Sneeky malware, browser hijack

Re: Sneeky malware, browser hijack

Post by Seep34 » July 24th, 2011, 10:26 pm

Gary R., I ran into a problem.

I ran the OTL.exe program, as instructed. I entered the code and hit Run Fix. It seemed to run for a couple of minutes--at most--and then, after a while, seeing no activity, I terminated the program. As soon as I closed the program the following (partial) logfile was created in Notepad:


Files\Folders moved on Reboot...
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037} scheduled to be moved on reboot.

Registry entries deleted on Reboot...


I figured maybe I moved the mouse and that's why the program stalled. Who knows? So I ran it again. The previous run got up to :Files and the line immediately under that (ending with symnrt.exe). On the second run, the program again seemed to stall, however, I decided to leave it, in the hope that it was crunching some data and would eventually finish properly. When I came back almost two hours later, everything was on the screen as I left it. I couldn't copy the lines in the data on the screen, since my mouse click immediately showed that the program was "not responding." There was no notepad file or log generated, however, I did note the following lines on the screen:

From the first section, the last three lines (of your code) beginning with DRV: were listed; followed by :Files and all six lines beneath that; under the :Reg were the [HKEY... ending with FirewallRules] including the three entries under that; the next [HKEY... was there, accompanied by the first line--alone. That's where the trail ended.

Please let me know how to proceed.

Mory (seep34)
Seep34
Regular Member
 
Posts: 37
Joined: August 30th, 2010, 10:05 am

Re: Sneeky malware, browser hijack

Post by Seep34 » July 24th, 2011, 10:41 pm

Hi Gary R.

I figured that while awaiting your reply, I would at least update the Malwarebytes' Anti-Malware program. When I clicked on the program icon, I was immediately asked if I wanted to update my database, since it was 20 plus days old. I said yes. 6.75 MB (100%) was downloaded. However, a split second later, the following Malwarebytes' Anti-Malware message appeared:

An error has occurred. Please report this error to our support team.
PROGRAM_ERROR_UPDATING (5,0, CreateFile)
Access is denied.

When I clicked "OK," the program's Scanner screen appeared. I knew that I was not going to run a scan without your prior instructions--so I hit the Update tab and saw the following:

Current Database Information:
Date: 7/1/2011
Database version: 6998
Fingerprints loaded: 325225

The "Check for Updates" button was grayed out.

I had noticed the inability-to-update issue several times over the past few weeks (and I've seen it on other computers, as well).

Any idea why this is happening? Suggestions?

Mory (Seep34)

Re: Sneeky malware, browser hijack

Post by Seep34 » July 24th, 2011, 10:48 pm

Gary R.

Scratch my previous post. I solved the problem by running the program as an administrator--which I forgot to do the previous times. I now have the latest version of the program and my database has been updated to 7268.

((OK--I'm not perfect.))

Mory (Seep34)

Re: Sneeky malware, browser hijack

Post by Seep34 » July 24th, 2011, 11:50 pm

BTW, Gary R., when I went to uninstall Anvir Task Manager Free and Mamutu 3.0 via the Control Panel, I noticed something very strange. The two Java 6 Updates (7 & 17) that I deleted last week were back in the lineup. They were listed with file sizes of 171 MB and 94.9 MB, respectively; no publisher was listed and no install date. When I deleted them, they disappeared from the list--now they're back... What gives? Now that's sneeky!

Mory (Seep34)

Re: Sneeky malware, browser hijack

Post by Gary R » July 25th, 2011, 2:02 am

To get the log from your OTL run ....

Go to C:\_OTL\MovedFiles where there should be a log file MMDDYYYY_HHMMSS.log (where MDYHMS are numbers representing the date and time the fix was run)

Please post me that file.

If no log file has been produced ....

Continue and run the MBAM and E-Set scans I asked for earlier and post me the logs please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Sneeky malware, browser hijack

Post by Seep34 » July 25th, 2011, 10:05 am

Good morning Gary R.,

Found the OTL Moved Files, but no log files. Sending you a screen-shot of the structure of both files.

Scratch that; only the screen-shot captions appeared. Long file structures, but little/no content.

I'm moving on to the next instructions.

Mory (Seep34)

Re: Sneeky malware, browser hijack

Post by Seep34 » July 25th, 2011, 10:32 am

Gary R., nothing to fix on this scan; here's the MBAM log:

Malwarebytes' Anti-Malware 1.51.1.1800
http://www.malwarebytes.org

Database version: 7274

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/25/2011 10:13:56 AM
mbam-log-2011-07-25 (10-13-56).txt

Scan type: Quick scan
Objects scanned: 214100
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Moving to next instruction.

Mory (Seep34)

Re: Sneeky malware, browser hijack

Post by Seep34 » July 25th, 2011, 1:50 pm

Gary R.: The ESET online scanner has been running for almost 3 hours. It's already found 14 infected files. These are the tricky ones I was alluding to when I gave this session its name. From what I can see on the screen they are a whole bunch of trojans--most of which I had previously "removed." Some of the names have morphed a bit, but they're still recognizable. ESET is picking them up; Malwarebytes didn't. My anti-virus programs, BTW, are still turned off...

I have to leave. The scan is 75% complete. I can't wait another few hours. I'll have to post the results tonight.

Sorry to keep you in suspense. Here's where the real fun begins.

Mory (seep34)

Re: Sneeky malware, browser hijack

Post by Gary R » July 25th, 2011, 3:33 pm

No problem, post the log when you're ready.

Re: Sneeky malware, browser hijack

Post by Seep34 » July 25th, 2011, 9:46 pm

Here it is Gary R.; the ESET log.

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=02b7977b2fd37e4ebd44cd49f1bd9239
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-25 06:01:16
# local_time=2011-07-25 02:01:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=770 16774141 100 0 0 0 0 0
# compatibility_mode=5892 16776638 100 56 0 148204778 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=321031
# found=14
# cleaned=0
# scan_time=10803
C:\Users\Malky\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\65891f0d-52139baa probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\73769d5f-217ebd5f probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\1c8e61e8-7b97a298 probably a variant of Java/Exploit.CVE-2009-3867.AC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\Documents\FFSetup220[2]\FFSetup220.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\07242011_184105\C_Users\Rachel Mindel\AppData\Roaming\mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I

Thanks Gary R. for flushing out these nasty bugs... I can't wait to find out how they can be permanently banished from this computer.

Mory (Seep34)

PS. My youngest daughter came home from camp this morning and I don't want to tell you what she said when she found out that this process has been going on for more than four weeks--and the kids still don't have their computer back. (Of course, if they were more prudent, they wouldn't have gotten into this mess in the first place.)
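As an added example (my own code, not anything from the thread, from ESET or from MalwareRemoval.com), the following Python parses a log in the ESET Online Scanner format quoted above and summarises it by user, by threat name and by browser-extension id. Run over the real log it makes two things obvious at a glance: the same Firefox extension GUID and the same Chrome extension id recur in several user profiles, so cleaning one profile leaves the others intact, and found=14 with cleaned=0 and remove_checked=false means the scan only reported, it removed nothing. The sample log is a constructed excerpt built from the entries above, and the line layout the regular expression assumes is inferred from those lines.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed excerpt (not the thread's full log) in the ESET Online Scanner
# log format shown in the thread: '#' header lines, then one finding per line:
#   <path> <threat description> (<action>) <32-hex hash> <flag>
SAMPLE_LOG = r"""# version=7
# remove_checked=false
# scanned=321031
# found=5
# cleaned=0
C:\Users\Malky\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\65891f0d-52139baa probably a variant of Win32/Agent.KORPJCX trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Paths may contain spaces ("Rachel Mindel", "User Data"), so the path is taken
# as everything up to the end of the last token that contains a backslash;
# ESET threat names use '/' and never '\', so this split is unambiguous.
# The layout (path, threat text, "(action)", 32-hex hash, flag) is an assumption
# inferred from the lines quoted in the thread.
DETECTION_RE = re.compile(
    r"^(?P<path>.*\\\S*) (?P<threat>.+?) \((?P<action>[^()]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)
FIREFOX_EXT_RE = re.compile(r"\\extensions\\(\{[0-9a-f-]{36}\})(?:\\|$)", re.IGNORECASE)
CHROME_EXT_RE = re.compile(r"\\([a-p]{32})\\", re.IGNORECASE)


def threat_name(desc):
    """Split 'probably a variant of Win32/Agent.KORPJCX trojan' into
    ('Win32/Agent.KORPJCX', 'trojan'): the name is the token with '/',
    the last word is ESET's category (trojan, application, ...)."""
    words = desc.split()
    name = next((w for w in words if "/" in w), words[0])
    return name, words[-1]


def parse_eset_log(text):
    """Return (header dict, list of detection dicts) for one ESET log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value  # repeated keys (compatibility_mode) keep the last value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # e.g. the 'ESETSmartInstaller ... all ok' preamble lines
        path = m.group("path")
        name, category = threat_name(m.group("threat"))
        user = USER_RE.match(path)
        ext = FIREFOX_EXT_RE.search(path) or CHROME_EXT_RE.search(path)
        detections.append({
            "path": path,
            "user": user.group(1) if user else None,
            "threat": name,
            "category": category,
            "action": m.group("action"),
            "extension": ext.group(1) if ext else None,
        })
    return header, detections


def summarize(header, detections):
    """Aggregate detections per user, per threat and per extension id."""
    ext_users = defaultdict(set)
    for d in detections:
        if d["extension"]:
            ext_users[d["extension"]].add(d["user"])
    return {
        "found": int(header.get("found", 0)),
        "cleaned": int(header.get("cleaned", 0)),
        # remove_checked=false: the scanner was run in report-only mode, which is
        # why every finding above reads "(unable to clean)".
        "remove_enabled": header.get("remove_checked") == "true",
        "by_user": dict(Counter(d["user"] for d in detections)),
        "by_threat": dict(Counter(d["threat"] for d in detections)),
        # An extension id present in several profiles must be removed from all of
        # them; a cleanup of one profile leaves the others to reinfect.
        "extensions": {e: sorted(u) for e, u in ext_users.items()},
    }


def analyze(text):
    header, detections = parse_eset_log(text)
    return summarize(header, detections)


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```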

Re: Sneeky malware, browser hijack

Post by Gary R » July 26th, 2011, 1:10 am

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
C:\Users\Malky\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\65891f0d-52139baa
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\73769d5f-217ebd5f
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\1c8e61e8-7b97a298
C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}
C:\Users\Malky\Documents\FFSetup220[2]\FFSetup220.exe
C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}
C:\Users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo
C:\Users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}
C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}

:Commands
[emptytemp]
[emptyflash]
[resethosts]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Re: Sneeky malware, browser hijack

Post by Seep34 » July 26th, 2011, 8:49 am

Bad news, Gary R. OTL.exe chugged along, relatively quickly, and got to where it said it was resetting the hosts file--which was just about at the end--when it died. The program faded, the circle spun, and a message popped up: "OTL has stopped working" followed by the usual "A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." No log was produced. I clicked OK and the program closed.

Next?

Mory (Seep34)

Re: Sneeky malware, browser hijack

Post by Seep34 » July 26th, 2011, 9:11 am

Sorry. OTL did produce a log file. I didn't notice it at first, even though I went to Moved Folders like the last time; however, I grabbed it and copied it below.

Mory (Seep34)



All processes killed
========== FILES ==========
Folder move failed. C:\Users\Malky\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo scheduled to be moved on reboot.
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\65891f0d-52139baa moved successfully.
C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\73769d5f-217ebd5f moved successfully.
File\Folder C:\Users\Malky\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\1c8e61e8-7b97a298I not found.
Folder move failed. C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences scheduled to be moved on reboot.
Folder move failed. C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults scheduled to be moved on reboot.
Folder move failed. C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037} scheduled to be moved on reboot.
C:\Users\Malky\Documents\FFSetup220[2]\FFSetup220.exe moved successfully.
Folder move failed. C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences scheduled to be moved on reboot.
Folder move failed. C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults scheduled to be moved on reboot.
Folder move failed. C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037} scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Local\Google\Chrome\User Data\Default\Default\mgjkiimdknagkhpcokjofhbafnaopifo scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults scheduled to be moved on reboot.
Folder move failed. C:\Users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037} scheduled to be moved on reboot.
Folder move failed. C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences scheduled to be moved on reboot.
Folder move failed. C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults scheduled to be moved on reboot.
Folder move failed. C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037} scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Malky
->Temp folder emptied: 65908255 bytes
->Temporary Internet Files folder emptied: 4084429 bytes
->Java cache emptied: 100663468 bytes
->FireFox cache emptied: 40181464 bytes
->Google Chrome cache emptied: 15820124 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 37293 bytes

User: Nechama Deena
->Temp folder emptied: 41775794 bytes
->Temporary Internet Files folder emptied: 94261 bytes
->Java cache emptied: 34952930 bytes
->FireFox cache emptied: 95273190 bytes
->Apple Safari cache emptied: 11235328 bytes
->Flash cache emptied: 22320 bytes

User: Public

User: Rachel Mindel
->Temp folder emptied: 24765799 bytes
->Temporary Internet Files folder emptied: 1113208 bytes
->Java cache emptied: 24237387 bytes
->FireFox cache emptied: 8003701 bytes
->Google Chrome cache emptied: 819568 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1487 bytes

User: Sarah Sheindel
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 804 bytes
->Java cache emptied: 12118713 bytes
->FireFox cache emptied: 83710129 bytes
->Apple Safari cache emptied: 11260928 bytes
->Flash cache emptied: 5823 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 149868 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 99088341 bytes

Total Files Cleaned = 644.00 mb


[EMPTYFLASH]

User: All Users

User: AppData

User: Default

User: Default User

User: Malky
->Flash cache emptied: 0 bytes

User: Nechama Deena
->Flash cache emptied: 0 bytes

User: Public

User: Rachel Mindel
->Flash cache emptied: 0 bytes

User: Sarah Sheindel
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.1 log created on 07262011_083631

Re: Sneeky malware, browser hijack

Post by Gary R » July 26th, 2011, 10:25 am

Since we're having so many problems with OTL, I'd like to look at your infection using different tools ....

First

Download ComboFix from one of these locations and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply. ......... (it can also be found at C:\ComboFix.txt)

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.

Next

Run a new scan with DDS and post me the 2 logs it produces .... DDS.txt and Attach.txt

Next

Run a new scan with E-Set and post me the log please.

Summary of the logs I need from you in your next post:
  • Combofix log
  • new DDS.txt
  • new Attach.txt
  • new E-Set log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.

Re: Sneeky malware, browser hijack

Post by Seep34 » July 26th, 2011, 12:07 pm

Gary R., here's the Combofix log output.

Mory (Seep34)


ComboFix 11-07-26.02 - Rachel Mindel 07/26/2011 11:36:04.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2066 [GMT -4:00]
Running from: c:\users\Malky\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Malky\AppData\Local\.#
c:\users\Malky\AppData\Local\.#\MBX@4910@2CF2748.###
c:\users\Malky\AppData\Local\.#\MBX@4910@2CF2778.###
c:\users\Malky\AppData\Local\.#\MBX@5B0C@3252748.###
c:\users\Malky\AppData\Local\.#\MBX@5B0C@3252778.###
c:\users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}
c:\users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest
c:\users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar
c:\users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences\xulcache.js
c:\users\Malky\AppData\Roaming\Mozilla\Firefox\Profiles\zbf0gd70.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\install.rdf
c:\users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}
c:\users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest
c:\users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar
c:\users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences\xulcache.js
c:\users\Nechama Deena\AppData\Roaming\Mozilla\Firefox\Profiles\yuyqsk2x.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\install.rdf
c:\users\Public\Documents\~WRL1259.tmp
c:\users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}
c:\users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome.manifest
c:\users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\chrome\xulcache.jar
c:\users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\defaults\preferences\xulcache.js
c:\users\Sarah Sheindel\AppData\Roaming\Mozilla\Firefox\Profiles\lig7kx0j.default\extensions\{1a184095-bed1-41ab-9d6d-ab4ada3b3037}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-26 to 2011-07-26 )))))))))))))))))))))))))))))))
.
.
2011-07-26 15:48 . 2011-07-26 15:48 -------- d-----w- c:\users\Sarah Sheindel\AppData\Local\temp
2011-07-26 15:48 . 2011-07-26 15:48 -------- d-----w- c:\users\Rachel Mindel\AppData\Local\temp
2011-07-26 15:48 . 2011-07-26 15:48 -------- d-----w- c:\users\Nechama Deena\AppData\Local\temp
2011-07-26 15:48 . 2011-07-26 15:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-26 12:32 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C7384B1A-EA7F-44D2-8F84-CAD5EFAF2E49}\mpengine.dll
2011-07-26 12:26 . 2011-07-26 12:27 -------- d-----w- c:\users\Malky\AppData\Roaming\HpUpdate
2011-07-25 14:41 . 2011-07-25 14:41 -------- d-----w- c:\program files (x86)\ESET
2011-07-25 13:27 . 2011-07-26 01:52 -------- d-----w- C:\HpUpdate
2011-07-24 22:41 . 2011-07-24 22:41 -------- d-----w- C:\_OTL
2011-07-18 00:55 . 2011-07-18 00:55 -------- d-----w- c:\windows\Hewlett-Packard
2011-07-17 15:52 . 2011-07-17 15:52 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-07-17 15:52 . 2011-07-17 15:52 -------- d-----w- c:\program files\Bonjour
2011-07-17 15:52 . 2011-07-17 15:52 -------- d-----w- c:\program files (x86)\Bonjour
2011-07-15 02:41 . 2011-07-21 14:34 -------- d-----w- c:\program files (x86)\Mamutu
2011-07-15 02:36 . 2011-07-15 02:36 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-07-13 17:38 . 2011-06-02 13:50 2764288 ----a-w- c:\windows\system32\win32k.sys
2011-07-13 17:38 . 2011-04-20 16:03 451072 ----a-w- c:\windows\system32\winsrv.dll
2011-07-13 17:38 . 2011-04-20 15:58 85504 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-13 13:10 . 2011-07-13 13:10 -------- d-----w- c:\users\Malky\AppData\Local\Yahoo
2011-07-11 02:34 . 2011-07-11 02:34 -------- d-----w- c:\windows\Profiles
2011-07-07 14:39 . 2011-07-07 14:39 -------- d-----w- C:\ProcAlyzer Dumps
2011-07-06 18:52 . 2011-07-06 18:52 -------- d-----w- c:\program files (x86)\VS Revo Group
2011-07-06 16:55 . 2011-07-06 16:55 -------- d-----w- c:\users\Malky\AppData\Roaming\WinPatrol
2011-07-06 15:41 . 2011-07-06 15:41 -------- d-----w- c:\users\Rachel Mindel\AppData\Roaming\WinPatrol
2011-07-06 15:41 . 2011-07-06 15:41 -------- d-----w- c:\programdata\InstallMate
2011-07-06 15:41 . 2011-07-06 15:41 -------- d-----w- c:\program files (x86)\BillP Studios
2011-07-04 16:02 . 2011-07-04 16:02 -------- d-----w- c:\program files\CCleaner
2011-07-04 14:51 . 2011-07-04 14:55 -------- d-----w- c:\users\Malky\AppData\Roaming\QuickScan
2011-07-04 14:16 . 2011-07-04 14:16 -------- d-----w- C:\Google
2011-07-03 17:13 . 2009-10-10 03:30 352784 ----a-w- c:\windows\system32\drivers\7455833.sys
2011-07-03 17:13 . 2009-09-25 21:59 157712 ----a-w- c:\windows\system32\drivers\74558331.sys
2011-07-03 15:14 . 2009-10-10 03:30 352784 ----a-w- c:\windows\system32\drivers\7041613.sys
2011-07-03 15:14 . 2009-09-25 21:59 157712 ----a-w- c:\windows\system32\drivers\70416131.sys
2011-07-01 23:25 . 2011-07-01 23:25 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-01 21:17 . 2011-07-01 21:17 -------- d-----w- C:\Malwarebytes
2011-07-01 21:17 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-30 03:51 . 2011-07-04 11:43 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-30 03:51 . 2011-07-04 11:36 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-30 03:35 . 2009-07-14 18:31 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2011-06-30 03:35 . 2009-07-14 18:18 654928 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-06-30 03:35 . 2009-07-14 18:18 42064 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-06-30 03:20 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-30 03:20 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-29 16:26 . 2011-07-03 17:14 -------- d-----w- c:\programdata\Kaspersky Lab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-05-26 15:31 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43 . 2010-10-25 18:00 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2010-10-25 18:00 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-07-04 11:36 . 2010-10-25 18:02 288088 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2010-10-25 18:01 45400 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2010-10-25 18:01 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2010-10-25 18:01 64856 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2010-10-25 18:02 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-24 23:14 . 2010-05-27 12:33 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-13 22:58 . 2011-05-13 22:58 17720 ----a-w- c:\windows\system32\HPMDPCoInst12.dll
2011-05-13 22:58 . 2008-03-27 19:10 30008 ----a-w- c:\windows\system32\drivers\hpdskflt.sys
2011-05-13 22:58 . 2008-03-18 23:25 30520 ----a-w- c:\windows\system32\hpservice.exe
2011-05-13 22:58 . 2008-04-17 16:58 20792 ----a-w- c:\windows\system32\accelerometerdll.DLL
2011-05-13 22:57 . 2011-05-13 22:57 43320 ----a-w- c:\windows\system32\drivers\Accelerometer.sys
2011-05-02 17:16 . 2011-06-15 12:30 739328 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-05-02 17:13 . 2011-06-15 12:30 975360 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 13:41 . 2011-06-15 12:31 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 13:40 . 2011-06-15 12:31 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-29 13:39 . 2011-06-15 12:31 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 13:39 . 2011-06-15 12:31 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 13:39 . 2011-06-15 12:31 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-11-18 966656]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2942976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Uninstall Adobe Download Manager"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"OTL"="c:\users\Malky\Downloads\OTL.exe" [2011-07-20 579584]
.
c:\users\Malky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [x]
R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 a2acc;a2acc;c:\program files (x86)\MAMUTU\a2accx64.sys [x]
R3 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe [x]
R3 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2010-12-20 1845520]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-11-19 222512]
R3 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 135664]
R3 NETw3v64;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw3v64.sys [x]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-21 27648]
R3 Recovery Service for Windows;Recovery Service for Windows;c:\program files (x86)\SMINST\BLService.exe [2008-12-18 365952]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
S1 70416131;70416131;c:\windows\system32\DRIVERS\70416131.sys [x]
S1 74558331;74558331;c:\windows\system32\DRIVERS\74558331.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 setup_9.0.0.722_03.07.2011_17-11drv;setup_9.0.0.722_03.07.2011_17-11drv;c:\windows\system32\DRIVERS\7455833.sys [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/20 03:27];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-29 01:04 146928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 lxbv_device;lxbv_device;c:\windows\system32\lxbvcoms.exe [2007-04-25 566704]
S2 SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-04-28 120832]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 01:35]
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-24 01:35]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1000Core.job
- c:\users\Malky\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-03 01:04]
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1000UA.job
- c:\users\Malky\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-03 01:04]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1002Core.job
- c:\users\Nechama Deena\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-15 06:45]
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-976231018-1287267316-1729043825-1002UA.job
- c:\users\Nechama Deena\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-15 06:45]
.
2010-04-02 c:\windows\Tasks\HPCeeScheduleForMalky.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-01-13 19:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 200216]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 182784]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-04 442368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.0.1
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Rachel Mindel\AppData\Roaming\Mozilla\Firefox\Profiles\jswapa5i.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files (x86)\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-07-26 12:02:38
ComboFix-quarantined-files.txt 2011-07-26 16:02
.
Pre-Run: 130,151,202,816 bytes free
Post-Run: 130,010,865,664 bytes free
.
- - End Of File - - 4D990598D62926E2DA00BB8B832D8F5B
Seep34
Regular Member
 
Posts: 37
Joined: August 30th, 2010, 10:05 am