-10-24 12:46 . 2012-10-24 12:46 -------- d-----w- c:\program files\AVAST Software
2012-10-24 01:26 . 2012-10-24 01:26 -------- d-----w- c:\programdata\Kaspersky Lab
2012-10-23 22:46 . 2012-10-23 22:46 -------- d-----w- C:\Malwarebytes
2012-10-23 22:45 . 2012-10-23 22:45 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2012-10-23 01:35 . 2012-10-23 01:35 -------- d-----w- c:\windows\Sun
2012-10-23 00:52 . 2012-10-23 00:52 -------- d-----w- c:\program files\ChicaLogic
2012-10-23 00:51 . 2012-10-23 02:10 -------- d-----w- c:\program files\OApps
2012-10-23 00:51 . 2012-10-23 00:51 -------- d-----w- c:\program files\Perion
2012-10-23 00:51 . 2012-10-23 00:51 450 ----a-w- C:\user.js
2012-10-23 00:51 . 2011-06-10 22:58 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-23 00:51 . 2011-06-10 22:58 421200 ----a-w- c:\windows\system32\msvcp100.dll
2012-10-23 00:51 . 2011-05-13 23:17 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-10-23 00:51 . 2011-05-13 23:17 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-10-23 00:51 . 2011-05-13 23:17 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-10-22 21:47 . 2012-10-22 21:47 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-22 21:47 . 2012-10-24 12:56 2559968 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-10-22 21:47 . 2012-10-24 12:56 192600 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-10-22 21:47 . 2012-10-24 12:56 115168 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-10-22 21:47 . 2012-10-24 12:56 124384 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-10-22 03:50 . 2012-10-22 03:50 -------- d-----w- c:\program files\Temp
2012-10-22 03:41 . 2012-10-22 03:41 -------- d-----w- c:\users\Mama Bozz\AppData\Local\Apple Computer
2012-10-22 03:40 . 2012-10-22 03:42 -------- d-----w- c:\users\Mama Bozz\AppData\Roaming\Apple Computer
2012-10-22 03:40 . 2012-08-21 17:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-22 03:38 . 2012-10-22 03:38 -------- d-----w- c:\program files\iPod
2012-10-22 03:38 . 2012-10-22 03:40 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-22 03:38 . 2012-10-22 03:40 -------- d-----w- c:\program files\iTunes
2012-10-22 03:38 . 2012-10-22 03:38 -------- d-----w- c:\programdata\Apple Computer
2012-10-22 03:37 . 2012-10-22 03:37 -------- d-----w- c:\users\Mama Bozz\AppData\Local\Apple
2012-10-22 03:37 . 2012-10-22 03:37 -------- d-----w- c:\program files\Apple Software Update
2012-10-22 03:32 . 2012-10-22 03:32 -------- d-----w- c:\program files\Bonjour
2012-10-22 03:32 . 2012-10-22 03:38 -------- d-----w- c:\program files\Common Files\Apple
2012-10-22 03:32 . 2012-10-22 03:36 -------- d-----w- c:\programdata\Apple
2012-10-22 03:27 . 2012-10-22 03:27 -------- d-----w- c:\users\Mama Bozz\AppData\Local\Wondershare
2012-10-22 03:27 . 2012-10-22 03:27 -------- d-----w- c:\program files\Common Files\Wondershare
2012-10-22 03:26 . 2012-10-22 03:26 -------- d-----w- c:\programdata\Wondershare
2012-10-22 03:26 . 2012-10-22 21:46 -------- d-----w- c:\program files\Wondershare
2012-10-22 03:26 . 2012-10-22 21:46 -------- d--h--w- c:\program files\Dr.Fone_Temp
2012-10-19 13:14 . 2012-10-19 13:14 -------- d-----w- C:\_OTL
2012-10-18 02:10 . 2012-10-18 02:10 -------- d-----w- C:\_OTM
2012-10-18 00:39 . 2012-10-18 00:39 -------- d-----w- c:\programdata\Belkin
2012-10-18 00:34 . 2012-08-21 17:01 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-10-17 12:13 . 2012-10-17 12:13 -------- d-----w- c:\users\Mama Bozz\jagexcache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-24 12:56 . 2012-10-24 12:56 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
"Facebook Update"="c:\users\Mama Bozz\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-06 138096]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 133656]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-12 163840]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2012-02-23 1885088]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe" [2011-06-29 243360]
.
c:\users\Mama Bozz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-15 2979144]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2011-7-20 296088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1788823742-1812840608-193563794-1000Core.job
- c:\users\Mama Bozz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-06 17:50]
.
2012-11-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1788823742-1812840608-193563794-1000UA.job
- c:\users\Mama Bozz\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-06 17:50]
.
2012-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 09:16]
.
2012-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 09:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyRVIqbPf&&i=26&search=
FF - ExtSQL: 2012-09-25 14:20; [email protected]; c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
FF - ExtSQL: 2012-10-22 20:51; [email protected]; c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
FF - ExtSQL: 2012-10-22 20:51; [email protected]; c:\users\Mama Bozz\AppData\Roaming\Mozilla\Firefox\Profiles\wx53d9w5.default\extensions\[email protected]
FF - ExtSQL: 2012-10-24 08:46; [email protected]; c:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: !HIDDEN! 2009-11-07 17:42; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyRVIqbPf&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 2283ec6b00000000000000247e654a5e
FF - user.js: extensions.incredibar_i.instlDay - 15636
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1420:51
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyRVIqbPf
FF - user.js: extensions.incredibar_i.upn2n - 92262322741895333
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10678
FF - user.js: extensions.incredibar_i.ppd - 111
FF - user.js: extensions.autoDisableScopes - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-05 17:42
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-11-05 17:44:45
ComboFix-quarantined-files.txt 2012-11-05 22:44
ComboFix2.txt 2012-11-04 17:46
.
Pre-Run: 84,138,831,872 bytes free
Post-Run: 84,106,072,064 bytes free
.
- - End Of File - - 7008551732576579958F6D555F527ED5


Opening up the internet in any browser now doesn't have the incredibar redirect anymore. Seems much better, but I'll wait for your word before doing anything of importance on this computer.
  • 0
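A defender-side triage of the Supplementary Scan section in the log above, as an added Python example that is not part of this thread and not part of ComboFix: it parses the IE (`u*`) and Firefox (`FF - prefs.js` / `FF - user.js`) preference lines, groups the navigation settings (start page, homepage, `keyword.URL`, default search URL) by the host they point at, and reports any host that owns two or more of them, which is exactly the pattern the incredibar entries show. It also records when `user.js` carries `extensions.*` keys pushed by an installer, or sets `extensions.autoDisableScopes` to 0 (which makes Firefox auto-enable sideloaded add-ons). The sample block is constructed to mirror the log's own lines; the function, regex and field names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of ComboFix's "Supplementary Scan" section.
# The incredibar/yahoo lines mirror the log posted above; nothing else is real.
SAMPLE_LOG = """\
uStart Page = hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredibar.com/mb185?a=6OyRVIqbPf&i=26
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyRVIqbPf&&i=26&search=
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyRVIqbPf&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.autoDisableScopes - 0
"""

# Preferences that decide where the browser lands on start-up or when the user
# types a search: one third-party host owning several of them is the hijack pattern.
NAV_PREFS = {"uStart Page", "browser.startup.homepage",
             "keyword.URL", "browser.search.defaulturl"}

FF_RE = re.compile(r"^FF - (?P<file>prefs|user)\.js: (?P<key>\S+) - ?(?P<val>.*)$")
IE_RE = re.compile(r"^(?P<key>u[^=]+?) = (?P<val>.*)$")


def refang(url: str) -> str:
    """ComboFix writes hxxp:// so pasted logs are not clickable; undo it for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_of(value: str):
    """Lower-cased hostname of a URL-valued preference, or None for non-URL values."""
    v = refang(value.strip())
    if not v.lower().startswith(("http://", "https://")):
        return None
    return (urlparse(v).hostname or "").lower() or None


def parse_prefs(text: str):
    """Yield (source, key, value) for the IE (u*) and Firefox (FF - *.js) lines."""
    for line in text.splitlines():
        m = FF_RE.match(line)
        if m:
            yield m.group("file"), m.group("key"), m.group("val")
            continue
        m = IE_RE.match(line)
        if m:
            yield "ie", m.group("key"), m.group("val")


def triage(text: str) -> dict:
    """Summarise browser-hijack indicators found in a Supplementary Scan block."""
    by_host = defaultdict(set)      # host -> navigation prefs pointing at it
    namespaces = set()              # extension namespaces that user.js pushes prefs for
    scopes_open = False
    for source, key, val in parse_prefs(text):
        host = host_of(val)
        if key in NAV_PREFS and host:
            by_host[host].add(key)
        if source == "user":
            # Firefox never writes user.js itself; an installer dropping extensions.*
            # keys into it, or forcing autoDisableScopes=0 (auto-enable sideloaded
            # add-ons), shows a toolbar installer has written into the profile.
            parts = key.split(".")
            if key == "extensions.autoDisableScopes" and val.strip() == "0":
                scopes_open = True
            elif parts[0] == "extensions" and len(parts) >= 3:
                namespaces.add(parts[1])
    return {
        # only hosts that control two or more navigation settings are reported
        "hijack_hosts": {h: sorted(k) for h, k in by_host.items() if len(k) >= 2},
        "user_js_extension_namespaces": sorted(namespaces),
        "auto_disable_scopes_zero": scopes_open,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the constructed sample, `triage` reports `mystart.incredibar.com` as owning the start page, Firefox homepage and `keyword.URL`, lists `incredibar_i` as the namespace `user.js` was written for, and flags `autoDisableScopes = 0`; a clean profile (for example only `uStart Page = about:blank`) yields an empty report, which is what the post-fix log should look like.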

#42
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Psu22UL,

Your logs and system are clean now. I'm glad we fixed up your computer.

Step 1

Please close all running programs and run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [clearallrestorepoints]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Step 2

We need to clean up your PC from programs we used.

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.

In case that any of the software we used in this fix still remains on your system please delete it manually (Right click on it and select Delete).

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Something to read

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

2. Make Backups of Important Files

Please read this article Home Computer Data Backup.

3. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of software installed on your system.
  • 0

#43
Psu22UL

Psu22UL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
All cleaned up, thank you very much!

A question about what all I should download to keep this computer safe. I was thinking about downloading the SpywareBlaster, MBAM, and Avast!Free (for now). Would any of those affect the other ones' scans? I know you're only supposed to have one anti-virus, but I'm not sure if those would affect each other?
  • 0

#44
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
You can install all three but have only two real-time protections enabled: one antivirus and one antispyware. As you already know, Avast is antivirus and MBAM and SpywareBlaster are antimalware software.

So, for example, you will have Avast and MBAM enabled and you will use SpywareBlaster only by starting it manually to do a scan of your PC.

Hope this helps.

Goodbye and stay safe :thumbsup:
  • 0

#45
Psu22UL

Psu22UL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Ah, ok, that's what I suspected. Thank you very much once again!
  • 0





