
Sneaky malware, browser hijack

Re: Sneaky malware, browser hijack

Post by Seep34 » July 26th, 2011, 12:59 pm

Gary R.:

Here's the DDS.txt log:


.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_17
Run by Rachel Mindel at 12:55:26 on 2011-07-26
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.1940 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbvcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Malky\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
BHO: FBLayouts Plugin: {ff4e1d1d-705b-4379-ab33-22d98c1abf55} - C:\Program Files (x86)\FBLayouts\fblayouts.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
mRunOnce: [Uninstall Adobe Download Manager] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
mRunOnce: [OTL] "C:\Users\Malky\Downloads\OTL.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: C:\Windows\system32\wpclsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{04E103AE-BDC5-497F-933A-C5E6AA0E1F20} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{8BD21D8B-16AE-4A4D-BE90-91571A8D5AF2} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C2370A83-364F-4105-905A-275EB21DFC24} : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
BHO-X64: FBLayouts Plugin: {FF4E1D1D-705B-4379-AB33-22D98C1ABF55} - C:\Program Files (x86)\FBLayouts\fblayouts.dll
BHO-X64: FBLayouts Plugin - No File
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun-x64: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun-x64: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
mRunOnce-x64: [Uninstall Adobe Download Manager] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
mRunOnce-x64: [GrpConv] grpconv -o
mRunOnce-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
mRunOnce-x64: [OTL] "C:\Users\Malky\Downloads\OTL.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R1 70416131;70416131;C:\Windows\system32\DRIVERS\70416131.sys --> C:\Windows\system32\DRIVERS\70416131.sys [?]
R1 74558331;74558331;C:\Windows\system32\DRIVERS\74558331.sys --> C:\Windows\system32\DRIVERS\74558331.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 setup_9.0.0.722_03.07.2011_17-11drv;setup_9.0.0.722_03.07.2011_17-11drv;C:\Windows\system32\DRIVERS\7455833.sys --> C:\Windows\system32\DRIVERS\7455833.sys [?]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/20 03:27:04];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-10-25 42184]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 lxbv_device;lxbv_device;C:\Windows\system32\lxbvcoms.exe -service --> C:\Windows\system32\lxbvcoms.exe -service [?]
R2 SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-4-28 120832]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe [?]
S3 bckwfs;Blue Coat K9 Web Protection;C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [2010-12-20 1845520]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-1-13 222512]
S3 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-23 135664]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-23 135664]
S3 NETw3v64;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys --> C:\Windows\system32\DRIVERS\NETw3v64.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-1-13 365952]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-07-26 16:02:50 -------- d-----w- C:\Users\Rachel Mindel\AppData\Local\temp
2011-07-26 15:26:03 98816 ----a-w- C:\Windows\sed.exe
2011-07-26 15:26:03 518144 ----a-w- C:\Windows\SWREG.exe
2011-07-26 15:26:03 256000 ----a-w- C:\Windows\PEV.exe
2011-07-26 15:26:03 208896 ----a-w- C:\Windows\MBR.exe
2011-07-26 15:25:52 -------- d-----w- \Qoobox
2011-07-26 12:32:48 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C7384B1A-EA7F-44D2-8F84-CAD5EFAF2E49}\mpengine.dll
2011-07-25 14:41:58 -------- d-----w- C:\Program Files (x86)\ESET
2011-07-25 13:27:02 -------- d-----w- C:\HpUpdate
2011-07-25 13:27:02 -------- d-----w- \HpUpdate
2011-07-24 22:41:05 -------- d-----w- C:\_OTL
2011-07-24 22:41:05 -------- d-----w- \_OTL
2011-07-17 15:52:08 -------- d-----w- C:\Program Files\Bonjour
2011-07-17 15:52:08 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-07-15 02:41:41 -------- d-----w- C:\Program Files (x86)\Mamutu
2011-07-15 02:36:06 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2011-07-13 17:38:17 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-07-13 17:38:14 85504 ----a-w- C:\Windows\System32\csrsrv.dll
2011-07-13 17:38:14 451072 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-11 02:34:22 -------- d-----w- C:\Windows\Profiles
2011-07-07 14:39:22 -------- d-----w- C:\ProcAlyzer Dumps
2011-07-07 14:39:22 -------- d-----w- \ProcAlyzer Dumps
2011-07-06 18:52:54 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2011-07-06 15:41:13 -------- d-----w- C:\ProgramData\InstallMate
2011-07-06 15:41:13 -------- d-----w- C:\Program Files (x86)\BillP Studios
2011-07-04 16:02:25 -------- d-----w- C:\Program Files\CCleaner
2011-07-03 17:13:38 352784 ----a-w- C:\Windows\System32\drivers\7455833.sys
2011-07-03 17:13:38 157712 ----a-w- C:\Windows\System32\drivers\74558331.sys
2011-07-03 15:14:37 352784 ----a-w- C:\Windows\System32\drivers\7041613.sys
2011-07-03 15:14:37 157712 ----a-w- C:\Windows\System32\drivers\70416131.sys
2011-07-01 23:25:25 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-01 21:17:56 -------- d-----w- C:\Malwarebytes
2011-07-01 21:17:56 -------- d-----w- \Malwarebytes
2011-07-01 21:17:49 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-30 03:51:12 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-06-30 03:35:31 654928 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2011-06-30 03:35:31 42064 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2011-06-30 03:35:31 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2011-06-30 03:20:23 344576 ----a-w- C:\Windows\System32\schannel.dll
2011-06-30 03:20:23 276992 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-06-29 16:26:50 -------- d-----w- C:\ProgramData\Kaspersky Lab
.
==================== Find3M ====================
.
2011-07-06 23:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-04 11:43:53 40112 ----a-w- C:\Windows\avastSS.scr
2011-07-04 11:32:24 64856 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-05-24 23:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-13 22:58:22 17720 ----a-w- C:\Windows\System32\HPMDPCoInst12.dll
2011-05-13 22:58:16 30008 ----a-w- C:\Windows\System32\drivers\hpdskflt.sys
2011-05-13 22:58:10 30520 ----a-w- C:\Windows\System32\hpservice.exe
2011-05-13 22:58:04 20792 ----a-w- C:\Windows\System32\accelerometerdll.DLL
2011-05-13 22:57:58 43320 ----a-w- C:\Windows\System32\drivers\Accelerometer.sys
2011-05-02 17:16:14 739328 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-05-02 17:13:21 975360 ----a-w- C:\Windows\System32\inetcomm.dll
2011-04-29 13:41:02 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 13:40:56 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-29 13:39:34 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-29 13:39:34 135680 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-29 13:39:31 107008 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
.
============= FINISH: 12:56:09.46 ===============
Seep34

Re: Sneaky malware, browser hijack

Post by Seep34 » July 26th, 2011, 1:03 pm

Gary R:

(If I remember correctly the ESET scan takes a very long time. I'll start it now and send it to you this evening...)

Mory (Seep34)

Here's the Attach.txt log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 7/20/2009 5:42:57 AM
System Uptime: 7/26/2011 11:09:04 AM (1 hours ago)
.
Motherboard: Quanta | | 3627
Processor: Intel(R) Core(TM)2 Duo CPU T6500 @ 2.10GHz | CPU | 2100/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 285 GiB total, 121.152 GiB free.
D: is FIXED (NTFS) - 13 GiB total, 1.681 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP267: 7/17/2011 9:37:14 PM - Windows Backup
RP268: 7/20/2011 4:17:45 PM - OTL Restore Point - 7/20/2011 4:17:45 PM
RP269: 7/22/2011 2:18:14 AM - Windows Update
RP270: 7/26/2011 8:31:57 AM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player 11.5
Aleks 3.12
Apple Application Support
Apple Software Update
avast! Free Antivirus
Backyard Soccer MLS Edition
BufferChm
Compatibility Pack for the 2007 Office system
Conduit Engine
Convert AVI to MP4 1.3
CustomerResearchQFolder
CyberLink DVD Suite
D4300
D4300_Help
DeviceDiscovery
DeviceManagementQFolder
DJ_SF_03_D4300_ProductContext
DJ_SF_03_D4300_Software
DJ_SF_03_D4300_Software_Min
DX-Ball 1.09
ESET Online Scanner v3
ESU for Microsoft Vista
eSupportQFolder
Eusing Free Registry Cleaner
FBLayouts Plugin
FormatFactory 2.20
FreshDiagnose
FreshUI
GEAR driver installer for x86 and x64
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hoyle Word Games 2
HP Active Support Library
HP Common Access Service Library
HP Customer Experience Enhancements
HP Games
HP Help and Support
HP MediaSmart DVD
HP MediaSmart Music/Photo/Video
HP MediaSmart SlingPlayer
HP MediaSmart TV
HP MediaSmart Webcam
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.40 L1
HP Total Care Advisor
HP Total Care Setup
HP Update
HP User Guides 0126
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPProductAssistant
HPSSupply
IDT Audio
iPhone Configuration Utility
Juno Preloader
LabelPrint
LightScribe System Software 1.14.17.1
Malwarebytes' Anti-Malware version 1.51.1.1800
MarketResearch
Microsoft Live Search Toolbar
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Microsoft WSE 3.0 Runtime
Monopoly
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee Reveal
NetAssistant
NetZero Preloader
ooVoo
ooVoo Toolbar (Remove Toolbar Only)
Picasa 3
Power2Go
PowerDirector
PriceGong 2.1.0
PSSWCORE
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek USB 2.0 Card Reader
Revo Uninstaller 1.92
Safari
School Tycoon
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype web features
Skype™ 4.2
Slingbox - Watch Your TV Anywhere
SlingPlayer
SmartWebPrintingOC
Snood 4
SolutionCenter
Sound Effects
SPORE Creature Creator Trial Edition
Status
StepMania (remove only)
The Sims™ 3
Toolbox
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VideoToolkit01
Voozie Maker
WebReg
WhiteBoardMeeting
Windows Media Player Firefox Plugin
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
7/26/2011 8:36:31 AM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/26/2011 11:48:51 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
7/26/2011 11:46:09 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
7/26/2011 11:34:34 AM, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 2 time(s).
7/26/2011 11:25:49 AM, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 1 time(s).
7/26/2011 11:25:49 AM, Error: Service Control Manager [7034] - The HP CUE DeviceDiscovery Service service terminated unexpectedly. It has done this 1 time(s).
7/26/2011 11:11:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bckd SABKUTIL
7/26/2011 11:11:13 AM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
7/24/2011 6:58:52 PM, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2011 11:22:11 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SAS Core Service service to connect.
7/24/2011 11:22:11 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LightScribeService Direct Disc Labeling Service service to connect.
7/24/2011 11:22:11 PM, Error: Service Control Manager [7000] - The SAS Core Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/20/2011 3:25:02 PM, Error: Service Control Manager [7034] - The Spybot-S&D 2 Hooks Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
Seep34

Re: Sneaky malware, browser hijack

Post by Gary R » July 26th, 2011, 3:48 pm

Looking better.

There are still a few things in your logs we need to deal with, but I'll wait to see your ESET log before posting my next set of instructions.
Gary R
Administrator

Re: Sneaky malware, browser hijack

Post by Seep34 » July 27th, 2011, 12:16 am

Gary R., here's the ESET log. Looks like our sneaky demons are still with us.

Let me confirm with you that you wanted me to use the same ESET settings you instructed me to use previously, meaning that I was NOT to check the "Remove found threats" option. I assume that's because you want to see whether the other programs succeeded in eradicating the trojans and their ilk; is that correct?

What now?

Mory (Seep34)



ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=02b7977b2fd37e4ebd44cd49f1bd9239
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-25 06:01:16
# local_time=2011-07-25 02:01:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=770 16774141 100 0 0 0 0 0
# compatibility_mode=5892 16776638 100 56 0 148204778 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=321031
# found=14
# cleaned=0
# scan_time=10803
C:\Users\Malky\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\65891f0d-52139baa probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\73769d5f-217ebd5f probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\1c8e61e8-7b97a298 probably a variant of Java/Exploit.CVE-2009-3867.AC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\Documents\FFSetup220[2]\FFSetup220.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\07242011_184105\C_Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=02b7977b2fd37e4ebd44cd49f1bd9239
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-26 07:50:26
# local_time=2011-07-26 03:50:26 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=770 16774141 100 0 0 0 0 0
# compatibility_mode=5892 16776637 100 56 0 148298832 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=315944
# found=13
# cleaned=0
# scan_time=9700
C:\Qoobox\Quarantine\C\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar.vir JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar.vir JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar.vir JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\07242011_184105\C_Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\07262011_083631\C_Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\65891f0d-52139baa probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\07262011_083631\C_Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\73769d5f-217ebd5f probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\07262011_083631\C_Users\Malky\Documents\FFSetup220[2]\FFSetup220.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
Seep34
Regular Member
 
Posts: 37
Joined: August 30th, 2010, 10:05 am
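A small parser for the ESET Online Scanner log format posted above, added here as an example (it is not part of this thread and not ESET's own tooling): it splits the file into its scan runs, separates live hits from ones already sitting in ComboFix's C:\Qoobox\Quarantine or OTL's C:\_OTL\MovedFiles folders, and diffs two runs so it is clear what is still active. The sample log inside the block is constructed in the same format, not the thread's real log.

```python
"""Parse ESET Online Scanner logs, classify findings, and diff two scan runs.
Added example for this thread; the sample log below is constructed."""
import re
from dataclasses import dataclass

# Folders where other cleanup tools park files they have already neutralised.
# A hit under one of these is a quarantined copy, not an active infection.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",   # ComboFix quarantine
    "c:\\_otl\\movedfiles\\",     # OTL "MovedFiles" backup
)

# One finding line:  <path> <detection> (<status>) <32-hex hash> <flag>
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably a variant of )?\S+/\S+ [a-z]+)\s+"
    r"\((?P<status>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    status: str

    @property
    def quarantined(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_runs(text: str) -> list:
    """Split a log into scan runs (each starts with '# version=') and parse
    the '# key=value' header and the finding lines of each run."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):
            current = {"header": {}, "findings": []}
            runs.append(current)
        if current is None:
            continue  # ESETSmartInstaller preamble before the first run
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            current["header"][key] = value
            continue
        m = FINDING_RE.match(line)
        if m:
            current["findings"].append(Finding(m["path"], m["detection"], m["status"]))
    return runs


def summarize(run: dict) -> dict:
    """Counts for one run; 'consistent' compares the parsed lines with the
    scanner's own '# found=' so a mangled paste does not go unnoticed."""
    live = [f for f in run["findings"] if not f.quarantined]
    quarantined = [f for f in run["findings"] if f.quarantined]
    found = int(run["header"].get("found", "0"))
    return {
        "found": found,
        "live": len(live),
        "quarantined": len(quarantined),
        "consistent": found == len(run["findings"]),
        "live_paths": sorted(f.path.lower() for f in live),
    }


def diff_live(before: dict, after: dict) -> dict:
    """Which live paths from the earlier run are still live in the later one."""
    a = set(summarize(before)["live_paths"])
    b = set(summarize(after)["live_paths"])
    return {"still_live": sorted(a & b), "gone": sorted(a - b), "new": sorted(b - a)}


# Constructed sample in the format of the logs above: between the two runs
# three files were moved into quarantine and one Chrome content script stayed.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# utc_time=2011-07-25 06:01:16
# found=4
C:\\Users\\Malky\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Default\\mgjkiimdknagkhpcokjofhbafnaopifo\\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Users\\Malky\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\13\\65891f0d-52139baa probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Users\\Malky\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\zbf0gd70.default\\extensions\\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\\chrome\\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Users\\Malky\\Documents\\FFSetup220[2]\\FFSetup220.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
# version=7
# remove_checked=false
# utc_time=2011-07-26 07:50:26
# found=4
C:\\Qoobox\\Quarantine\\C\\Users\\Malky\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\zbf0gd70.default\\extensions\\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\\chrome\\xulcache.jar.vir JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Users\\Malky\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Default\\mgjkiimdknagkhpcokjofhbafnaopifo\\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\\_OTL\\MovedFiles\\07262011_083631\\C_Users\\Malky\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\13\\65891f0d-52139baa probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\\_OTL\\MovedFiles\\07262011_083631\\C_Users\\Malky\\Documents\\FFSetup220[2]\\FFSetup220.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    runs = parse_runs(SAMPLE_LOG)
    for i, run in enumerate(runs, 1):
        s = summarize(run)
        print(f"run {i} ({run['header'].get('utc_time')}): found={s['found']} "
              f"live={s['live']} quarantined={s['quarantined']} consistent={s['consistent']}")
    for path in diff_live(runs[0], runs[1])["still_live"]:
        print("still live:", path)
```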

Re: Sneeky malware, browser hijack

Unread postby Gary R » July 27th, 2011, 1:58 am

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
DDS::
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRunOnce: [OTL] "C:\Users\Malky\Downloads\OTL.exe"
BHO-X64: 0x1 - No File
BHO-X64: AcroIEHelperStub - No File
BHO-X64: FBLayouts Plugin - No File
BHO-X64: HP Smart BHO Class - No File
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRunOnce-x64: [OTL] "C:\Users\Malky\Downloads\OTL.exe"

File::
C:\Windows\System32\drivers\7041613.sys
C:\Windows\system32\DRIVERS\70416131.sys
C:\Windows\system32\DRIVERS\74558331.sys
C:\Windows\system32\DRIVERS\7455833.sys
c:\program files (x86)\MAMUTU\a2accx64.sys

Folder::
C:\Program Files (x86)\Mamutu
C:\Users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo
C:\Users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}

Driver::
7041613
70416131
74558331
setup_9.0.0.722_03.07.2011_17-11drv
a2acc

  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.

Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Sneeky malware, browser hijack

Unread postby Seep34 » July 27th, 2011, 12:59 pm

Hi Gary R. It's not been fun. I started to run the COMBOFIX before disabling my anti-virus software. It took me many hours to try to get to a point where I could run COMBOFIX properly.

This is the COMBOFIX log. I had gotten a message that Avast was still active, but for this run it was completely disabled. I see that the log lists it as "enabled." That was not the case and there was no interference from any of the protective programs.

I hope we're getting closer to getting a clean machine. I keep seeing familiar names on the logs of bugs or files that I thought we had eliminated...

I hope this yields a lot of worthwhile info...

Mory (seep34)

PS. BTW, at the end of the scan there was a message saying that the program needed to upload the malware for further analysis (these are not the exact words of the message). I don't know where COMBOFIX uploaded the info to...


ComboFix 11-07-27.01 - Rachel Mindel 07/27/2011 12:09:18.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2404 [GMT -4:00]
Running from: c:\users\Malky\Downloads\ComboFix.exe
Command switches used :: c:\users\Malky\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\MAMUTU\a2accx64.sys"
"c:\windows\System32\drivers\7041613.sys"
"c:\windows\system32\DRIVERS\70416131.sys"
"c:\windows\system32\DRIVERS\7455833.sys"
"c:\windows\system32\DRIVERS\74558331.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files (x86)\Mamutu
c:\users\Malky\Documents\~WRL2151.tmp
c:\users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo
c:\users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js
c:\users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\manifest.json
c:\users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}
c:\users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest
c:\users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\install.rdf
c:\windows\System32\drivers\7041613.sys
c:\windows\system32\DRIVERS\70416131.sys
c:\windows\system32\DRIVERS\7455833.sys
c:\windows\system32\DRIVERS\74558331.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_70416131
-------\Legacy_74558331
-------\Legacy_A2ACC
-------\Legacy_SETUP_9.0.0.722_03.07.2011_17-11DRV
-------\Service_70416131
-------\Service_74558331
-------\Service_a2acc
-------\Service_setup_9.0.0.722_03.07.2011_17-11drv
.
.
((((((((((((((((((((((((( Files Created from 2011-06-27 to 2011-07-27 )))))))))))))))))))))))))))))))
.
.
2011-07-27 16:35 . 2011-07-27 16:35 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-27 16:35 . 2011-07-27 16:35 -------- d-----w- c:\users\Sarah Sheindel\AppData\Local\temp
2011-07-27 16:35 . 2011-07-27 16:35 -------- d-----w- c:\users\Rachel Mindel\AppData\Local\temp
2011-07-27 16:35 . 2011-07-27 16:35 -------- d-----w- c:\users\Nechama Deena\AppData\Local\temp
2011-07-27 16:35 . 2011-07-27 16:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-27 12:49 . 2011-07-27 14:18 -------- d-----w- C:\AComboFixA
2011-07-26 12:32 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C7384B1A-EA7F-44D2-8F84-CAD5EFAF2E49}\mpengine.dll
2011-07-26 12:26 . 2011-07-26 12:27 -------- d-----w- c:\users\Malky\AppData\Roaming\HpUpdate
2011-07-25 14:41 . 2011-07-25 14:41 -------- d-----w- c:\program files (x86)\ESET
2011-07-25 13:27 . 2011-07-26 01:52 -------- d-----w- C:\HpUpdate
2011-07-24 22:41 . 2011-07-24 22:41 -------- d-----w- C:\_OTL
2011-07-18 00:55 . 2011-07-18 00:55 -------- d-----w- c:\windows\Hewlett-Packard
2011-07-17 15:52 . 2011-07-17 15:52 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-07-17 15:52 . 2011-07-17 15:52 -------- d-----w- c:\program files\Bonjour
2011-07-17 15:52 . 2011-07-17 15:52 -------- d-----w- c:\program files (x86)\Bonjour
2011-07-15 02:36 . 2011-07-15 02:36 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-07-13 17:38 . 2011-06-02 13:50 2764288 ----a-w- c:\windows\system32\win32k.sys
2011-07-13 17:38 . 2011-04-20 16:03 451072 ----a-w- c:\windows\system32\winsrv.dll
2011-07-13 17:38 . 2011-04-20 15:58 85504 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-13 13:10 . 2011-07-13 13:10 -------- d-----w- c:\users\Malky\AppData\Local\Yahoo
2011-07-11 02:34 . 2011-07-11 02:34 -------- d-----w- c:\windows\Profiles
2011-07-07 14:39 . 2011-07-07 14:39 -------- d-----w- C:\ProcAlyzer Dumps
2011-07-06 18:52 . 2011-07-06 18:52 -------- d-----w- c:\program files (x86)\VS Revo Group
2011-07-06 16:55 . 2011-07-06 16:55 -------- d-----w- c:\users\Malky\AppData\Roaming\WinPatrol
2011-07-06 15:41 . 2011-07-06 15:41 -------- d-----w- c:\users\Rachel Mindel\AppData\Roaming\WinPatrol
2011-07-06 15:41 . 2011-07-06 15:41 -------- d-----w- c:\programdata\InstallMate
2011-07-06 15:41 . 2011-07-06 15:41 -------- d-----w- c:\program files (x86)\BillP Studios
2011-07-04 16:02 . 2011-07-04 16:02 -------- d-----w- c:\program files\CCleaner
2011-07-04 14:51 . 2011-07-04 14:55 -------- d-----w- c:\users\Malky\AppData\Roaming\QuickScan
2011-07-04 14:16 . 2011-07-04 14:16 -------- d-----w- C:\Google
2011-07-01 23:25 . 2011-07-01 23:25 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-01 21:17 . 2011-07-01 21:17 -------- d-----w- C:\Malwarebytes
2011-07-01 21:17 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-30 03:51 . 2011-07-04 11:43 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-30 03:51 . 2011-07-04 11:36 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-30 03:35 . 2009-07-14 18:31 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2011-06-30 03:35 . 2009-07-14 18:18 654928 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-06-30 03:35 . 2009-07-14 18:18 42064 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-06-30 03:20 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-30 03:20 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-29 16:26 . 2011-07-03 17:14 -------- d-----w- c:\programdata\Kaspersky Lab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-05-26 15:31 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43 . 2010-10-25 18:00 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2010-10-25 18:00 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-07-04 11:36 . 2010-10-25 18:02 288088 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2010-10-25 18:01 45400 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2010-10-25 18:01 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2010-10-25 18:01 64856 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2010-10-25 18:02 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-24 23:14 . 2010-05-27 12:33 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-13 22:58 . 2011-05-13 22:58 17720 ----a-w- c:\windows\system32\HPMDPCoInst12.dll
2011-05-13 22:58 . 2008-03-27 19:10 30008 ----a-w- c:\windows\system32\drivers\hpdskflt.sys
2011-05-13 22:58 . 2008-03-18 23:25 30520 ----a-w- c:\windows\system32\hpservice.exe
2011-05-13 22:58 . 2008-04-17 16:58 20792 ----a-w- c:\windows\system32\accelerometerdll.DLL
2011-05-13 22:57 . 2011-05-13 22:57 43320 ----a-w- c:\windows\system32\drivers\Accelerometer.sys
2011-05-02 17:16 . 2011-06-15 12:30 739328 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-05-02 17:13 . 2011-06-15 12:30 975360 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 13:41 . 2011-06-15 12:31 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 13:40 . 2011-06-15 12:31 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-29 13:39 . 2011-06-15 12:31 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 13:39 . 2011-06-15 12:31 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 13:39 . 2011-06-15 12:31 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-26_15.49.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-26 15:09 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-27 15:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-07-26 15:09 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-27 15:59 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-26 15:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-27 15:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-27 16:03 80286 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-09-04 19:09 . 2011-07-27 16:03 18180 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-976231018-1287267316-1729043825-1000_UserData.bin
- 2009-09-04 19:09 . 2011-07-26 15:14 18180 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-976231018-1287267316-1729043825-1000_UserData.bin
+ 2009-07-20 09:43 . 2011-07-27 13:28 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-20 09:43 . 2011-07-26 15:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-26 15:16 . 2011-07-27 13:28 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-07-26 15:16 . 2011-07-26 15:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-20 09:43 . 2011-07-27 13:28 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-20 09:43 . 2011-07-26 15:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-15 02:36 . 2011-07-27 13:28 16384 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2011-07-15 02:36 . 2011-07-26 15:16 16384 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2011-07-26 15:09 . 2011-07-26 15:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-27 15:59 . 2011-07-27 15:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-26 15:09 . 2011-07-26 15:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-27 15:59 . 2011-07-27 15:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2011-07-27 16:03 100902 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 12:46 . 2011-07-26 15:15 612786 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-07-27 16:07 612786 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2011-07-26 15:15 108058 c:\windows\system32\perfc009.dat
+ 2006-11-02 12:46 . 2011-07-27 16:07 108058 c:\windows\system32\perfc009.dat
- 2010-03-28 19:45 . 2011-07-26 15:08 411136 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-03-28 19:45 . 2011-07-27 15:58 411136 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-02-21 05:52 . 2011-07-26 15:08 293816 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-21 05:52 . 2011-07-27 15:58 293816 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-06-30 03:39 . 2011-07-26 15:08 1199696 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-976231018-1287267316-1729043825-1000-8192.dat
+ 2011-06-30 03:39 . 2011-07-27 15:58 1199696 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-976231018-1287267316-1729043825-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-11-18 966656]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2942976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Uninstall Adobe Download Manager"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\users\Malky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [x]
R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe [x]
R3 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2010-12-20 1845520]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-11-19 222512]
R3 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 135664]
R3 NETw3v64;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw3v64.sys [x]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-21 27648]
R3 Recovery Service for Windows;Recovery Service for Windows;c:\program files (x86)\SMINST\BLService.exe [2008-12-18 365952]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/20 03:27];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-29 01:04 146928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 lxbv_device;lxbv_device;c:\windows\system32\lxbvcoms.exe [2007-04-25 566704]
S2 SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-04-28 120832]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 01:35]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 01:35]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1000Core.job
- c:\users\Malky\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-03 01:04]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1000UA.job
- c:\users\Malky\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-03 01:04]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1002Core.job
- c:\users\Nechama Deena\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-15 06:45]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1002UA.job
- c:\users\Nechama Deena\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-15 06:45]
.
2010-04-02 c:\windows\Tasks\HPCeeScheduleForMalky.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-01-13 19:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF29718.cfxxe" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 200216]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 182784]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-04 442368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="c:\combofix\CF29718.cfxxe" [X]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.0.1
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files (x86)\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-RunOnce-OTL - c:\users\Malky\Downloads\OTL.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-07-27 12:38:40
ComboFix-quarantined-files.txt 2011-07-27 16:38
ComboFix2.txt 2011-07-26 16:02
.
Pre-Run: 129,276,649,472 bytes free
Post-Run: 129,181,286,400 bytes free
.
- - End Of File - - C00270F0A5BAE006F2CFCAE3F71BB880
Upload was successful
Seep34
Regular Member
 
Posts: 37
Joined: August 30th, 2010, 10:05 am

Re: Sneeky malware, browser hijack

Unread postby Gary R » July 27th, 2011, 3:34 pm

The files that Combofix uploaded go to the program's creator, who constantly upgrades its capabilities by analysing files that were scripted for removal rather than being automatically removed on the first scan.

The latest CF log looks good .... HOW IS YOUR COMPUTER BEHAVING NOW?
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Sneeky malware, browser hijack

Unread postby Seep34 » July 28th, 2011, 11:30 am

Hi Gary R.,

Congratulations!!!

My first issue, dealing with the malware that keeps on sneaking back onto the computer and reinfecting it--after they were supposedly knocked off--was solved (according to the tea leaves that you've read in the log files).

My second issue, dealing with the browser (Google) hijack, seems to have been resolved early in the process--which was a big relief.

The third issue, dealing with the administrator/user structure, is still open. When logging into the computer, I'm asked to type in a user name (and password). No choices are given. On my other computers, you get to choose from among the various users (with their cute pictures/icons). The kids told me to type in one of the names and hit enter; the account is not password protected. I don't know how to get into any of the other accounts. Whenever I'm prompted to enter an administrator's password, the administrator name pops up and I enter the administrator's password (that the kids told me). It works. However, the computer doesn't accept that user name at login time. When I checked the files using Windows Explorer, this administrator's account is not even listed under users (on the C: drive). At times, I've been denied access to certain files or prevented from taking certain actions, because I didn't have sufficient privileges. If I can never log into an administrator's account, then I can't make any changes/additions/deletions to the user accounts, access sensitive folders, or run programs that only allow an administrator to run them. Many actions don't ask for an administrator's password--they are simply rejected. I don't know how things got to this point and I don't know if it was the result of an infection (I don't use this computer, so I'm not attuned to these issues), but I feel that having access to the administrator's account is a very important security concern. Any suggestions?

I'll be only too happy to turn the computer over to the kids, however, I'd feel more comfortable doing so, if you could resolve several questions that arose during the process of working together during the past couple of weeks.

First, is there a way that I could learn to understand how your maneuvers/fixes worked and how you got rid of those trojans and other malware that kept on sneaking back. Does the "Malware Removal University" part of this site teach these things?

Second, how do I get rid of the COMBOFIX program? Given problems that arose when I forgot to suspend the virus protection, I downloaded another copy and tried to eliminate the first. I was unable to delete it outright, so I manually deleted all of the files/programs/data etc., except for the pev.cfxxe program within COMBOFIX (and, therefore, COMBOFIX itself was immune from "simple" deletion).

Third, although we uninstalled Java6 updates 7 and 17, they both sneaked back on. They appear (using Windows Explorer) in their full glory (update 7 occupies 171MB; update 17 occupies 94.9MB). Why is that happening? You had mentioned that they were not critical since the Java programs operate differently and you'd show me how (or something to that effect). Explanation?

Fourth, the security programs currently residing on the computer are: avast! Anti-Virus, Malwarebytes' Anti-Malware, Super Anti-Spyware, WinPatrol, and Windows Defender. You had me remove several security programs that you felt were redundant or conflicting. Is the computer adequately protected? Should I reload Spybot Search & Destroy? How about MAMUTU? Are there any other (freeware) programs that should be added to the arsenal?

Fifth, you mentioned that at the end of the cleanup process, you were going to recommend "an advanced task manager." I'm all ears.

Sixth, the kids have been asking for their computer back for weeks. It's summertime, so they have a bit more time to use it (their school day is relatively long) and would have liked to have used it more. I can't really answer the last question that you posed: does the computer appear to be working better, because the only things I've been doing on the computer is working to debug it. I've got my own computer. Question: is there anything I need to do, before turning the computer over to the kids, to make it more secure?

Gary R. thank you, again, for your wonderful help and in walking me through the process and cleaning up this computer!

Mory (Seep34)
Seep34
Regular Member
 
Posts: 37
Joined: August 30th, 2010, 10:05 am

Re: Sneeky malware, browser hijack

Unread postby Gary R » July 28th, 2011, 5:31 pm

OK, lots of questions there, let's see if we can give you a few answers ....

Firstly, yes, the University section of this site does teach you how to safely remove infections from people's computers. The Application Page will give you a little more information.

Secondly, we'll be removing the programs we've used to clean your machine, once we've resolved all your problems (or as many as we're able to). At that time I'll also make some recommendations for a secure setup for your machine.

Thirdly, for a more advanced Task Manager, I would recommend the use of .... Process Explorer

Fourthly, I didn't see any old Java entries in the last logs you supplied, but that doesn't necessarily mean there aren't any orphans from an incomplete uninstall ....

Please download SystemLook from one of the links below and save it to your Desktop.

For 64 bit Systems
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:regfind
java

:filefind
java

:folderfind
java

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
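A read-only PowerShell equivalent of the SystemLook ":regfind java" search above, added here as an example and not code from the thread or from SystemLook. It assumes an elevated 64-bit PowerShell (so both HKLM\SOFTWARE and its Wow6432Node view are visible) and, beyond what SystemLook prints, flags matches whose file path no longer exists on disk, which is what an orphan from an incomplete uninstall looks like; the log file name RegFind-java.txt is an assumption.

```powershell
# Added example, not code from the thread or from SystemLook: a read-only
# PowerShell equivalent of ":regfind java" that also flags registry entries
# whose file path no longer exists on disk, i.e. the orphans an incomplete
# uninstall leaves behind. Assumes an elevated 64-bit PowerShell so that both
# HKLM\SOFTWARE and HKLM\SOFTWARE\Wow6432Node are in view. Nothing is removed.

function Get-FirstFilePath {
    # Pull the first drive-letter path out of value data such as
    #   @C:\Program Files (x86)\Java\jre6\bin\javacpl.exe,-2
    #   n;1;C:\Users\Malky\AppData\LocalLow\Sun\Java\jre1.6.0_17\
    param([string]$Data)
    if ($Data -match '[A-Za-z]:\\[^,";]+') { return $Matches[0].Trim() }
    return $null
}

function Find-RegistryMatches {
    param(
        [string]$Pattern = 'java',
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\Software')
    )
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($root in $Roots) {
        # Keys the current token cannot open (such as the locked CLSID keys in
        # the ComboFix log) are skipped instead of aborting the walk.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                if ($key.PSChildName -match $Pattern) {
                    $hits.Add([pscustomobject]@{
                        Key = $key.Name; Name = ''; Data = ''; Path = $null; Orphan = $false
                    })
                }
                foreach ($valueName in $key.GetValueNames()) {
                    $raw = $key.GetValue($valueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                    # Binary data has nothing readable to match; treat it as empty.
                    $data = if ($raw -is [byte[]]) { '' } else { [string]$raw }
                    if (($valueName -match $Pattern) -or ($data -match $Pattern)) {
                        $path = Get-FirstFilePath $data
                        $orphan = ($null -ne $path) -and (-not (Test-Path -LiteralPath $path))
                        $hits.Add([pscustomobject]@{
                            Key = $key.Name; Name = $valueName; Data = $data
                            Path = $path; Orphan = $orphan
                        })
                    }
                }
            }
    }
    # The leading comma returns the list as one object rather than unrolling it.
    return ,$hits
}

$results = Find-RegistryMatches -Pattern 'java'
$orphans = @($results | Where-Object { $_.Orphan })

# Like SystemLook, leave a text log on the Desktop and print a short summary.
$log = Join-Path ([Environment]::GetFolderPath('Desktop')) 'RegFind-java.txt'
$results | Format-List Key, Name, Data, Orphan | Out-File -FilePath $log -Encoding UTF8
'{0} matches; {1} point at files or folders that no longer exist (full list in {2})' -f `
    $results.Count, $orphans.Count, $log
$orphans | Format-Table -AutoSize Key, Name, Path
```

Entries in the Orphan list are candidates for review only; a match under a Java installer or uninstall key whose path still exists is a live installation, not an orphan.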

Fifthly

As regards not being able to see the other User accounts on the Welcome screen.

  • First login with your usual user account.
  • Click Start and type Run in the Search programs and files box, then hit Enter.
  • Type control userpasswords2 in the run window and hit OK
  • Check whether the check box which says Users must enter a user name and password to use is checked.
  • If the check box is checked then uncheck the check box, click on Apply and OK.
  • Restart the system.
  • You should be able to see different users in the logon screen.
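A read-only PowerShell report of the settings that decide what the Vista logon screen shows, added here as an example and not part of Gary R's instructions. It assumes an elevated PowerShell on the affected machine and changes nothing, so it can be run before and after the control userpasswords2 change to record what actually differs, and it lists every local account together with the reasons one might not appear or be able to log on (disabled, locked out, or hidden from the Welcome screen).

```powershell
# Added example, not part of Gary R's instructions: a read-only PowerShell
# report of the settings that decide what the Vista/7 logon screen shows, so
# the state can be recorded before and after the control userpasswords2
# change. Assumes an elevated PowerShell on the affected machine; it changes
# nothing.

function Get-LogonScreenState {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Unchecking "Users must enter a user name and password to use this
    # computer" in control userpasswords2 sets AutoAdminLogon=1 and
    # DefaultUserName here and stores that account's password so Windows logs
    # it on automatically; other accounts are then reached via Switch User.
    $wl  = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    # DontDisplayLastUserName=1 replaces the account tiles with an empty
    # user name / password prompt, which is the symptom described in the thread.
    $pol = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

    # An account listed here with a DWORD value of 0 is hidden from the
    # Welcome screen, one way an administrator account can "disappear".
    $userList = Get-ItemProperty -Path "$winlogon\SpecialAccounts\UserList" `
        -ErrorAction SilentlyContinue
    $hiddenNames = @()
    if ($userList) {
        $hiddenNames = @($userList.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
            ForEach-Object { $_.Name })
    }

    # Every local account, with the reasons it might not be able to log on.
    # The built-in Administrator is disabled out of the box on Vista, which is
    # why it is neither offered at logon nor given a profile under C:\Users.
    $accounts = foreach ($a in Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True') {
        [pscustomobject]@{
            Name                    = $a.Name
            Disabled                = $a.Disabled
            Lockout                 = $a.Lockout
            PasswordRequired        = $a.PasswordRequired
            HiddenFromWelcomeScreen = $hiddenNames -contains $a.Name
        }
    }

    [pscustomobject]@{
        AutoAdminLogon          = $wl.AutoAdminLogon
        DefaultUserName         = $wl.DefaultUserName
        DontDisplayLastUserName = $pol.DontDisplayLastUserName
        LocalAccounts           = @($accounts)
    }
}

$state = Get-LogonScreenState
$state | Format-List AutoAdminLogon, DefaultUserName, DontDisplayLastUserName
$state.LocalAccounts |
    Format-Table -AutoSize Name, Disabled, Lockout, PasswordRequired, HiddenFromWelcomeScreen
```

Run it once before the change and once after; a switch of AutoAdminLogon from 0 to 1 shows the setting took effect, and any account reported as Disabled or HiddenFromWelcomeScreen explains a missing tile independently of that checkbox.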

Summary of the logs I need from you in your next post:
  • SystemLook.txt
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Sneeky malware, browser hijack

Unread postby Seep34 » July 28th, 2011, 7:34 pm

Gary R. you are the best! I infrequently meet people with your ability, willingness to help, and patience. You are a breath of fresh air.

I haven't had time to implement any of your suggestions yet, however, I wanted to keep the ball rolling (especially since I let the kids know that we are nearing the end of the repair process), so I ran the SystemLook program and have pasted the log below.

Mory (seep34)



SystemLook 04.09.10 by jpshortstuff
Log created at 19:19 on 28/07/2011 by Rachel Mindel
Administrator - Elevation successful

========== regfind ==========

Searching for "java"
[HKEY_CURRENT_USER\Software\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Java\jre6\bin\jusched.exe"="07/06/2011 11:41 AM"
[HKEY_CURRENT_USER\Software\BillP Studios\Detected\IEHelper]
"C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll"="07/06/2011 11:41 AM"
[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\IEHelpers]
"Java(TM) Platform SE 6 U17"="900"
[HKEY_CURRENT_USER\Software\JavaSoft]
[HKEY_CURRENT_USER\Software\JavaSoft\Java Update]
[HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\comissur.com\java]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\comissur.com\java]
[HKEY_CURRENT_USER\Software\Piriform\CCleaner]
"(App)Sun Java"="True"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.java]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}]
@="Microsoft HTML Javascript Pluggable Protocol"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}]
@="Java"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\DefaultIcon]
@="C:\Program Files (x86)\Java\jre1.6.0_07\bin\javacpl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\Shell\Open\Command]
@="C:\Program Files (x86)\Java\jre1.6.0_07\bin\javacpl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\436345E052E7F8B4D8B57988E0E50588]
"JavaSupport"="Bonjour"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\EA2C924A1FBE18F42A12C111C5AADDDA]
"QuickTimeForJava"="QuickTimeEssentials"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF238120671FF]
"ProductName"="Java(TM) 6 Update 17"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF238120671FF\SourceList]
"LastUsedSource"="n;1;C:\Users\Malky\AppData\LocalLow\Sun\Java\jre1.6.0_17\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF238120671FF\SourceList\Net]
"1"="C:\Users\Malky\AppData\LocalLow\Sun\Java\jre1.6.0_17\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610007]
"ProductName"="Java(TM) 6 Update 7"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610007\SourceList]
"LastUsedSource"="n;1;C:\Users\Administrator\AppData\LocalLow\Sun\Java\jre1.6.0_07\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610007\SourceList\Net]
"1"="C:\Users\Administrator\AppData\LocalLow\Sun\Java\jre1.6.0_07\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaPlugin.160_07]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaPlugin.160_17]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.3 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-applet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\javascript]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\.java]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}]
@="Microsoft HTML Javascript Pluggable Protocol"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}]
@="Java"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}]
"InfoTip"="@C:\Program Files (x86)\Java\jre6\bin\javacpl.exe,-2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\DefaultIcon]
@="C:\Program Files (x86)\Java\jre6\bin\javacpl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaPlugin.160_07]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaPlugin.160_17]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript1.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript1.1 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript1.2]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript1.2 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript1.3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\JavaScript1.3 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MIME\Database\Content Type\application/x-java-applet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MIME\Database\Content Type\application/x-java-jnlp-file]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\PROTOCOLS\Handler\javascript]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0]
"SupportedExts"=".asax,1,.ascx,1,.ashx,0,.asmx,0,.aspx,0,.axd,0,.vsdisco,0,.rem,0,.soap,0,.config,1,.cs,1,.csproj,1,.vb,1,.vbproj,1,.webinfo,1,.licx,1,.resx,1,.resources,1,.master,1,.skin,1,.compiled,1,.browser,1,.mdb,1,.jsl,1,.vjsproj,1,.sitemap,1,.msgx,0,.ad,1,.dd,1,.ldd,1,.sd,1,.cd,1,.adprototype,1,.lddprototype,1,.sdm,1,.sdmDocument,1,.ldb,1,.svc,0,.mdf,1,.ldf,1,.java,1,.exclude,1,.refresh,1,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\CONSOLE]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\JIT]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\LOGGING]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ControlPanel\NameSpace\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}]
@="Java"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Common Files\Java\Update\Base Images\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Common Files\Java\Update\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Common Files\Java\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_07.b06\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Java\jre1.6.0_07\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Java\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Java\jre1.6.0_07\bin\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Java\jre6\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Java\jre6\bin\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\Common Files\Apple\Apple Application Support\JavaScriptCore.resources\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3312061F07]
"4EA42A62D9304AC4784BF238120671FF"="C:\Program Files (x86)\Java\jre6\zipper.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3412061F07]
"4EA42A62D9304AC4784BF238120671FF"="C:\Program Files (x86)\Java\jre6\bin\regutils.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3512061F07]
"4EA42A62D9304AC4784BF238120671FF"="C:\Program Files (x86)\Java\jre6\patchjre.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3612061F07]
"4EA42A62D9304AC4784BF238120671FF"="02:\Software\JavaSoft\Java Runtime Environment\Java6FamilyVersion"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1508B1D599F5544488D93C0B55C7D592]
"47D9F3A608BB1544C81AB4A358F73195"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\JavaScriptCore.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1508B1D599F5544488D93C0B55C7D592\47D9F3A608BB1544C81AB4A358F73195]
"File"="JavaScriptCore.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\22166D9CBE3C432458DF5F7A65E130CE]
"8F93D65EF9A24B440B867AE2540A376E"="C:\Program Files (x86)\Safari\Plugins\npJavaPlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23B06123E6D18D74FA6711404FCAC1B8]
"8A0F842331866D117AB7000B0D610007"="C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_07.b06\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4210D39FE9C0D214DA66C66F9C686753]
"68AB67CA7DA73301B7449A0000000010"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\772EF6A046F998143AEBFFF530CBE331]
"EA2C924A1FBE18F42A12C111C5AADDDA"="C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeJavaExtras.qtx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86428DDFDC286AB44A0C1FD0468AF9E4]
"47D9F3A608BB1544C81AB4A358F73195"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit.resources\inspector\SourceJavaScriptTokenizer.re2js"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\866BB5EBF2C0C9C46AC0D4B6536CEC0B]
"8F93D65EF9A24B440B867AE2540A376E"="C:\Program Files (x86)\Safari\JavaScriptCore.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\870E922415DCA764DA1F6629A94A01B5]
"47D9F3A608BB1544C81AB4A358F73195"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\JavaScriptCore.resources\Info.plist"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9980612346D1FCB438ABEE81A929CB3E]
"8A0F842331866D117AB7000B0D610007"="C?\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\extra.zip"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9E5B9BA17FD00284596D6092645FFC85]
"EA2C924A1FBE18F42A12C111C5AADDDA"="C:\Program Files (x86)\Java\jre1.6.0_07\lib\ext\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACB0612318A96D117A58000B0D97FA46]
"8A0F842331866D117AB7000B0D610007"="C?\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\core1.zip"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACB0612318A96D117A58000B0D97FA56]
"8A0F842331866D117AB7000B0D610007"="C?\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\core2.zip"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACB0612318A96D117A58000B0D97FA66]
"8A0F842331866D117AB7000B0D610007"="C?\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610007]
"8A0F842331866D117AB7000B0D610007"="C:\Program Files (x86)\Java\jre1.6.0_07\COPYRIGHT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF606123726A6D117A78000B0D97FA46]
"8A0F842331866D117AB7000B0D610007"="C?\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\other.zip"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C0F9FB06C20ADF24198E6BB3307B1397]
"47D9F3A608BB1544C81AB4A358F73195"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit.resources\inspector\SourceJavaScriptTokenizer.js"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D7416EC557D282A45BD280A3096E640E]
"EA2C924A1FBE18F42A12C111C5AADDDA"="C:\Program Files (x86)\QuickTime\QTSystem\QTJavaNative.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FF1098B9FA132D4449A6B8C7168768BF]
"47D9F3A608BB1544C81AB4A358F73195"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit.resources\inspector\JavaScriptFormatter.js"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\436345E052E7F8B4D8B57988E0E50588\Features]
"JavaSupport"="Qf`x%PU5h(&AnnR%lrLW~Xn9Ptz9L=n*{tT5cgq]HEXj*-Gw*=]dEh!luLx.Bonjour"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"Contact"="http://java.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"HelpLink"="http://java.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"InstallLocation"="C:\Program Files (x86)\Java\jre6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"InstallSource"="C:\Users\Malky\AppData\LocalLow\Sun\Java\jre1.6.0_17\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"Readme"="C:\Program Files (x86)\Java\jre6\README.txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"URLInfoAbout"="http://java.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"URLUpdateInfo"="http://java.sun.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42A62D9304AC4784BF238120671FF\InstallProperties]
"DisplayName"="Java(TM) 6 Update 17"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007\InstallProperties]
"Contact"="http://java.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007\InstallProperties]
"HelpLink"="http://java.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007\InstallProperties]
"InstallSource"="C:\Users\Administrator\AppData\LocalLow\Sun\Java\jre1.6.0_07\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007\InstallProperties]
"Readme"="C:\Program Files (x86)\Java\jre1.6.0_07\README.txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007\InstallProperties]
"URLInfoAbout"="http://java.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007\InstallProperties]
"URLUpdateInfo"="http://java.sun.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007\InstallProperties]
"DisplayName"="Java(TM) 6 Update 7"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\EA2C924A1FBE18F42A12C111C5AADDDA\Features]
"QuickTimeForJava"="F@,Z+@IH3?oGm313a9VD}cRYjqXZM=+&FBLrWSBFRhtqE9@to?MDG`6rr~)qQx-F&L7K(9?rYqF5(i3)QuickTimeEssentials"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER]
"Text"="Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\SCRIPTING\SCRIPTJAVA]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\SCRIPTING\SCRIPTJAVA]
"Text"="Scripting of Java applets"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\comissur.com\java]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\comissur.com\java]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\.java]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}]
@="Microsoft HTML Javascript Pluggable Protocol"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}]
@="Java"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}]
"InfoTip"="@C:\Program Files (x86)\Java\jre6\bin\javacpl.exe,-2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\DefaultIcon]
@="C:\Program Files (x86)\Java\jre6\bin\javacpl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaPlugin.160_07]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaPlugin.160_17]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript1.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript1.1 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript1.2]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript1.2 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript1.3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\JavaScript1.3 Author]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MIME\Database\Content Type\application/x-java-applet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MIME\Database\Content Type\application/x-java-jnlp-file]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\PROTOCOLS\Handler\javascript]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\1.6.0_07]
"JavaHome"="C:\Program Files (x86)\Java\jre1.6.0_07"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\1.6.0_17]
"JavaHome"="C:\Program Files (x86)\Java\jre6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment]
"Java6FamilyVersion"="1.6.0_17"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment]
"BrowserJavaVersion"="1.6.0_17"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6]
"JavaHome"="C:\Program Files (x86)\Java\jre6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6]
"RuntimeLib"="C:\Program Files (x86)\Java\jre6\bin\client\jvm.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_07]
"JavaHome"="C:\Program Files (x86)\Java\jre1.6.0_07"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_07]
"RuntimeLib"="C:\Program Files (x86)\Java\jre1.6.0_07\bin\client\jvm.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_07\MSI]
"INSTALLDIR"="C:\Program Files (x86)\Java\jre1.6.0_07\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_07\MSI]
"JAVAUPDATE"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_17]
"JavaHome"="C:\Program Files (x86)\Java\jre6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_17]
"RuntimeLib"="C:\Program Files (x86)\Java\jre6\bin\client\jvm.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_17\MSI]
"INSTALLDIR"="C:\Program Files (x86)\Java\jre6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.6.0_17\MSI]
"JAVAUPDATE"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
"PostStatusUrl"="https://nometrics.java.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.0.1]
"Home"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.0.1_02]
"Home"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.0.1_03]
"Home"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.0.1_04]
"Home"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.2]
"Home"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.2.0_01]
"Home"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.6.0_07]
"Home"="C:\Program Files (x86)\Java\jre1.6.0_07\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Web Start\1.6.0_17]
"Home"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
@="Java (Sun)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
"ComponentID"="JAVAVM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
"KeyFileName"="C:\Program Files (x86)\Java\jre6\bin\regutils.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\2.0.50727.0]
"SupportedExts"=".asax,1,.ascx,1,.ashx,0,.asmx,0,.aspx,0,.axd,0,.vsdisco,0,.rem,0,.soap,0,.config,1,.cs,1,.csproj,1,.vb,1,.vbproj,1,.webinfo,1,.licx,1,.resx,1,.resources,1,.master,1,.skin,1,.compiled,1,.browser,1,.mdb,1,.jsl,1,.vjsproj,1,.sitemap,1,.msgx,0,.ad,1,.dd,1,.ldd,1,.sd,1,.cd,1,.adprototype,1,.lddprototype,1,.sdm,1,.sdmDocument,1,.ldb,1,.svc,0,.mdf,1,.ldf,1,.java,1,.exclude,1,.refresh,1,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\CONSOLE]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\JIT]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\LOGGING]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3B9A6E32-36C9-4946-B78C-3F58E3785EC1}]
"AppPath"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}]
"AppPath"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
"AppName"="javaws.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
"AppPath"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}]
"AppPath"="C:\Program Files (x86)\Java\jre6\bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}]
@="Java"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER]
"Text"="Java VM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\SCRIPTING\SCRIPTJAVA]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\SCRIPTING\SCRIPTJAVA]
"Text"="Scripting of Java applets"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\comissur.com\java]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\comissur.com\java]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment]
"CLASSPATH"=".;C:\Program Files (x86)\Java\jre1.6.0_07\lib\ext\QTJava.zip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment]
"QTJAVA"="C:\Program Files (x86)\Java\jre1.6.0_07\lib\ext\QTJava.zip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\Environment]
"CLASSPATH"=".;C:\Program Files (x86)\Java\jre1.6.0_07\lib\ext\QTJava.zip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\Environment]
"QTJAVA"="C:\Program Files (x86)\Java\jre1.6.0_07\lib\ext\QTJava.zip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"CLASSPATH"=".;C:\Program Files (x86)\Java\jre1.6.0_07\lib\ext\QTJava.zip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"QTJAVA"="C:\Program Files (x86)\Java\jre1.6.0_07\lib\ext\QTJava.zip"
[HKEY_USERS\.DEFAULT\Software\JavaSoft]
[HKEY_USERS\.DEFAULT\Software\JavaSoft\Java Update]
[HKEY_USERS\.DEFAULT\Software\JavaSoft\Java Update\Policy\JavaFX]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\comissur.com\java]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\comissur.com\java]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Java\jre6\bin\jusched.exe"="07/06/2011 12:55 AM"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\BillP Studios\WinPatrol\IEHelpers]
"Java(TM) Platform SE 6 U17"="900"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\BillP Studios\WinPatrol\IEHelpers]
"Java(TM) Platform SE binary"="600"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\JavaSoft]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\JavaSoft\Java Runtime Environment]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\JavaSoft\Java Update]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\JavaSoft\Java Update\Policy\JavaFX]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\JavaSoft\Java2D]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\1f3fe812_0]
@="{0.0.0.00000000}.{794f089c-2271-43fa-a760-c1dcd19766a7}|\Device\HarddiskVolume1\Program Files (x86)\Java\jre6\bin\java.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\239a72c0_0]
@="{0.0.0.00000000}.{8b970a98-9cca-4eba-a139-dc7407583405}|\Device\HarddiskVolume1\Program Files (x86)\Java\jre6\bin\java.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5682053c_0]
@="{0.0.0.00000000}.{539ebb6c-62c0-4d68-ba22-8a50cd620cde}|\Device\HarddiskVolume1\Program Files (x86)\Java\jre6\bin\java.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\80eb886d_0]
@="{0.0.0.00000000}.{f46fc579-13f6-41d1-9def-48c9dbfaf32e}|\Device\HarddiskVolume1\Program Files (x86)\Java\jre6\bin\java.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\864094bf_0]
@="{0.0.0.00000000}.{1fc41fe7-1bd7-44e3-993b-d3f339d4eeba}|\Device\HarddiskVolume1\Program Files (x86)\Java\jre6\bin\java.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\9a9814f1_0]
@="{0.0.0.00000000}.{cf07edaa-292f-4310-8d5c-30938b864f9e}|\Device\HarddiskVolume1\Program Files (x86)\Java\jre6\bin\java.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Java VM]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\comissur.com\java]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\comissur.com\java]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Netscape\Netscape Navigator\User Trusted External Applications]
""C:\Program Files (x86)\Java\jre6\bin\javaws.exe""="Yes"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Netscape\Netscape Navigator\Viewers]
"TYPE0"="application/x-java-jnlp-file"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Netscape\Netscape Navigator\Viewers]
"application/x-java-jnlp-file"=""C:\Program Files (x86)\Java\jre6\bin\javaws.exe""
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Piriform\CCleaner]
"(App)Sun Java"="True"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Classes\LimeWire]
"Generated By"="Generated By Java-Association"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"@C:\Windows\SysWOW64\inetcpl.cpl,-4787"="Scripting of Java applets"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\JavaSoft]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Classes\Wow6432Node\LimeWire]
"Generated By"="Generated By Java-Association"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"@C:\Windows\SysWOW64\inetcpl.cpl,-4787"="Scripting of Java applets"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000_Classes\LimeWire]
"Generated By"="Generated By Java-Association"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"@C:\Windows\SysWOW64\inetcpl.cpl,-4787"="Scripting of Java applets"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\JavaSoft]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000_Classes\Wow6432Node\LimeWire]
"Generated By"="Generated By Java-Association"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1000_Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"@C:\Windows\SysWOW64\inetcpl.cpl,-4787"="Scripting of Java applets"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Java\jre6\bin\jusched.exe"="07/06/2011 11:41 AM"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\BillP Studios\Detected\IEHelper]
"C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll"="07/06/2011 11:41 AM"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\BillP Studios\WinPatrol\IEHelpers]
"Java(TM) Platform SE 6 U17"="900"
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\JavaSoft]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\JavaSoft\Java Update]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\JavaSoft\Java Update\Policy\JavaFX]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\comissur.com\java]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\comissur.com\java]
[HKEY_USERS\S-1-5-21-976231018-1287267316-1729043825-1001\Software\Piriform\CCleaner]
"(App)Sun Java"="True"
[HKEY_USERS\S-1-5-18\Software\JavaSoft]
[HKEY_USERS\S-1-5-18\Software\JavaSoft\Java Update]
[HKEY_USERS\S-1-5-18\Software\JavaSoft\Java Update\Policy\JavaFX]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\comissur.com\java]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\comissur.com\java]

========== filefind ==========

Searching for "java"
No files found.

========== folderfind ==========

Searching for "java"
C:\Program Files (x86)\Java d------ [16:57 13/01/2009]
C:\Program Files (x86)\Common Files\Java d------ [16:57 13/01/2009]
C:\Users\Malky\AppData\Local\VirtualStore\Windows\Sun\Java d------ [21:30 30/04/2010]
C:\Users\Malky\AppData\LocalLow\Sun\Java d------ [06:22 01/01/2010]
C:\Users\Nechama Deena\AppData\LocalLow\Sun\Java d------ [05:58 23/02/2010]
C:\Users\Rachel Mindel\AppData\LocalLow\Sun\Java d------ [04:05 01/03/2010]
C:\Users\Sarah Sheindel\AppData\LocalLow\Sun\Java d------ [20:14 23/02/2010]
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java d------ [11:38 01/01/2010]
C:\_OTL\MovedFiles\07262011_083631\C_Users\Malky\AppData\LocalLow\Sun\Java d------ [12:36 26/07/2011]

-= EOF =-
Seep34
Regular Member
 
Posts: 37
Joined: August 30th, 2010, 10:05 am

Re: Sneeky malware, browser hijack

Unread postby Gary R » July 29th, 2011, 2:47 am

I can see no sign of the latest Java update in your log; did you install JDK 6 Update 26 (JDK or JRE)?

If not please do so.

Can you then run the SystemLook scan again please.

I think WinPatrol has replaced the update 07 and 17 registry entries, so we'll need to disable that when we remove the 07 and 17 entries, but I'd like to make sure version 26 installs properly first.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Sneeky malware, browser hijack

Unread postby Seep34 » July 31st, 2011, 1:50 pm

Dear Gary R.,

(Is there a way to save a posting, without sending it? I've just spent the last two hours composing a follow-up to our clean-up project, only to lose my posting--TWICE. I'm now working on my computer... I'll try my best to reconstruct my message.)

1) Going into the Control Panel, then Programs and Features, the Java 7 and 17 updates appear on the program roster. However, upon clicking on either program, none of the usual uninstall, change, or repair options appear. Perhaps they are immortal and can't be killed; perhaps they are just shadows of their former selves. In any case, it's annoying to see programs that I've deleted still up on the programs list.

2) While installing the latest version of JAVA, the program bombed out with an Error 1606. "Could not access network location %APPDATA%." Now that's doubly interesting, because when I recently tried to update the HP Support Assistant program, it aborted with the exact same error code and message. The %APPDATA% folder (slightly grayed out) resides on the computer's desktop. I'm able to drill down into the file structure using Windows Explorer from the %APPDATA% folder to the Microsoft folder to the Windows folder to a choice of two folders: PrivacIE or IETldCache; each containing a folder: index.dat. I don't know why the %APPDATA% folder is so important, where it came from, or how it plays a special role in foiling program installations. I've seen appdata folders under users, but never bounded by percent signs and sitting on a desktop. Any ideas?

3) Starting with the time I turned the computer on this morning, I'm being plagued by a SUPERAntiSpyware Alert telling me that a Browser Home Page Change has been Detected. It gives me the choice of Allow Change or Block Change. I didn't ask for the change, so I hit Block Change. The pop-up box disappears, followed immediately by the identical pop-up box. I hit Block Change; it pops back up. Apparently choosing Block Change is not acceptable. I've dragged the pop-up box off to the side of the screen, so that I could continue working. You know, Gary R., that it's very reminiscent of the beginning of our adventure, when a bogus anti-virus program littered the screen with pop-up boxes saying that the computer was infected with the Win32/Blaster A virus. The bogus security program urged the user to click on a button to download a "cure." (It was at that point that the kids brought me their computer.) The SUPERAntiSpyware Alert message shows the current home page, which looks like the HP home page (I can't see the entire URL) and wants to exchange that for a blank page. The Alert says "If you did not make this change, you may have spyware or adware on your system." I can't understand how spyware/adware would benefit by directing the home page to a blank page. What do you make of it, Gary R.? What do I do?

4) I tried to implement your suggested "control userpasswords2" fix. Three user names appeared in the box on that screen. However, when I unchecked "Users must enter a user name and password to use" two of the three user names faded. I played with it for a while, and was able to effect a change--in that when I boot up, it now displays the administrator's log in name; I just need to enter my password. This in itself is a big improvement, since I can now sign on as an administrator, giving me greater ability to implement changes. However, that's the only user name on the opening screen (well, sort of & I'll explain that in #5). If I hit switch user, I come back to the original log in screen which demanded a username and password input. How do I get the other users to appear on the same screen at computer log in time? Where am I going wrong?

5) When bringing up the computer something very strange happens, even before the administrator's log in screen appears. A message saying "The username or password is incorrect" appears. Only after clicking the OK button does the Administrator log in appear (under which appears Reset password... and under that is Switch User). I've not input a password or user name, even before the log in screen comes up, so what's happening? I speculate that somewhere, in an .ini or some other start up file, a user name and/or password has been coded. Could that have been part of the virus/trojan/malware (perhaps successful) plan to hijack this computer? Has this been implanted via a rootkit, or boot-up virus? If so, I assume that the offending code has to be tracked down and neutralized. And, the virus/trojan/malware that put the log in data there, also has to be eliminated. Gary R., what do you think is going on here? I have no idea if my speculation is on, or off target. What do you think is really happening?

(This is my third time writing this message--almost three hours time devoted to pulling the data together and to posing the appropriate questions. I am very tempted to return the computer to the kids and let them have a crack at following/implementing your forthcoming instructions. How do you feel about that? The natives are very restless.)

Mory (Seep34)
Seep34
Regular Member
 
Posts: 37
Joined: August 30th, 2010, 10:05 am

Re: Sneeky malware, browser hijack

Unread postby Gary R » August 1st, 2011, 6:38 am

Before we do anything else, I want to make 100% sure we're not dealing with any hidden Malware.

Your machine is using a 64 bit version of Windows, and 64 bit versions of Windows do not permit kernel patching, so rootkits cannot normally install on your computer.

It is possible to "end run" Patch Guard (the system Windows uses to prevent kernel patching) by loading what's known as a bootkit (the infection corrupts the Master Boot Record of your hard drive), but we've checked for those, and your MBR does not appear to be infected.

However, some of the MBR infections have been known to present a legit copy of the MBR when scanned to avoid detection, so to make sure we don't have one of those to deal with, I'm going to need to get a copy of your MBR when Windows is not running. That way the infection is not active, and we can see what's really there.

To do this we need to boot your computer into an alternative Operating System, and get a copy of your MBR using that. We'll need a re-writeable CD/DVD and a USB key drive for this.

The OS I choose to use is Puppy Linux, because it's usually able to successfully boot most computers.

First

We need to create a bootable Puppy Linux CD/DVD ....

Download .... http://distro.ibiblio.org/pub/linux/dis ... pu-525.iso .... to your Desktop.

  • Insert a re-writable CD or DVD into your CD/DVD drive.
  • Right click the ISO file on your Desktop, select Open with , and choose Windows Disk Image Burner
  • Check Verify disk after burning
  • Click Burn, and allow the ISO file to burn to disk.

Next

We need to boot your computer from the Puppy Linux CD/DVD you created.

To do this we may need to change the boot order of your BIOS, or if your computer is a fairly new one (which the OS would suggest it is), then you should be able to select what device to boot from by doing the following ....

  • With the Puppy Linux CD/DVD in your CD/DVD drive, shut down your computer.
  • Re-start it, and continuously hit F12 (some computers it's F9) on power up.
  • You will be presented with a boot options box ...... opt to boot from CD/DVD (optical drive).
  • Computer should now boot from the Puppy Linux boot disk.

If you're not able to boot from the CD/DVD this way, let me know, and I'll talk you through how to change your boot priority on your BIOS.

If you are able to boot into Puppy ....

  • Insert your USB drive.
  • At the bottom of the Puppy desktop, click on sdb1 to mount it. (sdb1 is what Linux calls your USB drive)
  • A Window should open entitled /mnt/sdb1
  • Double click pldumpit to run it.
  • A window should open named bash with a series of code lines.
  • Wait till it says All Done ! then hit Enter to exit the window.
  • Close the /mnt/sdb1 window.
  • Remove the puppy CD/DVD from your machine.
  • In the bottom left corner of the Puppy desktop, click on menu > shutdown > power off computer
  • If prompted do not save session.

Remove the USB from the USB port and boot your computer into Windows.

Re-insert the USB, and open it in Windows ....

  • Right-click on a folder mbr.zip and select Extract all ....
  • Accept the default settings.
  • A new folder should now be present on the USB drive named mbr
  • Inside there may be a number of files, including one named sda0.bin

Next

I want you to scan sda0.bin at VirusTotal or Jotti's

sda0.bin

  • Browse to the file in the quote box above (on your USB drive).
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Post me the details please.

Do not do anything else whilst you are within Puppy, other than what I've told you to. All the normal restrictions within Windows are not present while you are in Puppy, and it is quite easy to do damage.

You will be given no warnings by the OS if you decide to do something stupid, it will just do it.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
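Gary R's reason for dumping the MBR from Puppy Linux rather than from inside Windows is that an active MBR infection can hand a scanner a clean copy of the sector. As an added example (not the thread's own code, nor the pldumpit script's), the Python below parses a raw 512-byte sector such as the sda0.bin dump, checks its layout, and compares the bootstrap area against a known-good hash; the sample sector and every value in it are constructed, and `triage_file` is a hypothetical helper name for use on a real dump.

```python
"""Offline MBR triage for a raw sector dump such as the sda0.bin file the
Puppy Linux step produces.  Added example: the layout checks follow the
standard MBR format; the reference-hash comparison is the point of reading
the sector while Windows is not running."""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # bootstrap code area: bytes 0..439
DISK_SIG_OFFSET = 440         # 4-byte disk signature written by Windows
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from a real disk): a tiny bootstrap stub,
    a made-up disk signature, one active NTFS partition, three empty slots."""
    bootstrap = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOTSTRAP_LEN - 7)
    disk_sig = struct.pack("<I", 0xDEADBEEF)          # constructed value
    reserved = b"\x00\x00"
    lba_only = b"\xFE\xFF\xFF"                        # CHS fields set to the "use LBA" marker
    ntfs = struct.pack(ENTRY_FMT, 0x80, lba_only, 0x07, lba_only, 2048, 204800)
    empty = struct.pack(ENTRY_FMT, 0x00, b"\x00\x00\x00", 0x00, b"\x00\x00\x00", 0, 0)
    sector = bootstrap + disk_sig + reserved + ntfs + empty * 3 + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> Dict:
    """Split one 512-byte sector into the fields a reviewer looks at."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        flag, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0 and lba == 0 and count == 0:
            continue                                  # unused slot
        parts.append({"slot": i, "boot_flag": flag, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "sha256": hashlib.sha256(sector).hexdigest(),  # hash to look up at a scanner
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": parts,
    }


def findings(info: Dict, reference_bootstrap_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable oddities; an empty list means nothing stood out."""
    notes: List[str] = []
    if not info["boot_signature_ok"]:
        notes.append("0x55AA boot signature missing: not a valid MBR or a truncated dump")
    parts = info["partitions"]
    active = [p for p in parts if p["boot_flag"] == 0x80]
    if len(active) != 1:
        notes.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parts:
        if p["boot_flag"] not in (0x00, 0x80):
            notes.append(f"slot {p['slot']}: invalid boot flag 0x{p['boot_flag']:02X}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["slot"]) for p in parts)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            notes.append(f"slots {a} and {b} overlap")
    if reference_bootstrap_sha256 and info["bootstrap_sha256"] != reference_bootstrap_sha256:
        notes.append("bootstrap code differs from the known-good reference: "
                     "compare the offline dump with what the running system reports")
    return notes


def triage_file(path: str, reference_bootstrap_sha256: Optional[str] = None) -> List[str]:
    """Hypothetical wrapper for a real dump file, e.g. the sda0.bin on the USB key."""
    with open(path, "rb") as fh:
        return findings(parse_mbr(fh.read(SECTOR_SIZE)), reference_bootstrap_sha256)


if __name__ == "__main__":
    clean = build_sample_mbr()
    ref = parse_mbr(clean)["bootstrap_sha256"]
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF                            # simulate one modified bootstrap byte
    for name, blob in (("clean", clean), ("tampered", bytes(tampered))):
        print(name, findings(parse_mbr(blob), ref) or "no findings")
```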

Re: Sneeky malware, browser hijack

Unread postby Gary R » August 4th, 2011, 12:49 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire