
Thread: Incredibar Browser Hijack

    #1 - Junior Member (Join Date: Dec 2012, Posts: 1)

    Incredibar Browser Hijack

    So I downloaded two applications from CNET. After the first one of these installed (and I am ALWAYS careful to click the correct download link and uncheck any unwanted 'crap-on' software), I noticed my Search Engine had been hijacked. And my default Search Toolbar. And my Start Page option. And my Home Tab. Across all 3 of my Firefox, IE and Chrome browsers. All by this despicable Incredibar, or its MyStart variant. Went through the tedious process of removing same. Only to have it show up again, after downloading the next application mentioned above (or maybe it was the first infection resurfacing again). I had been running clean after having to rebuild my system after a failed hard drive a week ago, and given that the Incredibar and MyStart hijacking occurred right after downloading the above-mentioned apps, I am pretty certain that CNET was the source of my infection.

    Anyway, I followed a few posts about removing Incredibar, and it seems to have been gone for the last week, but one of the posts did recommend running Spybot S&D to ensure it's truly gone. So, I downloaded Spybot S&D 2 and ran that, which reported a number of things it flagged for me to 'Fix' if I so chose. At that point, I thought I'd better get some advice because I don't really know what 'Fix' would do. I ran ERUNT, saving the System Registry only.

    This is the report from the DDS program:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16457
    Run by Jeffrey at 20:36:09 on 2012-12-20
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.1461 [GMT -5:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Box Sync\UpdateService.exe
    C:\IDrive\IDriveE Service.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Box Sync\BoxSyncHelper.exe
    C:\IDrive\IDrivePlugin.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Program Files\Eraser\Eraser.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Box Sync\BoxSync.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Secunia\PSI\psi_tray.exe
    C:\Users\Jeffrey\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wuauclt.exe
    C:\IDrive\IDriveETray.exe
    C:\IDrive\IDriveEBackground.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\prevhost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/ig?refresh=1
    BHO: PDFXChange 4.0 IE Plugin: {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - c:\program files\tracker software\pdf-xchange 4\PXCIEAddin4.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
    TB: PDFXChange 4.0 IE Plugin: {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - c:\program files\tracker software\pdf-xchange 4\PXCIEAddin4.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [IDriveE Startup] "c:\idrive\IDrvieEStartup.exe" Hide
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [BoxSyncHelper] "c:\program files\box sync\BoxSyncHelper.exe"
    mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
    mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
    StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jeffrey\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\idrive~1.lnk - c:\idrive\IDriveEReg2ini.exe
    StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\boxsyn~1.lnk - c:\program files\box sync\BoxSync.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hypers~1.lnk - c:\program files\hypersnap-dx 5\HprSnap5.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\instal~1.lnk - c:\program files\common files\lpuninstall.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: LastPass - c:\users\jeffrey\appdata\locallow\lastpass\context.html?cmd=lastpass
    IE: LastPass Fill Forms - c:\users\jeffrey\appdata\locallow\lastpass\context.html?cmd=fillforms
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
    TCP: NameServer = 65.32.5.111 65.32.5.112
    TCP: Interfaces\{03DFF60F-2A27-4FB5-94F3-1785F5D1287A} : DHCPNameServer = 65.32.5.111 65.32.5.112
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: SDWinLogon - SDWinLogon.dll
    SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\jeffrey\appdata\roaming\mozilla\firefox\profiles\es60cfo3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?refresh=1
    FF - prefs.js: keyword.URL - hxxp://www.google.com.my/search?q=
    FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.124\npGoogleUpdate3.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
    FF - ExtSQL: 2012-11-10 19:21; isreaditlater@ideashower.com; c:\users\jeffrey\appdata\roaming\mozilla\firefox\profiles\es60cfo3.default\extensions\isreaditlater@ideashower.com.xpi
    FF - ExtSQL: 2012-12-01 15:28; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8NQHxNuM&loc=IB_TB&i=26&search=
    FF - user.js: extensions.incredibar_i.id - 24b01e67000000000000002421a66bc0
    FF - user.js: extensions.incredibar_i.instlDay - 15685
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1415:34:38
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef -
    FF - user.js: extensions.incredibar_i.dfltLng -
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id -
    FF - user.js: extensions.incredibar_i.upn2 - 6R8NQHxNuM
    FF - user.js: extensions.incredibar_i.upn2n - 92825549284318880
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10678
    FF - user.js: extensions.incredibar_i.ppd - 128
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-12-1 738504]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-12-1 361032]
    R2 #UpdateService;Box Sync Auto-updater;c:\program files\box sync\UpdateService.exe [2012-11-7 8704]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-12-1 21256]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-12-1 58680]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-12-1 44808]
    R2 IDriveE Service;IDriveE Service;c:\idrive\IDriveE Service.exe [2012-12-3 157128]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-12-13 1103392]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-12-13 1369624]
    R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-12-13 168384]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-9-24 1328736]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-9-24 656480]
    R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2012-12-10 3467768]
    R3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-12-1 14848]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-12-1 49664]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-12-1 1343400]
    .
    =============== File Associations ===============
    .
    FileExt: .txt: txtfile="c:\program files\editpadlite\EditPad.exe" "%1"
    .
    =============== Created Last 30 ================
    .
    2012-12-20 18:57:12 569856 ----a-w- c:\users\jeffrey\appdata\roaming\microsoft\internet explorer\quick launch\ShowMan.exe
    2012-12-18 18:00:35 -------- d-----r- c:\users\jeffrey\Dropbox
    2012-12-18 17:49:35 -------- d-----w- c:\users\jeffrey\appdata\roaming\Dropbox
    2012-12-18 09:42:57 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{300d67bc-c35a-4d9c-a8d0-582365730612}\mpengine.dll
    2012-12-14 01:13:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-12-14 01:13:15 15224 ----a-w- c:\windows\system32\sdnclean.exe
    2012-12-14 01:13:08 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
    2012-12-13 01:14:23 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-12-12 21:06:27 -------- d-----w- C:\Acer
    2012-12-12 21:04:41 -------- d-----w- C:\totalcommander
    2012-12-12 21:04:23 -------- d-----w- C:\Social Security
    2012-12-12 21:04:12 -------- d-----w- C:\RMF
    2012-12-12 21:04:03 -------- d-----w- C:\RFFLOW
    2012-12-12 21:03:49 -------- d-----w- C:\Relocation Assessor
    2012-12-12 21:03:38 -------- d-----w- C:\Quickenw
    2012-12-12 21:03:07 -------- d-----w- C:\eDialog v 1.1
    2012-12-12 21:02:56 -------- d-----w- C:\eDialog Dev
    2012-12-12 16:30:44 -------- d-----w- c:\users\jeffrey\appdata\local\Eraser 6
    2012-12-12 01:57:34 -------- d-----w- c:\users\jeffrey\appdata\roaming\TeamViewer
    2012-12-11 21:44:53 -------- d-----w- C:\SM
    2012-12-11 21:44:12 -------- d-----w- C:\Prey
    2012-12-11 21:37:40 -------- d-----w- C:\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
    2012-12-11 21:37:07 -------- d-----w- C:\eDialog
    2012-12-11 21:29:46 -------- d-----r- C:\DataSmiths Dev
    2012-12-11 20:37:53 -------- d-----w- c:\program files\Beyond Compare 3
    2012-12-11 20:25:27 -------- d-----w- c:\program files\Office Automation
    2012-12-11 18:41:57 -------- d---a-w- c:\program files\CustomUIEditor
    2012-12-11 01:41:56 -------- d-----w- c:\program files\TeamViewer
    2012-12-10 23:58:01 5 ----a-w- c:\windows\system32\lMMLDeleteUserData42107612FX.tmp
    2012-12-10 23:09:06 -------- d-----w- c:\users\jeffrey\appdata\roaming\Malwarebytes
    2012-12-10 23:08:47 -------- d-----w- c:\programdata\Malwarebytes
    2012-12-10 23:08:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-10 23:08:46 -------- d-----w- c:\program files\Malware
    2012-12-10 21:14:32 -------- d-----w- c:\program files\Eraser
    2012-12-10 21:12:08 632656 ----a-w- c:\windows\system32\msvcr80.dll
    2012-12-10 21:12:08 554832 ----a-w- c:\windows\system32\msvcp80.dll
    2012-12-10 21:12:08 479232 ----a-w- c:\windows\system32\msvcm80.dll
    2012-12-10 20:47:55 -------- d-----w- c:\program files\MZTools3VBA
    2012-12-10 20:46:30 -------- d-----w- C:\Python27
    2012-12-10 19:43:54 -------- d-----w- c:\users\jeffrey\appdata\roaming\Box Sync
    2012-12-10 19:43:54 -------- d-----w- c:\users\jeffrey\appdata\roaming\Box Desktop
    2012-12-10 19:42:36 -------- d-----w- c:\program files\Box Sync
    2012-12-10 19:41:05 -------- d-----w- c:\users\jeffrey\appdata\local\Box Sync
    2012-12-10 17:56:31 -------- d-----w- c:\users\jeffrey\appdata\local\Programs
    2012-12-10 17:47:02 -------- d-----w- c:\users\jeffrey\appdata\local\Secunia PSI
    2012-12-10 17:46:47 -------- d-----w- c:\program files\Secunia
    2012-12-06 12:24:04 -------- d-----w- c:\program files\MSXML 4.0
    2012-12-05 20:34:12 -------- d-----w- c:\users\jeffrey\appdata\roaming\HTC
    2012-12-05 20:34:11 -------- d-----w- c:\users\jeffrey\appdata\roaming\HTC Sync
    2012-12-05 20:33:55 -------- d-----w- c:\programdata\HTC
    2012-12-05 20:33:54 -------- d-----w- c:\users\jeffrey\appdata\local\Apple Computer
    2012-12-05 20:33:47 -------- d-----w- c:\users\jeffrey\appdata\local\HTC MediaHub
    2012-12-05 20:33:40 -------- d-----w- c:\programdata\Motorola
    2012-12-05 20:32:09 -------- d-----w- c:\program files\Spirent Communications
    2012-12-05 20:32:09 -------- d-----w- c:\program files\HTC
    2012-12-05 20:30:04 -------- d-----w- c:\users\jeffrey\appdata\local\Downloaded Installations
    2012-12-05 20:27:29 -------- d-----w- C:\Temp
    2012-12-05 19:36:54 -------- d-----w- c:\users\jeffrey\appdata\local\Macromedia
    2012-12-04 15:42:35 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
    2012-12-04 15:16:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-04 15:16:03 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-12-03 23:50:50 -------- d-----w- c:\windows\system32\appmgmt
    2012-12-03 23:21:21 -------- d-----w- c:\users\jeffrey\appdata\local\SpreadsheetTools
    2012-12-03 23:18:41 -------- d-----w- c:\program files\LockXLS
    2012-12-03 23:02:06 -------- d-----w- c:\users\jeffrey\appdata\roaming\ASAP Utilities
    2012-12-03 23:02:06 -------- d-----w- c:\program files\ASAP Utilities
    2012-12-03 22:57:05 -------- d-----w- c:\users\jeffrey\appdata\roaming\MB4Outlook
    2012-12-03 22:57:02 -------- d-----w- c:\users\jeffrey\appdata\local\assembly
    2012-12-03 22:54:48 -------- d-----w- c:\program files\Sizer
    2012-12-03 22:53:26 -------- d-----w- c:\program files\XML Marker
    2012-12-03 22:52:07 -------- dc----w- c:\programdata\{CB729112-340D-49BD-AC12-D6F6BB735838}
    2012-12-03 22:24:25 87 ----a-w- c:\windows\wpd99.drv
    2012-12-03 22:24:25 -------- d-----w- c:\programdata\pdf995
    2012-12-03 22:24:24 51716 ----a-w- c:\windows\system32\pdf995mon.dll
    2012-12-03 22:24:24 122880 ----a-w- c:\windows\system32\pdfmona.dll
    2012-12-03 22:24:23 -------- d-----w- c:\program files\pdf995
    2012-12-03 22:06:20 61440 ----a-w- c:\windows\UnDeploy.exe
    2012-12-03 22:06:20 -------- d-----w- c:\program files\EditPadLite
    2012-12-03 22:03:28 -------- d-----w- c:\program files\Agent Ransack
    2012-12-03 22:01:17 2712200 ----a-w- c:\users\jeffrey\appdata\roaming\microsoft\internet explorer\quick launch\procexp.exe
    2012-12-03 21:48:25 -------- d-----w- c:\users\jeffrey\appdata\roaming\Mobisynapse
    2012-12-03 21:48:13 -------- d-----w- c:\program files\Mobisynapse
    2012-12-03 21:01:48 18944 ----a-w- c:\windows\system32\pvk2pfx.exe
    2012-12-03 21:01:48 102912 ----a-w- c:\windows\system32\signtool.exe
    2012-12-03 19:53:46 -------- d-----w- C:\DataSmiths
    2012-12-03 19:21:49 -------- d-----w- C:\MyKeys
    2012-12-03 19:17:24 -------- d-----w- C:\DataSmiths Dump
    2012-12-03 19:10:31 -------- d-----w- c:\users\jeffrey\appdata\local\ProSoftnet
    2012-12-03 16:42:42 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-12-03 16:06:42 -------- d-----w- c:\users\jeffrey\appdata\local\Mozilla
    2012-12-02 23:02:23 -------- d-----w- c:\program files\HyperSnap-DX 5
    2012-12-02 18:42:31 54040 ----a-w- c:\windows\system32\pxc40pm.dll
    2012-12-02 18:42:20 -------- d-----w- c:\program files\Tracker Software
    2012-12-02 15:10:27 2205 ----a-w- c:\users\jeffrey\appdata\roaming\microsoft\internet explorer\quick launch\DeleteTemp Folder.vbs
    2012-12-01 23:49:33 -------- d-----w- c:\users\jeffrey\appdata\local\WindowsUpdate
    2012-12-01 23:44:30 -------- d-----w- c:\windows\PCHEALTH
    2012-12-01 23:42:37 -------- d-----w- c:\program files\Microsoft Analysis Services
    2012-12-01 23:42:13 -------- d-----w- c:\users\jeffrey\appdata\local\Microsoft Help
    2012-12-01 22:54:26 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-12-01 22:54:25 369856 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-12-01 22:54:25 247808 ----a-w- c:\windows\system32\schannel.dll
    2012-12-01 22:54:25 220160 ----a-w- c:\windows\system32\ncrypt.dll
    2012-12-01 22:54:25 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-12-01 22:54:25 1039360 ----a-w- c:\windows\system32\lsasrv.dll
    2012-12-01 22:54:23 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
    2012-12-01 22:54:23 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
    2012-12-01 22:54:10 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
    2012-12-01 22:53:54 499712 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-12-01 22:53:54 240496 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-12-01 22:53:54 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    2012-12-01 22:53:54 175104 ----a-w- c:\windows\system32\netcorehc.dll
    2012-12-01 22:53:54 156672 ----a-w- c:\windows\system32\ncsi.dll
    2012-12-01 22:53:54 1293680 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-12-01 22:53:53 52224 ----a-w- c:\windows\system32\nlaapi.dll
    2012-12-01 22:53:53 35328 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-12-01 22:53:53 242176 ----a-w- c:\windows\system32\nlasvc.dll
    2012-12-01 22:53:53 18944 ----a-w- c:\windows\system32\netevent.dll
    2012-12-01 22:52:20 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
    2012-12-01 22:52:20 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
    2012-12-01 22:26:42 -------- d-----w- c:\windows\Panther
    2012-12-01 22:04:37 -------- d-----w- c:\windows\system32\SPReview
    2012-12-01 22:04:24 -------- d-----w- c:\windows\system32\EventProviders
    2012-12-01 21:51:59 941568 ----a-w- c:\windows\system32\mblctr.exe
    2012-12-01 21:50:55 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2012-12-01 21:50:55 363008 ----a-w- c:\windows\system32\wbemcomn.dll
    2012-12-01 21:31:11 -------- d-----w- c:\windows\system32\Wat
    2012-12-01 21:30:51 805376 ----a-w- c:\windows\system32\FntCache.dll
    2012-12-01 21:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
    2012-12-01 21:28:38 398336 ----a-w- c:\windows\system32\TVWizudlg.exe
    2012-12-01 21:28:38 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
    2012-12-01 21:28:37 -------- d-----w- c:\windows\system32\Lang
    2012-12-01 21:12:23 1002008 ----a-w- c:\windows\system32\igxpun.exe
    2012-12-01 21:12:23 -------- d-----w- c:\windows\system32\x64
    2012-12-01 21:01:26 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2012-12-01 21:01:25 9728 ----a-w- c:\windows\system32\Wdfres.dll
    2012-12-01 21:01:25 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2012-12-01 21:00:54 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
    2012-12-01 21:00:53 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
    2012-12-01 21:00:53 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
    2012-12-01 21:00:53 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
    2012-12-01 21:00:52 613888 ----a-w- c:\windows\system32\WUDFx.dll
    2012-12-01 21:00:52 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
    2012-12-01 21:00:52 196608 ----a-w- c:\windows\system32\WUDFHost.exe
    2012-12-01 21:00:30 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-12-01 21:00:30 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-12-01 21:00:30 159232 ----a-w- c:\windows\system32\imagehlp.dll
    2012-12-01 20:55:52 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-12-01 20:54:59 492032 ----a-w- c:\windows\system32\win32spl.dll
    2012-12-01 20:46:07 769024 ----a-w- c:\windows\system32\localspl.dll
    2012-12-01 20:46:07 30208 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\winprint.dll
    2012-12-01 20:46:05 1077248 ----a-w- c:\windows\system32\DWrite.dll
    2012-12-01 20:46:00 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2012-12-01 20:46:00 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2012-12-01 20:46:00 107520 ----a-w- c:\windows\system32\cdd.dll
    2012-12-01 20:45:59 123904 ----a-w- c:\windows\system32\poqexec.exe
    2012-12-01 20:45:58 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2012-12-01 20:45:58 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2012-12-01 20:45:47 442880 ----a-w- c:\windows\system32\ntshrui.dll
    2012-12-01 20:45:45 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2012-12-01 20:45:38 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2012-12-01 20:43:25 826880 ----a-w- c:\windows\system32\rdpcore.dll
    2012-12-01 20:43:25 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-12-01 20:43:25 18432 ----a-w- c:\windows\system32\drivers\tdpipe.sys
    2012-12-01 20:39:48 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-12-01 20:39:39 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-12-01 20:39:32 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-12-01 20:39:32 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-12-01 20:34:41 11004488 ----a-w- c:\program files\common files\lpuninstall.exe
    2012-12-01 20:34:30 -------- d-----w- c:\program files\LastPass
    2012-12-01 20:33:38 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-12-01 20:24:09 -------- d-----w- c:\users\jeffrey\appdata\local\Google
    2012-12-01 20:24:07 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-12-01 20:24:05 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-12-01 20:24:04 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-12-01 20:23:46 -------- d-sh--w- c:\windows\Installer
    2012-12-01 20:23:39 41224 ----a-w- c:\windows\avastSS.scr
    2012-12-01 20:23:17 -------- d-----w- c:\programdata\AVAST Software
    2012-12-01 20:23:17 -------- d-----w- c:\program files\AVAST Software
    2012-12-01 20:01:55 -------- d-----w- c:\windows\system32\wbem\Performance
    2012-12-01 20:00:57 -------- d-sh--w- C:\Recovery
    .
    ==================== Find3M ====================
    .
    2012-12-01 22:29:40 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-11-09 04:42:49 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-11-05 20:32:16 295424 ----a-w- c:\windows\system32\atmfd.dll
    2012-11-05 20:32:09 34304 ----a-w- c:\windows\system32\atmlib.dll
    2012-11-02 05:11:31 376832 ----a-w- c:\windows\system32\dpnet.dll
    2012-10-16 07:39:52 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
    2012-10-04 16:47:18 169984 ----a-w- c:\windows\system32\winsrv.dll
    2012-10-04 16:43:05 293376 ----a-w- c:\windows\system32\KernelBase.dll
    2012-10-04 14:57:58 271360 ----a-w- c:\windows\system32\conhost.exe
    2012-10-04 14:41:50 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2012-10-04 14:41:50 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2012-10-04 14:41:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2012-10-04 14:41:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2012-09-25 22:47:43 78336 ----a-w- c:\windows\system32\synceng.dll
    .
    ============= FINISH: 20:36:38.54 ===============

    I have attached the zipped 'attach.txt' file.

    Below are the two logs from the 'aswMBR' program. (Note: after running this scan the first time, I thought the program had finished, so I clicked 'Save Log' and saved the report, but when I came back to the 'aswMBR' screen the scan was running (either again, or perhaps it had just paused in the initial scan?).) At any rate, I have included the report from clicking the 'Save Log' button the 2nd time, as it included all the info from the first run:

    2nd Log:

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-12-20 20:37:18
    -----------------------------
    20:37:18.799 OS Version: Windows 6.1.7601 Service Pack 1
    20:37:18.799 Number of processors: 2 586 0x170A
    20:37:18.799 ComputerName: JEFFREY-DESKTOP UserName: Jeffrey
    20:37:21.471 Initialize success
    20:37:21.612 AVAST engine defs: 12122001
    20:37:58.627 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    20:37:58.627 Disk 0 Vendor: ST31000524AS JC4B Size: 953869MB BusType: 3
    20:37:58.627 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-4
    20:37:58.627 Disk 1 Vendor: Hitachi_HDS721616PLA380 P22OA70A Size: 157066MB BusType: 3
    20:37:58.643 Disk 0 MBR read successfully
    20:37:58.659 Disk 0 MBR scan
    20:37:58.659 Disk 0 Windows 7 default MBR code
    20:37:58.659 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    20:37:58.674 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
    20:37:58.690 Disk 0 scanning sectors +1953521664
    20:37:58.737 Disk 0 scanning C:\Windows\system32\drivers
    20:38:06.784 Service scanning
    20:38:18.393 Modules scanning
    20:38:23.690 Disk 0 trace - called modules:
    20:38:23.721 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys
    20:38:23.721 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8607a460]
    20:38:23.721 3 CLASSPNP.SYS[8c27e59e] -> nt!IofCallDriver -> [0x852d9590]
    20:38:23.737 5 ACPI.sys[8ba4a3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x85be9030]
    20:38:30.331 AVAST engine scan C:\Windows
    20:38:42.127 AVAST engine scan C:\Windows\system32
    20:38:45.987 Disk 0 MBR has been saved successfully to "C:\Users\Jeffrey\Desktop\MBR.dat"
    20:38:46.002 The log file has been saved successfully to "C:\Users\Jeffrey\Desktop\aswMBR.txt"
    20:40:21.416 AVAST engine scan C:\Windows\system32\drivers
    20:40:30.212 AVAST engine scan C:\Users\Jeffrey
    20:41:30.369 Disk 0 MBR has been saved successfully to "C:\Users\Jeffrey\Desktop\MBR.dat"
    20:41:30.384 The log file has been saved successfully to "C:\Users\Jeffrey\Desktop\aswMBR2.txt"

    I note the following advice in the 'Sticky' at: http://forums.spybot.info/showthread.php?t=288

    "When Spybot-S&D is installed

    TeaTimer needs to be disabled so that its protection does not interfere with fixes.

    How Spybot-S&D protects against the installation of Spyware/Malware.

    TeaTimer can be re-enabled once the computer is clean.

    1. Open Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this go to the "Mode" menu and select "Advanced Mode".
    3. On the left hand side, click on "Tools".
    4. Then click on the Resident Icon in the List.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer."

    ... However, I could not find a Mode menu, or a Resident Icon or a TeaTimer in the Spybot-S&D 2 interface ... so I am not sure what to do here - please advise.

    I did run a Spybot-S&D 2 Scan before I saw that I should have updated the program first, and that first run indicated: "39 items found". I noticed that a separate 'Immunization' program came up automatically, but I closed both it and Spybot S&D 2 until I got some instructions about what to do here. I have since done the Spybot S&D 2 'Update' but haven't re-run the Scan until I know what to do about the "Resident TeaTimer" setting mentioned above.

    Thanks for anyone's help!

    Jeff
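    The aswMBR log above is the part of this post that is worth reading mechanically: the partition table lines and the "default MBR code" verdict are what a helper checks before worrying about the rest. The following script is an added example written for this thread; it is not part of the original post and not code from AVAST or the aswMBR tool. It assumes the line format is exactly the one quoted above (timestamp, "Disk N Partition M boot [(A)] type typename fs size MB offset sectors", and a "Disk N ... MBR code" line) and embeds a constructed copy of those lines as sample input. It parses the partitions, confirms that exactly one is marked active, that partitions do not overlap (100 MB starting at sector 2048 should end exactly where the second partition starts, at sector 206848), and that the MBR code was reported as a default one.

```python
import re
from dataclasses import dataclass

SECTOR_BYTES = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR_BYTES  # 2048 sectors per MB

# Constructed sample input: a subset of the aswMBR lines quoted in the post,
# reproduced in the same format (assumption: aswMBR always prints them this way).
SAMPLE_LOG = """\
20:37:58.643 Disk 0 MBR read successfully
20:37:58.659 Disk 0 MBR scan
20:37:58.659 Disk 0 Windows 7 default MBR code
20:37:58.659 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:37:58.674 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
20:37:58.690 Disk 0 scanning sectors +1953521664
"""

TS = r"^\d\d:\d\d:\d\d\.\d+ "
PARTITION_RE = re.compile(
    TS + r"Disk (?P<disk>\d+) Partition (?P<num>\d+) "
    r"(?P<boot>[0-9A-Fa-f]{2})(?: \(A\))? (?P<type>[0-9A-Fa-f]{2}) "
    r"(?P<typename>\S+) (?P<fs>\S+) (?P<size_mb>\d+) MB offset (?P<offset>\d+)$"
)
# Any "Disk N <description> MBR code" line; the description is what we judge.
MBR_CODE_RE = re.compile(TS + r"Disk (?P<disk>\d+) (?P<desc>.*MBR code.*)$")


@dataclass
class Partition:
    disk: int
    number: int
    active: bool          # boot indicator 0x80 (aswMBR also prints "(A)")
    type_id: int          # partition type byte, e.g. 0x07 for NTFS
    type_name: str
    fs: str
    size_mb: int
    offset_sectors: int   # LBA of the first sector of the partition

    @property
    def end_sector(self) -> int:
        """First sector after this partition, derived from size in MB."""
        return self.offset_sectors + self.size_mb * SECTORS_PER_MB


def parse_log(text: str):
    """Extract partition entries and per-disk MBR code descriptions."""
    partitions, mbr_code = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PARTITION_RE.match(line)
        if m:
            partitions.append(Partition(
                disk=int(m["disk"]), number=int(m["num"]),
                active=(m["boot"].upper() == "80"),
                type_id=int(m["type"], 16), type_name=m["typename"], fs=m["fs"],
                size_mb=int(m["size_mb"]), offset_sectors=int(m["offset"]),
            ))
            continue
        m = MBR_CODE_RE.match(line)
        if m:
            mbr_code[int(m["disk"])] = m["desc"]
    return partitions, mbr_code


def review(text: str):
    """Return human-readable findings; an empty list means nothing stood out."""
    partitions, mbr_code = parse_log(text)
    findings = []
    disks = sorted({p.disk for p in partitions} | set(mbr_code))
    for d in disks:
        desc = mbr_code.get(d)
        if desc is None:
            findings.append(f"disk {d}: no MBR code verdict line found")
        elif "default MBR code" not in desc:
            # aswMBR reported something other than a stock boot loader; review it.
            findings.append(f"disk {d}: MBR code not reported as default: {desc}")
        parts = sorted((p for p in partitions if p.disk == d),
                       key=lambda p: p.offset_sectors)
        active = [p.number for p in parts if p.active]
        if len(active) != 1:
            findings.append(f"disk {d}: expected one active partition, found {active}")
        for a, b in zip(parts, parts[1:]):
            if a.end_sector > b.offset_sectors:
                findings.append(f"disk {d}: partition {a.number} overlaps {b.number}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG) or ["no findings for SAMPLE_LOG"]:
        print(finding)
```

    On the sample above `review()` returns no findings: the 100 MB system partition at sector 2048 ends at sector 206848, which is exactly where the second partition begins, and the MBR verdict line says "default MBR code". Feeding it a log where the verdict line reads differently, or where no partition carries the 0x80 boot flag, produces a finding for a human to look at.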

  2. #2
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.


    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
    Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


    Vista and Windows 7 users:
    These tools MUST be run from the executable (.exe) every time you run them
    with Admin Rights (Right click, choose "Run as Administrator")


    Stay with this topic until I give you the all clean post.
    ---------

    AdwCleaner

    Please download AdwCleaner by Xplode onto your desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[R1].txt as well.

    ----------

  3. #3
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Still need help?

  4. #4
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Due to lack of feedback, this topic will now be closed.
    If you are the original poster and you still require help, please start a new thread.
    -------------------
