
url:mal virus

This is a discussion on url:mal virus within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 12-24-2013, 09:04 AM   #1
Registered Member
 
Join Date: May 2007
Posts: 60
OS: xp



I am in need of expert assistance in removing the nemesis virus "url:mal". I've also seen a pop-up from Avast blocking "url:mal2".
I tried running GMER and something prevents it from completing, so I'm not sure if it will give you the data you need.
Thanks in advance. :bang head:

Dell Inspiron 8250
WinXP


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.45.2
Run by Larry Crooms at 9:30:34 on 2013-12-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.118 [GMT -5:00]
.
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\SAgent4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Larry Crooms\Application Data\Fyzoin\ocgec.exe
C:\Program Files\Allen Datagraph\Cutter Driver\AllenSpooler.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{F5CE43F7-0125-48AC-9771-A262CFA85AC1}
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Do Not Track Me: {6E45F3E8-2683-4824-A6BE-08108022FB36} - c:\program files\donottrackplus\ie\DNTPAddon.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} -
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: TransSend Object: {E8AC0181-7B34-4507-BFFD-2B020BCC645A} - c:\program files\bluetooth sig\transsend\TransSend.dll
BHO: SMTTB2009 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - c:\program files\temp file cleaner db toolbar\tbcore3.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Temp File Cleaner DB Toolbar: {338B4DFE-2E2C-4338-9E41-E176D497299E} - c:\program files\temp file cleaner db toolbar\tbcore3.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} -
TB: Temp File Cleaner DB Toolbar: {338B4DFE-2E2C-4338-9E41-E176D497299E} - c:\program files\temp file cleaner db toolbar\tbcore3.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {0494D0DE-F8E0-41AD-92A3-14154ECE70AC} - <orphaned>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [EPSON Stylus CX7000F Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibka.exe /fu "c:\windows\temp\E_S89.tmp" /EF "HKCU"
uRun: [\\P3 LARRY C\EPSON CX7000] c:\windows\system32\spool\drivers\w32x86\3\e_fatibka.exe /fu "c:\windows\temp\E_S10B.tmp" /EF "HKCU"
uRun: [WorkForce 610(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S1FF.tmp" /EF "HKCU"
uRun: [Auto WorkForce 610(Network) on INSPIRON] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S2E7.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Auto WorkForce 610(Network) on BETHSLAPTOP2] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_SA6.tmp" /EF "HKCU"
uRun: [EPSON WorkForce 610 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S565.tmp" /EF "HKCU"
uRun: [EPSON WorkForce 610 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S3C6.tmp" /EF "HKCU"
uRun: [Auto EPSON Stylus CX7000F Series on BETHSLAPTOP2] c:\windows\system32\spool\drivers\w32x86\3\e_fatibka.exe /fu "c:\windows\temp\E_S22.tmp" /EF "HKCU"
uRun: [Auto EPSON WorkForce 610 Series on BETHSLAPTOP2] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S25.tmp" /EF "HKCU"
uRun: [Auto EPSONDDBBEB on BETHSLAPTOP2] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S27.tmp" /EF "HKCU"
uRun: [Auto EPSON WorkForce 610 Series (Copy 2) on BETHSLAPTOP2] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S29.tmp" /EF "HKCU"
uRun: [Alyrluy] "c:\documents and settings\larry crooms\application data\fyzoin\ocgec.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [SSRunScript] "c:\program files\support.com\charter\bin\ssrunscript.exe" /script "c:\program files\support.com\charter\vbs\verifyconnection.vbs" /args //b startupdelay
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [SnoopFreeUI] SnoopFreeUI.exe
mRun: [EPSON Stylus C88 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P32 "EPSON Stylus C88 Series (Copy 1)" /O15 "IP_192.168.0.10" /M "Stylus C88"
mRun: [Auto EPSON Stylus C88 Series (Copy 1) on BETHSLAPTOP2] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaba.exe /p53 "auto epson stylus c88 series (copy 1) on bethslaptop2" /o23 "\\bethslaptop2\Printer4" /M "Stylus C88"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Alyrluy] "c:\documents and settings\larry crooms\application data\fyzoin\ocgec.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
StartupFolder: c:\documents and settings\larry crooms\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\allens~1.lnk - c:\program files\allen datagraph\cutter driver\AllenSpooler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\corelm~1.lnk - c:\corel\graphics8\programs\MFIndexer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\windows\twain_32\scanwiz5\SDII.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: dontdisplaysecondusername = dword:775409736
mPolicies-System: dontdisplayfirstusername = 1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {6E45F3E8-2683-4824-A6BE-08108022FB36} - {23249465-AA46-4DED-BD4B-8EFB20F968FE} - c:\program files\donottrackplus\ie\DNTPAddon.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/24/install/gtdownls.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://www.cadlink.com/download/disk1/setup.exe
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - hxxp://web1.nugs.net/dev/dlControl.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5330/mcfscan.cab
TCP: NameServer = 24.159.64.23 24.217.201.67 24.177.176.38
TCP: Interfaces\{E43BA632-488D-4885-9D8D-83CB969B9BE7} : DHCPNameServer = 24.159.64.23 24.217.201.67 24.177.176.38
Notify: dimsntfy - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\larry crooms\application data\mozilla\firefox\profiles\h0pillt2.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/tempcleaner/{F5CE43F7-0125-48AC-9771-A262CFA85AC1}?q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R0 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-6-7 21576]
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2011-2-14 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2011-2-14 204784]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-6-21 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-6-21 175176]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-13 64288]
R0 SnoopFree;SnoopFree Driver;c:\windows\system32\drivers\SnopFree.sys [2007-5-27 9472]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2011-2-14 104752]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-14 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-7 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-7 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-6-21 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-7 46808]
R2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2011-2-14 137960]
R2 SnoopFreeSvc;Snoop Free Service;System32\SnoopFreeSvc.exe --> System32\SnoopFreeSvc.exe [?]
R3 SNXPCARD;Sunix PCI Multi I/O Card Driver;c:\windows\system32\drivers\snxpcard.sys [2002-6-12 20704]
R3 SNXPPALXP;Sunix XP PCI Multi I/O Parallel Port Driver ;c:\windows\system32\drivers\snxppalxp.sys [2002-6-4 75264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1355968]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S2 ptssvc;ptssvc;c:\program files\kodak\kodak picture transfer software\ptssvc.exe --> c:\program files\kodak\kodak picture transfer software\PTSsvc.exe [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Beomga6min;Beomga6min; [x]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 ONXPAR;ONXPAR;\??\c:\windows\system32\onxpar.sys --> c:\windows\system32\ONXPAR.SYS [?]
S3 RSPSC;RSPSC;c:\windows\system32\drivers\rspsc.sys --> c:\windows\system32\drivers\rspsc.sys [?]
S3 TMSPPCI;PCI Multi I/O Card Driver;c:\windows\system32\drivers\snxpcard.sys [2002-6-12 20704]
S3 TMSPPCIP;PCI Multi I/O Parallel Port Driver;c:\windows\system32\drivers\snxppal.sys [2002-6-12 23039]
S4 0263961200348408mcinstcleanup;McAfee Application Installer Cleanup (0263961200348408);c:\windows\temp\026396~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\026396~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
.
=============== File Associations ===============
.
ShellExec: mkwACT.exe: verify="c:\program files\michael k. weise\mkw audio compression toolkit\mkwACT.exe"
.
=============== Created Last 30 ================
.
2013-12-24 14:05:07 -------- d-----w- C:\TEMP
2013-12-24 12:09:58 -------- d-----w- c:\windows\system32\wbem\Logs
2013-12-23 16:51:33 -------- d-----w- c:\documents and settings\larry crooms\application data\Kahuipr
2013-12-23 16:50:52 -------- d-----w- c:\documents and settings\larry crooms\application data\Sulyfo
2013-12-23 16:49:55 -------- d-----w- c:\documents and settings\larry crooms\application data\Nynewaa
2013-12-23 16:48:55 -------- d-----w- c:\documents and settings\larry crooms\application data\Siypry
2013-12-23 16:41:24 -------- d-----w- c:\documents and settings\larry crooms\application data\Ahivwod
2013-12-23 16:39:30 -------- d-----w- c:\documents and settings\larry crooms\application data\Gabiisy
2013-12-23 16:38:36 -------- d-----w- c:\documents and settings\larry crooms\application data\Iqpivuc
2013-12-23 16:36:11 -------- d-----w- c:\documents and settings\larry crooms\application data\Ybqeyw
2013-12-23 16:34:22 -------- d-----w- c:\documents and settings\larry crooms\application data\Ehpihyme
2013-12-23 16:28:38 -------- d-----w- c:\documents and settings\larry crooms\application data\Fuifsoy
2013-12-23 16:25:25 -------- d-----w- c:\documents and settings\larry crooms\application data\Caalkis
2013-12-23 16:17:39 -------- d-----w- c:\documents and settings\larry crooms\application data\Vuawasok
2013-12-23 16:14:47 -------- d-----w- c:\documents and settings\larry crooms\application data\Ikahyhmy
2013-12-23 16:13:23 -------- d-----w- c:\documents and settings\larry crooms\application data\Utsixasa
2013-12-23 16:12:00 -------- d-----w- c:\documents and settings\larry crooms\application data\Ymnauzi
2013-12-23 14:56:50 -------- d-----w- c:\documents and settings\larry crooms\application data\Owiveka
2013-12-23 14:53:55 -------- d-----w- c:\documents and settings\larry crooms\application data\Fyzoin
2013-12-23 14:46:46 94208 ----a-w- c:\documents and settings\larry crooms\local settings\application data\ngsjcspq.exe
2013-12-11 16:57:24 -------- d-----w- c:\documents and settings\larry crooms\gemini fonts
.
==================== Find3M ====================
.
2013-12-11 16:39:39 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 16:39:39 692616 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-13 02:59:42 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26:17 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57:34 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57:33 43520 ------w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02 385024 ------w- c:\windows\system32\html.iec
2013-10-23 23:45:49 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-08 11:50:41 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 11:29:36 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
2011-06-27 15:35:05 9435312 -c--a-w- c:\program files\mbam-setup-1.51.0.1200.exe
2011-06-27 02:57:16 204496 -c--a-w- c:\program files\StartUpLite.exe
2011-05-23 22:38:51 80869160 -c--a-w- c:\program files\iTunesSetup.exe
2010-11-20 15:29:53 9880064 -c--a-w- c:\program files\allen datagraph SetupCutterDriver2.09a.EXE
2010-05-05 03:23:16 5856418 -c--a-w- c:\program files\burnaware_free.exe
2009-09-16 00:04:16 60857536 -c--a-w- c:\program files\Ad-AwareAE.exe
2009-09-12 17:24:02 3012768 -c--a-w- c:\program files\spywareblastersetup42.exe
2009-01-03 17:01:12 54157776 -c--a-w- c:\program files\avg_free_stf_en_8_176a1400.exe
2008-12-05 23:11:26 8303652 -c--a-w- c:\program files\signcutx2.exe
2008-04-18 02:37:56 133197120 -c--a-w- c:\program files\OOo_2.4.0_Win32Intel_install_wJRE_en-US.exe
2008-02-13 03:43:39 14153016 -c--a-w- c:\program files\network magic setup.exe
2007-10-18 03:29:37 27024112 -c--a-w- c:\program files\PowerPointViewer.exe
2006-12-21 02:01:06 1364256 -c--a-w- c:\program files\WLToolbarSetup_en.exe
2004-11-10 15:10:26 97293845 -c--a-w- c:\program files\j2sdk-1_4_2_04-nb-3_6-bin-windows.exe
1998-10-20 01:51:12 524800 -c--a-r- c:\program files\CADtools.aip
.
============= FINISH: 9:31:38.64 ===============
Attached Files
File Type: zip attach.zip (11.0 KB, 51 views)
File Type: txt dds.txt (23.7 KB, 60 views)
Old 12-25-2013, 03:30 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I noticed you have Ask Toolbar and Ask Toolbar Updater installed.

Please read this and decide if you want to keep them >> Current Practices of IAC/Ask Toolbars

You can uninstall them via Add or Remove Programs in your Control Panel.

If you decide to uninstall them, please delete the following Folder if it still exists:

C:\Program Files\Ask.com

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Coupon Printer for Windows<<Please read here

Also delete the following Folder if it still exists:

C:\Program Files\Coupons

------------------------------------------------------

Please uninstall the following via Start->(or Computer)->Control Panel->Add or Remove Programs if it still exists:

Temp File Cleaner and Temp File Cleaner DB Toolbar<<Please read this

Although the name for this reference is BigSeekPro, Temp File Cleaner DB Toolbar does redirect searches to BigSeekPro.com.

Please delete the following Folders if they still exist:

C:\Program Files\temp file cleaner
C:\Program Files\temp file cleaner db toolbar

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    c:\documents and settings\larry crooms\local settings\application data\ngsjcspq.exe

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analyzed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------

Check for additional security risks:
  • Please download CKScanner© by askey127 and save to your desktop.
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, just click OK.
  • Post the contents of ckfiles.txt in your next reply. It is located on your desktop.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
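The analyst's picks above (the Fyzoin\ocgec.exe autorun that appears under both uRun and mRun in the DDS log from post #1, and the freshly created ngsjcspq.exe in Local Settings\Application Data, which is the file sent to VirusTotal) follow a pattern that can be checked mechanically. The script below is an added example, not part of this thread and not code from DDS, AdwCleaner or VirusTotal. It parses the three line shapes DDS prints (running process paths, uRun/mRun/dRun entries, and "Created Last 30" file entries), flags executables that live in a per-user data directory, and pairs autoruns that register the same value name and command under both HKCU and HKLM. The sample log is constructed from paths on this page; the user-data heuristic, the Vista-and-later "\Users\...\AppData" generalization, the "All Users" exclusion and the VirusTotal hash-lookup URL form are this example's assumptions, not something the thread states.

```python
"""Triage a DDS-style log for autoruns and processes that point into a user
profile's data directories. Added example; not the thread's or DDS's code."""
import hashlib
import re

# Constructed sample in the shape of the DDS sections above. Paths are taken
# from the log in post #1; the ocgec.exe and ngsjcspq.exe entries are the ones
# the analyst singled out. Lines are labelled constructed input, not a real run.
SAMPLE_DDS = r"""
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Larry Crooms\Application Data\Fyzoin\ocgec.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Alyrluy] "c:\documents and settings\larry crooms\application data\fyzoin\ocgec.exe"
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Alyrluy] "c:\documents and settings\larry crooms\application data\fyzoin\ocgec.exe"
2013-12-23 14:46:46 94208 ----a-w- c:\documents and settings\larry crooms\local settings\application data\ngsjcspq.exe
2013-12-11 16:39:39 692616 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
"""

# uRun = HKCU, mRun = HKLM, dRun = default user; value name in brackets, then the command.
RUN_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$')
# "Created Last 30" / "Find3M": date, time, size, attribute flags, path.
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+\.exe)$', re.I)
# Running-process line: a full path, optionally followed by arguments (svchost -k ...).
PROCESS_RE = re.compile(r'^(?P<path>[a-z]:\\.+?\.exe)(?:\s.*)?$', re.I)


def executable_from_command(cmd):
    """Return the executable part of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):              # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]                # unquoted: first token (may be bare, e.g. RUNDLL32.EXE)


def in_user_data_dir(path):
    """Heuristic: is this path inside a per-user Application Data / AppData tree?

    Covers XP ("Documents and Settings\<user>\Application Data", including the
    "Local Settings" variant) and, as a generalization, Vista+ ("Users\<user>\AppData").
    "All Users" and ProgramData are machine-wide, not a user profile, so they are excluded
    to avoid flagging vendor services such as the EPSON entries in the log."""
    p = path.lower()
    if '\\all users\\' in p or '\\programdata\\' in p:
        return False
    profile_root = '\\documents and settings\\' in p or '\\users\\' in p
    data_dir = '\\application data\\' in p or '\\appdata\\' in p
    return profile_root and data_dir


def parse_dds(text):
    """Split DDS-style lines into (process paths, (hive, name, exe) autoruns, created paths)."""
    processes, autoruns, created = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            autoruns.append((m['hive'], m['name'], executable_from_command(m['cmd'])))
            continue
        m = CREATED_RE.match(line)
        if m:
            created.append(m['path'])
            continue
        m = PROCESS_RE.match(line)
        if m:
            processes.append(m['path'])
    return processes, autoruns, created


def triage(text):
    """Return a sorted list of (lower-cased path, reason) findings."""
    processes, autoruns, created = parse_dds(text)
    findings = set()
    for path in processes:
        if in_user_data_dir(path):
            findings.add((path.lower(), 'running from a per-user data directory'))
    by_name = {}                          # (value name, exe) -> set of hives it is registered in
    for hive, name, exe in autoruns:
        by_name.setdefault((name, exe.lower()), set()).add(hive)
        if in_user_data_dir(exe):
            findings.add((exe.lower(), f'{hive}Run autorun points into a per-user data directory'))
    for (name, exe), hives in by_name.items():
        if {'u', 'm'} <= hives:           # same value under both HKCU and HKLM, as with [Alyrluy]
            findings.add((exe, f'autorun [{name}] registered under both HKCU and HKLM'))
    for path in created:
        if in_user_data_dir(path):
            findings.add((path.lower(), 'recently created executable in a per-user data directory'))
    return sorted(findings)


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def virustotal_lookup_url(sha256_hex):
    """Report URL for a hash; looking a hash up uploads nothing from the machine."""
    return f'https://www.virustotal.com/gui/file/{sha256_hex}'


if __name__ == '__main__':
    for path, reason in triage(SAMPLE_DDS):
        print(f'{reason}: {path}')
```

Running it on the constructed sample reports ocgec.exe four times (running, HKCU autorun, HKLM autorun, and the HKCU/HKLM pair) and ngsjcspq.exe once, which is the same short list the analyst arrived at by eye. The hash lookup only returns a report if someone has already submitted that exact file; for a freshly dropped binary that nobody else has, the upload the analyst asked for is still the way to get it analysed.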
Old 12-27-2013, 09:10 PM   #3
Registered Member
 
Join Date: May 2007
Posts: 60
OS: xp



I will be delayed in following up on the instructions until Monday evening due to unforeseen circumstances. Much appreciation for your quick response.
LC
Old 12-27-2013, 09:57 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello Larry Crooms. That's fine. Post when ready. Have a great day!
Old 12-30-2013, 10:07 PM   #5
Registered Member
 
Join Date: May 2007
Posts: 60
OS: xp



# AdwCleaner v3.016 - Report created 30/12/2013 at 23:45:00
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Larry Crooms - PENT4
# Running from : C:\Documents and Settings\Larry Crooms\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Free Offers from Freeze.com
Folder Deleted : C:\Documents and Settings\Larry Crooms\Application Data\Toolbar4
Folder Deleted : C:\Documents and Settings\Larry Crooms\Application Data\Mozilla\Firefox\Profiles\h0pillt2.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
File Deleted : C:\Program Files\Mozilla Firefox\Components\AskSearch.js
File Deleted : C:\Documents and Settings\Larry Crooms\Application Data\Mozilla\Firefox\Profiles\h0pillt2.default\searchplugins\Askcom.xml
File Deleted : C:\Documents and Settings\Larry Crooms\Application Data\Mozilla\Firefox\Profiles\h0pillt2.default\searchplugins\search.xml
File Deleted : C:\Documents and Settings\Larry Crooms\Application Data\Mozilla\Firefox\Profiles\h0pillt2.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{338B4DFE-2E2C-4338-9E41-E176D497299E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{338B4DFE-2E2C-4338-9E41-E176D497299E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{96BD48DD-741B-41AE-AC4A-AFF96BA00F7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : HKCU\Software\Viewpoint
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v7.0.1 (en-US)

[ File : C:\Documents and Settings\Larry Crooms\Application Data\Mozilla\Firefox\Profiles\h0pillt2.default\prefs.js ]

Line Deleted : user_pref("browser.search.order.1", "Ask.com");
Line Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Line Deleted : user_pref("extensions.enabledAddons", "{75656794-AB59-4712-BFBC-5D816D56F3BC}:1.1.8,{20a82645-c095-46ed-80e3-08825760534b}:0.0.0,[email protected]:1.0,[email protected]:7.0.1426,[email protected]:3.13.1.100013,{9[...]
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
Line Deleted : user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Line Deleted : user_pref("browser.search.defaultenginename", "Ask.com");

-\\ Google Chrome v

[ File : C:\Documents and Settings\Larry Crooms\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [9085 octets] - [30/12/2013 23:32:24]
AdwCleaner[S0].txt - [9102 octets] - [30/12/2013 23:45:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9162 octets] ##########
Larry Crooms is offline  
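Added example (it is not from the thread and not AdwCleaner's own code): a small Python script that parses the [Registry] section of an AdwCleaner log like the one above and correlates each GUID across the places an Internet Explorer add-on registers itself (CLSID, Browser Helper Objects, Toolbar, Ext\PreApproved, Ext\Stats, and so on). The sample lines embedded in the script are copied from the posted AdwCleaner[S0].txt; the location labels and the ranking are the script's own, and the script makes no claim about what any individual GUID is.

```python
"""Correlate the GUIDs in an AdwCleaner [Registry] section across the
registry locations where an Internet Explorer add-on registers itself.

Added example for triaging the log above; not AdwCleaner code.  SAMPLE_LOG
is copied from the posted AdwCleaner[S0].txt; the labels are this script's.
"""
import re
from collections import Counter, defaultdict

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^(Key|Value|File|Folder|Line) Deleted : (.*)$")

# Registry locations that matter for an IE add-on, matched by a substring of
# the path (case-insensitive, first match wins).
LOCATIONS = [
    ("\\Explorer\\Browser Helper Objects\\", "BHO"),           # loaded into every IE process
    ("\\Internet Explorer\\Toolbar", "Toolbar"),                 # toolbar band registration
    ("\\Internet Explorer\\Extensions\\", "IE-Extension"),       # IE buttons / menu items
    ("\\Internet Explorer\\SearchScopes\\", "SearchScope"),      # search provider (hijack target)
    ("\\Ext\\PreApproved\\", "PreApproved"),                     # loads without the add-on prompt
    ("\\Ext\\Stats\\", "Ext-Stats"),                             # Add-on Manager bookkeeping
    ("\\Ext\\Settings\\", "Ext-Settings"),
    ("\\Low Rights\\ElevationPolicy\\", "ElevationPolicy"),      # may start outside Protected Mode
    ("\\Active Setup\\Installed Components\\", "ActiveSetup"),   # re-runs once per user at logon
    ("\\Classes\\CLSID\\", "CLSID"),                             # COM class -> InprocServer32 DLL
    ("\\Classes\\TypeLib\\", "TypeLib"),
]

SAMPLE_LOG = r"""
File Deleted : C:\Program Files\Mozilla Firefox\Components\AskSearch.js
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
"""


def classify(path):
    """Label a registry path by the add-on location it belongs to."""
    lowered = path.lower()
    for needle, label in LOCATIONS:
        if needle.lower() in lowered:
            return label
    return "Other"


def parse_entries(text):
    """Yield (kind, target) for every 'X Deleted : ...' line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def count_by_kind(text):
    """How many files, keys and values the log reports as deleted."""
    return dict(Counter(kind for kind, _ in parse_entries(text)))


def correlate_guids(text):
    """Map each GUID to the sorted list of locations it was deleted from."""
    hits = defaultdict(set)
    for kind, path in parse_entries(text):
        if kind not in ("Key", "Value"):
            continue
        for guid in GUID_RE.findall(path):
            hits[guid.upper()].add(classify(path))
    return {g: sorted(locs) for g, locs in hits.items()}


def rank(text):
    """GUIDs ordered by how many distinct locations referenced them.  The
    hubs at the top (COM class + BHO/Toolbar + Ext entries) are the add-on
    components; after the fix, those are the keys to verify stayed gone."""
    return sorted(correlate_guids(text).items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print(count_by_kind(SAMPLE_LOG))
    for guid, locs in rank(SAMPLE_LOG):
        print(guid, ", ".join(locs))
```

On the excerpt the three GUIDs that show up as a CLSID plus a BHO, toolbar or IE extension plus Ext\Stats/Settings and PreApproved entries come out on top; a GUID that appears only under Ext\Stats or ARPCache is bookkeeping rather than a loadable component. Re-running the same correlation over a fresh scan log after a cleanup round is a cheap way to confirm the hubs did not come back.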
Old 12-30-2013, 10:13 PM   #6
https://www.virustotal.com/en/file/d...is/1388466636/
Larry Crooms is offline  
Old 12-30-2013, 10:17 PM   #7
CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\corel\graphics8\custom\canvas\cracks2c.pcx
c:\corel\graphics8\custom\tiles\cracks2m.cpt
c:\program files\adobe\illustrator cs\plug-ins\vector studio's 1.0 for adobe illustrator\crack.exe
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\splat\content\frame\splatcrackleframes\bluecrackle.rfr
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\splat\content\frame\splatcrackleframes\goldcrackle.rfr
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\splat\content\frame\splatcrackleframes\greencrackle.rfr
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\splat\content\frame\splatcrackleframes\redcrackle.rfr
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\crumbling
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\gouges
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\hairline
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\long and wide
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\pock marked
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\shattered
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\short and rough
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\smooth and shallow
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\cracks\spidery
c:\program files\adobe\photoshop 6.0\plug-ins\alienskin\xenofex 2\settings\shatter\big cracks
c:\program files\adobe\photoshop cs\plug-ins\alienskin\splat\content\frame\splatcrackleframes\bluecrackle.rfr
c:\program files\adobe\photoshop cs\plug-ins\alienskin\splat\content\frame\splatcrackleframes\goldcrackle.rfr
c:\program files\adobe\photoshop cs\plug-ins\alienskin\splat\content\frame\splatcrackleframes\greencrackle.rfr
c:\program files\adobe\photoshop cs\plug-ins\alienskin\splat\content\frame\splatcrackleframes\redcrackle.rfr
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\crumbling
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\gouges
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\hairline
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\long and wide
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\pock marked
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\shattered
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\short and rough
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\smooth and shallow
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\cracks\spidery
c:\program files\adobe\photoshop cs\plug-ins\alienskin\xenofex 2\settings\shatter\big cracks
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 1.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 1.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 2.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 2.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 3.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 3.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 4.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 4.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 5.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 5.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 6.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 6.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 7.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 7.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 8.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\mud cracks 8.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 1.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 1.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 2.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 2.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 3.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 3.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 4.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 4.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 5.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 5.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 6.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 6.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 7.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 7.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 8.iqp
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effect presets\crackle\paint cracks 8.thm
c:\program files\adobe\photoshop cs\plug-ins\auto-fx\dreamsuite\effects\crackle
c:\program files\corel\corel graphics 12\custom data\canvas\cracks2c.pcx
c:\program files\corel\corel graphics 12\custom data\tiles\cracks2m.cpt
scanner sequence 3.ZZ.11.XUAPGZ
----- EOF -----
Larry Crooms is offline  
Old 12-31-2013, 11:04 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello Larry Crooms. Are you running a pirated version of Adobe Photoshop?

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 12-31-2013, 01:09 PM   #9
Not that I am aware of.
I've had it for several years.
I have a newer version on another machine.
Larry Crooms is offline  
Old 12-31-2013, 02:23 PM   #10
Avast popups kept flagging the infection and apparently stopped it (or quarantined it). No more popups at this point. However, my Corel12 isn't working normally. It keeps asking for the disc. My cd/dvd hasn't worked for some time, so they are unusable at this time.
Larry Crooms is offline  
Old 12-31-2013, 02:52 PM   #11
Sorry, looking closer, the crack appears to be for Adobe Illustrator CS:

Quote:
c:\program files\adobe\illustrator cs\plug-ins\vector studio's 1.0 for adobe illustrator\crack.exe
You'll have to uninstall it in order to proceed.
chemist is offline  
Old 12-31-2013, 03:05 PM   #12
AI removed as requested.
Larry Crooms is offline  
Old 12-31-2013, 03:19 PM   #13
Hello Larry Crooms.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:

  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  
Old 01-01-2014, 07:30 AM   #14
I downloaded ComboFix and ran it last night but got no results. I let it run for several hours thinking it was scanning.
I made a second attempt this morning and again it gets to the "blue screen" saying "scanning for infected files…" etc, and a blinking cursor. Still no results.
Antivirus is still turned off.
lc
Larry Crooms is offline  
Old 01-01-2014, 08:28 AM   #15
Hello again, Larry Crooms.

Run ComboFix again by right-click > Run as administrator.

When it hangs, launch Task Manager by pressing CTRL + ALT + DEL

Do NOT 'End Process' on CF####.3XE

Do 'End Process' on filenames like

- findstr
- peV
- sed
- grep
- or any file that has the extension *.3XE except the one noted above.

End each once only. ComboFix should run. If not, stop and let me know.

------------------------------------------------------
chemist is offline  
Old 01-01-2014, 10:12 AM   #16
CF is still hanging. I stopped one process that had the *.3XE extension, but CF doesn't respond.
Larry Crooms is offline  
Old 01-01-2014, 05:25 PM   #17
Run ComboFix in Safe Mode with Networking:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode with Networking and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------
chemist is offline  
Old 01-01-2014, 07:20 PM   #18
Sorry, I tried the F8 boot method and it doesn't respond in Safe Mode. Tried the msconfig method to get into Safe Mode and the "boot options" are greyed out, not giving me any other options.
Larry Crooms is offline  
Old 01-02-2014, 02:49 PM   #19
What do you mean it doesn't respond in Safe Mode, ComboFix doesn't run in Safe Mode, or you can't get to Safe Mode?

If you can't get to Safe Mode...

Please download SafeBootKeyRepair and Save it to your Desktop.

Double-click on SafeBootKeyRepair.exe to run it. It will take a few minutes for it to finish running, please be patient.

Now try to enter Safe Mode. If you are able to enter Safe Mode, try ComboFix again.

If you still cannot boot into Safe Mode, post the log it produced at C:\SafeBoot_Repair.txt

------------------------------------------------------
chemist is offline  
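Added example, not SafeBootKeyRepair's code and not part of the thread: what a Safe Mode repair tool has to put back lives under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, in the Minimal and Network subtrees, where each subkey names a driver group, driver or service that Windows is allowed to load in that mode. Malware that wants to survive Safe Mode sometimes deletes those subtrees, and the symptoms are the ones described in this thread (F8 never reaches Safe Mode, msconfig's boot options greyed out). The script below checks a snapshot of those keys. The list of expected subkeys is an illustrative subset chosen for the example, not the full set a repair tool restores; the pure check runs anywhere over a constructed snapshot, and the live reader works only on Windows.

```python
"""Check whether the registry keys Windows needs to offer Safe Mode exist.

Added example, not SafeBootKeyRepair's code.  safeboot_status() is a pure
check over a snapshot ({mode: set of subkey names, or None if the mode key
is missing}); read_live_snapshot() fills such a snapshot from the registry
and needs winreg, i.e. Windows.
"""
try:
    import winreg
except ImportError:          # not on Windows: the pure check still works
    winreg = None

SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
MODES = ("Minimal", "Network")   # Network is a superset of Minimal

# Illustrative subset of subkeys present under both SafeBoot\Minimal and
# SafeBoot\Network on XP / Win7; the real trees hold many more.  Each
# subkey's default value names its type ("Driver Group", "Service", or a
# device class name for the class-GUID entries).
EXPECTED = {
    "Base": "Driver Group",
    "Boot Bus Extender": "Driver Group",
    "EventLog": "Service",
    "PlugPlay": "Service",
    "RpcSs": "Service",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": "DiskDrive",
}


def safeboot_status(snapshot):
    """Return {mode: (verdict, missing_subkeys)} with verdict one of
    'absent'     - the mode key itself is gone (Safe Mode cannot start)
    'incomplete' - key exists but some expected subkeys are missing
    'ok'         - every expected subkey is present (case-insensitive)."""
    report = {}
    for mode in MODES:
        subkeys = snapshot.get(mode)
        if subkeys is None:
            report[mode] = ("absent", sorted(EXPECTED))
            continue
        present = {name.lower() for name in subkeys}
        missing = sorted(name for name in EXPECTED if name.lower() not in present)
        report[mode] = ("incomplete" if missing else "ok", missing)
    return report


def needs_repair(snapshot):
    """True if either Safe Mode variant is absent or incomplete."""
    return any(verdict != "ok" for verdict, _ in safeboot_status(snapshot).values())


def read_live_snapshot():
    """Enumerate the real SafeBoot subkeys (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is unavailable: not running on Windows")
    snapshot = {}
    for mode in MODES:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT + "\\" + mode)
        except OSError:                     # key deleted or never existed
            snapshot[mode] = None
            continue
        names, index = set(), 0
        while True:
            try:
                names.add(winreg.EnumKey(key, index))
            except OSError:                 # no more subkeys
                break
            index += 1
        winreg.CloseKey(key)
        snapshot[mode] = names
    return snapshot


if __name__ == "__main__":
    if winreg is not None:
        snap = read_live_snapshot()
    else:
        # Constructed snapshot mimicking a machine whose Minimal tree was
        # wiped while Network survived with one entry removed.
        snap = {"Minimal": None, "Network": set(EXPECTED) - {"PlugPlay"}}
    for mode, (verdict, missing) in safeboot_status(snap).items():
        print(mode, verdict, missing)
    print("repair needed:", needs_repair(snap))
```

Run it before and after a tool such as SafeBootKeyRepair: "absent" for either mode explains an F8 menu that does nothing, and the list of missing names tells you what the repair has to recreate. An "ok" result only says the keys exist, not that the driver files they name are intact.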
Old 01-02-2014, 03:53 PM   #20
After running the SafeBootKeyRepair I booted to Safe Mode and started ComboFix again.
I'm not sure if it is scanning, as all I see is a blinking cursor & three lines of text stating that it may take more than 10 mins for badly infected machines…
Larry Crooms is offline  
 

Copyright 2001 - 2018, Tech Support Forum