MalwareRemoval.com

Unable to get rid of Adware

Post by balance » July 15th, 2011, 7:25 pm

I noticed that I am infected with Adware. Avira Antivir found a few infected files but was unable to delete them. So I did it myself and killed the processes that were using the files (they were kind of in a chain, so I had to kill several processes to delete the files). I also manually deleted the entries in Autorun via regedit. Now there is still another one, which I cannot delete :/.

So finally, I do not know how to continue. I still get redirected to different sites when I click on Google results, so it's obviously Adware. I hope that someone can help me here.

Thanks in advance, have a great day!

That's my HijackThis log:
Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:20:51, on 16.07.2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\wininit.exe
C:\windows\system32\csrss.exe
C:\windows\system32\services.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\lsass.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\svchost.exe
C:\Program Files\Oceanis\SystemSetting\WallPaperAgent.exe
C:\windows\Explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\System32\AsusService.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\windows\system32\conhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe
C:\Program Files\EeePC\CapsHook\CapsHook.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\windows\system32\notepad.exe
C:\Windows\System32\mstsc.exe
C:\Users\Max\Downloads\HiJackThis204.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\svchost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.98.45.3:52931
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HotkeyMon] AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
O4 - HKLM\..\Run: [HotkeyService] AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
O4 - HKLM\..\Run: [SuperHybridEngine] AsusSender.exe C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
O4 - HKLM\..\Run: [CapsHook] AsusSender.exe C:\Program Files\EeePC\CapsHook\CapsHook.exe
O4 - HKLM\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe autorun
O4 - HKLM\..\Run: [ASUS WebStorage] C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Boingo Wi-Fi] "C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk"
O4 - HKLM\..\Run: [ASUSPRP] C:\Program Files\ASUS\APRP\APRP.EXE
O4 - HKLM\..\Run: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Google Update] "C:\Users\Max\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Program Files\Xilisoft\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: Free YouTube Download - C:\Users\Max\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Asus Launcher Service (AsusService) - Unknown owner - C:\Windows\System32\AsusService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.17\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.5.8\bin\mysqld.exe

--
End of file - 8579 bytes

balance
Active Member
 
Posts: 8
Joined: July 15th, 2011, 10:38 am
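A small triage parser for log lines like the HijackThis output above, added here as an example; it is not code from the original post, from the forum helpers or from the HijackThis project. It reads the R1 proxy, O4 autorun and O10 Winsock LSP lines and lists the entries a helper would look at first: a proxy configured in the user's Internet Settings routes every browser request through that host, which is why it is the first thing checked when the reported symptom is redirection; autoruns launched from a user profile directory and LSP DLLs outside a small allowlist of Windows-shipped providers come next. The allowlist, the sample lines (copied in shape from the log above, not a complete log) and the reason wording are assumptions of this example; a flagged entry is a review item, not a verdict, since legitimate software such as Google Update also lives under AppData.

```python
"""Triage of HijackThis-style log lines (added example, see lead-in)."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied in shape from the log in the post
# above. Not a complete log, and not the output of a real run.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.98.45.3:52931",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\Max\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll",
    r"O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll",
]

# Winsock providers that ship with Windows. Illustrative allowlist (an
# assumption of this example, not an authoritative list): any other DLL in
# an O10 line is loaded into every process that opens a socket, so it is
# reviewed rather than trusted by default.
KNOWN_LSP = {"mswsock.dll", "napinsp.dll", "pnrpnsp.dll", "winrnr.dll", "wshbth.dll", "nlaapi.dll"}

PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\(?:[^\\]+\\)?\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: R1, O4, O10, ...
    reason: str
    value: str


def command_path(cmd: str) -> str:
    """Executable part of an O4 command line: the quoted path, else the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Return the entries a helper would review first, in log order."""
    findings = []
    seen_lsp = set()
    for line in lines:
        line = line.rstrip()
        m = PROXY_RE.search(line)
        if m:
            findings.append(Finding("R1", "proxy set in Internet Settings; every browser request goes through it", m["proxy"]))
            continue
        m = RUN_RE.match(line)
        if m:
            if USER_PROFILE_RE.search(command_path(m["cmd"])):
                findings.append(Finding("O4", f"{m['hive']} autorun launched from a user profile directory", m["name"]))
            continue
        m = LSP_RE.match(line)
        if m:
            dll = m["path"].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_LSP and dll not in seen_lsp:  # report each DLL once
                seen_lsp.add(dll)
                findings.append(Finding("O10", "Winsock LSP DLL outside the Windows allowlist", dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.value:<22} {f.reason}")
```

Run on the sample it reports the proxy, the Google Update autorun under AppData and the three LSP DLLs; which of those are actually unwanted is the helper's call, made against the installed-programs list and the vendor of each file, not something the parser decides.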

Re: Unable to get rid of Adware

Post by Alander » July 18th, 2011, 5:16 pm

Hello, I am Alander :)

Welcome to the Malware Removal forums.

I would be glad to take a look at your log and help you with solving any malware problems.

DDS logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.

As I am still training, everything that I post to you, must be checked by an Admin or Moderator.

Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.


  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please download DDS by sUBs from one of the links below, save it to your Desktop (Note: It must be in this location).
Please disable any anti-malware program that will block scripts from running before running DDS.

  • Right-click on dds.scr and select "Run as administrator"... and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Unable to get rid of Adware

Post by balance » July 20th, 2011, 9:02 am

Thank you for your answer.

I did what you said.

dds.txt:
Code:
DDS (Ver_2011-07-14.01) - NTFS_x86 
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 1.6.0_13
Run by Max at 14:35:35 on 2011-07-20
Microsoft Windows 7 Starter   6.1.7600.0.1252.49.1031.18.1014.232 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\Program Files\Oceanis\SystemSetting\WallPaperAgent.exe
C:\windows\Explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\System32\AsusService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\windows\system32\conhost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\EeePC\CapsHook\CapsHook.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://asus.msn.com
uDefault_Page_URL = hxxp://asus.msn.com
uProxyServer = 208.98.45.3:52931
uProxyOverride = local
dURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
uWinlogon: Shell = c:\program files\oceanis\systemsetting\WallPaperAgent.exe
uRun: [Google Update] "c:\users\max\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
mRun: [CapsHook] AsusSender.exe c:\program files\eeepc\capshook\CapsHook.exe
mRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe autorun
mRun: [ASUS WebStorage] c:\program files\asus\asus webstorage\service\AsusWSService.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
mRun: [ASUSPRP] c:\program files\asus\aprp\APRP.EXE
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download with Xilisoft Download YouTube Video - c:\program files\xilisoft\download youtube video\upod_link.HTM
IE: Free YouTube Download - c:\users\max\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
LSP: %SystemRoot%\system32\PrxerDrv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 192.168.178.1
TCP: Interfaces\{3ECCDB74-CF09-4985-9509-A4F4D3F5757B} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{7C8B6C1D-ECBC-4C9D-9EDB-D4D1E2EBF25A} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{8D573591-5F0F-4AA7-8485-C2B0A52BDF89} : DHCPNameServer = 92.241.168.201 92.241.169.201
TCP: Interfaces\{B9BE2B73-BA22-4991-A294-27772E63497D} : DHCPNameServer = 192.168.178.1
TCP: Interfaces\{B9BE2B73-BA22-4991-A294-27772E63497D}\84F6473707F647D24585C4 : DHCPNameServer = 213.148.129.10 213.148.130.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg pku2u livessp
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\windows mail\WinMail.exe" OCInstallUserConfigOE
Hosts: 184.171.169.147 www.thebestspinner.com
Hosts: 184.171.169.147 thebestspinner.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\max\appdata\roaming\mozilla\firefox\profiles\u36emkf4.default\
FF - prefs.js: browser.startup.homepage - hxxp://whoer.net/extended
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\max\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-6-24 11520]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-27 66616]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-6-24 51712]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-4-24 550760]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-4-24 195944]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-4-24 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-4-24 19304]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-13 43944]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-2-20 39272]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-31 163328]
.
=============== Created Last 30 ================
.
2011-07-12 18:22:30	--------	d-----w-	c:\program files\Tweet Adder 3
2011-07-12 17:34:11	--------	d-----w-	c:\users\max\appdata\local\{BE0E75BB-2E68-4196-8CA6-8ACD9A6984E2}
2011-07-11 02:33:26	--------	d-----w-	c:\program files\PageRage
2011-07-11 02:33:20	--------	d-----w-	c:\programdata\Tarma Installer
2011-07-11 02:33:07	--------	d-----w-	c:\users\max\appdata\local\{358FC670-D49E-4FED-BF5A-20B5D19C1177}
2011-07-11 02:32:26	--------	d-----w-	c:\windows\$XNTUninstall643$
2011-07-10 19:30:32	--------	d-----w-	c:\users\max\appdata\local\{32F50E9B-DDB2-4E93-9432-EFCF657CD1B6}
2011-07-10 19:19:47	--------	d-----w-	c:\program files\MSECache
2011-07-10 13:55:45	--------	d-----w-	c:\program files\Oceanis
2011-07-10 02:47:57	--------	d-----w-	c:\users\max\appdata\local\Apple
2011-07-09 01:00:08	--------	d-----w-	c:\users\max\.thumbnails
2011-07-09 00:50:59	--------	d-----w-	c:\users\max\.gimp-2.6
2011-07-09 00:49:05	--------	d-----w-	c:\program files\GIMP-2.0
2011-07-06 11:25:36	--------	d-----w-	c:\program files\Apex Pacific
2011-07-01 08:42:29	2106216	----a-w-	c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-07-01 08:42:28	1998168	----a-w-	c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-29 06:33:05	1553920	----a-w-	c:\windows\system32\tquery.dll
2011-06-29 06:33:05	1401856	----a-w-	c:\windows\system32\mssrch.dll
2011-06-29 06:33:03	666624	----a-w-	c:\windows\system32\mssvp.dll
2011-06-29 06:33:03	428032	----a-w-	c:\windows\system32\SearchIndexer.exe
2011-06-29 06:33:03	337408	----a-w-	c:\windows\system32\mssph.dll
2011-06-29 06:33:03	164352	----a-w-	c:\windows\system32\SearchProtocolHost.exe
2011-06-29 06:33:02	86528	----a-w-	c:\windows\system32\SearchFilterHost.exe
2011-06-29 06:33:02	59392	----a-w-	c:\windows\system32\msscntrs.dll
2011-06-29 06:33:02	197120	----a-w-	c:\windows\system32\mssphtb.dll
2011-06-29 06:32:10	294912	----a-w-	c:\windows\system32\umpnpmgr.dll
2011-06-21 22:12:27	--------	d-----w-	c:\users\max\appdata\local\PDF24
.
==================== Find3M  ====================
.
2011-06-28 16:32:29	66616	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2011-06-11 02:37:19	2332672	----a-w-	c:\windows\system32\win32k.sys
2011-06-02 05:59:55	169984	----a-w-	c:\windows\system32\winsrv.dll
2011-06-02 05:58:05	290816	----a-w-	c:\windows\system32\KernelBase.dll
2011-06-02 05:55:31	271872	----a-w-	c:\windows\system32\conhost.exe
2011-06-02 03:45:49	6144	---ha-w-	c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-06-02 03:45:49	4608	---ha-w-	c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-02 03:45:49	3584	---ha-w-	c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-06-02 03:45:49	3072	---ha-w-	c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-05-28 03:00:02	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2011-05-04 02:43:59	222720	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:43:48	96256	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-05-04 02:43:41	123392	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-05-03 04:50:29	740864	----a-w-	c:\windows\system32\inetcomm.dll
2011-04-29 02:57:34	311296	----a-w-	c:\windows\system32\drivers\srv.sys
2011-04-29 02:57:21	309760	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-04-29 02:57:13	114176	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-04-28 03:29:32	60416	----a-w-	c:\windows\system32\drivers\BTHUSB.SYS
2011-04-28 03:29:32	393216	----a-w-	c:\windows\system32\drivers\bthport.sys
2011-04-27 02:33:46	78336	----a-w-	c:\windows\system32\drivers\dfsc.sys
2011-04-25 04:56:06	1286016	----a-w-	c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:35:40	338944	----a-w-	c:\windows\system32\drivers\afd.sys
2011-04-22 19:36:05	26496	----a-w-	c:\windows\system32\drivers\Diskdump.sys
2011-04-22 19:31:50	981504	----a-w-	c:\windows\system32\wininet.dll
2011-04-22 19:31:26	44544	----a-w-	c:\windows\system32\licmgr10.dll
2011-04-22 18:23:59	386048	----a-w-	c:\windows\system32\html.iec
2006-05-03 10:06:54	163328	--sha-r-	c:\windows\system32\flvDX.dll
2007-02-21 11:47:16	31232	--sha-r-	c:\windows\system32\msfDX.dll
2008-03-16 13:30:52	216064	--sha-r-	c:\windows\system32\nbDX.dll
.
============= FINISH: 14:37:53,61 ===============


attach.txt:
Code:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-07-14.01)
.
Microsoft Windows 7 Starter 
Boot Device: \Device\HarddiskVolume1
Install Date: 19.11.2010 19:46:37
System Uptime: 20.07.2011 13:35:30 (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | 1001PX
Processor: Intel(R) Atom(TM) CPU N450   @ 1.66GHz | CPU 1 | 1667/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 100 GiB total, 69,125 GiB free.
D: is FIXED (NTFS) - 118 GiB total, 117,774 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP92: 10.07.2011 04:49:54 - Installed QuickTime
RP93: 10.07.2011 21:20:19 - Microsoft PowerPoint Viewer wird installiert
RP94: 12.07.2011 03:00:24 - Windows Update
RP95: 12.07.2011 20:21:22 - Installed Tweet Adder 3
RP96: 14.07.2011 03:00:30 - Windows Update
RP97: 15.07.2011 02:10:57 - Removed FBP - Facebook Blaster Pro
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1 MUI
AIM 7
Apple Application Support
Apple Software Update
Article Marketing Robot
ASUS VIBE
ASUS WebStorage
ASUSUpdate for Eee PC
Atheros Client Installation Program
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Auto Blog Samurai
Avira AntiVir Personal - Free Antivirus
Boingo Wi-Fi
CapsHook
CCleaner
Chicken Invaders 2
D3DX10
Download Updater (AOL LLC)
Dupli Find 6.0
E-Cam
ebi.BookReader3J
Eee Docking 3.7.0
EeeSplendid
FileZilla Client 3.2.7.1
FLV Player 2.0 (build 25)
FontResizer
Game Park Console
GIMP 2.6.11
Google Chrome
Hotkey Service
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java(TM) 6 Update 13
JDownloader
Junk Mail filter update
LiveUpdate
LocaleMe
Market Samurai
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile DEU Language Pack
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office Klick-und-Los 2010
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Starter 2010 - Deutsch
Microsoft PowerPoint Viewer
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 5.0 (x86 de)
MSVCRT
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
Oceanis Change Background Windows 7
OnlyWire
OpenVPN 2.1.1
PageRage 1.10.01
Pidgin
Proxifier version 2.91
Ralink RT2860 Wireless LAN Card
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
SENukeUpdate
SERPAttacks
Skype™ 4.2
Street-Ads Browser Enhancer
SUPER © v2011.build.47 (March 12, 2011) Version v2011.build.47
Super Hybrid Engine
Synaptics Pointing Device Driver
Times Reader
Traffic Travis 3.3.14
TrueCrypt
Tube Toolbox
Tweet Adder 3
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Video Shadow 1
viewet
WampServer 2.1
Windows Driver Package - Broadcom Bluetooth  (07/17/2009 6.2.0.9403)
Windows Driver Package - Broadcom Bluetooth  (07/29/2009 6.1.7100.0)
Windows Driver Package - Broadcom HIDClass  (07/28/2009 6.2.0.9800)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Fotogalerie
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinHTTrack Website Copier 3.44-1
WinRAR
xGen SEO
Xilisoft Download YouTube Video
Xilisoft PowerPoint to Video Converter Free
.
==== End Of File ===========================
balance
Active Member
 
Posts: 8
Joined: July 15th, 2011, 10:38 am

Re: Unable to get rid of Adware

Post by Alander » July 21st, 2011, 1:21 pm

Hi, is this machine used for business activities, such as software development?
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Unable to get rid of Adware

Post by balance » July 21st, 2011, 2:15 pm

No. This is my personal Laptop. I do some SEO, but that's it. No business activities.
balance
Active Member
 
Posts: 8
Joined: July 15th, 2011, 10:38 am

Re: Unable to get rid of Adware

Post by Alander » July 22nd, 2011, 5:54 pm

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Unable to get rid of Adware

Unread postby balance » July 23rd, 2011, 2:42 pm

Hi!

Combofix.txt:
Code:
ComboFix 11-07-23.03 - Max 23.07.2011  18:44:01.1.2 - x86
Microsoft Windows 7 Starter   6.1.7600.0.1252.49.1031.18.1014.296 [GMT 2:00]
ausgeführt von:: c:\users\Max\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
C:\Recycle.Bin
c:\recycle.bin\config.bin
c:\users\Max\AppData\Local\{358FC670-D49E-4FED-BF5A-20B5D19C1177}
c:\users\Max\AppData\Local\{358FC670-D49E-4FED-BF5A-20B5D19C1177}\chrome.manifest
c:\users\Max\AppData\Local\{358FC670-D49E-4FED-BF5A-20B5D19C1177}\chrome\content\_cfg.js
c:\users\Max\AppData\Local\{358FC670-D49E-4FED-BF5A-20B5D19C1177}\chrome\content\overlay.xul
c:\users\Max\AppData\Local\{358FC670-D49E-4FED-BF5A-20B5D19C1177}\install.rdf
c:\users\Max\AppData\Roaming\EurekaLog
c:\users\Max\AppData\Roaming\Microsoft\Windows\Recent\Penthesilea Profit Package - The Best - If you are focusing your efforts on making money with Amazon then you have probably been scouring the Internet for the.url
c:\windows\$xntuninstall643$
c:\windows\$xntuninstall643$\apUninstall.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-06-23 bis 2011-07-23  ))))))))))))))))))))))))))))))
.
.
2011-07-23 16:58 . 2011-07-23 16:58	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-21 13:36 . 2009-03-04 21:22	124688	----a-w-	c:\windows\system32\MSWINSCK.OCX
2011-07-21 13:36 . 2011-07-21 13:36	--------	d-----w-	c:\program files\IndexBear.com Index Checker
2011-07-21 13:36 . 2003-10-27 12:06	140488	----a-w-	c:\windows\system32\comdlg32.ocx
2011-07-21 10:43 . 2011-07-21 10:44	--------	d-----w-	c:\users\Administrator
2011-07-12 18:22 . 2011-07-12 18:22	--------	d-----w-	c:\program files\Tweet Adder 3
2011-07-11 02:33 . 2011-07-11 02:33	--------	d-----w-	c:\program files\PageRage
2011-07-10 19:19 . 2011-07-10 19:19	--------	d-----w-	c:\program files\MSECache
2011-07-10 13:55 . 2011-07-10 13:55	--------	d-----w-	c:\program files\Oceanis
2011-07-10 02:48 . 2011-07-10 02:48	--------	d-----w-	c:\program files\Common Files\Apple
2011-07-10 02:47 . 2011-07-10 02:47	--------	d-----w-	c:\users\Max\AppData\Local\Apple
2011-07-10 02:47 . 2011-07-10 02:47	--------	d-----w-	c:\program files\Apple Software Update
2011-07-10 02:47 . 2011-07-10 02:47	--------	d-----w-	c:\programdata\Apple
2011-07-09 01:00 . 2011-07-09 01:00	--------	d-----w-	c:\users\Max\.thumbnails
2011-07-09 00:50 . 2011-07-12 22:57	--------	d-----w-	c:\users\Max\.gimp-2.6
2011-07-09 00:49 . 2011-07-09 00:49	--------	d-----w-	c:\program files\GIMP-2.0
2011-07-06 11:25 . 2011-07-06 11:25	--------	d-----w-	c:\program files\Apex Pacific
2011-07-01 08:42 . 2011-07-01 08:42	2106216	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-01 08:42 . 2011-07-01 08:42	1998168	----a-w-	c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-29 06:33 . 2011-05-04 04:53	1553920	----a-w-	c:\windows\system32\tquery.dll
2011-06-29 06:33 . 2011-05-04 04:52	1401856	----a-w-	c:\windows\system32\mssrch.dll
2011-06-29 06:33 . 2011-05-04 04:52	666624	----a-w-	c:\windows\system32\mssvp.dll
2011-06-29 06:33 . 2011-05-04 04:52	337408	----a-w-	c:\windows\system32\mssph.dll
2011-06-29 06:33 . 2011-05-04 04:52	428032	----a-w-	c:\windows\system32\SearchIndexer.exe
2011-06-29 06:33 . 2011-05-04 04:52	164352	----a-w-	c:\windows\system32\SearchProtocolHost.exe
2011-06-29 06:33 . 2011-05-04 04:52	59392	----a-w-	c:\windows\system32\msscntrs.dll
2011-06-29 06:33 . 2011-05-04 04:52	197120	----a-w-	c:\windows\system32\mssphtb.dll
2011-06-29 06:33 . 2011-05-04 04:52	86528	----a-w-	c:\windows\system32\SearchFilterHost.exe
2011-06-29 06:32 . 2011-05-24 10:35	294912	----a-w-	c:\windows\system32\umpnpmgr.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-28 16:32 . 2011-04-27 19:27	66616	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2011-06-28 16:32 . 2011-04-27 19:27	138192	----a-w-	c:\windows\system32\drivers\avipbb.sys
2011-05-28 03:00 . 2011-06-16 10:04	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2011-05-12 14:06 . 2010-06-24 10:33	18328	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-04 02:43 . 2011-06-16 09:58	222720	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:43 . 2011-06-16 09:58	96256	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-05-04 02:43 . 2011-06-16 09:58	123392	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-05-03 04:50 . 2011-06-16 10:00	740864	----a-w-	c:\windows\system32\inetcomm.dll
2011-04-29 02:57 . 2011-06-16 10:00	311296	----a-w-	c:\windows\system32\drivers\srv.sys
2011-04-29 02:57 . 2011-06-16 10:00	309760	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-04-29 02:57 . 2011-06-16 10:00	114176	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:33 . 2011-06-16 10:00	78336	----a-w-	c:\windows\system32\drivers\dfsc.sys
2011-04-25 04:56 . 2011-06-16 10:00	1286016	----a-w-	c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:35 . 2011-06-16 10:00	338944	----a-w-	c:\windows\system32\drivers\afd.sys
2011-07-01 08:42 . 2011-04-21 16:52	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06	163328	--sha-r-	c:\windows\System32\flvDX.dll
2007-02-21 11:47	31232	--sha-r-	c:\windows\System32\msfDX.dll
2008-03-16 13:30	216064	--sha-r-	c:\windows\System32\nbDX.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"HotkeyMon"="AsusSender.exe" [2010-03-03 29184]
"HotkeyService"="AsusSender.exe" [2010-03-03 29184]
"SuperHybridEngine"="AsusSender.exe" [2010-03-03 29184]
"CapsHook"="AsusSender.exe" [2010-03-03 29184]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2010-03-29 415920]
"ASUS WebStorage"="c:\program files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe" [2010-03-16 1754448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-22 173592]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-06-22 9177632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-13 1594664]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-11-19 2429]
"ASUSPRP"="c:\program files\ASUS\APRP\APRP.EXE" [2010-06-24 2018032]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2010-04-13 83240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-13 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2005-01-31 163328]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-06-21 11520]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2010-04-13 51712]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 550760]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 195944]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
Inhalt des "geplante Tasks" Ordners
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3563985660-3096077780-4205837149-1000Core.job
- c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-28 15:35]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3563985660-3096077780-4205837149-1000UA.job
- c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-28 15:35]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://asus.msn.com
uInternet Settings,ProxyServer = 208.98.45.3:52931
uInternet Settings,ProxyOverride = local
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: Free YouTube Download - c:\users\Max\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
LSP: %SystemRoot%\system32\PrxerDrv.dll
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Max\AppData\Roaming\Mozilla\Firefox\Profiles\u36emkf4.default\
FF - prefs.js: browser.startup.homepage - hxxp://whoer.net/extended
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
AddRemove-$XNTUninstall643$ - c:\windows\$XNTUninstall643$\apUninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bb,23,e4,64,ee,bb,7b,4d,ad,02,42,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bb,23,e4,64,ee,bb,7b,4d,ad,02,42,\
.
[HKEY_USERS\S-1-5-21-3563985660-3096077780-4205837149-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3563985660-3096077780-4205837149-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(2320)
c:\progra~1\ASUS\ASUSWE~1\service\ASUSWS~1.DLL
.
Zeit der Fertigstellung: 2011-07-23  19:06:25
ComboFix-quarantined-files.txt  2011-07-23 17:06
.
Vor Suchlauf: 9 Verzeichnis(se), 75.612.942.336 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 75.455.819.776 Bytes frei
.
- - End Of File - - 821E302C72A68295FD4CDE7460E60B29
balance
Active Member
 
Posts: 8
Joined: July 15th, 2011, 10:38 am

Re: Unable to get rid of Adware

Unread postby Alander » July 25th, 2011, 1:00 pm

Hi, How is your computer doing?

Step 1
ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code:
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_USERS\S-1-5-21-3563985660-3096077780-4205837149-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    [HKEY_USERS\S-1-5-21-3563985660-3096077780-4205837149-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Copy/paste the ComboFix log file in your next reply.

Step 2
Upload File/Files for testing

Please go to jotti.org or Virustotal

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\msfDX.dll
C:\WINDOWS\system32\nbDX.dll

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address :

Repeat the procedure for each of the following files, you should come back with 3 results

Step 3
Uninstall Programs
I need you to uninstall some program(s).
  1. Click on Start...then... Click the Start Search box on the Start Menu.
  2. Copy and paste the value below, into the open text entry box:
    control appwiz.cpl
      Depending on your current view setting ...
    • Double click on Programs and Features.
    • Under Programs, click on Uninstall a program.
  3. Locate the following program(s):
    Adobe Reader 9.1 MUI
    Java(TM) 6 Update 13
    Street-Ads Browser Enhancer

  4. Select the program and click on Uninstall to uninstall it.
    Close the Control Panel window when you are done.


Step 4
Java SE Runtime Environment (JRE).

Please download from HERE
  • Find Java SE Runtime Environment (JRE) 6 Update 26.
  • Click the Download JRE button to the right.
  • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.

Step 5
Update Adobe Reader
  • You should Download and Install the newest version of Adobe Reader for reading pdf files.
  • Older versions may have vulnerabilities that malware can use to infect your system.
  • Go Here to download and install Adobe Reader X (10.0.1).
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Unable to get rid of Adware

Unread postby balance » July 26th, 2011, 2:00 pm

Hi!
Nearly everything worked perfectly, except Step 3.1 and Step 3.2.
When I paste "control appwiz.cpl", the computer finds nothing!

However, here comes the log and then the VirusTotal Scan!

LOG.TXT:
Code:
ComboFix 11-07-23.03 - Max 26.07.2011  19:22:21.2.2 - x86
Microsoft Windows 7 Starter   6.1.7600.0.1252.49.1031.18.1014.453 [GMT 2:00]
ausgeführt von:: c:\users\Max\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Max\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-06-26 bis 2011-07-26  ))))))))))))))))))))))))))))))
.
.
2011-07-26 17:36 . 2011-07-26 17:36	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-26 17:36 . 2011-07-26 17:36	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-21 13:36 . 2009-03-04 21:22	124688	----a-w-	c:\windows\system32\MSWINSCK.OCX
2011-07-21 13:36 . 2011-07-21 13:36	--------	d-----w-	c:\program files\IndexBear.com Index Checker
2011-07-21 13:36 . 2003-10-27 12:06	140488	----a-w-	c:\windows\system32\comdlg32.ocx
2011-07-21 10:43 . 2011-07-21 10:44	--------	d-----w-	c:\users\Administrator
2011-07-12 18:22 . 2011-07-12 18:22	--------	d-----w-	c:\program files\Tweet Adder 3
2011-07-11 02:33 . 2011-07-11 02:33	--------	d-----w-	c:\program files\PageRage
2011-07-10 19:19 . 2011-07-10 19:19	--------	d-----w-	c:\program files\MSECache
2011-07-10 13:55 . 2011-07-10 13:55	--------	d-----w-	c:\program files\Oceanis
2011-07-10 02:48 . 2011-07-10 02:48	--------	d-----w-	c:\program files\Common Files\Apple
2011-07-10 02:47 . 2011-07-10 02:47	--------	d-----w-	c:\users\Max\AppData\Local\Apple
2011-07-10 02:47 . 2011-07-10 02:47	--------	d-----w-	c:\program files\Apple Software Update
2011-07-10 02:47 . 2011-07-10 02:47	--------	d-----w-	c:\programdata\Apple
2011-07-09 01:00 . 2011-07-09 01:00	--------	d-----w-	c:\users\Max\.thumbnails
2011-07-09 00:50 . 2011-07-12 22:57	--------	d-----w-	c:\users\Max\.gimp-2.6
2011-07-09 00:49 . 2011-07-09 00:49	--------	d-----w-	c:\program files\GIMP-2.0
2011-07-06 11:25 . 2011-07-06 11:25	--------	d-----w-	c:\program files\Apex Pacific
2011-07-01 08:42 . 2011-07-01 08:42	2106216	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-01 08:42 . 2011-07-01 08:42	1998168	----a-w-	c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-29 06:33 . 2011-05-04 04:53	1553920	----a-w-	c:\windows\system32\tquery.dll
2011-06-29 06:33 . 2011-05-04 04:52	1401856	----a-w-	c:\windows\system32\mssrch.dll
2011-06-29 06:33 . 2011-05-04 04:52	666624	----a-w-	c:\windows\system32\mssvp.dll
2011-06-29 06:33 . 2011-05-04 04:52	337408	----a-w-	c:\windows\system32\mssph.dll
2011-06-29 06:33 . 2011-05-04 04:52	428032	----a-w-	c:\windows\system32\SearchIndexer.exe
2011-06-29 06:33 . 2011-05-04 04:52	164352	----a-w-	c:\windows\system32\SearchProtocolHost.exe
2011-06-29 06:33 . 2011-05-04 04:52	59392	----a-w-	c:\windows\system32\msscntrs.dll
2011-06-29 06:33 . 2011-05-04 04:52	197120	----a-w-	c:\windows\system32\mssphtb.dll
2011-06-29 06:33 . 2011-05-04 04:52	86528	----a-w-	c:\windows\system32\SearchFilterHost.exe
2011-06-29 06:32 . 2011-05-24 10:35	294912	----a-w-	c:\windows\system32\umpnpmgr.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-28 16:32 . 2011-04-27 19:27	66616	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2011-06-28 16:32 . 2011-04-27 19:27	138192	----a-w-	c:\windows\system32\drivers\avipbb.sys
2011-05-28 03:00 . 2011-06-16 10:04	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2011-05-12 14:06 . 2010-06-24 10:33	18328	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-04 02:43 . 2011-06-16 09:58	222720	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:43 . 2011-06-16 09:58	96256	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-05-04 02:43 . 2011-06-16 09:58	123392	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-05-03 04:50 . 2011-06-16 10:00	740864	----a-w-	c:\windows\system32\inetcomm.dll
2011-04-29 02:57 . 2011-06-16 10:00	311296	----a-w-	c:\windows\system32\drivers\srv.sys
2011-04-29 02:57 . 2011-06-16 10:00	309760	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-04-29 02:57 . 2011-06-16 10:00	114176	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-07-01 08:42 . 2011-04-21 16:52	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06	163328	--sha-r-	c:\windows\System32\flvDX.dll
2007-02-21 11:47	31232	--sha-r-	c:\windows\System32\msfDX.dll
2008-03-16 13:30	216064	--sha-r-	c:\windows\System32\nbDX.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"HotkeyMon"="AsusSender.exe" [2010-03-03 29184]
"HotkeyService"="AsusSender.exe" [2010-03-03 29184]
"SuperHybridEngine"="AsusSender.exe" [2010-03-03 29184]
"CapsHook"="AsusSender.exe" [2010-03-03 29184]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2010-03-29 415920]
"ASUS WebStorage"="c:\program files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe" [2010-03-16 1754448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-22 173592]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-06-22 9177632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-13 1594664]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-11-19 2429]
"ASUSPRP"="c:\program files\ASUS\APRP\APRP.EXE" [2010-06-24 2018032]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2010-04-13 83240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-13 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2005-01-31 163328]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-06-21 11520]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2010-04-13 51712]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 550760]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 195944]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
Inhalt des "geplante Tasks" Ordners
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3563985660-3096077780-4205837149-1000Core.job
- c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-28 15:35]
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3563985660-3096077780-4205837149-1000UA.job
- c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-28 15:35]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://asus.msn.com
uInternet Settings,ProxyServer = 208.98.45.3:52931
uInternet Settings,ProxyOverride = local
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: Free YouTube Download - c:\users\Max\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
LSP: %SystemRoot%\system32\PrxerDrv.dll
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Max\AppData\Roaming\Mozilla\Firefox\Profiles\u36emkf4.default\
FF - prefs.js: browser.startup.homepage - hxxp://whoer.net/extended
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(5116)
c:\progra~1\ASUS\ASUSWE~1\service\ASUSWS~1.DLL
.
Zeit der Fertigstellung: 2011-07-26  19:42:31
ComboFix-quarantined-files.txt  2011-07-26 17:42
ComboFix2.txt  2011-07-23 17:06
.
Vor Suchlauf: 12 Verzeichnis(se), 76.243.419.136 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 76.062.314.496 Bytes frei
.
- - End Of File - - 7FD6691DD85232337AB5ACF672BF30AE



VIRUSTOTAL SCANS:
C:\WINDOWS\system32\flvDX.dll
http://www.virustotal.com/file-scan/rep ... 1311701692

C:\WINDOWS\system32\msfDX.dll
http://www.virustotal.com/file-scan/rep ... 1311701702

C:\WINDOWS\system32\nbDX.dll
http://www.virustotal.com/file-scan/rep ... 1311701735


Thanks in Advance
balance
Active Member
 
Posts: 8
Joined: July 15th, 2011, 10:38 am

Re: Unable to get rid of Adware

Unread postby Alander » July 29th, 2011, 3:43 am

Hi, did you set the proxy with IP address 208.98.45.3 on port 52931 (Check your proxifier settings)?

Step 1. You can skip these if you already have done so.
Uninstall Programs
  1. Click on Start...then...
    Go to Control Panel and then Click on Programs
      Depending on your current view setting ...
    • Double click on Programs and Features.
    • Under Programs, click on Uninstall a program.
  2. Locate the following program(s):
    Adobe Reader 9.1 MUI
    Java(TM) 6 Update 13
    Street-Ads Browser Enhancer

  3. Select the program and click on Uninstall to uninstall it.
  4. Repeat steps 3 - 4 for each program in the list. When finished... Close the Control Panel window.

Step 2.
ATF Cleaner
Please download ATF Cleaner ... by Atribune. Alternate download site: here.
It does not require any installation and uses minimal system resources.
It is set up to clean IE, FireFox and Opera, detecting the browsers you have and grays out the other(s).

  1. Double-click ATF-Cleaner.exe to run the program.
  2. Under Main choose: Select All
    Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  3. Click the Empty Selected button.
      If you use Firefox browser
    • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
    • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use Opera browser
    • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
    • Click the Empty Selected button.
      NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
  4. Reply OK to the total bytes removed...box, then click Exit on the Main menu to close the program.

Step 3.
Please disable your Anti Virus AND Anti Spywares Programs before running this scan

Step 4
ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner
  • Then click on Run ESET Online Scanner
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on Start.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Unable to get rid of Adware

Unread postby balance » July 31st, 2011, 2:46 am

Hello!

did you set the proxy with IP address 208.98.45.3 on port 52931 (Check your proxifier settings)?

No I didn't! I checked Proxifier and there's no entry with 208.98.45.3:52931.

Still trying to get rid of "Street-Ads Browser Enhancer", but actually I'm still not able to find it! Not in the Control Panel, nor in the Programs folder, nor via the Search function :(

ESET FOUND THREATS:
Code: Select all
C:\Program Files\PageRage\YontooIEClient.dll	Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir	Win32/Adware.Yontoo.B application
C:\Users\Max\Downloads\ChilkatHttp.dll	a variant of Win32/Packed.Enigma.AAA trojan
C:\Users\Max\Downloads\loader.zip	a variant of Win32/Packed.Themida application
C:\Users\Max\Downloads\setup_2.rar	a variant of Win32/Packed.Enigma.AAA trojan
C:\Users\Max\Downloads\SUPERsetup47.exe	Win32/OpenCandy application
C:\Users\Max\Downloads\x-download-youtube-video2-25de.exe	Win32/Toolbar.Zugo application
C:\Users\Max\Downloads\x-powerpoint-to-video-converter-free.exe	Win32/Toolbar.Zugo application



Thanks in Advance and have a good day
balance
Active Member
 
Posts: 8
Joined: July 15th, 2011, 10:38 am

Re: Unable to get rid of Adware

Unread postby Alander » July 31st, 2011, 8:57 am

Hi Balance, can you please post the full log of the ESET scan?

Please do not cut off the log files.
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Unable to get rid of Adware

Unread postby balance » August 2nd, 2011, 12:05 pm

Did another ESET Scan, this is the full log:

Code: Select all
C:\Program Files\PageRage\YontooIEClient.dll	Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir	Win32/Adware.Yontoo.B application
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-11767.html	HTML/ScrInject.B.Gen virus
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-11900.html	HTML/ScrInject.B.Gen virus
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-1704.html	HTML/ScrInject.B.Gen virus
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-4-4513.html	HTML/IFrame.J trojan
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-4-5042.html	HTML/ScrInject.B.Gen virus
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-4-8768.html	HTML/Agent.G trojan
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-4126.html	HTML/IFrame.J trojan
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-4513.html	HTML/IFrame.J trojan
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-5042.html	HTML/ScrInject.B.Gen virus
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-7399.html	HTML/ScrInject.B.Gen virus
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-8768.html	HTML/Agent.G trojan
C:\Users\Max\AppData\Roaming\Article Marketing Robot\results\webmaster@what-is-the-best-gps.info-8865.html	HTML/Iframe.B.Gen virus
C:\Users\Max\Downloads\ChilkatHttp.dll	a variant of Win32/Packed.Enigma.AAA trojan
C:\Users\Max\Downloads\loader.zip	a variant of Win32/Packed.Themida application
C:\Users\Max\Downloads\setup_2.rar	a variant of Win32/Packed.Enigma.AAA trojan
C:\Users\Max\Downloads\SUPERsetup47.exe	Win32/OpenCandy application
C:\Users\Max\Downloads\x-download-youtube-video2-25de.exe	Win32/Toolbar.Zugo application
C:\Users\Max\Downloads\x-powerpoint-to-video-converter-free.exe	Win32/Toolbar.Zugo application

balance
Active Member
 
Posts: 8
Joined: July 15th, 2011, 10:38 am

Re: Unable to get rid of Adware

Unread postby Alander » August 4th, 2011, 1:26 pm

Hi,

Step 1.

The programs listed below are bundled with adware, so let's remove them.
Uninstall Programs

  1. Click on Start...then...
    Go to Control Panel and then Click on Programs
      Depending on your current view setting ...
    • Double click on Programs and Features.
    • Under Programs, click on Uninstall a program.
  2. Locate the following program(s):
    Article Marketing Robot
    PageRage 1.10.01
    Xilisoft Download YouTube Video
    Xilisoft PowerPoint to Video Converter Free
  3. Select the program and click on Uninstall to uninstall it.
  4. Repeat steps 3 - 4 for each program in the list. When finished... Close the Control Panel window

Step 2.
ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
    Folder::
    C:\Program Files\PageRage
    C:\Users\Max\AppData\Roaming\Article Marketing Robot
    c:\program files\xilisoft
    c:\users\max\appdata\roaming\dvdvideosoftiehelpers
    
    File::
    C:\Users\Max\Downloads\ChilkatHttp.dll   
    C:\Users\Max\Downloads\loader.zip   
    C:\Users\Max\Downloads\setup_2.rar 
    C:\Users\Max\Downloads\SUPERsetup47.exe 
    C:\Users\Max\Downloads\x-download-youtube-video2-25de.exe 
    C:\Users\Max\Downloads\x-powerpoint-to-video-converter-free.exe   
    
    DDS::
    uProxyServer = 208.98.45.3:52931
    dURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
    IE: Download with Xilisoft Download YouTube Video - c:\program files\xilisoft\download youtube video\upod_link.HTM
    IE: Free YouTube Download - c:\users\max\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore
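As an added example (not code from this thread, and not part of ESET or ComboFix): a small Python script that reads the tab-separated lines of an ESET Online Scanner log and turns them into the Folder:: and File:: sections in the CFScript layout Alander posted above. The sample log lines are constructed from the detections balance posted; the BUNDLED_DIRS list, which decides when a whole program folder rather than a single file is scripted, is an assumption made for this example.

```python
"""Build ComboFix CFScript sections from ESET Online Scanner log lines."""
from pathlib import PureWindowsPath

# Constructed sample: four lines taken from the ESET log in this thread.
# ESET separates the path from the detection name with a single tab.
ESET_LOG = (
    "C:\\Program Files\\PageRage\\YontooIEClient.dll\t"
    "Win32/Adware.Yontoo.A application\n"
    "C:\\Qoobox\\Quarantine\\C\\ProgramData\\Tarma Installer\\_Setupx.dll.vir\t"
    "Win32/Adware.Yontoo.B application\n"
    "C:\\Users\\Max\\AppData\\Roaming\\Article Marketing Robot\\results\\x.html\t"
    "HTML/ScrInject.B.Gen virus\n"
    "C:\\Users\\Max\\Downloads\\ChilkatHttp.dll\t"
    "a variant of Win32/Packed.Enigma.AAA trojan\n"
)

# Assumption for this example: programs whose whole install/data folder
# should go into Folder:: (matches what Alander scripted in the thread).
BUNDLED_DIRS = ("PageRage", "Article Marketing Robot")


def parse_eset_log(text):
    """Return a list of (path, detection) pairs from ESET log text."""
    findings = []
    for line in text.splitlines():
        if "\t" not in line:          # skip headers or blank lines
            continue
        path, detection = line.split("\t", 1)
        findings.append((path.strip(), detection.strip()))
    return findings


def build_cfscript(findings):
    """Group findings into CFScript Folder:: and File:: sections."""
    folders, files = [], []
    for path, _detection in findings:
        parts = PureWindowsPath(path).parts
        # C:\Qoobox is ComboFix's own quarantine: already handled, skip it.
        if len(parts) > 1 and parts[1].lower() == "qoobox":
            continue
        hit = next((i for i, p in enumerate(parts) if p in BUNDLED_DIRS), None)
        if hit is not None:
            folder = str(PureWindowsPath(*parts[: hit + 1]))
            if folder not in folders:
                folders.append(folder)
        elif path not in files:
            files.append(path)
    return ("Folder::\n" + "\n".join(folders) + "\n\n"
            "File::\n" + "\n".join(files) + "\n")


if __name__ == "__main__":
    print(build_cfscript(parse_eset_log(ESET_LOG)))
```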

Re: Unable to get rid of Adware

Unread postby Alander » August 6th, 2011, 6:15 pm

3 Day Response
Hi...
It has been 2 days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
After 24 hrs., if you have not replied to this thread... it will be closed!
Alander
Regular Member
 
Posts: 1603
Joined: September 15th, 2007, 2:04 pm
Location: Singapore