


shinysideup
2011-10-14, 04:11
Help removing Google Redirect virus?

Hi,

I noticed my searches were leading to spammy sites and I noticed an odd IP address at the head of them (or sometimes the get-answers-fast.com domain).

After doing some research, I found a recommendation to try the Free Virus Remover at Symantec. It didn't find the virus.

Through more research, I wound up searching through my registry for particular entries and searching the system for files (such as sstray.exe)...but nothing was found. No files, no registry entries.

I've also immunized and scanned my system with Spybot S&D today and it only found a couple random tracker cookies. It "fixed" them without issue, but I updated before doing this.

No luck, so I need to ask for an assist.

I've backed up my registry and run DDS. Here are both the log file contents and attachment. Tea-timer is disabled.

Really hoping someone can help! Anyway, thanks in advance for at least reading. :)

dds.txt
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by John Alan at 18:48:59 on 2011-10-13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5505 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files (x86)\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [V0510Mon.exe] C:\Windows\V0510Mon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ClickPotatoLiteSA] "C:\Program Files (x86)\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{6EC0F224-EF5E-49E6-8A9B-1A93AA941275} : DhcpNameServer = 192.168.0.1 205.171.3.25
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
BHO-X64: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
BHO-X64: Video Downloader BHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [V0510Mon.exe] C:\Windows\V0510Mon.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [ClickPotatoLiteSA] "C:\Program Files (x86)\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - plugin: C:\ProgramData\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: C:\Users\John Alan\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 FixTDSS;TDSS Fixtool driver;C:\Windows\system32\drivers\FixTDSS.sys --> C:\Windows\system32\drivers\FixTDSS.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
S2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 PaceLicenseDServices;PACE License Services;C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2010-11-8 2647552]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-10-3 1153368]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-11 89920]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-10-28 1038088]
S3 gupdate1ca5ac954b0d243;Google Update Service (gupdate1ca5ac954b0d243);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-11-1 133104]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-11-1 133104]
S3 iLokDrvr;Usb Driver;C:\Windows\system32\DRIVERS\iLokDrvr.sys --> C:\Windows\system32\DRIVERS\iLokDrvr.sys [?]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys --> C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 V0510Dev;Rocketfish Webcam VF0510 Driver;C:\Windows\system32\DRIVERS\V0510Vid.sys --> C:\Windows\system32\DRIVERS\V0510Vid.sys [?]
S3 V0510Vfx;Rocketfish Webcam VF0510 Video VFX Driver;C:\Windows\system32\DRIVERS\V0510Vfx.sys --> C:\Windows\system32\DRIVERS\V0510Vfx.sys [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S3 VST64_DPV;VST64_DPV;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 VST64HWBS2;VST64HWBS2;C:\Windows\system32\DRIVERS\VSTBS26.SYS --> C:\Windows\system32\DRIVERS\VSTBS26.SYS [?]
S4 ahcix64s;ahcix64s;C:\Windows\system32\drivers\ahcix64s.sys --> C:\Windows\system32\drivers\ahcix64s.sys [?]
S4 nosGetPlusHelper;getPlus(R) Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-10-13 20:53:28 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{691D976D-4693-4CDF-8A15-C6693CFDE279}\offreg.dll
2011-10-13 18:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-13 16:46:39 9049936 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{691D976D-4693-4CDF-8A15-C6693CFDE279}\mpengine.dll
2011-10-13 16:38:00 876032 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-10-13 16:38:00 1653760 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-10-13 16:37:57 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-10-13 16:37:57 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-10-13 16:29:01 -------- d-----w- C:\Users\John Alan\AppData\Local\NPE
2011-10-13 16:29:00 -------- d-----w- C:\ProgramData\Norton
2011-10-13 16:19:08 27256 ----a-w- C:\Windows\System32\drivers\FixTDSS.sys
2011-10-13 16:19:08 -------- d-----w- C:\Users\John Alan\AppData\Roaming\FixTDSS
2011-10-13 00:10:46 -------- d-----w- C:\ProgramData\PC Tools
2011-10-12 19:09:29 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2011-10-12 18:56:50 -------- d-----w- C:\Users\John Alan\AppData\Roaming\f-secure
2011-10-12 18:56:38 -------- d-----w- C:\ProgramData\F-Secure
2011-10-09 23:25:59 -------- d-----w- C:\Users\John Alan\AppData\Local\Deployment
.
==================== Find3M ====================
.
2011-10-05 18:24:07 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-06 13:56:50 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
2011-07-29 16:08:29 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-07-29 16:08:27 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-07-29 16:06:52 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-07-29 16:06:42 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-07-29 16:01:34 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-07-29 16:01:33 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-07-29 16:00:14 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
2011-07-29 16:00:05 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
.
============= FINISH: 18:49:26.93 ===============
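As an added illustration (not code from this thread, from DDS, or from any tool used here), the Python below pulls from a log in the DDS "Pseudo HJT Report" format the items a helper reads first: whether an AV: line is present alongside SP:/FW:, BHO and toolbar registrations with no file behind them, autorun entries, DNS servers outside private ranges, and hosts-file overrides. The sample lines are constructed from this log's format, and every flag is a review item for a human, not a verdict.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Hypothetical helper: it is not part of DDS or of any tool in the thread.
It splits 'Prefix: payload' lines and surfaces the entries a malware-removal
helper checks first. Nothing here modifies the system.
"""
import ipaddress
import re

# Constructed sample, modelled on the Pseudo HJT lines of the DDS log above.
SAMPLE_LOG = r"""
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
TB: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
mRun: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
mRun: [ClickPotatoLiteSA] "C:\Program Files (x86)\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe"
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# A CLSID is 32 hex digits and 4 hyphens inside braces (8-4-4-4-12).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Autorun payloads look like: [Name] "C:\path\to\program.exe" args
AUTORUN_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)")


def parse_hjt(text):
    """Group 'Prefix: payload' lines into {prefix: [payload, ...]}.

    Lines without a 'prefix: ' shape (process paths, file listings, section
    banners) are skipped, so the whole DDS log can be fed in unchanged.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ": " not in line:
            continue
        prefix, payload = line.split(": ", 1)
        entries.setdefault(prefix, []).append(payload)
    return entries


def triage(text):
    """Return a list of (kind, detail) review items for a helper to look at."""
    e = parse_hjt(text)
    findings = []

    # 1. DDS reports registered security products as AV:/SP:/FW: lines. With
    #    no AV: line, only anti-spyware and a firewall were registered.
    if not e.get("AV"):
        present = ", ".join(k for k in ("SP", "FW") if k in e)
        findings.append(("no-realtime-av", "no AV: line; present: " + present))

    # 2. BHO / toolbar registrations whose DLL is gone are orphans: leftover
    #    registry entries worth cleaning, but not proof of infection.
    for kind in ("BHO", "TB", "BHO-X64", "TB-X64"):
        for payload in e.get(kind, []):
            if payload.endswith(" - No File"):
                m = CLSID_RE.search(payload)
                findings.append(("orphan-" + kind.lower(), m.group(0) if m else payload))

    # 3. Every autorun (mRun, uRun, mRun-x64, ...) is listed for review.
    for kind in [k for k in e if "Run" in k]:
        for payload in e[kind]:
            m = AUTORUN_RE.match(payload)
            if m:
                findings.append(("autorun", f"{m['name']} -> {m['cmd']}"))

    # 4. DNS servers outside private ranges should be confirmed as the ISP's,
    #    since a changed resolver is one way searches get redirected.
    for payload in e.get("TCP", []):
        if "DhcpNameServer" in payload:
            for ip in payload.split("=", 1)[1].split():
                try:
                    if not ipaddress.ip_address(ip).is_private:
                        findings.append(("public-dns", ip))
                except ValueError:
                    findings.append(("bad-dns-entry", ip))

    # 5. Any hosts-file override DDS prints is shown for review.
    for payload in e.get("Hosts", []):
        findings.append(("hosts-override", payload))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```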

JonTom
2011-10-14, 19:51
Hello shinysideup and welcome

My name is JonTom

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


Before we begin I would like to see the report from the following scan:

aswMBR


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Right click the aswMBR.exe and select "Run as Administrator" to run it.
Click the "Scan" button to start scan.

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Please post the aswMBR log in your next reply :)

shinysideup
2011-10-14, 20:52
Hi JonTom,

...and thanks for the warm welcome. :) I appreciate your time and expertise and am not expecting a quick fix. I've subscribed to the thread to ensure timeliness on my end.

I've downloaded and run the aswMBR application you linked, but it's giving me a blue screen after I click "Scan" and I am unable to produce a log.

To make sure we're on the same page, these are the steps I followed:

1) downloaded the application and ran it elevated as admin
2) downloaded the updated definitions at the prompt
3) left the "Trace disk IO calls" box checked
4) clicked Scan*
* I tried both a quick scan and a C: scan with the same blue screen result.

In case it is helpful, I will note that the aswMBR does offer the expected several lines of text... OS version, # of processors, computer name, initialization success and the updated definitions.

I tried it several times -- both after starting Windows normally and in Safe Mode (with networking.) When Windows restarts (automatically after the blue screen) it gives me a dialog indicating the problem, so I expanded the details (from both a normal and safe mode crash) and have copied them to a text file, should you need them.

Thanks again for your patience, insight and assistance!!

JonTom
2011-10-14, 21:01
Hello shinysideup


> it's giving me a blue screen

That is known to happen from time to time.

Let's try this one instead:

MBRCheck


Please download MBRCheck by clicking here (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) and save it to your desktop.
Be sure to disable your security programs.
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter.
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file in your next reply.

shinysideup
2011-10-14, 21:13
That one worked. :) Here's the log. Because it was highlighted, I see that there is a new program installed to "Accessories" called Windows PowerShell... is this related to either one of the programs you recommended?



MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 546S
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 142):
0x02C61000 \SystemRoot\system32\ntoskrnl.exe
0x02C1B000 \SystemRoot\system32\hal.dll
0x00601000 \SystemRoot\system32\kdcom.dll
0x0060B000 \SystemRoot\system32\PSHED.dll
0x0061F000 \SystemRoot\system32\CLFS.SYS
0x0067C000 \SystemRoot\system32\CI.dll
0x0072E000 \SystemRoot\system32\drivers\FixTDSS.sys
0x0080F000 \SystemRoot\system32\drivers\Wdf01000.sys
0x008E9000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x008F7000 \SystemRoot\system32\drivers\acpi.sys
0x0094D000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00956000 \SystemRoot\system32\drivers\msisadrv.sys
0x00960000 \SystemRoot\system32\drivers\pci.sys
0x00990000 \SystemRoot\System32\drivers\partmgr.sys
0x009A5000 \SystemRoot\system32\drivers\volmgr.sys
0x00738000 \SystemRoot\System32\drivers\volmgrx.sys
0x009B9000 \SystemRoot\system32\drivers\pciide.sys
0x009C0000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x009D0000 \SystemRoot\System32\drivers\mountmgr.sys
0x009E3000 \SystemRoot\system32\drivers\atapi.sys
0x0079E000 \SystemRoot\system32\drivers\ataport.SYS
0x00A0F000 \SystemRoot\system32\drivers\fltmgr.sys
0x00A56000 \SystemRoot\system32\drivers\fileinfo.sys
0x00A6A000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x00A77000 \SystemRoot\System32\Drivers\ksecdd.sys
0x00C0C000 \SystemRoot\system32\drivers\ndis.sys
0x00AFE000 \SystemRoot\system32\drivers\msrpc.sys
0x00B4E000 \SystemRoot\system32\drivers\NETIO.SYS
0x00E00000 \SystemRoot\System32\drivers\tcpip.sys
0x00F74000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01004000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01184000 \SystemRoot\system32\drivers\volsnap.sys
0x011C8000 \SystemRoot\System32\Drivers\Tpkd.sys
0x011EB000 \SystemRoot\System32\Drivers\spldr.sys
0x00FA0000 \SystemRoot\System32\Drivers\mup.sys
0x00FB2000 \SystemRoot\System32\drivers\ecache.sys
0x00FDE000 \SystemRoot\system32\drivers\disk.sys
0x00DCF000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x011F3000 \SystemRoot\system32\drivers\crcdisk.sys
0x00BAF000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x00BB8000 \SystemRoot\system32\DRIVERS\processr.sys
0x0420A000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x048BD000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x049A0000 \SystemRoot\System32\drivers\watchdog.sys
0x04A09000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04AF6000 \SystemRoot\system32\DRIVERS\Rtlh64.sys
0x04B47000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x04B63000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x04B6E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x04BB4000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04C0A000 \SystemRoot\system32\DRIVERS\VSTBS26.SYS
0x04C74000 \SystemRoot\system32\DRIVERS\ks.sys
0x04E07000 \SystemRoot\system32\DRIVERS\VSTDPV6.SYS
0x04CA8000 \SystemRoot\system32\DRIVERS\VSTCNXT6.SYS
0x04F85000 \SystemRoot\system32\drivers\modem.sys
0x04F94000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x04D6F000 \SystemRoot\system32\DRIVERS\storport.sys
0x04FCD000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x04FDA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04DCC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04BC5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04DD8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x049B0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04DE8000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x049CE000 \SystemRoot\system32\DRIVERS\termdd.sys
0x049E1000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x049EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04FFD000 \SystemRoot\system32\DRIVERS\swenum.sys
0x05009000 \SystemRoot\system32\DRIVERS\MarvinBus64.sys
0x0504D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x05058000 \SystemRoot\system32\DRIVERS\umbus.sys
0x05068000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x050B0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x050C4000 \SystemRoot\system32\drivers\HdAudio.sys
0x0510D000 \SystemRoot\system32\drivers\portcls.sys
0x05148000 \SystemRoot\system32\drivers\drmk.sys
0x0516B000 \SystemRoot\system32\drivers\ksthunk.sys
0x05C09000 \SystemRoot\system32\drivers\viahduaa.sys
0x05D2E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x05D38000 \SystemRoot\System32\Drivers\Null.SYS
0x05D4C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x05D54000 \SystemRoot\System32\drivers\vga.sys
0x05D62000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x05D87000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x05D90000 \SystemRoot\system32\drivers\rdpencdd.sys
0x05D99000 \SystemRoot\System32\Drivers\Msfs.SYS
0x05DA4000 \SystemRoot\System32\Drivers\Npfs.SYS
0x05DB5000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x05DBE000 \SystemRoot\system32\DRIVERS\tdx.sys
0x05DDB000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x05DE4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x05DF6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x05D41000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x05171000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x05189000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x051A5000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x051B0000 \SystemRoot\system32\DRIVERS\iLokDrvr.sys
0x051BB000 \SystemRoot\system32\DRIVERS\MAudioFastTrackPro.sys
0x00BCB000 \SystemRoot\system32\DRIVERS\smb.sys
0x05E0A000 \SystemRoot\system32\drivers\afd.sys
0x05E75000 \SystemRoot\System32\DRIVERS\netbt.sys
0x05EB9000 \SystemRoot\system32\DRIVERS\vsdatant.sys
0x05F4D000 \SystemRoot\system32\DRIVERS\pacer.sys
0x05F6B000 \SystemRoot\system32\DRIVERS\netbios.sys
0x05F7A000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x05F95000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x05FE2000 \SystemRoot\system32\drivers\nsiproxy.sys
0x007C2000 \SystemRoot\System32\Drivers\dfsc.sys
0x05FEE000 \SystemRoot\System32\Drivers\crashdmp.sys
0x051EB000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x05E00000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x00020000 \SystemRoot\System32\win32k.sys
0x00FF2000 \SystemRoot\System32\drivers\Dxapi.sys
0x00BE6000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00480000 \SystemRoot\System32\TSDDD.dll
0x00600000 \SystemRoot\System32\cdd.dll
0x00840000 \SystemRoot\System32\ATMFD.DLL
0x07403000 \SystemRoot\system32\drivers\luafv.sys
0x07425000 \SystemRoot\system32\drivers\spsys.sys
0x074BF000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x074D3000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x07507000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x07512000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x0752A000 \SystemRoot\system32\DRIVERS\bowser.sys
0x07548000 \SystemRoot\system32\drivers\mrxdav.sys
0x0756F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x07598000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x075E1000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x007DF000 \SystemRoot\System32\Drivers\adfs.SYS
0x08200000 \SystemRoot\system32\drivers\HTTP.sys
0x082A3000 \SystemRoot\System32\Drivers\fastfat.SYS
0x082D8000 \SystemRoot\system32\drivers\peauth.sys
0x0838E000 \SystemRoot\System32\Drivers\secdrv.SYS
0x08399000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x083C2000 \SystemRoot\System32\drivers\tcpipreg.sys
0x08800000 \SystemRoot\System32\DRIVERS\srv2.sys
0x08832000 \SystemRoot\System32\DRIVERS\srv.sys
0x088C5000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x088E5000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0x088FB000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x08917000 \??\C:\Users\JOHNAL~1\AppData\Local\Temp\aswMBR.sys
0x76EE0000 \Windows\System32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
376 C:\Windows\System32\smss.exe
448 csrss.exe
504 C:\Windows\System32\wininit.exe
524 csrss.exe
560 C:\Windows\System32\services.exe
588 C:\Windows\System32\lsass.exe
596 C:\Windows\System32\lsm.exe
672 C:\Windows\System32\winlogon.exe
788 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\svchost.exe
900 C:\Windows\System32\svchost.exe
980 C:\Windows\System32\Ati2evxx.exe
1004 C:\Windows\System32\svchost.exe
220 C:\Windows\System32\svchost.exe
256 C:\Windows\System32\svchost.exe
452 C:\Windows\System32\audiodg.exe
620 C:\Windows\System32\svchost.exe
776 C:\Windows\System32\SLsvc.exe
1032 C:\Windows\System32\svchost.exe
1160 C:\Windows\System32\svchost.exe
1336 C:\Windows\System32\Ati2evxx.exe
1572 C:\Windows\System32\dwm.exe
1604 C:\Windows\explorer.exe
1808 C:\Windows\System32\svchost.exe
1872 C:\Windows\System32\taskeng.exe
1908 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
1916 C:\Windows\System32\taskeng.exe
1976 C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
552 C:\Windows\System32\svchost.exe
1292 C:\Windows\System32\svchost.exe
1396 C:\Windows\System32\svchost.exe
2220 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
2412 WUDFHost.exe
1888 C:\Program Files\Windows Defender\MSASCui.exe
1436 C:\Windows\System32\M-AudioTaskBarIcon.exe
2592 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
1564 C:\Windows\V0510Mon.exe
2912 C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
3108 C:\Program Files\Windows Media Player\wmpnscfg.exe
3228 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3308 C:\Windows\System32\wbem\unsecapp.exe
3336 WmiPrvSE.exe
3444 C:\Windows\System32\svchost.exe
3320 C:\Program Files (x86)\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
3860 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3596 C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
3936 C:\Users\John Alan\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`ac000000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`02800000 (NTFS)
\\.\J: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD6400AAKS-75A7B2, Rev: 01.03B01
PhysicalDrive1 Model Number: WDCWD800JD-60LSA0, Rev: 07.01D07

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B
74 GB \\.\PhysicalDrive1 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972


Done!

JonTom
2011-10-14, 22:41
Hello shinysideup

Thank you for the log.

You have Spybot, Windows Defender and the ZoneAlarm firewall installed, but no real-time antivirus? Please keep your browsing to a minimum until we have cleaned your system. Once it is clean I will provide you with some links to free and trusted AV programs.

Please make sure that TeaTimer is still disabled before continuing:

Combofix


Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)


VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Right click on ComboFix.exe and select "Run as Administrator" to run the program. Follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Should there be issues with internet afterward:

In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.

shinysideup
2011-10-15, 01:17
It's true that I don't have real-time AV software. I will appreciate your recommendations, thanks. I will limit my browsing to this website until you give me the okay. Here's the log you requested.

ComboFix 11-10-14.04 - John Alan 10/14/2011 15:45:08.1.3 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5841 [GMT -7:00]
Running from: c:\users\John Alan\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files (x86)\ClickPotatoLite
c:\program files (x86)\ClickPotatoLite\bin\10.0.659.0\firefox\extensions\install.rdf
c:\program files (x86)\ClickPotatoLite\bin\10.0.659.0\LaunchHelp.dll
c:\programdata\ClickPotatoLiteSA
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\About Us.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk
c:\users\John Alan\AppData\Local\Downloaded Installations\DownloadedUpdate\Downloadedupdt32.dll
c:\users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\extensions\{3b58cf48-de0a-4d4e-b25b-4ecc339d33f1}
c:\users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\extensions\{3b58cf48-de0a-4d4e-b25b-4ecc339d33f1}\chrome.manifest
c:\users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\extensions\{3b58cf48-de0a-4d4e-b25b-4ecc339d33f1}\chrome\xulcache.jar
c:\users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\extensions\{3b58cf48-de0a-4d4e-b25b-4ecc339d33f1}\defaults\preferences\xulcache.js
c:\users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\extensions\{3b58cf48-de0a-4d4e-b25b-4ecc339d33f1}\install.rdf
c:\windows\SysWow64\ReadMe.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
.
.
2011-10-14 22:59 . 2011-10-14 22:59 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7F62215D-5CAC-46E0-B67F-32F6E6FBFF90}\offreg.dll
2011-10-14 22:58 . 2011-10-14 23:00 -------- d-----w- c:\users\John Alan\AppData\Local\temp
2011-10-14 22:58 . 2011-10-14 22:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-14 22:58 . 2011-10-14 22:58 -------- d-----w- c:\users\GuestAccess\AppData\Local\temp
2011-10-14 16:22 . 2011-09-21 16:00 9049936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7F62215D-5CAC-46E0-B67F-32F6E6FBFF90}\mpengine.dll
2011-10-14 01:19 . 2011-10-14 01:20 -------- d-----w- c:\program files (x86)\ERUNT
2011-10-13 18:16 . 2011-09-01 05:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-13 16:40 . 2011-02-22 14:47 479744 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-10-13 16:38 . 2011-03-12 22:52 1653760 ----a-w- c:\windows\system32\XpsPrint.dll
2011-10-13 16:38 . 2011-03-12 21:55 876032 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-10-13 16:37 . 2011-09-14 10:52 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-13 16:37 . 2011-09-14 10:51 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2011-10-13 16:29 . 2011-10-14 01:02 -------- d-----w- c:\users\John Alan\AppData\Local\NPE
2011-10-13 16:29 . 2011-10-13 16:29 -------- d-----w- c:\programdata\Norton
2011-10-13 16:19 . 2011-10-13 16:19 27256 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-10-13 16:19 . 2011-10-13 16:19 -------- d-----w- c:\users\John Alan\AppData\Roaming\FixTDSS
2011-10-13 00:10 . 2011-10-13 00:31 -------- d-----w- c:\programdata\PC Tools
2011-10-12 19:09 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-10-12 18:56 . 2011-10-12 18:56 -------- d-----w- c:\users\John Alan\AppData\Roaming\f-secure
2011-10-12 18:56 . 2011-10-12 18:56 -------- d-----w- c:\programdata\F-Secure
2011-10-09 23:25 . 2011-10-09 23:26 -------- d-----w- c:\users\John Alan\AppData\Local\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 18:24 . 2011-05-17 12:51 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"V0510Mon.exe"="c:\windows\V0510Mon.exe" [2007-12-07 32768]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-06 421888]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe"
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"BlackBerryAutoUpdate"="c:\program files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" /background
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
.
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-10-28 1038088]
R3 gupdate1ca5ac954b0d243;Google Update Service (gupdate1ca5ac954b0d243);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-11-01 133104]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-11-01 133104]
R3 netr28ux;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 V0510Dev;Rocketfish Webcam VF0510 Driver;c:\windows\system32\DRIVERS\V0510Vid.sys [x]
R3 V0510Vfx;Rocketfish Webcam VF0510 Video VFX Driver;c:\windows\system32\DRIVERS\V0510Vfx.sys [x]
R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys [x]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-21 27648]
S0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 PaceLicenseDServices;PACE License Services;c:\program files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2010-11-08 2647552]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 iLokDrvr;Usb Driver;c:\windows\system32\DRIVERS\iLokDrvr.sys [x]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\DRIVERS\MAudioFastTrackPro.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
S3 VST64_DPV;VST64_DPV;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 VST64HWBS2;VST64HWBS2;c:\windows\system32\DRIVERS\VSTBS26.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-11-01 07:59]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-11-01 07:59]
.
2011-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2681611162-97042652-2360177576-1000Core.job
- c:\users\John Alan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-11 16:05]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2681611162-97042652-2360177576-1000UA.job
- c:\users\John Alan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-11 16:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 798216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.facebook.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - (no file)
Toolbar-{283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - (no file)
Wow6432Node-HKLM-Run-ClickPotatoLiteSA - c:\program files (x86)\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2681611162-97042652-2360177576-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*W%**]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2681611162-97042652-2360177576-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*W%**\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-14 16:05:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-14 23:05
.
Pre-Run: 43,318,636,544 bytes free
Post-Run: 67,827,916,800 bytes free
.
- - End Of File - - 7000095080DC56354B6DF4A73DFF0864

JonTom
2011-10-15, 12:50
Hello shinysideup

Thank you for the log.


Quote: "I will appreciate your recommendations"
We'll get an AV installed in due course :)

Let's continue as follows:

Temporary File Cleaner


Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Close any open windows.
Right click the TFC icon and select "Run as Administrator" to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish.
Once complete it should automatically reboot your machine.
If your machine does not reboot automatically, manually reboot to ensure a complete clean.
Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.



Please perform the following scan:


Please download MalwareBytes AntiMalware by clicking here (http://www.besttechie.net/tools/mbam-setup.exe) and save the file (called mbam-setup.exe) to your desktop.

Right click on the mbam-setup.exe icon and select "Run as Administrator" to install the program.
Follow the prompts during installation and have the Installation Wizard create a desktop icon.
Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.



Please update your Java


To update your Java, Click on the "Windows Orb" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
In the window that opens, click on the "Update" tab, and then on "Update Now".
Your Java should begin to update. Please follow any prompts that you receive.



Please run the following scan


Note: You will need to use Internet Explorer for this scan.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.



Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.



Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option to "Remove Found Threats" is UN checked.
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the "Back" button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png


Please post the MBAM log and the ESET log in your next reply and let me know how the machine is running now.

shinysideup
2011-10-15, 20:11
Hi *JonTom*,

I asked before, but I think you may have missed it...I note there is a new program installed under "Accessories" called "Windows PowerShell". Is this related to the fixes we've been working through?

Thanks for the heads up on the time it would take ESET to complete; I think it was 3.5 hours. I've followed all your instructions and the logs are below.

Thanks for your continued help!

The machine DOES seem to be running smoother. For one thing, my fan's not running so fast and furious as it has been. Previously, inputting text into the browser would cause it to hang a bit, but that seems ok now, too...no lags. Also, when I would search before, I could hover the links and see on the status bar that the links were being redirected to sites that weren't correct, but they appear to be pointing to the proper websites now. I didn't actually click any results, just in case, but they are at least showing properly on the status bar when hovered.
------------------------------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7953

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

10/15/2011 7:25:57 AM
mbam-log-2011-10-15 (07-25-57).txt

Scan type: Quick scan
Objects scanned: 194234
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{D2083641-E57F-4eab-BB85-0582424F4A29} (Adware.HotBar.CP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


END OF REPORT
------------------------------------------------------

C:\Qoobox\Quarantine\C\Users\John Alan\AppData\Local\Downloaded Installations\DownloadedUpdate\Downloadedupdt32.dll.vir a variant of Win32/Kryptik.TXQ trojan
C:\Qoobox\Quarantine\C\Users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\extensions\{3b58cf48-de0a-4d4e-b25b-4ecc339d33f1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Users\John Alan\AppData\Local\Google\Chrome\User Data\Default\Default\paeppcipagaoidkchjkoamhllbncdnel\contentscript.js Win32/TrojanDownloader.Tracur.F trojan

END OF REPORT
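
The MBAM log above is read by eye in this thread; as an added example (not part of the thread, not MBAM's own code), here is a small parser for that MBAM 1.x log format that checks the summary counts against the listed items and flags any detection whose result line does not end in "successfully." (for instance an item left unchecked before "Remove Selected"). SAMPLE_LOG is constructed; its "ConstructedExample" file entry is made up to exercise that case.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and flag what still needs action.

Added example, not part of this thread or of MBAM. SAMPLE_LOG is constructed in
the format MBAM 1.x writes; its "No action taken." line is made up on purpose."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300

Database version: 7953

Scan type: Quick scan
Objects scanned: 194234
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{D2083641-E57F-4eab-BB85-0582424F4A29} (Adware.HotBar.CP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\ConstructedExample\leftover.dll (Adware.ClickPotato) -> No action taken.

END OF REPORT
"""

ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
COUNT_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>.+ Infected):$")
NO_ITEMS = "(No malicious items detected)"

@dataclass
class Detection:
    category: str
    location: str   # registry key/value, folder or file path
    threat: str     # MBAM's family name, e.g. Adware.ClickPotato
    detail: str     # extra "Value: ..." segment for registry values, else ""
    result: str     # last "-> ..." segment, e.g. "Quarantined and deleted successfully."

    @property
    def handled(self):
        # Completed actions end in "successfully."; anything else still needs attention.
        return self.result.endswith("successfully.")

@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def needs_attention(self):
        return [d for d in self.detections if not d.handled]

    def count_mismatches(self):
        """Summary counts that disagree with the items actually listed."""
        listed = {}
        for d in self.detections:
            listed[d.category] = listed.get(d.category, 0) + 1
        return {c: (n, listed.get(c, 0)) for c, n in self.counts.items()
                if n != listed.get(c, 0)}

def parse_mbam_log(text):
    report, section = MbamReport(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "END OF REPORT":
            section = None  # a blank line closes the current item section
            continue
        if (m := COUNT_RE.match(line)):
            report.counts[m["category"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["category"]
        elif section and line != NO_ITEMS:
            m = ITEM_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised line under {section}: {line}")
            *detail, result = m["rest"].split(" -> ")  # keep "Value: ..." apart from the outcome
            report.detections.append(Detection(
                section, m["location"], m["threat"], " -> ".join(detail), result))
        elif section is None and ": " in line:
            key, _, value = line.partition(": ")  # scan metadata before the counts
            report.header[key] = value
    return report

if __name__ == "__main__":
    for d in parse_mbam_log(SAMPLE_LOG).needs_attention():
        print(f"still present: {d.location} ({d.threat}) -> {d.result}")
```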

JonTom
2011-10-15, 22:24
Hello shinysideup


Quote: "Is this related to the fixes we've been working through?"
It may possibly be used by one of the tools we have run on your machine (nothing to worry about).

Thank you for the logs.

MBAM has removed a small number of malicious registry entries and ESET has detected some files held in Combofix quarantine (which we will deal with later) and a file which we will deal with now:


Please download OTM



Please download OTM by OldTimer by clicking here. (http://oldtimer.geekstogo.com/OTM.exe)
Save the file (called OTM.exe) to your desktop.
Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):




:Files
C:\Users\John Alan\AppData\Local\Google\Chrome\User Data\Default\Default\paeppcipagaoidkchjkoamhllbncdnel\contentscript.js

:Commands
[Purity]
[EmptyTemp]
[Emptyflash]

[Reboot]







Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Let's get an AV installed:


Security programs


I have provided links to three trusted programs (just choose one).



Avast! (http://www.avast.com/free-antivirus-download)
Avira AntiVir (http://www.free-av.com/)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)


IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system.


Please post the OTM log in your next reply along with a new DDS scan log.

shinysideup
2011-10-16, 02:13
Thanks for the extra info. I've followed your steps and here are the logs.


------------------------------------------------------------
OTM LOG
All processes killed
========== FILES ==========
C:\Users\John Alan\AppData\Local\Google\Chrome\User Data\Default\Default\paeppcipagaoidkchjkoamhllbncdnel\contentscript.js moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: GuestAccess
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: John Alan
->Temp folder emptied: 2002906 bytes
->Temporary Internet Files folder emptied: 5495495 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 123470001 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2100 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 256 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 670 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 125.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 10152011_163118

Files moved on Reboot...
C:\Users\John Alan\AppData\Local\Temp\~DF4792.tmp moved successfully.
File C:\Windows\temp\ZLT0299e.TMP not found!

Registry entries deleted on Reboot...

------------------------------------------------------------

DDS LOG
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by John Alan at 17:08:22 on 2011-10-15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.6203 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Windows\V0510Mon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [V0510Mon.exe] C:\Windows\V0510Mon.exe
mRun: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{6EC0F224-EF5E-49E6-8A9B-1A93AA941275} : DhcpNameServer = 192.168.0.1 205.171.3.25
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
BHO-X64: Video Downloader BHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [V0510Mon.exe] C:\Windows\V0510Mon.exe
mRun-x64: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - plugin: C:\Users\John Alan\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 FixTDSS;TDSS Fixtool driver;C:\Windows\system32\drivers\FixTDSS.sys --> C:\Windows\system32\drivers\FixTDSS.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-10-15 44768]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 PaceLicenseDServices;PACE License Services;C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2010-11-8 2647552]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-10-3 1153368]
R3 iLokDrvr;Usb Driver;C:\Windows\system32\DRIVERS\iLokDrvr.sys --> C:\Windows\system32\DRIVERS\iLokDrvr.sys [?]
R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys --> C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
R3 VST64_DPV;VST64_DPV;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 VST64HWBS2;VST64HWBS2;C:\Windows\system32\DRIVERS\VSTBS26.SYS --> C:\Windows\system32\DRIVERS\VSTBS26.SYS [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-11 89920]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-10-28 1038088]
S3 gupdate1ca5ac954b0d243;Google Update Service (gupdate1ca5ac954b0d243);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-11-1 133104]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-11-1 133104]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 V0510Dev;Rocketfish Webcam VF0510 Driver;C:\Windows\system32\DRIVERS\V0510Vid.sys --> C:\Windows\system32\DRIVERS\V0510Vid.sys [?]
S3 V0510Vfx;Rocketfish Webcam VF0510 Video VFX Driver;C:\Windows\system32\DRIVERS\V0510Vfx.sys --> C:\Windows\system32\DRIVERS\V0510Vfx.sys [?]
S4 ahcix64s;ahcix64s;C:\Windows\system32\drivers\ahcix64s.sys --> C:\Windows\system32\drivers\ahcix64s.sys [?]
S4 nosGetPlusHelper;getPlus(R) Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-10-15 23:54:19 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7F62215D-5CAC-46E0-B67F-32F6E6FBFF90}\offreg.dll
2011-10-15 23:40:39 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-10-15 23:40:38 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-10-15 23:40:29 41184 ----a-w- C:\Windows\avastSS.scr
2011-10-15 23:40:21 -------- d-----w- C:\ProgramData\AVAST Software
2011-10-15 23:40:21 -------- d-----w- C:\Program Files\AVAST Software
2011-10-15 23:31:18 -------- d-----w- C:\_OTM
2011-10-15 14:34:52 -------- d-----w- C:\Program Files (x86)\ESET
2011-10-15 14:30:03 -------- d-----w- C:\Users\John Alan\AppData\Roaming\PeerNetworking
2011-10-15 14:21:08 -------- d-----w- C:\Users\John Alan\AppData\Local\CrashDumps
2011-10-15 14:21:01 -------- d-----w- C:\Users\John Alan\AppData\Roaming\Malwarebytes
2011-10-15 14:20:46 -------- d-----w- C:\ProgramData\Malwarebytes
2011-10-15 14:20:42 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-10-15 14:20:42 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-10-15 14:14:52 -------- d-sh--w- C:\$RECYCLE.BIN
2011-10-14 23:05:17 -------- d-----w- C:\Users\John Alan\AppData\Local\temp
2011-10-14 22:43:15 98816 ----a-w- C:\Windows\sed.exe
2011-10-14 22:43:15 518144 ----a-w- C:\Windows\SWREG.exe
2011-10-14 22:43:15 256000 ----a-w- C:\Windows\PEV.exe
2011-10-14 22:43:15 208896 ----a-w- C:\Windows\MBR.exe
2011-10-14 16:23:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
2011-10-14 16:23:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
2011-10-14 16:23:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
2011-10-14 16:23:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
2011-10-14 16:22:59 9049936 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7F62215D-5CAC-46E0-B67F-32F6E6FBFF90}\mpengine.dll
2011-10-13 18:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-13 16:40:37 479744 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-10-13 16:40:37 288768 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-10-13 16:40:37 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2011-10-13 16:40:37 1149440 ----a-w- C:\Windows\System32\FntCache.dll
2011-10-13 16:40:37 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-10-13 16:40:27 1927680 ----a-w- C:\Windows\System32\gameux.dll
2011-10-13 16:40:27 1696256 ----a-w- C:\Windows\SysWow64\gameux.dll
2011-10-13 16:38:00 876032 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-10-13 16:38:00 1653760 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-10-13 16:37:57 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-10-13 16:37:57 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-10-13 16:29:01 -------- d-----w- C:\Users\John Alan\AppData\Local\NPE
2011-10-13 16:29:00 -------- d-----w- C:\ProgramData\Norton
2011-10-13 16:19:08 27256 ----a-w- C:\Windows\System32\drivers\FixTDSS.sys
2011-10-13 16:19:08 -------- d-----w- C:\Users\John Alan\AppData\Roaming\FixTDSS
2011-10-13 00:10:46 -------- d-----w- C:\ProgramData\PC Tools
2011-10-12 19:09:29 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2011-10-12 18:56:50 -------- d-----w- C:\Users\John Alan\AppData\Roaming\f-secure
2011-10-12 18:56:38 -------- d-----w- C:\ProgramData\F-Secure
2011-10-09 23:25:59 -------- d-----w- C:\Users\John Alan\AppData\Local\Deployment
.
==================== Find3M ====================
.
2011-10-05 18:24:07 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-06 13:56:50 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
2011-07-29 16:08:29 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-07-29 16:08:27 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-07-29 16:06:52 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-07-29 16:06:42 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-07-29 16:01:34 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-07-29 16:01:33 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-07-29 16:00:14 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
2011-07-29 16:00:05 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
.
============= FINISH: 17:08:55.69 ===============
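A small triage script for DDS lines of the kind shown in the log above, added here as an example; it is not a tool from this thread or part of DDS. It assumes the line shapes visible in the log, its sample lines are constructed from them, and the "expected directories" and public-resolver checks are review heuristics of mine, not anything DDS itself reports.

```python
"""Triage helper for DDS log lines (added example, not a DDS or thread tool)."""
import ipaddress
import re

# Constructed sample built from the line shapes that appear in the log above.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
BHO-X64: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
TB: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
mRun: [V0510Mon.exe] C:\Windows\V0510Mon.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
R0 FixTDSS;TDSS Fixtool driver;C:\Windows\system32\drivers\FixTDSS.sys --> C:\Windows\system32\drivers\FixTDSS.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-10-15 44768]
"""

# Heuristic (mine, not DDS's): installer-placed autoruns normally live under one
# of these. Anything else is listed for a second look, not called malicious.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

ORPHAN_RE = re.compile(r"^(?:BHO|TB)(?:-X64)?: (?P<entry>.+) - No File$")
AUTORUN_RE = re.compile(r"^mRun(?:-x64)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;.* \[(?P<info>[^\]]*)\]$")
DNS_RE = re.compile(r"DhcpNameServer = (?P<ips>[\d. ]+)$")


def exe_path(cmd):
    """Return the executable from an mRun command line, quoted or bare."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Group DDS entries into review lists; each list means 'look at this', not a verdict."""
    findings = {"orphaned_ie_entries": [], "unusual_autoruns": [],
                "unverified_drivers": [], "public_dns": []}
    for line in log_text.splitlines():
        if m := ORPHAN_RE.match(line):
            # BHO/toolbar CLSID still registered but its DLL is gone: a leftover to clean.
            findings["orphaned_ie_entries"].append(m["entry"])
        elif m := AUTORUN_RE.match(line):
            path = exe_path(m["cmd"])
            if not path.lower().startswith(EXPECTED_DIRS):
                findings["unusual_autoruns"].append((m["name"], path))
        elif m := SERVICE_RE.match(line):
            # DDS prints "[?]" in place of the date/size when it could not read the file.
            if m["info"] == "?":
                findings["unverified_drivers"].append(m["name"])
        elif m := DNS_RE.search(line):
            # A non-private resolver is normal for an ISP; confirm it is the expected one.
            for ip in m["ips"].split():
                if not ipaddress.ip_address(ip).is_private:
                    findings["public_dns"].append(ip)
    # 64-bit logs repeat entries under BHO-X64/mRun-x64; keep one copy, in order.
    return {k: list(dict.fromkeys(v)) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```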

JonTom
2011-10-16, 13:11
Hello shinysideup

Thank you for the logs.

Now that you have Avast! installed, make sure that it is updated then please check to see if you are being re-directed when you browse.

Let me know how it goes in your next reply.

shinysideup
2011-10-16, 19:50
Updated the Avast! right off the bat yesterday. :) ...and very much liking the fact that the Google search results show an icon near each result indicating the level of trust of a given website...very handy, indeed. The search results are now back in working order!

I'm sure you will address it anyway, as you've been extremely thorough, but I feel compelled to ask: is it now safe to turn the TeaTimer back on? And should I simply delete the downloaded applications?

Forgive me if I'm getting too far ahead of myself...I suppose it's the elation of having that insidious infection squashed. I will await any further instruction before proceeding with anything.

THANK YOU SO MUCH FOR YOUR TIME AND EFFORT ON THIS, IF YOU HAVE A DONATION LINK, PLEASE PROVIDE IT EITHER HERE OR IN A PM. I'M NOT "LOADED" BUT I DO WISH TO EXPRESS MY GRATITUDE AS BEST I CAN.

JonTom
2011-10-16, 23:35
Hello shinysideup

I am glad to hear that your machine is running well.

Your DDS log appears to be clean and provided you are no longer experiencing any problems we can remove our tools:

Please Uninstall Combofix

Hold down the Windows key (has the Windows symbol on it) and press the "R" key.
A Run box will open.
Type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall"; it needs to be there.

Please perform the following cleanup procedure

Double click on the OTM.exe icon on your desktop to run the program. (Note: If you are running Vista/Windows 7, right-click on the file and choose Run As Administrator).
Once OTM has opened, click on the "CleanUp!" button.
Follow any prompts that you receive.

Removal of Tools

You no longer need aswMBR or MBRCheck. Please delete them from your machine.

"is it now safe to turn the TeaTimer back on?" It is :)


Your Adobe Reader is out of date

You can obtain the latest version of Adobe Reader from here (http://get.adobe.com/uk/reader/), and the latest version of Flash Player from here. (http://www.adobe.com/products/flashplayer/)
For more information and links to Adobe updates and downloads click here. (http://www.adobe.com/downloads/)

"I DO WISH TO EXPRESS MY GRATITUDE AS BEST I CAN" You are very kind, shinysideup. I never accept any donations for the help I provide, but if you would like to make a donation towards the upkeep of this site you may do so here: Donate (http://www.spybot.info/en/donate/index.html)


Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.


Finally, please take the time to read through the information provided below:

Enhance your System Security

For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.

Web Browsers and Browser Security

Firefox

You can download Firefox from here. (http://www.mozilla.com/en-US/firefox/)


No-Script

If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)


Internet Explorer

The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
Please Note: IE9 is not configured to run on XP machines.


SpywareBlaster

If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)

Web of Trust

When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)


Keep your Software Updated

Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)


Passwords

Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)


General Reading

PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)

How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


Learn How To Combat Malware

Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)

shinysideup
2011-10-17, 05:01
Yes, everything seems to be asymptomatic! :) Thank you, thank you! I've followed the rest of your instructions and am almost through the supplemental material. I am feeling confident that the thread can be closed and filed under "success". :D


"You are very kind... I never accept donations... if you would like to make a donation..."
Thank you for your devotion to the cause. I did make a donation to the project; a mere pittance in comparison to the valuable assistance you've provided, but a token of appreciation, at least.

Once again, I greatly appreciate your time and expertise!!

:bigthumb:

JonTom
2011-10-17, 07:46
Hello shinysideup

Thank you for your kind donation.


"Once again, I greatly appreciate your time and expertise!!" You are more than welcome :)

Glad we could help.

As your problem appears to be resolved this thread is now closed.

Best wishes
JonTom