Popup and redirects

This is a discussion on Popup and redirects within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


 
 
Thread Tools Search this Thread
Old 04-04-2014, 12:42 AM   #1
Registered Member
 
Join Date: Jun 2010
Posts: 75
OS: Windows 7


Idea

I have a Dell Inspiron 5520 laptop running Windows 7. Browsers are IE11, Google Chrome 33, and Firefox 28. On all of the browsers I encounter constant popups for advertisements and fake virus scan fixes; I am also bombarded with redirects almost everytime I click on something.

I have ran the DDS and DDS text and Attach text files were created. I have pasted them and attached report as directed.

GMER has been downloaded to my desktop but when I run the GMER.exe I get a message that GMER.exe has stopped working after about 6 seconds of execution. I don't even get a chance to UNCHECK the items as instructed. I made sure that the Norton Firewall and Antivirus were both disabled.

I have not been able to proceed beyond this point.

Below is the paste of the DDS text

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521 BrowserJavaVersion: 10.51.2
Run by Frank at 23:55:56 on 2014-04-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8067.3970 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k bthaudiosvc
C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe
C:\PROGRA~2\MYFUNC~2\bar\1.bin\5mbarsvc.exe
C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\AppIntegrator64.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Elantech\ETDGesture.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Intel\TurboBoost\TurboBoost.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe
C:\Users\Frank\AppData\Local\Apps\2.0\53G5QTRP.5P4\4T3D2D5D.7QZ\dell..tion_0f612f649c4a10af_0005.0006_f9e15713f5aac8ac\DellSystemDetect.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Program Files (x86)\FindRight\updateFindRight.exe
C:\Program Files (x86)\FindRight\bin\utilFindRight.exe
C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe
C:\Program Files (x86)\FindRight\bin\XTLSApp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.yahoo.com/
uSearch Bar = Preserve
uSearch Page = hxxp://feed.helperbar.com/?publisher=TuguuBS&dpid=TuguuBS_CH&co=US&userid=f7499aa7-0edb-5379-dafb-ec3b373e9005&searchtype=ds&q={searchTerms}&installDate={installDate}&barcodeid={barcodeID}&um={UM}
uProxyServer = hxxp=127.0.0.1:13828
uSearchAssistant = hxxp://feed.helperbar.com/?publisher=TuguuBS&dpid=TuguuBS_CH&co=US&userid=f7499aa7-0edb-5379-dafb-ec3b373e9005&searchtype=ds&q={searchTerms}&installDate={installDate}&barcodeid={barcodeID}&um={UM}
mWinlogon: Userinit = userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\IPS\ipsbho.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
BHO: Constant Guard Protection Suite: {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.13.1211.1\NativeBHO.dll
BHO: Search Assistant BHO: {c4b22c87-45ef-4f43-89f2-40db2078864e} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mSrcAs.dll
BHO: Toolbar BHO: {da71fd14-5f7b-46ae-b8b1-44074a38f331} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: MyFunCards: {210f1b36-3b7f-41a4-b5da-3eb87f5a56c2} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbar.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [DellSystemDetect] C:\Users\Frank\AppData\Local\Apps\2.0\53G5QTRP.5P4\4T3D2D5D.7QZ\dell..tion_0f612f649c4a10af_0005.0006_f9e15713f5aac8ac\DellSystemDetect.exe
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [MyFunCards Search Scope Monitor] "C:\PROGRA~2\MYFUNC~2\bar\1.bin\5msrchmn.exe" /m=2 /w /h
mRun: [MyFunCards_5m Browser Plugin Loader] C:\PROGRA~2\MYFUNC~2\bar\1.bin\5mbrmon.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Frank\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\INTEL(~1.LNK - C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CONSTA~1.LNK - C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SOFTWA~1.LNK - C:\Program Files (x86)\Software Updater\SoftwareUpdater.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
Trusted Zone: dell.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{A6C6B953-F8B3-4DD9-BB8D-F510628BC7D5} : DHCPNameServer = 192.168.0.10 192.168.0.11
TCP: Interfaces\{C45F360E-B32F-4085-B871-48B15A0534B2} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{C45F360E-B32F-4085-B871-48B15A0534B2}\051627B667965677D2745756374737 : DHCPNameServer = 74.40.74.40 74.40.74.41
TCP: Interfaces\{C45F360E-B32F-4085-B871-48B15A0534B2}\14342554 : DHCPNameServer = 10.1.10.1
TCP: Interfaces\{C45F360E-B32F-4085-B871-48B15A0534B2}\143737564702255616C64797027427F65707 : DHCPNameServer = 192.168.68.10 192.168.68.254
TCP: Interfaces\{C45F360E-B32F-4085-B871-48B15A0534B2}\7586F6C65664F6F64637D41627B65647 : DHCPNameServer = 172.16.1.1
TCP: Interfaces\{C45F360E-B32F-4085-B871-48B15A0534B2}\8445C454E44494E474 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{C45F360E-B32F-4085-B871-48B15A0534B2}\F4E6762416 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{C5873428-741D-4A1C-9EBE-550515AF2A89} : DHCPNameServer = 192.168.1.1
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~2\keycry~1\keycry~3.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [nwiz] nwiz.exe /install
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [NVHotkey] rundll32.exe C:\Windows\System32\nvHotkey.dll,Start
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [IntelPROSet] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PROSet/Wireless
x64-Run: [ETDCtrl] C:\Program Files\Elantech\ETDCtrl.exe
x64-Run: [MyFunCards Home Page Guard 64 bit] "C:\PROGRA~2\MYFUNC~2\bar\1.bin\AppIntegrator64.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-synd1&type=W3i_SP,221,0_0,StartPage,20140313,19670,0,IE11,7635
FF - prefs.js: keyword.URL - hxxp://us.yhs4.search.yahoo.com/yhs/search?ei=UTF-8&hspart=w3i&hsimp=yhs-synd1&type=W3i_DS,221,0_0,Search,00000000,0,0,0,7635&p=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\NP5mStub.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: extensions.autoDisableScopes - 0
FF - user.js: extensions.shownSelectionUI - true
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-3-7 20024]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1502000.026\symds64.sys [2014-4-3 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1502000.026\symefa64.sys [2014-4-3 1148120]
R1 AntiLog32;AntiLog32;C:\Windows\System32\drivers\AntiLog64.sys [2013-4-24 49240]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140319.001\BHDrvx64.sys [2014-3-18 1525976]
R1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1502000.026\ccsetx64.sys [2014-4-3 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140403.001\IDSviA64.sys [2014-4-3 525016]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1502000.026\ironx64.sys [2014-4-3 264280]
R1 wStLib64;wStLib64;C:\Windows\System32\drivers\wStLib64.sys [2014-3-18 61112]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-3-15 659976]
R2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-4-23 135952]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2014-3-18 2169016]
R2 HFGService;Handsfree Headset Service;C:\Windows\System32\svchost.exe -k bthaudiosvc [2009-7-13 27136]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2013-3-7 2451456]
R2 IDVaultSvc;CGPS Service;C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2013-12-11 41024]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 MyFunCards_5mService;MyFunCardsService;C:\PROGRA~2\MYFUNC~2\bar\1.bin\5mbarsvc.exe [2013-10-28 44752]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\21.2.0.38\n360.exe [2014-4-3 265040]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\System32\drivers\TurboB.sys [2012-5-30 16168]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2012-3-15 198144]
R3 BthAudioHF;BthAudioHF Service;C:\Windows\System32\drivers\BthAudioHF.sys [2009-12-21 52224]
R3 BthAvrcp;Bluetooth AVRCP Profile;C:\Windows\System32\drivers\BthAvrcp.sys [2009-8-13 29184]
R3 csr_a2dp;Bluetooth AV Profile;C:\Windows\System32\drivers\bthav.sys [2009-12-21 78848]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-1-24 137648]
R3 ETD;Dell Touchpad;C:\Windows\System32\drivers\ETD.sys [2013-7-9 211280]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-3-7 358456]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-3-7 791608]
R3 keycrypt;keycrypt;C:\Windows\System32\drivers\KeyCrypt64.sys [2013-4-24 25056]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-2-2 412264]
R3 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1501000.012\symnets.sys [2013-11-29 590936]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2012-3-15 198144]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y60x64.sys [2009-6-10 281088]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2013-3-7 57856]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-9-12 1512448]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-11 111616]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2012-6-25 272688]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-3-22 19456]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUVStor.sys [2013-3-7 315536]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-3-22 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-3-22 30208]
.
=============== Created Last 30 ================
.
2014-04-03 17:24:41 593112 ----a-w- C:\Windows\System32\drivers\N360x64\1502000.026\symnets.sys
2014-04-03 17:24:41 493656 ----a-r- C:\Windows\System32\drivers\N360x64\1502000.026\symds64.sys
2014-04-03 17:24:41 23568 ----a-r- C:\Windows\System32\drivers\N360x64\1502000.026\symelam.sys
2014-04-03 17:24:41 1148120 ----a-w- C:\Windows\System32\drivers\N360x64\1502000.026\symefa64.sys
2014-04-03 17:24:40 36952 ----a-r- C:\Windows\System32\drivers\N360x64\1502000.026\srtspx64.sys
2014-04-03 17:24:39 875736 ----a-w- C:\Windows\System32\drivers\N360x64\1502000.026\srtsp64.sys
2014-04-03 17:24:39 264280 ----a-r- C:\Windows\System32\drivers\N360x64\1502000.026\ironx64.sys
2014-04-03 17:24:39 162392 ----a-r- C:\Windows\System32\drivers\N360x64\1502000.026\ccsetx64.sys
2014-04-03 17:24:01 -------- d-----w- C:\Windows\System32\drivers\N360x64\1502000.026
2014-03-25 04:57:32 -------- d-----w- C:\Program Files (x86)\Yahoo!
2014-03-25 04:57:26 -------- d-----w- C:\Program Files (x86)\Software Updater
2014-03-24 04:31:38 6574592 ----a-w- C:\Windows\System32\mstscax.dll
2014-03-24 04:31:38 5694464 ----a-w- C:\Windows\SysWow64\mstscax.dll
2014-03-23 04:29:02 44544 ----a-w- C:\Windows\System32\TsUsbGDCoInstaller.dll
2014-03-23 04:29:02 3072 ----a-w- C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
2014-03-23 04:29:00 83968 ----a-w- C:\Windows\System32\TSWbPrxy.exe
2014-03-23 04:29:00 62976 ----a-w- C:\Windows\System32\tsgqec.dll
2014-03-23 04:29:00 56832 ----a-w- C:\Windows\System32\MsRdpWebAccess.dll
2014-03-23 04:29:00 56832 ----a-w- C:\Windows\System32\drivers\TsUsbFlt.sys
2014-03-23 04:29:00 53248 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2014-03-23 04:29:00 50176 ----a-w- C:\Windows\SysWow64\MsRdpWebAccess.dll
2014-03-23 04:29:00 18944 ----a-w- C:\Windows\System32\wksprtPS.dll
2014-03-23 04:29:00 17920 ----a-w- C:\Windows\SysWow64\wksprtPS.dll
2014-03-23 04:29:00 13824 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-23 04:29:00 12800 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-23 04:28:59 420864 ----a-w- C:\Windows\System32\wksprt.exe
2014-03-23 04:28:59 1147392 ----a-w- C:\Windows\System32\mstsc.exe
2014-03-23 04:28:59 1068544 ----a-w- C:\Windows\SysWow64\mstsc.exe
2014-03-23 04:28:58 855552 ----a-w- C:\Windows\SysWow64\rdvidcrl.dll
2014-03-23 04:28:58 1057280 ----a-w- C:\Windows\System32\rdvidcrl.dll
2014-03-23 04:28:14 15360 ----a-w- C:\Windows\System32\RdpGroupPolicyExtension.dll
2014-03-23 04:28:07 19456 ----a-w- C:\Windows\System32\drivers\rdpvideominiport.sys
2014-03-23 04:28:06 30208 ----a-w- C:\Windows\System32\drivers\TsUsbGD.sys
2014-03-23 04:28:03 3174912 ----a-w- C:\Windows\System32\rdpcorets.dll
2014-03-23 04:28:03 243200 ----a-w- C:\Windows\System32\rdpudd.dll
2014-03-23 04:28:03 228864 ----a-w- C:\Windows\System32\rdpendp_winip.dll
2014-03-23 04:28:03 192000 ----a-w- C:\Windows\SysWow64\rdpendp_winip.dll
2014-03-23 04:27:37 792576 ----a-w- C:\Windows\SysWow64\TSWorkspace.dll
2014-03-23 04:27:37 1030144 ----a-w- C:\Windows\System32\TSWorkspace.dll
2014-03-23 04:27:26 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2014-03-23 04:27:26 366592 ----a-w- C:\Windows\System32\qdvd.dll
2014-03-23 03:53:05 -------- d-----w- C:\Windows\SysWow64\Adobe
2014-03-19 05:05:03 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-03-19 04:55:06 -------- d-----w- C:\Program Files (x86)\Uninstaller
2014-03-19 02:47:32 -------- d-----w- C:\Users\Frank\AppData\Local\SevereWeatherAlerts
2014-03-19 02:46:16 -------- d-----w- C:\Users\Frank\AppData\Local\SearchProtect
2014-03-18 17:51:12 61112 ----a-w- C:\Windows\System32\drivers\wStLib64.sys
2014-03-13 20:08:02 -------- d-----w- C:\Frank Bui
2014-03-12 05:32:10 -------- d-----w- C:\Asset Realty
2014-03-11 21:59:41 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-03-11 21:59:41 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-03-11 21:59:40 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-03-11 21:59:40 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
.
==================== Find3M ====================
.
2014-03-11 22:47:28 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-11 22:47:28 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 0247 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-22 01:28:54 20312 ----a-w- C:\Windows\System32\roboot64.exe
2014-01-16 00:42:40 608032 ----a-w- C:\SecurityScanner.dll
.
============= FINISH: 23:56:38.15 ===============
Attached Files
File Type: txt attach.txt (4.4 KB, 18 views)

__________________
dont_float is offline  
Old 04-07-2014, 09:37 AM   #2
Registered Member
 
Join Date: Jun 2010
Posts: 75
OS: Windows 7



BUMP please

__________________
dont_float is offline  
Old 04-07-2014, 11:33 AM   #3
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,763
OS: XP Win7 Ubuntu 10.10



Hello and welcome to TSF.

It appears you have MyFunCards Internet Explorer Toolbar installed. Please see the link below and uninstall it via Programs and Features in Control Panel, if present.

SystemLookup - c4b22c87-45ef-4f43-89f2-40db2078864e

===================

Quote:
uProxyServer = hxxp=127.0.0.1:13828
Did you set this proxy yourself?

===================

Quote:
GMER has been downloaded to my desktop but when I run the GMER.exe I get a message that GMER.exe has stopped working after about 6 seconds of execution. I don't even get a chance to UNCHECK the items as instructed.
Let's try another tool to check for rootkits.

Download TDSSKiller.exe to your desktop from this link:
http://media.kaspersky.com/utilities...tdsskiller.exe
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Click Accept on the End User License Agreement.
  • Click Accept or Decline on the KSN Statement <Kaspersky Security Network Statement is about uploading data for Kaspersky's analysis>
  • Press Start Scan
  • If Malicious objects are found, select Skip by changing the default Cure selection at the upper right
Once complete, a log will be produced at the root drive which is typically C:\
For example, C:\TDSSKiller.3.0.0.19_date_time_log.txt
Attach that log in your next reply, please.

==============

Also, please download AdwCleaner from here and save it to your desktop.
  • Do NOT click the green 'Download' button(if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
__________________

amateur is offline  
Old 04-07-2014, 09:34 PM   #4
Registered Member
 
Join Date: Jun 2010
Posts: 75
OS: Windows 7



MyFunCards Internet Explorer Toolbar has been uninstalled.

I did not set the proxy, but I did allow Dell support take over my laptop to changed some settings to make it run faster. They my have changed it; I don't know.

below is the AdwCleaner log report.

# AdwCleaner v3.023 - Report created 07/04/2014 at 21:14:39
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Frank - FRANK-PC
# Running from : C:\Users\Frank\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : MyFunCards_5mService
[#] Service Deleted : Re-markit
[#] Service Deleted : Update FindRight
[#] Service Deleted : Util FindRight

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\StarApp
[!] Folder Deleted : C:\Program Files (x86)\FindRight
Folder Deleted : C:\Program Files (x86)\MyFunCards_5m
Folder Deleted : C:\Users\Frank\AppData\Local\SearchProtect
Folder Deleted : C:\Users\Frank\AppData\Local\Temp\AirInstaller
Folder Deleted : C:\Users\Frank\AppData\LocalLow\MyFunCards_5m
Folder Deleted : C:\Users\Frank\AppData\Roaming\DigitalSites
Folder Deleted : C:\Users\Frank\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Frank\Documents\Optimizer Pro
Folder Deleted : C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File Deleted : C:\END
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\searchplugins\bingp.xml
File Deleted : C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\searchplugins\Web Search.xml
File Deleted : C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\user.js
File Deleted : C:\Windows\Tasks\Digital Sites.job
File Deleted : C:\Windows\System32\Tasks\Digital Sites

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_vuze_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_vuze_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{13119113-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{33119133-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C4B22C87-45EF-4F43-89F2-40DB2078864E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA71FD14-5F7B-46AE-B8B1-44074A38F331}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C4B22C87-45EF-4F43-89F2-40DB2078864E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DA71FD14-5F7B-46AE-B8B1-44074A38F331}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{37F4A335-D085-423E-A425-0370799166FB}
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\MyFunCards_5m
Key Deleted : HKCU\Software\SoftwareUpdater
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\MyFunCards_5m
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\MyFunCards_5m
Key Deleted : HKLM\Software\systweak
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Digital Sites

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [SearchAssistant]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Default_Search_URL]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default]

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\prefs.js ]

Line Deleted : user_pref("browser.newtab.url", "hxxp://feed.helperbar.com/?publisher=TuguuBS&dpid=TuguuBS_CH&co=US&userid=f7499aa7-0edb-5379-dafb-ec3b373e9005&searchtype=nt&installDate={installDate}&barcodeid={barco[...]

-\\ Google Chrome v33.0.1750.154

[ File : C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [6772 octets] - [07/04/2014 21:13:11]
AdwCleaner[S0].txt - [5706 octets] - [07/04/2014 21:14:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5766 octets] ##########
Attached Files
File Type: txt TDSSKiller.3.0.0.30_07.04.2014_21.02.34_log.txt (204.7 KB, 9 views)
__________________
dont_float is offline  
Old 04-08-2014, 05:52 AM   #5
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,763
OS: XP Win7 Ubuntu 10.10



Hi,

Please read through this entire procedure and if you have any questions, ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

===========================

Please download ComboFix from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Download & save ComboFix to your Desktop but don't run it yet.

----------------------
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.


Code:
DDS::
uProxyServer = hxxp=127.0.0.1:13828

ClearJavaCache::
Save this as CFScript.txt on your Desktop.




------------------------------

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Disable your Security Applications

-----------------------------
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, please post the log it produced in your next reply and let me know how things are now.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------

Please re-enable your antivirus before connecting to internet.
__________________

amateur is offline  
Old 04-08-2014, 09:54 PM   #6
Registered Member
 
Join Date: Jun 2010
Posts: 75
OS: Windows 7



ComboFix 14-04-08.01 - Frank 04/08/2014 21:43:04.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8067.5475 [GMT -7:00]
Running from: c:\users\Frank\Desktop\ComboFix.exe
Command switches used :: c:\users\Frank\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
FW: Norton Security Suite *Disabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
SP: Norton Security Suite *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\users\Frank\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-03-09 to 2014-04-09 )))))))))))))))))))))))))))))))
.
.
2014-04-09 04:48 . 2014-04-09 04:48 -------- d-----w- c:\users\Jennifer Nguyen\AppData\Local\temp
2014-04-09 04:48 . 2014-04-09 04:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-08 04:13 . 2014-04-08 04:14 -------- d-----w- C:\AdwCleaner
2014-04-06 08:49 . 2014-04-06 08:50 -------- d-----w- c:\programdata\WinZip
2014-04-06 08:45 . 2014-04-06 08:45 -------- d-----w- c:\users\Frank\AppData\Local\Caphyon
2014-04-06 08:44 . 2014-04-06 08:45 -------- d-----w- c:\users\Frank\AppData\Roaming\ii-download.com
2014-04-04 16:24 . 2014-04-07 17:35 -------- d-----w- c:\users\Frank\AppData\Local\CUSTPDF Writer
2014-04-03 17:24 . 2014-04-07 19:57 -------- d-----w- c:\windows\system32\drivers\N360x64\1502000.026
2014-03-25 04:57 . 2014-03-28 19:47 -------- d-----w- c:\programdata\Yahoo!
2014-03-25 04:57 . 2014-03-25 04:57 -------- d-----w- c:\program files (x86)\Software Updater
2014-03-24 04:31 . 2014-01-09 02:22 5694464 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-03-24 04:31 . 2014-01-03 22:44 6574592 ----a-w- c:\windows\system32\mstscax.dll
2014-03-23 04:29 . 2013-10-02 04:38 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2014-03-23 04:29 . 2013-10-02 01:10 44544 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2014-03-23 04:29 . 2013-10-02 02:22 56832 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2014-03-23 04:29 . 2013-10-02 02:11 13824 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-23 04:29 . 2013-10-02 02:08 12800 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-23 04:29 . 2013-10-02 01:48 56832 ----a-w- c:\windows\system32\MsRdpWebAccess.dll
2014-03-23 04:29 . 2013-10-02 01:48 18944 ----a-w- c:\windows\system32\wksprtPS.dll
2014-03-23 04:29 . 2013-10-02 01:29 62976 ----a-w- c:\windows\system32\tsgqec.dll
2014-03-23 04:29 . 2013-10-02 00:14 50176 ----a-w- c:\windows\SysWow64\MsRdpWebAccess.dll
2014-03-23 04:29 . 2013-10-02 00:14 17920 ----a-w- c:\windows\SysWow64\wksprtPS.dll
2014-03-23 04:29 . 2013-10-02 00:08 83968 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-03-23 04:29 . 2013-10-01 23:58 53248 ----a-w- c:\windows\SysWow64\tsgqec.dll
2014-03-23 04:28 . 2013-10-02 00:01 420864 ----a-w- c:\windows\system32\wksprt.exe
2014-03-23 04:28 . 2013-10-01 23:31 1147392 ----a-w- c:\windows\system32\mstsc.exe
2014-03-23 04:28 . 2013-10-01 22:34 1068544 ----a-w- c:\windows\SysWow64\mstsc.exe
2014-03-23 04:28 . 2013-10-02 00:15 1057280 ----a-w- c:\windows\system32\rdvidcrl.dll
2014-03-23 04:28 . 2013-10-01 23:08 855552 ----a-w- c:\windows\SysWow64\rdvidcrl.dll
2014-03-23 04:28 . 2012-08-23 13:24 15360 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2014-03-23 04:28 . 2012-08-23 14:10 19456 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2014-03-23 04:28 . 2012-08-23 14:08 30208 ----a-w- c:\windows\system32\drivers\TsUsbGD.sys
2014-03-23 04:28 . 2012-08-23 14:13 243200 ----a-w- c:\windows\system32\rdpudd.dll
2014-03-23 04:28 . 2012-08-23 11:12 192000 ----a-w- c:\windows\SysWow64\rdpendp_winip.dll
2014-03-23 04:28 . 2012-08-23 10:51 228864 ----a-w- c:\windows\system32\rdpendp_winip.dll
2014-03-23 04:28 . 2012-08-23 09:51 3174912 ----a-w- c:\windows\system32\rdpcorets.dll
2014-03-23 04:27 . 2013-09-25 02:23 1030144 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-03-23 04:27 . 2013-09-25 01:57 792576 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-03-23 04:27 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2014-03-23 04:27 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-03-23 03:53 . 2014-03-23 03:53 -------- d-----w- c:\windows\SysWow64\Adobe
2014-03-19 05:06 . 2014-03-19 05:06 -------- d-----w- c:\users\Frank\AppData\Roaming\Oracle
2014-03-19 05:05 . 2013-12-19 04:09 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-03-19 04:55 . 2014-03-19 04:55 -------- d-----w- c:\program files (x86)\Uninstaller
2014-03-19 02:47 . 2014-03-19 02:54 -------- d-----w- c:\users\Frank\AppData\Local\SevereWeatherAlerts
2014-03-18 17:51 . 2014-03-18 17:51 61112 ----a-w- c:\windows\system32\drivers\wStLib64.sys
2014-03-13 20:08 . 2014-04-04 06:46 -------- d-----w- C:\Frank Bui
2014-03-12 05:32 . 2014-03-26 21:35 -------- d-----w- C:\Asset Realty
2014-03-11 21:59 . 2014-02-04 02:32 624128 ----a-w- c:\windows\system32\qedit.dll
2014-03-11 21:59 . 2014-02-04 02:04 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2014-03-11 21:59 . 2014-02-04 02:32 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-03-11 21:59 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-19 16:52 . 2012-08-02 18:33 90015360 ----a-w- c:\windows\system32\MRT.exe
2014-03-19 03:03 . 2013-04-25 17:06 578256 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-03-11 22:47 . 2012-08-03 00:48 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-11 22:47 . 2012-08-03 00:48 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-01-16 00:42 . 2014-01-16 00:42 608032 ----a-w- C:\SecurityScanner.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-04-25 17:22 222712 ----a-w- c:\users\Frank\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-04-25 17:22 222712 ----a-w- c:\users\Frank\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-04-25 17:22 222712 ----a-w- c:\users\Frank\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSystemDetect"="c:\users\Frank\AppData\Local\Apps\2.0\53G5QTRP.5P4\4T3D2D5D.7QZ\dell..tion_0f612f649c4a10af_0005.0006_f9e15713f5aac8ac\DellSystemDetect.exe" [2014-03-25 258160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-10-24 290688]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
c:\users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Intel(R) Turbo Boost Technology Monitor 2.6.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2012-5-30 207400]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Constant Guard.lnk - c:\program files (x86)\Constant Guard Protection Suite\IDVault.exe /startdesktopidv /startup [2013-12-11 4383296]
SoftwareUpdater.lnk - c:\program files (x86)\Software Updater\SoftwareUpdater.exe [2014-3-24 1934016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(3).dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys;c:\windows\SYSNATIVE\DRIVERS\amppal.sys [x]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1y60x64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 iscFlash;iscFlash;c:\users\Frank\AppData\Local\Temp\7zSE149.tmp\iscflashx64.sys;c:\users\Frank\AppData\Local\Temp\7zSE149.tmp\iscflashx64.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUVStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TDKLIB;TDKLIB;c:\users\ADMINI~1\AppData\Local\Temp\ExtactTemp\TdkLib64.sys;c:\users\ADMINI~1\AppData\Local\Temp\ExtactTemp\TdkLib64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 uxddrv;Dynamically loaded UxdDrv;c:\windows\Temp\DIAG\uxddrv64.sys;c:\windows\Temp\DIAG\uxddrv64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\1502000.026\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1502000.026\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\1502000.026\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1502000.026\SYMEFA64.SYS [x]
S1 AntiLog32;AntiLog32;c:\windows\system32\drivers\AntiLog64.sys;c:\windows\SYSNATIVE\drivers\AntiLog64.sys [x]
S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140319.001\BHDrvx64.sys;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140319.001\BHDrvx64.sys [x]
S1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\N360x64\1502000.026\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\N360x64\1502000.026\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140408.001\IDSvia64.sys;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140408.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\1502000.026\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1502000.026\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\1502000.026\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\N360x64\1502000.026\SYMNETS.SYS [x]
S1 wStLib64;wStLib64;c:\windows\system32\drivers\wStLib64.sys;c:\windows\SYSNATIVE\drivers\wStLib64.sys [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]
S2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [x]
S2 IDVaultSvc;CGPS Service;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\21.2.0.38\N360.exe;c:\program files (x86)\Norton Security Suite\Engine\21.2.0.38\N360.exe [x]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
S2 ZeroConfigService;Intel(R) PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys;c:\windows\SYSNATIVE\DRIVERS\AMPPAL.sys [x]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys;c:\windows\SYSNATIVE\DRIVERS\BthAudioHF.sys [x]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys;c:\windows\SYSNATIVE\DRIVERS\BthAvrcp.sys [x]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys;c:\windows\SYSNATIVE\drivers\bthav.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 ETD;Dell Touchpad;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.6;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-31 01:38 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 22:47]
.
2014-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-25 07:16]
.
2014-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-25 07:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-04-25 17:22 261624 ----a-w- c:\users\Frank\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-04-25 17:22 261624 ----a-w- c:\users\Frank\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-04-25 17:22 261624 ----a-w- c:\users\Frank\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-03-19 03:04 2333400 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-03-19 03:04 2333400 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-03-19 03:04 2333400 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-01-30 23:05 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 23:05 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-01-30 23:05 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-01-30 23:05 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-01-30 23:05 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-06-11 1712672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 16329760]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 93728]
"IntelTBRunOnce"="wscript.exe" [2013-10-12 168960]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-09-05 1664000]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2012-09-20 682904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-04-05 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-04-05 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-04-05 439064]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2012-06-25 4802864]
"ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2013-01-09 2774864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(3).dll
.
------- Supplementary Scan -------
.
uStart Page = https://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:13828
uSearchAssistant = hxxp://www.google.com
Trusted Zone: dell.com
Trusted Zone: trueforms.com\*
Trusted Zone: trueforms.com\www
Trusted Zone: trueformsonline.com\*
Trusted Zone: trueformsonline.com\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-synd1&type=W3i_SP,221,0_0,StartPage,20140313,19670,0,IE11,7635
FF - prefs.js: keyword.URL - hxxp://us.yhs4.search.yahoo.com/yhs/search?ei=UTF-8&hspart=w3i&hsimp=yhs-synd1&type=W3i_DS,221,0_0,Search,00000000,0,0,0,7635&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\21.2.0.38\N360.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\21.2.0.38\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\N360x64\1502000.026\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files (x86)\Norton Security Suite\Engine\21.2.0.38;c:\program files (x86)\Norton Security Suite\Engine64\21.2.0.38"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-04-08 21:51:00
ComboFix-quarantined-files.txt 2014-04-09 04:51
.
Pre-Run: 848,050,700,288 bytes free
Post-Run: 847,955,288,064 bytes free
.
- - End Of File - - B0D1672B70293CEC4D1515067E46840A
5C616939100B85E558DA92B899A0FC36
__________________
dont_float is offline  
Old 04-09-2014, 05:32 AM   #7
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,763
OS: XP Win7 Ubuntu 10.10



Hi,

Have the popups and redirects stopped?

Let's continue to make sure the system is clean.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Launch Malwarebyte's, and select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

===============

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
__________________

amateur is offline  
Old 04-11-2014, 06:17 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,763
OS: XP Win7 Ubuntu 10.10



Hello dont_float,

Are you having problems with the Malwarebytes and ESET scans?

Please note that if I don't hear from you in 24 hrs, this topic will be closed.
__________________

amateur is offline  
Old 04-11-2014, 12:59 PM   #9
Registered Member
 
Join Date: Jun 2010
Posts: 75
OS: Windows 7



Hi,

I don't get the popup and redirections anymore but I do still have ads that comes on the screen here and there. My Internet Explorer default page has changed and also I don't recognize the type of search engine when I type on the address bar.

I also have the malware/virus PC Speed Maximizer on my computer that I can't close.

Below is the result of the ESET Report and also Malwarebyte reports are attached. They both found problems.

C:\AdwCleaner\Quarantine\C\Program Files (x86)\FindRight\FindRightUninstall.exe.vir Win32/BrowseFox.C potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\FindRight\updateFindRight.exe.vir a variant of Win32/BrowseFox.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\FindRight\bin\FilterApp_C64.exe.vir Win64/BrowseFox.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\FindRight\bin\utilFindRight.exe.vir a variant of Win32/BrowseFox.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\FindRight\bin\XTLS.dll.vir a variant of Win32/BrowseFox.K potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\FindRight\bin\XTLSApp.dll.vir Win32/BrowseFox.I potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\FindRight\bin\XTLSApp.exe.vir a variant of Win32/BrowseFox.I potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mauxstb.dll.vir Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbar.dll.vir a variant of Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbprtct.dll.vir Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbrmon.exe.vir Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mdatact.dll.vir a variant of Win32/Toolbar.MyWebSearch.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mhtmlmu.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mieovr.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.P potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mimpipe.exe.vir Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mPlugin.dll.vir probably a variant of Win32/Toolbar.MyWebSearch potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mreghk.dll.vir Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mskin.dll.vir a variant of Win32/Toolbar.MyWebSearch.P potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mskplay.exe.vir Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mSrchMn.exe.vir Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\AppIntegrator64.exe.vir Win64/Toolbar.MyWebSearch.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\AppIntegratorStub64.dll.vir Win64/Toolbar.MyWebSearch.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\CREXT.DLL.vir a variant of Win32/Toolbar.MyWebSearch.W potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\Hpg64.dll.vir Win64/Toolbar.MyWebSearch.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\NP5mStub.dll.vir Win32/Toolbar.MyWebSearch.T potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyFunCards_5m\bar\1.bin\T8HTML.DLL.vir probably a variant of Win32/Toolbar.MyWebSearch.F potentially unwanted application
C:\Program Files (x86)\BrowseBurst\BrowseBurstUninstall.exe Win32/BrowseFox.C potentially unwanted application
C:\Program Files (x86)\BrowseBurst\updateBrowseBurst.exe a variant of Win32/BrowseFox.H potentially unwanted application
C:\Program Files (x86)\BrowseBurst\bin\utilBrowseBurst.exe a variant of Win32/BrowseFox.H potentially unwanted application
C:\Program Files (x86)\FindRight\bin\XTLS.dll a variant of Win32/BrowseFox.K potentially unwanted application
C:\Program Files (x86)\FindRight\bin\XTLSApp.dll Win32/BrowseFox.I potentially unwanted application
C:\Program Files (x86)\FindRight\bin\XTLSApp.exe a variant of Win32/BrowseFox.I potentially unwanted application
C:\Program Files (x86)\PC Speed Maximizer\PCSpeedMaximizer.exe a variant of Win32/SpeedingUpMyPC application
C:\Program Files (x86)\SearchProtect\Main\bin\SPTool.dll a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\Program Files (x86)\SearchProtect\Main\bin\uninstall.exe a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\Program Files (x86)\The weDownload Manager\49074.crx JS/Toolbar.Crossrider.B potentially unwanted application
C:\Program Files (x86)\The weDownload Manager\49074.xpi JS/Toolbar.Crossrider.B potentially unwanted application
C:\Program Files (x86)\The weDownload Manager\The weDownload Manager-bg.exe a variant of Win32/Toolbar.CrossRider.AA potentially unwanted application
C:\Program Files (x86)\The weDownload Manager\The weDownload Manager-bho64.dll probably a variant of Win64/Toolbar.Crossrider.D potentially unwanted application
C:\Program Files (x86)\The weDownload Manager\utils.exe a variant of Win32/Packed.VMDetector.E potentially unwanted application
C:\Program Files (x86)\Uninstaller\Uninstall.exe a variant of MSIL/DomaIQ.A potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MOF76WX\microsoft security essentials setup.exe a variant of MSIL/Soft32Downloader.A potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MOF76WX\monetizationLoader[1].js JS/Toolbar.Crossrider.B potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\microsoft security essentials setup.exe a variant of MSIL/Soft32Downloader.A potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\OfferBrokerage_14220I[1].exe a variant of Win32/InstallIQ.A potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\Setup[1].exe a variant of Win32/BrowseFox.F potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\SPSetup[1].exe a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWIKMVTG\microsoft security essentials setup.exe a variant of MSIL/Soft32Downloader.A potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWIKMVTG\Software Update.exe a variant of Win32/AirAdInstaller.A potentially unwanted application
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IVHL710F\Software Update.exe a variant of Win32/AirAdInstaller.A potentially unwanted application
C:\Users\Frank\AppData\Local\Temp\1395301676_PCSpeedMaximizer.exe a variant of Win32/SpeedingUpMyPC application
C:\Users\Frank\AppData\Local\Temp\sp_downloader.exe Win32/Toolbar.Conduit.R potentially unwanted application
C:\Users\Frank\AppData\Local\Temp\nsdD6B2\SpSetup.exe a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\Users\Frank\AppData\Roaming\0D0S1L2Z1P1B\PDF Creator Packages\uninstaller.exe Win32/InstallCore.AZ potentially unwanted application
C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\extensions\b1ac2ff7-8e51-4bb6-8bf8-87f1d567919a@4bb97481-aead-4c2e-a62b-e25e264651bb.com\extensionData\plugins\91.js JS/Toolbar.Crossrider.B potentially unwanted application
C:\Users\Frank\Documents\Downloads\iLivid_Setup(2).exe Win32/Toolbar.Zugo potentially unwanted application
C:\Users\Frank\Documents\Downloads\iLivid_Setup.exe Win32/Toolbar.Zugo potentially unwanted application
C:\Users\Frank\Downloads\flashplayerpro-setup.exe Win32/DownloadAdmin.G potentially unwanted application
Operating memory a variant of Win32/SpeedingUpMyPC application
__________________
dont_float is offline  
Old 04-11-2014, 01:05 PM   #10
Registered Member
 
Join Date: Jun 2010
Posts: 75
OS: Windows 7



Here is the Malwarebyte files. The HTML format could not attach so I saved it to text
Attached Files
File Type: txt mbam-log-2014-04-09.txt (2.6 KB, 10 views)
File Type: txt mbam-protection log-2014-04-09.txt (2.9 KB, 6 views)
File Type: txt mbam-protection log-2014-04-10.txt (18.1 KB, 7 views)
File Type: txt mbam-protection log-2014-04-11.txt (3.5 KB, 9 views)
__________________
dont_float is offline  
Old 04-11-2014, 07:01 PM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,763
OS: XP Win7 Ubuntu 10.10



Hi,

Quote:
I don't get the popup and redirections anymore
That's good.

Quote:
but I do still have ads that comes on the screen here and there.
Some webpages do allow ads. You may even see them in this forum if you visit without logging in.

Quote:
My Internet Explorer default page has changed
Changed to what? It appears to be set to yahoo.com.

Quote:
and also I don't recognize the type of search engine when I type on the address bar.
Not sure what you mean, please explain in detail.

Quote:
I also have the malware/virus PC Speed Maximizer on my computer that I can't close.
That should be taken care of shortly.


Please open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MOF76WX\microsoft security essentials setup.exe"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MOF76WX\monetizationLoader[1].js"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\microsoft security essentials setup.exe"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\OfferBrokerage_14220I[1].exe"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\Setup[1].exe"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXE3QMPR\SPSetup[1].exe"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWIKMVTG\microsoft security essentials setup.exe"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWIKMVTG\Software Update.exe"
"C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IVHL710F\Software Update.exe"
"C:\Users\Frank\AppData\Local\Temp\1395301676_PCSpeedMaximizer.exe"
"C:\Users\Frank\AppData\Local\Temp\sp_downloader.exe"
"C:\Users\Frank\AppData\Local\Temp\nsdD6B2\SpSetup.exe"
"C:\Users\Frank\AppData\Roaming\0D0S1L2Z1P1B\PDF Creator Packages\uninstaller.exe"
"C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\3rv2tjii.default\extensions\b1ac2ff7-8e51-4bb6-8bf8-87f1d567919a@4bb97481-aead-4c2e-a62b-e25e264651bb.com\extensionData\plugins\91.js"
"C:\Users\Frank\Documents\Downloads\iLivid_Setup(2).exe"
"C:\Users\Frank\Documents\Downloads\iLivid_Setup.exe"
"C:\Users\Frank\Downloads\flashplayerpro-setup.exe"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (

"C:\Program Files (x86)\BrowseBurst"
"C:\Program Files (x86)\FindRight"
"C:\Program Files (x86)\PC Speed Maximizer"
"C:\Program Files (x86)\SearchProtect"
"C:\Program Files (x86)\The weDownload Manager"
"C:\Program Files (x86)\Uninstaller"

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Right-click on fix.bat and select Run as Administrator.

Tell me what it says in your next reply. Press any key to continue.

==================

When done, please run DDS again and post the fresh logs, i.e. DDS.txt and Attach.txt (if necessary name it as Attach2.txt)
__________________

amateur is offline  
Old 04-13-2014, 12:12 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,763
OS: XP Win7 Ubuntu 10.10



Hi,

Please note that I'll be away for the next couple of days and my reply to you may be delayed.

Thanks.
__________________

amateur is offline  
Old 05-04-2014, 12:24 PM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,763
OS: XP Win7 Ubuntu 10.10



Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

__________________

amateur is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
WINDOWS XP - combination of IE popup when IE isn't open and FireFox redirect on searc
Problems: 1) Firefox search redirects over and over 2) internet explorer (when not even open), creates little popup windows taking me to random sites. . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13 Run by Pinny at 14:51:30 on 2012-01-01...
PinJo Inactive Malware Help Topics 43 01-21-2012 10:39 AM
browser redirects and svchost.exe uses 100% cpu
Hi, My XP system seems to be infected.. It always shows popup at the starting of the window stating "Personalised setting for Search Helper. also after sometime or when i connect to internet the specific svchost.exe process shows 100% cpu around 700MB of RAM utilisation. Also invalid...
samjpandya Inactive Malware Help Topics 17 08-19-2011 09:43 AM
BAD Internet explorer popup VIRUS
I saw this virus on my mums computer a year ago and it broke the computer over time. Now I have it. It started when I stupidly downloaded a.. crack for fruity loops. (I was tired and stupid). Symptoms: Every 10 minutes or so, it autospawns an internet explorer with a random site. If I...
Noface94 Resolved HJT Threads 3 07-23-2011 08:09 AM
Browser Search Redirects
Hello, I'm an IT admin and on 4/19/11 one of our users on a domain got hit with the FakeAlert.AM! trojan (bmdkqkpoeawbt.exe). First I ran malwarebytes which found a couple infiltrations but did not fix the problem. I then ran SuperAntispyware which found 98 threats but still no fix. I then ran...
shutdown Resolved HJT Threads 16 05-08-2011 08:52 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 10:34 AM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts