Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help removing SnapDo/WebSearch. [Closed] [Solved]


  • This topic is locked This topic is locked

#46
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Yes go ahead and do the update then I would like you to rerun OTL for me and send me the fresh scan for me.

Run New OTL Scan


  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
  • 0

Advertisements


#47
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#48
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hello.

After last Microsoft Security Updates i don't think i had any instance of Windows Security Center acting up about MS SE and/or Firewall.

Also i don't see the Intellitext links anymore, not on this computer and not on the laptop. Though from Firefox Ghostery addon on the laptop i know Intellitext still is used on your website.




I thought it would be better to not yet use the Microsoft solutions concearning not being able to install kb 2833941 (security-update for MS .NET Framework 1.1 sp1 for Windows XP, Vista and Server 2008 x86). The mrFixit i found first did not work, can't open the file. A few days later i had more time to adress this new problem, it seems there's a damaged or missing MSDT (MS Diagnostics Tool) on this computer. MSDT should be able to open the mrFixit. (Glad to not see to many untrustworthy sites offering info & downloads). I could not find good info or download for MSDT.

Please Microsoft (and Google and therefore i presume also Apple) take care for better translations (no wonder ppl try Babylon translations). The Microsoft update-pages in Dutch often make no sence. I translated a bit (using that as a methode to better learn the steps to be taken) but after a few lines the question to translate did not appear anymore. Glad i translated as a guest and not logged in, in hindsight i do not fully trust that annymore, might have picked up something what couses the following :

1st mrFixit is : ?!?What?!?the button on that page (when i write this) now opens the very same page it's on, instead of a Fixit-downloadpage!?! Underneath the button it says "Microsoft Fix it Microsoft Fix it 50123" ("Microsoft Fix it" written twice on English page).
[Edit]This Fixit was "windowsupdate.diagcab".
Given the nature of kb 2833941 (security-update for MS .NET Framework 1.1 sp1 for Windows XP, Vista and Server 2008 x86) : the used browser was IE, default browser in Owner-account[endEdit]



The before mentioned mrFixit was solution nr.1 from kb/976982/en-US about [Error codes "0x80070643" or "0x643" when installing .NET Framework updates].


Now i also found kb/923100/en-au about [Windows Update error code "0x643" or Windows Installer error code "1603" when installing various .Net Frameworks], which mentioned


another mrFixit at kb/971187/en-US [How to fix MSI software update registration corruption issues] . I did not try downloading the 2nd mrFixit for i was not sure whichone to use.




2nd mrFixit is : Diagnose and fix program installing and uninstalling problems automatically, linkid = 9779673.

On both pages kb/976982/en and kb/923100/en-au a 2nd repair-option is given to uninstall all .NET Frameworks v 1.1 up to 3.5 and re-install them. On the 3rd page (kb/971187/en-US) the 2nd repair-option is to modify the Registry. I don't know if that would be needed besides it's something i am not accostumed to.




Questions :

If i'ld gotten to the 2nd Fixit before, i think i would've wanted to try thatone 1st. Shall i?

And do i need to download a new OTL installer or is the previous-one still up to date?




Thank You.

I'll edit this post in a few minutes with the filename of the 1st Fixit : windowsupdate.diagcab

Edited by Admirgency, 17 July 2013 - 10:22 AM.

  • 0

#49
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello


The best thing I have seen when you have trouble with >NET updates is to uninstall off the .nets from add/remove and then run this removal tool - http://blogs.msdn.co...28/8904493.aspx

after that is to go and install them one at a time


gringo
  • 0

#50
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
July 18_19th 2013

19˝ hours of work today..... Another of our "responsable" employees suddenly quit. Now i realy have to do most everything here exept for cleaning and making coffee/thee/limonade. Well, that's to be expected in an aid-organisation who draws personel from it's target-group. Luckily i had company from visitors and our Polish employees all night. Besides i'm in a position to buy food and juice with petty cash.

I downloaded more passible needed files then i actually used. I downloaded from this computer Guest-account → Firefox.

There was no option for repairing .NET Framework 1.1 via Configurationscreen. I did not try the repair-tool, thought it was a .cab-file which i can not open with damaged or missing MSDT. I uninstalled .Net FrWs via Configscreen. Starting with languige pack for 4.0 and 3.5, in that order. Then .Net FrW 4 Client Profile, .NET FrW 3.5, 3.0, 2.0 and 1.1 with respective Service Packs. No problems there. I did not use the Uninstall Tool for in all .NET FrW blogs from A. Stebner he warns it's a tool only to use as a last resort.

Installation of the .NET FrW's on itself was no problem either, however after installation of 4 Client profile the Windows Security Center started giving messages again at every reboot, for either MS SE or Firewall not being enabled though not at the same time (reboot). Mostly it was about firewall which enabled a few seconds later.

Among Security Updates (29 total) via Windows Update i noticed kb2564958, security update for Windows XP :

CVE-2011-1247, & Microsoft Security Bulletin MS11-075 - Important

Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699) Published: Tuesday, October 11, 2011 | Updated: Tuesday, October 25, 2011. I have to explain : When i got to work here a year ago, no computer was updated, exept for Google-services on this computer (as well as Imesh, Isearch and Bearsearch on the public computers). There were various malware-families present at each computer. One public computer was taken hostage and it's acting up again now, can't get to MS Update-site manually but automatic updates do roll in on that public comp.

This work-computer might have been without kb2564958 all this time. I'll check tomorrow or sometime this weekend.

With Optional updates (12 incl. MS SE defenitions), Languigepack for .NET FrW 3.0 didn't want to install, sorry i forgot to check what error-code.

Chekked at laptop (for i needed to copy transcripts from MS11-075 + some more, and OTL-download) with Avast freeware, and on this computer with Mbam and MS SE, this computers back-up files did not show an infection. (I don't think our organisations will be unified under one administration to ask the new boardmembers to finally pay for more elaborate security software, in time for the publication of next years versions).


OTL produced a Txt-file but not the Extras :

OTL logfile created on: 19-7-2013 3:11:25 - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Eigenaar\Bureaublad
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

759.48 Mb Total Physical Memory | 387.42 Mb Available Physical Memory | 51.01% Memory free
2.11 Gb Paging File | 1.74 Gb Available in Paging File | 82.55% Paging File free
Paging file location(s): C:\pagefile.sys 1440 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 22.10 Gb Free Space | 59.29% Space Free | Partition Type: NTFS

Computer Name: POWERMATE | User Name: Eigenaar | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Eigenaar\Bureaublad\18july - OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe (Google Inc.)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE (Microsoft Corporation.)
PRC - C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe ( )
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
PRC - C:\Program Files\Wireless\WPS\jswpbapi.exe (Wireless)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\TSST Korea\FW LiveUpdate\LiveUpdate.dat ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxslt.dll ()
MOD - C:\Program Files\Wireless\WPS\jswscapploc.dll ()
MOD - C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()


========== Services (SafeList) ==========

SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE (Microsoft Corporation.)
SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE (Microsoft Corporation.)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (jswpsapi) -- C:\Program Files\Wireless\WPS\jswpsapi.exe (wireless)
SRV - (jswpbapi) -- C:\Program Files\Wireless\WPS\jswpbapi.exe (Wireless)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\catchme.sys File not found
DRV - (dc3d) -- C:\WINDOWS\system32\drivers\dc3d.sys (Microsoft Corporation)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (JSWSCIMD) -- C:\WINDOWS\system32\drivers\jswscimd.sys (Atheros Communications, Inc.)
DRV - (AR9271) -- C:\WINDOWS\system32\drivers\athuw.sys (Atheros Communications, Inc.)
DRV - (HTCAND32) -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys (HTC, Corporation)
DRV - (STAC97NA) -- C:\WINDOWS\system32\drivers\stac97na.sys (SigmaTel Inc.)
DRV - (STAC97NH) -- C:\WINDOWS\system32\drivers\stac97nh.sys (SigmaTel Inc.)
DRV - (BrPar) -- C:\WINDOWS\system32\drivers\BRPAR.SYS (Brother Industries Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = nl
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 04 48 20 B2 A1 5C CD 01 [binary data]
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7Bd40f5e7b-d2cf-4856-b441-cc613eeffbe3%7D:1.68
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515
FF - prefs.js..extensions.enabledAddons: firefox%40ghostery.com:2.9.6
FF - prefs.js..extensions.enabledAddons: adblockpopups%40jessehakanen.net:0.8
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..extensions.enabledItems: {EEE6C361-6118-11DC-9C72-001320C79847}:1.5.0.2
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1912
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2013-07-19 01:19:59 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2166.3772\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.7: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013-07-05 13:13:51 | 000,000,000 | ---D | M]

[2010-05-11 15:00:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Extensions
[2013-07-05 13:24:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions
[2013-07-05 13:24:17 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013-07-05 13:24:20 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\[email protected]
[2013-07-05 13:24:20 | 000,116,577 | ---- | M] () (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\[email protected]
[2012-07-08 11:38:38 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013-07-05 13:23:23 | 000,870,680 | ---- | M] () (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013-07-05 13:24:17 | 000,138,614 | ---- | M] () (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
[2011-04-01 11:10:10 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\searchplugins\bing.xml
[2013-07-05 13:13:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013-07-05 13:15:19 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012-06-28 17:42:00 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2011-12-24 21:58:59 | 000,001,111 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\vandale-nl.xml
[2011-12-24 21:58:59 | 000,001,106 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-nl.xml

========== Chrome ==========


O1 HOSTS File: ([2013-05-25 02:51:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [jswtrayutil] C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Name of App] C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe ( )
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - Startup: C:\Documents and Settings\Eigenaar\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Gast\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1271944706703 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1341578474781 (MUWebControl Class)
O16 - DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.micr...loadManager.cab (Microsoft Download Manager ActiveX control)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.syste...el_4.5.11.0.cab (SysInfo Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3C14C12F-FE35-4086-8935-5AD09B3BDF73}: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F414C247-0F38-435E-8997-36B5A343C769}: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010-04-22 13:42:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (pgdfgsvc C 1)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013-07-19 03:06:53 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\18july - OTL.exe
[2013-07-18 22:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2013-07-18 21:58:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2013-07-18 21:58:28 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2013-07-18 21:58:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2013-07-18 21:58:10 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2013-07-18 21:44:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\URTTemp
[2013-07-10 13:01:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MRT
[2013-07-07 12:18:26 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eigenaar\Onlangs geopend
[2013-07-05 13:13:41 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013-06-25 21:57:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\Bureaublad\RK_Quarantine
[2013-06-25 16:15:31 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Eigenaar\Bureaublad\12-25junetdsskiller.exe
[2013-06-21 19:03:04 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\11-21juneOTL.exe
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013-07-19 03:01:13 | 000,000,460 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{19634F2B-6041-4CFB-B933-71C9576E8275}.job
[2013-07-19 02:56:00 | 000,000,940 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013-07-19 02:38:02 | 000,001,048 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013-07-19 02:34:35 | 000,000,386 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013-07-19 02:34:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013-07-19 02:26:24 | 000,000,479 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini
[2013-07-19 02:24:58 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013-07-19 02:24:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013-07-19 02:17:07 | 000,600,062 | ---- | M] () -- C:\WINDOWS\System32\perfh013.dat
[2013-07-19 02:17:07 | 000,501,462 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013-07-19 02:17:07 | 000,121,316 | ---- | M] () -- C:\WINDOWS\System32\perfc013.dat
[2013-07-19 02:17:07 | 000,088,310 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013-07-18 23:08:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\18july - OTL.exe
[2013-07-18 22:05:55 | 000,168,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013-07-18 20:54:14 | 000,000,283 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2013-07-16 12:06:06 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013-07-16 10:38:19 | 000,127,984 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\2windowsupdate.diagcab
[2013-07-10 14:58:31 | 000,127,984 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\14a-10july 2ndTuesday-windowsupdate.diagcab
[2013-07-10 12:26:51 | 000,001,912 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013-07-10 12:21:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013-06-25 16:17:17 | 000,911,360 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\13-25juneRogueKiller.exe
[2013-06-25 16:15:58 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Eigenaar\Bureaublad\12-25junetdsskiller.exe
[2013-06-21 18:54:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\11-21juneOTL.exe
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013-07-16 10:38:15 | 000,127,984 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\2windowsupdate.diagcab
[2013-07-10 14:58:27 | 000,127,984 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\14a-10july 2ndTuesday-windowsupdate.diagcab
[2013-07-10 12:46:24 | 000,000,386 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013-07-08 08:28:53 | 000,168,304 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013-06-25 16:16:57 | 000,911,360 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\13-25juneRogueKiller.exe
[2013-05-25 02:30:02 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013-05-25 02:30:02 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013-05-25 02:30:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013-05-25 02:30:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013-05-25 02:30:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013-03-14 11:29:25 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2013-03-14 11:29:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2013-03-14 11:29:23 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2013-03-14 11:29:21 | 000,014,496 | ---- | C] () -- C:\WINDOWS\HL-5240.INI
[2013-03-14 11:28:40 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\bd5240.dat
[2013-03-14 11:27:45 | 000,000,283 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2013-03-13 11:46:36 | 000,000,479 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini
[2012-09-12 15:43:07 | 000,004,706 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012-08-10 15:06:30 | 000,268,519 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\census.cache
[2012-08-10 15:05:52 | 000,180,312 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\ars.cache
[2012-08-10 12:48:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\housecall.guid.cache
[2012-07-07 23:13:52 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\fusioncache.dat
[2012-07-06 14:44:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012-07-05 04:40:25 | 000,294,527 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll
[2011-11-20 20:10:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

========== ZeroAccess Check ==========

[2011-03-24 11:50:20 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008-04-15 02:32:40 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009-02-09 12:56:06 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008-04-15 02:32:46 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012-07-08 18:19:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012-02-09 13:26:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012-08-10 12:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2010-11-10 13:13:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ICIDU
[2012-08-07 15:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kingsoft
[2012-07-08 18:17:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011-11-14 18:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Playrix Entertainment
[2012-07-09 22:38:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\ElevatedDiagnostics
[2012-08-07 15:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Foxit Software
[2010-11-15 14:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\ICAClient
[2012-08-07 15:57:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Kingsoft
[2010-05-11 15:08:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\OpenOffice.org
[2013-05-07 12:11:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Oracle
[2013-05-12 15:39:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Uniblue
[2012-07-07 21:28:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Windows Desktop Search
[2012-07-09 17:46:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Windows Search
[2012-07-25 15:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\OpenOffice.org
[2012-11-26 11:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\Uniblue
[2012-07-17 06:49:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\Windows Desktop Search
[2013-02-19 13:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\Windows Search
[2013-05-14 14:47:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Werkaccount\Application Data\Windows Desktop Search

========== Purity Check ==========



< End of report >
  • 0

#51
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Pity, via WU → update-history i can't see past Febr. 2012 anymore. I'll give the backstory as far as the notes i still have show + a little i can remember.


On this work-comp there was to many AV installed : MS SE, AVG, Avira, Spyware Doctor and Mbam (likewise with different cocktails on the public comp's though only AV and no AM/ASp there). On this comp only all Google-services (Chrome, Aps, Earth and Picassa) and MS SE were up to date. Concerning MS updates this comp was in the best shape between all computers here. It had been badly updated before 18th of jan 2012, with intervals of several months. There-after WU did not get any chance in March an not much in febr..

I got here to update since the 15th of May. Though i was allowed to fight the malware on public computers & installing Guest-accounts instead of unprotected owner-accounts to work from, it wasn't until August that i could do the same for this computer and the offline comp (the latter having illegal installed Windows XP Pro, MS warning at every reboot clearly visible for all employees. The laptop wasn't the 1st with illegal Windows Product Key). All computers were heavily infected. Because all computers had different cocktails of AV installed, i don't think i overlooked any result being False Positive. Lukicsel, Ransom.foreign and exp/java-2012-0507 variants were present on all computers, plus each of them their own blend of different malware.

We were lucky the other employees (incl. the one who'd "taken care of the computers" before i did) did not touch the 2 workcomputers then, and that i had already cleaned the ransomed public comp. The other 2 employees + the computergeek from a sister-organization did not even know how to get into Safe Modus thus they damaged the other public computers. We bought new-ones.

I started with updating Windows. 24 essential updates rolled in, a.w. updates for .NET FrW up to version 3.5. The combination of AVG and Avira hindered kb 890830 (MS Tool for Removal of Malicious Software) with automatic update as well as with manual update, in regular modus that is. In Safe Modus i could mannualy download, install and run kb890830. It found nothing.

Then i uninstalled the excessive AV/AM and I updated Avira,. Present on this comp were : Tr/Lukicsel.I.284, .I.285 and .L.10, Exp/2012-0507.CW, Java/Dldr.Treams.BX, Tr/LockscreenHA.A.1 and Tr/Ransom.foreign.pfy, with a total of 39 detections of them. (The public computers harboured much more, especially variants of exp/2012-0507. But then again, Isearch Imesh and Bearsearch were installed there). All Quarantined.

Furthermore Avira gave 79 warnings of invalid paths, amongst which Aviras own quick-scan and an awful lot of MS drWatson. I could not manage to save the Avira log-file anywhere while i tried on multiple places and copy/pasted into Word and Wordpad (did not experience that with any other document or tekst-file).

I had already bought a (self-burned) XP-disk from a local store (for the public comps) and i used it to repair what it could fid. Then i ran Kaspersky ResQdisk to scan Boot Sectors and Hidden Objects, found nothing. Then Full Scan found 2 instances of a HEUR:Trojan.win32.Generic, both quarantined.

1 essential update (for Visual C++2010 sp1, and after another reboot .Net FrW 4 Client Profile (amongst 12 optional updates) rolled in. And 1 more reboot later 5 security-updates for .Net FrW 4 ClPr. Again 1 more reboot and 2 essential updates, 1 for Windows XP and 1 for Outlook, + 2 optional updates came in. My notes don't show at which point i uninstalled Avira and installed Spybot S&D. Since then, 14 months ago, we did not seem to have any problems.

With the prospect of studying at GeeksToGo University during work-hours i started here, but with the absence of all the responsible (and Dutch-speaking) employees, i did not have the time. And now this.

It started (?again) with Google Mail. Suddenly some-one or -thing had altered the settings on this computer in Chrome, as well as in each and every account from the payed coördinator and his wife, to remember the accounts & passwords. I reset them all to not remember. But then my new account (handled via Gmail) on our own domain would not work. Though each time i closed my account and re-opened imediatly to check the password, the next day it would not work anymore. As our website has not been updated since 2009, i don't use that mail-acc.. And naturally the website on my profile and beneath my posts is not the website from the organization here (WOT site-advisor now shows green for trustworthiness, grey for vendor reliability, privacy and child safety) (i also work for the org. fr the website on my profile, when there's not to much work here, which did not happen a lot last year).

I could not find the (? a) root of the problems on our work-comp until i made the Work-account (limited rights). SnapDo became visible, complemented by the remnants of AVG and Avira protected Search-engines. That's about it, why i need your expertise. I can not handle this myself. Again a Big Thank You, Gringo.
  • 0

#52
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Admirgency


That report looks great - was it done in the account with the problem?


Gringo
  • 0

#53
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
No, Isearch and SnapDo are still present.
in Owner-acc. -> Chrome : only Avira.ask.com, IE and Firefox look clean of them.
In Work-acc. -> Chrome : SnapDo and Ask., IE & Firefoxx look clean of them.
in Guest-acc. -> Chrome : Ask and Isearch (AVG), Isearch in the place where SnapDo is in the follow-order in Work-acc. . Ask in IE, Firefoxx looks clean of them.
,i have nothing against Ask, but it is a remnant of uninstalled Avira freeware. Isearch is remnant of uninstalled AVG freeware, even if not i would want Isearch gone asap.
  • 0

#54
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello


in Owner-acc. -> Chrome : only Avira.ask.com, IE and Firefox look clean of them.

in chrome where is it at - start page or search provider?


Gringo
  • 0

#55
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
In Owner, Avira.ask is Startpage as well as (non-default) search-engine. Google is standard search-engine.
  • 0

Advertisements


#56
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
watch this to set the home page -



Gringo
  • 0

#57
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
(Gees, NoScript already shows more on your site then any other. Upon opening this page this afternoon there were 18 entries. Now for this answer i have 2 more on your homepage).

Owner-acc. Chrome startpage is changed to Google.nl, no problem. I just didn't see that as important before. A Startpage is just an insertion of another web-adress, but....
Question : If i'ld remove the Ask, Isearch and SnapDo search-engines (though they are not visible in Configscreen->Software) from Chrome options, then the engines would still be installed on the computer, right? That is what worries me.
  • 0

#58
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
NO - they are only web addresses - the actual search does not happen on the computer


Gringo
  • 0

#59
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Sorry you had to wait another few days for me reporting on such a simple task. It's been a real manic monday , becouse of the last employee who quit coming back being manic, i lost some marbles too. Luckily the weekend before i already ordered myself to not mind about our project or computers (normaly i'ld perform pc-check-ups in the weekends). Besides i could go to a regular AA-meeting and next day to NA-discussion-meeting to grab back those marbles. And next week we'll be temporaly moving our operations to a sister-organisation, which is kind of the planning for next year anyway. Thus next week i can talk Dutch with ppl again instead of hearing mainly Polish, Russian, Romanesc, Romanian and Bulgarian mixed with some broken Dutch, broken English, broken German and broken French. That'll be a releafe i tell ya!
So please have some patience when i do not answer this thread in time. I have to be carefull not to burn-out too, not to mention the risk of loosing the very first year of being clean in my 50 years life.


Ask, Isearch and SnapDo searches are now removed from Google (as well as the double entry for Bing in IE) in the various accounts.
I had to re-read this entire thread, didn't realy know what was going on here anymore. I'll have to check back on that .NET Framework 1.1 security-update that didn't install properly (and on that one public comp where i can go to MS Update-pages again but 3 security-updates kept re-installing every day the week after July MS Security updates incl. one where attackers had a chance to falsify computer-status messages, but that's not this computer).

You mentioned last OTL-log looked good. Is there one more scan to be run or can we begin the clean-up process of used scans now? There are the skipped entries from TDSS Killer (post 40 in this thread), and Spyware S&D as well as Mbam installed on the workcomp now.

Thank you.
  • 0

#60
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

lets do one double check and then I will remove all our tools



Now I would like you to rerun malwarebytes for me


Double-click the Malwarebytes icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, If anything is found then click Show Results to view the results.
Be sure that everything is Checked (ticked)
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

------------------------------------------------

And last I would like you to run an Online scan for me


Eset Online Scanner

best when IE is used

Go to http://www.eset.com/onlinescan/ to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish


When the scan is complete

If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found


If threats were found
click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish
close program
copy and paste the report here



When you reply back to me please attach the MBAM and Eset report and let me know how the computer is doing at this time
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP