Tech Support Forum > Security Center > Virus/Trojan/Spyware Help

Action center constantly set to disabled and browser links being redirected

Post #21, 08-28-2012, 06:20 AM
Ried (Administrator; Management Team, Security Center & TSF Academy; Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Microsoft Most Valuable Professional; Join Date: Jan 2005; Location: Ohio; Posts: 42,338; OS: WinXP Home, Vista, Windows 7 64bit)

Excellent information, especially about this not occurring on other machines using the same router. That eliminates a hacked router as being the source. As this occurs with all browsers and the router is not the source, I highly suspect a bootkit at work here, however neither TDSSKiller nor aswmbr are seeing anything amiss.

Please run TDSSKiller once again and let's see if it picks up on anything this time around. Allow it to update if it prompts you to do so. As before, if it detects anything, do not allow it to Cure just yet. I need to see the report so I know in advance, what it would be going after in case a problem arises during any type of 'fixing'.

If TDSSKiller comes up with no threats detected, please do the following:

Download MBRFix Utility from here. You'll have to scroll down a bit to locate the MBRFix product. Click the Download button in the lower right corner of that description box and save the MBRFix.zip to your desktop. Extract all files.

Once extracted, there will be three files in the folder. Copy just the MBRFix64 application to the same USB drive that has FRST64.exe on it.

Open notepad and copy the contents of the quote box below, and save it on the flashdrive as fixlist.txt
Code:
SaveMbr: Drive=0
Same as you did earlier, restart the machine tapping F8. Select Repair your computer.

Follow the prompt to enter language, keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type F:\frst64.exe and press Enter.

    Note: The last time you ran FRST64.exe, the flash drive had been assigned the driver letter of F:\. If the above command does not work, type in Notepad and press enter. Locate the drive letter of the flash drive and replace letter F with the drive letter of your flash drive.

  • The tool will start to run.
  • Click the Fix button just once and wait.
  • When it has completed, there should be a file on the flashdrive named MBRDUMP.txt. Although it may look like a text file, it is a hex file, so you must attach this report to your reply instead of posting its contents.

__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
-- Ried
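The MBRDUMP.txt that the SaveMbr step writes is the raw 512-byte boot sector, which is why it must be attached rather than pasted. As an added example (not from the thread, FRST or MBRFix), this Python script parses such a dump: it checks the 0x55AA signature, lists the partition table, flags malformed or overlapping entries, and hashes the bootstrap code for comparison against a known-good baseline. The sample MBR and the baseline digest derived from it are constructed for the demo; on a real case the baseline comes from a known-clean disk with the same boot code.

```python
"""Parse and sanity-check a raw 512-byte MBR dump.

Added example, not from the thread or from FRST/MBRFix.  The MBR built by
build_sample_mbr() and the baseline hash derived from it are constructed
for the demo; on a real case the baseline comes from a known-clean disk.
"""
import hashlib
import struct
import sys
from typing import Dict, List

MBR_SIZE = 512
CODE_END = 440          # bytes 0..439: bootstrap code (the part worth hashing)
DISK_SIG_OFF = 440      # bytes 440..443: Windows disk signature (varies per machine)
PART_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510     # bytes 510..511: must be 0x55 0xAA
# status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
PART_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> Dict:
    """Split a 512-byte sector into signature, disk signature, code hash, partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions: List[Dict] = []
    for idx in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * idx)
        if ptype == 0 and sectors == 0:
            continue                      # empty slot
        partitions.append({"index": idx, "status": status, "active": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        # the hash excludes the disk signature, so identical boot code on
        # two machines yields the same digest
        "boot_code_sha256": hashlib.sha256(mbr[:CODE_END]).hexdigest(),
        "partitions": partitions,
    }


def audit_mbr(mbr: bytes, known_good_sha256: str) -> List[str]:
    """Return findings a reviewer would want to see; an empty list means nothing stood out."""
    info = parse_mbr(mbr)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: not a valid MBR")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
    # entries must not overlap: sort by start LBA and compare with the previous end
    prev_end = 0
    for p in sorted(info["partitions"], key=lambda e: e["lba_start"]):
        if p["lba_start"] < prev_end:
            findings.append(f"partition {p['index']} overlaps the previous entry")
        prev_end = max(prev_end, p["lba_start"] + p["sectors"])
    return findings


def build_sample_mbr(tamper: bool = False) -> bytes:
    """Constructed two-partition MBR; tamper=True flips one byte in the boot code."""
    code = bytearray(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (CODE_END - 8))
    if tamper:
        code[0x100] ^= 0xFF
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"        # signature + reserved word
    table = struct.pack(PART_FMT, 0x80, 0x07, 2048, 204800)        # active NTFS partition
    table += struct.pack(PART_FMT, 0x00, 0x07, 206848, 1_000_000)  # data NTFS partition
    table += b"\x00" * 32                                          # two empty slots
    return bytes(code) + disk_sig + table + b"\x55\xaa"


# Baseline for the demo only: derived from the constructed sample above.
KNOWN_GOOD_SHA256 = hashlib.sha256(build_sample_mbr()[:CODE_END]).hexdigest()


def load_dump(path: str) -> bytes:
    """MBRDUMP.txt is raw binary despite the extension, so read it in binary mode."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    sector = load_dump(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr(tamper=True)
    for entry in parse_mbr(sector)["partitions"]:
        print(f"#{entry['index']} active={entry['active']} type=0x{entry['type']:02x} "
              f"start={entry['lba_start']} sectors={entry['sectors']}")
    for finding in audit_mbr(sector, KNOWN_GOOD_SHA256) or ["no findings"]:
        print(finding)
```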
Post #22, 08-29-2012, 09:37 AM
battbun (Registered Member; Join Date: Aug 2012; Posts: 32; OS: Windows 7)

Will it make a difference if I run tdsskiller in safe mode or normal mode?
I think before when I started up in safe mode I managed to activate the service center service and keep it running.

-- battbun
Post #23, 08-29-2012, 03:30 PM
Ried (Administrator)

It doesn't really make a difference, but I would prefer you run it from Normal Mode.
-- Ried
Post #24, 08-30-2012, 07:04 AM
battbun (Registered Member)

Hi Ried,

I ran tdsskiller after taking a new version. The first time I ran it with standard settings it detected no threats.
I ran it a second time with the additional options (broken digital signatures and something else) checked.
This time it found 3 unsigned files:
Service: Bigfoot Networks Killer Service - suspicious object medium risk
Service: HiPatchService - suspicious object medium risk
Service: IDriverT - suspicious object medium risk

I told tdsskiller to skip these for now.

Do you still want me to run mbrfix.exe, as per your last post?
-- battbun
Post #25, 08-30-2012, 12:54 PM
Ried (Administrator)

Yes, please.
-- Ried
Post #26, 08-30-2012, 01:18 PM
battbun (Registered Member)

File as requested attached.
Attached file: MBRDUMP.txt (512 Bytes)
-- battbun
Post #27, 08-30-2012, 01:38 PM
battbun (Registered Member)

file attached as requested
Attached file: MBRDUMP.txt (512 Bytes)
-- battbun
Post #28, 08-30-2012, 03:27 PM
Ried (Administrator)

Thanks. The good news is that scanners are finding that mbr to be clean. Problem is I cannot locate the source of malware in any of these logs.

Download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
-- Ried
Post #29, 08-30-2012, 04:44 PM
battbun (Registered Member)

Log file details

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.30.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Thomas :: THOMAS-ALIEN [administrator]
31/08/2012 01:34:54
mbam-log-2012-08-31 (01-34-54).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202577
Time elapsed: 2 minute(s), 16 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 13
HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044044435} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055045535} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4F4C5E11-0612-48D2-8055-987992AAC432} (PUP.wxDfast) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 1
C:\ProgramData\wxDfast (PUP.wxDfast) -> Quarantined and deleted successfully.
Files Detected: 6
C:\ProgramData\wxDfast\background.html (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\bccldkoinakjmmgebambiaggjobhikfg.crx (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\content.js (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\daagpplbhllcgijggohnbciehkhdpdgm.crx (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\settings.ini (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\uninstall.exe (PUP.wxDfast) -> Quarantined and deleted successfully.
(end)
-- battbun
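Added example, not part of the thread or of Malwarebytes' own tooling: a parser for logs in the format posted above, which groups detections by family and section, checks that the per-section counts match the lines parsed, and separates PUP/adware hits from anything else and from items that were not fully removed. SAMPLE_LOG is a constructed excerpt in the same format; the Trojan.Example family and the unfinished actions in it are made up to exercise the checks.

```python
"""Parse a Malwarebytes Anti-Malware log and triage what it found.

Added example, not from the thread or from Malwarebytes.  SAMPLE_LOG is a
constructed excerpt in the posted format; the Trojan.Example line and the
"No action taken" / "Delete on reboot" outcomes are invented for the demo.
"""
import re
from collections import Counter
from typing import Dict, List

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# The object part is greedy, so a path containing "(x86)" still leaves the
# last parenthesised token before " -> " as the threat family.
DETECTION_RE = re.compile(r"^(?P<object>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
CLEAN_ACTION = "Quarantined and deleted successfully"
PUP_PREFIXES = ("PUP.", "PUM.")   # potentially unwanted programs / modifications


def parse_mbam_log(text: str) -> Dict:
    """Return header fields, one record per detection, and any count mismatches."""
    header: Dict[str, str] = {}
    records: List[Dict[str, str]] = []
    mismatches: List[str] = []
    section, expected, seen = None, 0, 0

    def close_section() -> None:
        # compare the "X Detected: N" header with the lines actually parsed
        if section is not None and seen != expected:
            mismatches.append(f"{section}: header says {expected}, parsed {seen}")

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line == "(end)":
            break
        m = SECTION_RE.match(line)
        if m:
            close_section()
            section, expected, seen = m["section"], int(m["count"]), 0
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            seen += 1
            records.append({"section": section, **m.groupdict()})
            continue
        if section is None and ": " in line:          # header key/value lines
            key, value = line.split(": ", 1)
            header[key] = value
    close_section()
    return {"header": header, "records": records, "count_mismatches": mismatches}


def triage(parsed: Dict) -> Dict:
    """Summarise what the scan found and what still needs attention."""
    records = parsed["records"]
    return {
        "by_family": dict(Counter(r["family"] for r in records)),
        "by_section": dict(Counter(r["section"] for r in records)),
        # anything not fully removed, e.g. "Delete on reboot" or "No action taken"
        "not_cleaned": [r for r in records if r["action"] != CLEAN_ACTION],
        # adware/PUP hits do not explain disabled services or redirects;
        # non-PUP families are the ones worth chasing
        "non_pup": [r for r in records if not r["family"].startswith(PUP_PREFIXES)],
        "count_mismatches": parsed["count_mismatches"],
    }


# Constructed excerpt in the posted format (raw string: the backslashes are literal).
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.30.07
Scan type: Quick scan
Objects scanned: 202577
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 3
HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4F4C5E11-0612-48D2-8055-987992AAC432} (PUP.wxDfast) -> Quarantined and deleted successfully.
Folders Detected: 1
C:\ProgramData\wxDfast (PUP.wxDfast) -> Quarantined and deleted successfully.
Files Detected: 3
C:\ProgramData\wxDfast\content.js (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Example Vendor\helper.exe (Trojan.Example) -> No action taken.
C:\ProgramData\wxDfast\settings.ini (PUP.wxDfast) -> Delete on reboot.
(end)
"""


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(json.dumps(triage(parse_mbam_log(text)), indent=2))
```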
Post #30, 08-30-2012, 05:00 PM
battbun (Registered Member)

The problem has not been resolved.
The services are still being turned off and links are still being redirected.
For example
avast! blocked the virus:

Abuse Report

Getting strange behaviour from google chrome. When it loaded it crashed, then when it reloaded the links appeared OK, but when I changed the search term it reloaded a blank search page and then crashed again. Definitely not correct behaviour.

Firefox links sometimes work and sometimes don't. Avast picked up this redirection in firefox
avast! blocked the virus:

Find what you need!
-- battbun
Post #31, 08-30-2012, 08:52 PM
Ried (Administrator)

I'd like for you to try running ComboFix again. Delete your existing Combofix.exe and download the latest version from here and save it to your desktop.

Disable your antivirus program, then double-click ComboFix.exe to run it. Follow all prompts, and post the C:\Combofix.txt when it has completed.
-- Ried
Post #32, 08-31-2012, 01:04 AM
battbun (Registered Member)

ComboFix 12-08-30.05 - Thomas 31/08/2012 9:50.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.6092.4157 [GMT 1:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
C:\prefs.js
c:\programdata\PCDr\6032\AddOnDownloaded\0d85b53c-d766-4bf0-8940-17b534910268.dll
c:\programdata\PCDr\6032\AddOnDownloaded\140239b3-d59a-46fa-b856-17682a46cb44.dll
c:\programdata\PCDr\6032\AddOnDownloaded\16837627-a839-41c5-a88f-3a0335128383.dll
c:\programdata\PCDr\6032\AddOnDownloaded\2ee79d71-badc-46b4-b731-42b15f3cd1c3.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3972fea3-214c-4935-a7d1-96bf66115683.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3a79f062-8f3e-464f-9815-2c45840494ee.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3e4c86d5-a5c1-4c3f-8fc7-6258992b16c5.dll
c:\programdata\PCDr\6032\AddOnDownloaded\493f295d-1a46-46f6-926c-63b474cedab4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\5e1c102f-bfde-420c-87c0-64fe851888e5.dll
c:\programdata\PCDr\6032\AddOnDownloaded\7014e871-cc3b-4dec-b82b-bc70222b40ed.dll
c:\programdata\PCDr\6032\AddOnDownloaded\8d357f17-07ad-4392-ba06-fb67564c98cd.dll
c:\programdata\PCDr\6032\AddOnDownloaded\a4930af9-016c-4915-a740-a3364e7618aa.dll
c:\programdata\PCDr\6032\AddOnDownloaded\ae67b364-b69e-471e-b177-2459120b84d4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\b2ed8d53-41ce-48e6-b4ac-8b8e5e1a4fdf.dll
c:\programdata\PCDr\6032\AddOnDownloaded\b9ce760f-6209-48f2-a4a3-695324591c45.dll
c:\programdata\PCDr\6032\AddOnDownloaded\d1f4dc82-bc4c-4916-b37c-3ab9c30ae468.dll
c:\programdata\PCDr\6032\AddOnDownloaded\daf30858-49d8-434b-b4b1-068b5dc9267c.dll
c:\programdata\PCDr\6032\AddOnDownloaded\e9bb45d9-5a2b-47e8-9c48-168276d422cc.dll
c:\programdata\PCDr\6032\AddOnDownloaded\f0fc9c9c-10ba-435b-8365-dadb523644ff.dll
c:\programdata\PCDr\6032\AddOnDownloaded\f9dc840b-c6f7-42a5-acec-50cc7a2827fd.dll
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\{384F9472-D854-4225-82AA-6D89A16087BF}.xps
c:\users\Thomas\AppData\Local\Temp\{496EB104-2C7D-46CE-9BE4-61BE2998D1C7}\fpb.tmp
c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-31 )))))))))))))))))))))))))))))))
.
.
2012-08-31 08:57 . 2012-08-31 08:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-31 00:34 . 2012-08-31 00:34 -------- d-----w- c:\users\Thomas\AppData\Roaming\Malwarebytes
2012-08-31 00:34 . 2012-08-31 00:34 -------- d-----w- c:\programdata\Malwarebytes
2012-08-31 00:34 . 2012-08-31 00:34 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-31 00:34 . 2012-07-03 12:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 07:20 . 2012-08-28 07:20 -------- d-----w- c:\users\Thomas\AppData\Local\Macromedia
2012-08-28 07:08 . 2012-08-28 07:08 -------- d-----w- c:\users\Thomas\AppData\Local\Mozilla
2012-08-28 07:07 . 2012-08-28 07:08 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-08-25 03:40 . 2012-08-25 03:40 -------- d-----w- C:\FRST
2012-08-24 08:31 . 2012-08-20 00:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{62ECBE49-A63B-419B-9DAA-AB0E912283A0}\mpengine.dll
2012-08-24 08:12 . 2012-08-24 08:12 -------- d-----w- c:\programdata\PC-Doctor for Windows
2012-08-18 20:41 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-18 20:41 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-18 20:41 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-08-18 20:41 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-18 20:41 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-18 20:41 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-18 20:41 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-18 20:41 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-08-18 20:41 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-18 20:41 . 2012-08-18 20:41 -------- d-----w- c:\programdata\AVAST Software
2012-08-18 20:41 . 2012-08-18 20:41 -------- d-----w- c:\program files\AVAST Software
2012-08-18 20:34 . 2012-08-18 20:34 -------- d-----w- c:\programdata\GFI Software
2012-08-18 15:25 . 2012-08-18 15:25 -------- d-----w- c:\users\Thomas\AppData\Local\Downloaded Installations
2012-08-18 15:24 . 2012-08-18 15:24 -------- d-----w- c:\users\Thomas\AppData\Local\adawarebp
2012-08-18 12:28 . 2012-08-18 12:28 -------- d-----w- c:\program files\CCleaner
2012-08-17 23:22 . 2012-08-18 12:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-08-17 23:22 . 2012-08-17 23:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-08-15 20:22 . 2012-07-06 20:07 552960 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-08-15 11:53 . 2012-08-15 11:53 191264 ----a-w- c:\windows\system32\javaws.exe
2012-08-15 11:53 . 2012-08-15 11:53 172320 ----a-w- c:\windows\system32\javaw.exe
2012-08-15 11:53 . 2012-08-15 11:53 172320 ----a-w- c:\windows\system32\java.exe
2012-08-10 18:23 . 2012-08-10 18:23 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-10 18:23 . 2012-08-10 18:23 -------- d-----w- c:\program files (x86)\JAVA
2012-08-10 18:09 . 2012-08-17 17:01 -------- d-----w- c:\users\Thomas\AppData\Roaming\.techniclauncher
2012-08-10 17:43 . 2012-08-15 11:53 -------- d-----w- c:\program files\JAVA
2012-08-08 16:51 . 2012-08-08 16:56 -------- d-----w- c:\users\Thomas\.chunky
2012-08-07 16:50 . 2012-08-07 16:50 0 ----a-w- c:\windows\SysWow64\REN82CC.tmp
2012-08-07 16:50 . 2012-08-07 16:50 0 ----a-w- c:\windows\SysWow64\REN82CB.tmp
2012-08-07 16:49 . 2012-08-07 16:49 0 ----a-w- c:\windows\system32\RENA72E.tmp
2012-08-07 16:49 . 2012-08-07 16:49 0 ----a-w- c:\windows\system32\RENA72D.tmp
2012-08-05 14:34 . 2012-08-05 14:34 122880 --sha-r- c:\windows\SysWow64\OpenCLY.dll
2012-08-04 18:43 . 2012-08-04 18:43 -------- d-----w- c:\users\Thomas\.java
2012-08-03 20:48 . 2012-08-03 20:48 -------- d-----w- c:\users\Thomas\AppData\Roaming\Blender Foundation
2012-08-03 20:45 . 2012-08-03 20:45 -------- d-----w- c:\users\Thomas\.thumbnails
2012-08-03 20:45 . 2012-08-03 20:45 -------- d-----w- c:\program files\Blender Foundation
2012-08-03 13:28 . 2012-08-03 13:33 -------- d-----w- c:\users\Thomas\AppData\Local\MCEdit-64bit
2012-08-02 22:56 . 2012-08-10 18:29 -------- d-----w- c:\users\Thomas\AppData\Roaming\.minecraft
2012-08-01 09:51 . 2012-08-01 09:51 -------- d-----w- c:\users\Thomas\AppData\Roaming\Mount&Blade With Fire and Sword
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 20:20 . 2012-01-31 17:13 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-15 11:53 . 2012-01-23 13:25 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-15 09:11 . 2012-04-08 08:49 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 09:11 . 2012-01-23 13:09 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-10 18:23 . 2012-01-31 22:20 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-07 19:10 . 2012-07-12 17:10 955840 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-06 14:57 . 2012-07-06 14:57 0 ----a-w- c:\windows\SysWow64\REN5DD8.tmp
2012-07-05 21:06 . 2012-07-11 14:28 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-06-09 05:43 . 2012-07-11 11:06 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 07:49 . 2012-06-06 07:49 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06 . 2012-07-11 11:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 11:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 11:06 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 11:06 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 11:06 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 11:06 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-24 12:16 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-24 12:16 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-24 12:16 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-24 12:16 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-24 12:16 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-24 12:16 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-24 12:16 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-24 12:15 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:15 . 2012-06-24 12:15 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"AlienwareOn-ScreenDisplay"="c:\program files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe" [2011-09-03 1636208]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-06-10 336384]
"Integrated Webcam Live! Central"="c:\program files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" [2011-04-13 503942]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-01-03 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bigfoot Killer Network Manager.lnk - c:\program files\Bigfoot Networks\Killer Network Manager\KillerNetManager.exe [2011-3-30 778752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [2009-07-24 11264]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 PCDSRVC{0FF99CEB-15C9CE9E-06020200}_0;PCDSRVC{0FF99CEB-15C9CE9E-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\alienautopsy\pcdsrvc_x64.pkms [2012-08-17 25584]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-31 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 21616]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 BfLwf;Bigfoot Networks Bandwidth Control;c:\windows\system32\DRIVERS\bflwfx64.sys [2011-03-30 68712]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\AlienFusionService.exe [2011-03-22 15296]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-06-20 203776]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2011-03-30 763904]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-06-27 2369960]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-06-24 8704]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\AlienRespawn\sftservice.EXE [2011-09-22 1692480]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-09-07 27760]
S3 Ak27x64;Killer Wireless-N 1102 device driver;c:\windows\system32\DRIVERS\Ak27x64.sys [2011-03-30 2705000]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-06-20 9320448]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-06-20 306688]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-08-17 344616]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2011-01-20 176096]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2011-06-20 12229664]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-11-30 76912]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-12-09 56344]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-03-04 82432]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-03-04 181760]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-05-04 337512]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 09:11]
.
2012-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-202297130-3945824560-89399665-1000Core.job
- c:\users\Thomas\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-20 11:22]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-202297130-3945824560-89399665-1000UA.job
- c:\users\Thomas\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-20 11:22]
.
2012-08-31 c:\windows\Tasks\Ssarujmm.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-17 1128448]
"Command Center Controllers"="c:\program files\Alienware\Command Center\AWCCStartupOrchestrator.exe" [2011-04-13 13256]
"Stage Remote"="c:\program files (x86)\Dell\Stage Remote\StageRemote.exe" [2011-06-28 2022976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-20 168216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-20 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-20 416024]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: Search the Web - c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
LSP: %SYSTEMROOT%\system32\BfLLR.dll
FF - ProfilePath - c:\users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\dpkcmvwf.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-03473724.sys
SafeBoot-60213938.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-(Default) - (no file)
AddRemove-Codec-V - c:\program files (x86)\Codec-V\Uninstall.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{0FF99CEB-15C9CE9E-06020200}_0]
"ImagePath"="\??\c:\program files\alienautopsy\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-202297130-3945824560-89399665-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:0e,80,2f,fd,2b,9c,a4,5d,fd,89,db,f8,2c,42,c7,2c,ef,25,82,d5,f9,
cd,08,2d,91,fa,e0,b4,93,36,71,5c,fc,18,0f,99,af,97,dd,9b,7d,e0,a4,2d,12,f0,\
"rkeysecu"=hex:52,cb,cf,e6,eb,ed,e5,77,fd,a4,34,66,dc,47,cf,4b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-31 10:00:21
ComboFix-quarantined-files.txt 2012-08-31 09:00
.
Pre-Run: 338,901,757,952 bytes free
Post-Run: 338,820,038,656 bytes free
.
- - End Of File - - A3BC5571FA452E78EF7DB042260A5CE5
Posted by battbun
Old 08-31-2012, 05:01 AM   #33
Ried
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,338
OS: WinXP Home, Vista, Windows 7 64bit
Are you still getting those redirect alerts from Avast?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 08-31-2012, 05:59 AM   #34
battbun
Registered Member
Join Date: Aug 2012
Posts: 32
OS: Windows 7
I put a search term in Google Chrome and the links on the results page appeared to work. I changed the search term and when I clicked on a link on the new results page, Avast trapped this redirection:
avast! blocked the virus:
Find what you need!
In IE, I put a search term into google and a popup security alert was displayed:
You are about to view pages over a secure connection.
Any information you exchange with the site cannot be viewed by anyone else on the web.
I changed the internet security options from custom back to medium-high and entered a search term into google and Avast trapped the following redirection:
Infection Details
URL: Abuse Report
Process: C:\Program Files (x86)\Internet Explorer...
Infection: URL:Mal
With internet security options changed to high, when a search term is entered into google the results page is displayed, and when you click on any link the URL is set to www.co.uk.
When internet security options are set back to medium-high, Avast traps the redirection.
Using Firefox, I entered a search term into google; when I clicked on a link on the results page Avast trapped the redirection and Firefox displayed a "Connection was reset" popup.
And the services are being disabled still.
Posted by battbun
Old 08-31-2012, 09:05 AM   #35
Ried
Administrator
Let's see if an online scan reveals anything. Please go here to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Posted by Ried
Old 08-31-2012, 01:47 PM   #36
battbun
Registered Member
C:\Program Files (x86)\AlienRespawn\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\AlienRespawn\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM142.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM144.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM211.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM220.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM41.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM43.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM142.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM144.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM211.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM220.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM41.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM43.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
Posted by battbun
Old 08-31-2012, 01:52 PM   #37
Ried
Administrator
Delete this folder:

C:\ProgramData\Tarma Installer

If that doesn't take care of the issue, I'm afraid we are at an impasse here.
Posted by Ried
Old 08-31-2012, 04:21 PM   #38
battbun
Registered Member
I deleted the folder as you said, but the redirections are still being trapped by Avast on all three internet browsers, bringing up the messages:

URL: http://click.gethotresults.com/ads-click...
Process: C:\Program Files (x86)\Internet Explorer...
Infection: URL:Mal
avast! blocked the virus:
Find what you need!
avast! blocked the virus:
Abuse Report

Also, the Windows Security Centre is still being disabled.
Posted by battbun
Old 08-31-2012, 04:28 PM   #39
battbun
Registered Member
I have noticed a folder in program files that starts with a hex string (looks a bit like a SID) and underneath it there is an x64 folder and within that something called Difxinstall64 and GEARAspiWDM. Would you know what these are?
Posted by battbun
Old 08-31-2012, 06:44 PM   #40
battbun
Registered Member
Hi Ried,
Thanks for all your assistance.
I have resorted to the ultimate fix..... restored the laptop to factory settings.
Problem has been resolved.

Posted by battbun

Copyright 2001 - 2014, Tech Support Forum