Delta Toolbar



jeff1955
2013-06-20, 14:01
My Chrome browser is insisting on running Delta Toolbar. I ran a fully updated Spybot S&D check, which found Delta Toolbar among other malware and 'fixed' the problem. However, Chrome still runs Delta. I ran Spybot several times; it found no evidence of anything. I have read round the subject, and the wisdom seems to be to contact a trusted malware removal group. I have turned to you several times in the past and you've always sorted out my problems, so here I am again!

DDS pasted below and Attach.txt zipped and attached.

Thanks in advance
Jeff Simpson

DDS

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16490 BrowserJavaVersion: 10.7.2
Run by Owner at 11:47:52 on 2013-06-20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4094.1692 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\SysWOW64\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = hxxp://www.pctools.com/mrc/fix_homepage/
mDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=1v3607090606p0385vq55y46619201
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?40512.2579166667
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{3A6A56F4-96DF-4F86-9C5E-8E784021646C} : DHCPNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=1v3607090606p0385vq55y46619201
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-Explorer: NoDrives = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - LocalServer32 - <no file>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\830\G2AWinLogon_x64.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R2 ezGOSvc;Easybits GO Services for Windows;C:\Windows\System32\svchost.exe -k netsvcs [2008-1-21 27648]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 27648]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 130008]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-3-23 87040]
R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-10-11 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
R3 LVUVC64;Logitech HD Webcam C270(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
R3 SaiH0004;SaiH0004;C:\Windows\System32\drivers\SaiH0004.sys [2007-5-1 171144]
R3 SaiL0004;SaiL0004;C:\Windows\System32\drivers\SaiL0004.sys [2007-5-1 18048]
R3 SaiU0004;SaiU0004;C:\Windows\System32\drivers\SaiU0004.sys [2007-5-1 34304]
R3 SaiUFF52;SaiUFF52;C:\Windows\System32\drivers\saiuFF52.sys [2007-5-1 34304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-6-3 162408]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-6-10 31744]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
S3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-7-7 17464]
S3 SaiHFF52;SaiHFF52;C:\Windows\System32\drivers\SaiHFF52.sys [2007-5-1 171144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2013-06-18 18:06:38 270336 ----a-w- C:\Windows\IHelper.exe
2013-06-17 05:28:33 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-17 05:28:33 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-14 05:38:11 75825640 ----a-w- C:\Windows\System32\mrt.exe
2013-05-17 04:05:41 17824768 ----a-w- C:\Windows\System32\mshtml.dll
2013-05-17 03:27:25 10926080 ----a-w- C:\Windows\System32\ieframe.dll
2013-05-17 03:09:56 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-17 03:02:53 1346560 ----a-w- C:\Windows\System32\urlmon.dll
2013-05-17 03:02:29 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-05-17 03:01:13 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-05-17 03:00:22 237056 ----a-w- C:\Windows\System32\url.dll
2013-05-17 02:58:20 85504 ----a-w- C:\Windows\System32\jsproxy.dll
2013-05-17 02:56:09 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-05-17 02:56:00 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-05-17 02:55:59 816640 ----a-w- C:\Windows\System32\jscript.dll
2013-05-17 02:54:09 729088 ----a-w- C:\Windows\System32\msfeeds.dll
2013-05-17 02:53:20 2147840 ----a-w- C:\Windows\System32\iertutil.dll
2013-05-17 02:51:49 96768 ----a-w- C:\Windows\System32\mshtmled.dll
2013-05-17 02:51:27 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-17 02:46:31 248320 ----a-w- C:\Windows\System32\ieui.dll
2013-05-16 23:08:55 12329984 ----a-w- C:\Windows\SysWow64\mshtml.dll
2013-05-16 22:49:25 9738752 ----a-w- C:\Windows\SysWow64\ieframe.dll
2013-05-16 22:39:39 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-16 22:28:40 1104384 ----a-w- C:\Windows\SysWow64\urlmon.dll
2013-05-16 22:28:26 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-16 22:27:30 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-05-16 22:26:07 231936 ----a-w- C:\Windows\SysWow64\url.dll
2013-05-16 22:23:35 65024 ----a-w- C:\Windows\SysWow64\jsproxy.dll
2013-05-16 22:21:37 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-05-16 22:21:34 717824 ----a-w- C:\Windows\SysWow64\jscript.dll
2013-05-16 22:20:30 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-05-16 22:19:25 607744 ----a-w- C:\Windows\SysWow64\msfeeds.dll
2013-05-16 22:17:30 1796096 ----a-w- C:\Windows\SysWow64\iertutil.dll
2013-05-16 22:17:21 73216 ----a-w- C:\Windows\SysWow64\mshtmled.dll
2013-05-16 22:16:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-16 22:12:55 176640 ----a-w- C:\Windows\SysWow64\ieui.dll
2013-05-08 04:14:40 1417576 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-05-08 02:27:42 40448 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-05-02 04:16:27 686080 ----a-w- C:\Windows\System32\win32spl.dll
2013-05-02 04:04:25 443904 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-05-02 04:03:42 37376 ----a-w- C:\Windows\SysWow64\printcom.dll
2013-04-24 04:09:48 174592 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-04-24 04:09:48 132096 ----a-w- C:\Windows\System32\cryptnet.dll
2013-04-24 04:09:48 1269248 ----a-w- C:\Windows\System32\crypt32.dll
2013-04-24 04:09:41 50688 ----a-w- C:\Windows\System32\certenc.dll
2013-04-24 04:00:30 985600 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-04-24 04:00:30 98304 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-04-24 04:00:30 133120 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-04-24 04:00:24 41984 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-04-24 02:10:00 1078272 ----a-w- C:\Windows\System32\certutil.exe
2013-04-24 01:46:29 812544 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-04-17 13:04:03 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-04-17 12:30:06 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-04-15 14:17:12 901496 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-13 03:34:30 47104 ----a-w- C:\Windows\System32\cdd.dll
2013-04-09 01:55:57 2774016 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 11:48:20.55 ===============

Apologies, I should read your stickies more carefully. Below are the results of the aswMBR scan:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-06-20 12:05:50
-----------------------------
12:05:50.356 OS Version: Windows x64 6.0.6002 Service Pack 2
12:05:50.356 Number of processors: 4 586 0x170A
12:05:50.357 ComputerName: PACKARDBELL UserName: Owner
12:05:51.936 Initialize success
12:25:44.827 AVAST engine defs: 13062001
13:00:47.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000065
13:00:47.377 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
13:00:47.462 Disk 0 MBR read successfully
13:00:47.464 Disk 0 MBR scan
13:00:47.576 Disk 0 unknown MBR code
13:00:47.586 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15000 MB offset 2048
13:00:47.604 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 297763 MB offset 30722048
13:00:47.628 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 297715 MB offset 640540672
13:00:47.713 Disk 0 scanning C:\Windows\system32\drivers
13:01:02.789 Service scanning
13:01:28.917 Modules scanning
13:01:28.923 Disk 0 trace - called modules:
13:01:28.943 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
13:01:29.275 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80063263e0]
13:01:29.279 3 CLASSPNP.SYS[fffffa600120dc33] -> nt!IofCallDriver -> [0xfffffa8004cafdb0]
13:01:29.283 5 acpi.sys[fffffa60008defde] -> nt!IofCallDriver -> \Device\00000065[0xfffffa8004c0e060]
13:01:30.743 AVAST engine scan C:\Windows
13:01:37.360 AVAST engine scan C:\Windows\system32
13:07:01.612 AVAST engine scan C:\Windows\system32\drivers
13:07:36.634 AVAST engine scan C:\Users\Owner
13:52:29.280 AVAST engine scan C:\ProgramData
13:56:38.943 Scan finished successfully
14:29:31.775 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
14:29:31.838 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"
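Editor's note, added to this thread and not part of the poster's logs or of any Spybot tool: the DDS "Pseudo HJT" section above covers Internet Explorer start pages and BHOs, but it does not enumerate the places where a Chrome toolbar typically re-establishes itself, which is consistent with Chrome still showing the toolbar after the IE-oriented fix. The PowerShell below is a read-only triage script for those locations. It assumes PowerShell 3.0 or later (for ConvertFrom-Json and [pscustomobject]), the default Chrome profile path, and that the toolbar uses one of the common persistence points listed in the comments; none of those assumptions are confirmed by the logs in this thread, and the script changes nothing, it only reports.

```powershell
# Added triage example (not from the original post or from Spybot).
# Lists the usual Chrome persistence points for toolbars/hijackers on Windows.
# Assumptions: PowerShell 3.0+, default profile path, run in the affected user's session.
$findings = New-Object System.Collections.Generic.List[object]

# 1. Chrome shortcuts with arguments appended to the target. A URL placed after
#    chrome.exe in a .lnk opens that page on every launch and survives extension cleanup.
$shell = New-Object -ComObject WScript.Shell
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match 'chrome\.exe$' -and $lnk.Arguments.Trim() -ne '') {
            $findings.Add([pscustomobject]@{ Where = 'Shortcut'; Item = $_.FullName; Detail = $lnk.Arguments })
        }
    }
}

# 2. Extensions force-installed by Chrome policy (reinstalled silently if removed from chrome://extensions).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\Software\Policies\Google\Chrome\ExtensionInstallForcelist"
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $findings.Add([pscustomobject]@{ Where = 'PolicyForcelist'; Item = $_.Name; Detail = $_.Value }) }
    }
}

# 3. "External extensions" registered through the registry, the classic third-party install path
#    used by bundled toolbars; each subkey is an extension id with a path or update_url value.
foreach ($key in 'HKLM:\Software\Google\Chrome\Extensions',
                 'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
                 'HKCU:\Software\Google\Chrome\Extensions') {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            $findings.Add([pscustomobject]@{ Where = 'RegistryExternalExt'; Item = $_.PSChildName; Detail = "$($p.path) $($p.update_url)".Trim() })
        }
    }
}

# 4. What the profile itself records: installed extensions, home page, startup URLs, default search.
$prefsPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences"
if (Test-Path $prefsPath) {
    $prefs = Get-Content $prefsPath -Raw | ConvertFrom-Json
    if ($prefs.extensions -and $prefs.extensions.settings) {
        $prefs.extensions.settings.PSObject.Properties | ForEach-Object {
            $ext = $_.Value
            $name = if ($ext.manifest) { $ext.manifest.name } else { '' }
            $findings.Add([pscustomobject]@{ Where = 'ProfileExtension'; Item = $_.Name; Detail = "$name $($ext.path)".Trim() })
        }
    }
    if ($prefs.homepage) {
        $findings.Add([pscustomobject]@{ Where = 'Homepage'; Item = 'homepage'; Detail = $prefs.homepage })
    }
    if ($prefs.session -and $prefs.session.startup_urls) {
        $findings.Add([pscustomobject]@{ Where = 'StartupUrls'; Item = 'session.startup_urls'; Detail = ($prefs.session.startup_urls -join ' ') })
    }
    if ($prefs.default_search_provider -and $prefs.default_search_provider.search_url) {
        $findings.Add([pscustomobject]@{ Where = 'DefaultSearch'; Item = 'default_search_provider.search_url'; Detail = $prefs.default_search_provider.search_url })
    }
}

$findings | Sort-Object Where | Format-Table -AutoSize -Wrap
```

Read the output before removing anything: legitimate extensions and a user-chosen home page will appear alongside anything unwanted, so the point is to see which entry names the toolbar and which of the four mechanisms keeps bringing it back. Newer Chrome builds also keep a "Secure Preferences" file next to "Preferences" with its own extension list, and Chrome will refuse a shortcut or force-list cleanup that does not also remove the corresponding registry or policy entry, since the next launch simply reapplies it.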