TechSpot

Anoehr btr.scour redirect victim

Solved
By 5555624
Sep 13, 2012
Topic Status:
Not open for further replies.
  1. I've been struggling at trying to remove this since last night.

    A fulls can with Microsoft Security Essentials fixed a few minor problems, but not this one.

    My MalwareBytes log:

    Malwarebytes Anti-Malware 1.65.0.1400
    www.malwarebytes.org

    Database version: v2012.09.13.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    jds :: JDS-PC [administrator]

    9/13/2012 3:16:28 AM
    mbam-log-2012-09-13 (03-16-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 199036
    Time elapsed: 1 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    GMER didn't return anything

    My DDS logs - DDS.txt:

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
    Run by jds at 3:14:19 on 2012-09-13
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8104.6026 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\jmesoft\Service.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe
    C:\Program Files\Iomega\Quikprotect\QpMonitor.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\Iomega Storage Manager\IomegaStorageManager.exe
    C:\Windows\jmesoft\hotkey.exe
    C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe
    C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe
    C:\Windows\jmesoft\JME_LOAD.exe
    C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    C:\Program Files\Iomega\Quikprotect\QuikProtect.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\notepad.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND
    uStart Page = hxxp://www.lenovo.com/
    mWinlogon: Userinit=userinit.exe
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    mRun: [jmekey] C:\windows\jmesoft\hotkey.exe
    mRun: [jmesoft] C:\Windows\jmesoft\ServiceLoader.exe
    mRun: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1
    mRun: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1
    mRun: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
    mRun: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe"
    mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\Users\jds\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\IOMEGA~1.LNK - C:\Program Files (x86)\Iomega Storage Manager\IomegaStorageManager.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{16EF3924-C9CE-4718-A79A-7BC8C255985F} : DhcpNameServer = 192.168.1.1 192.168.1.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    mRun-x64: [jmekey] C:\windows\jmesoft\hotkey.exe
    mRun-x64: [jmesoft] C:\Windows\jmesoft\ServiceLoader.exe
    mRun-x64: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1
    mRun-x64: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1
    mRun-x64: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
    mRun-x64: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe"
    mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\jds\AppData\Roaming\Mozilla\Firefox\Profiles\rmg7te84.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&f=f#GoTo240|http://chinacelebs.venusblogger.com...86/q-who-is-the-hot-girl-playing-poker-in-the
    FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;C:\Windows\System32\drivers\ddcdrv.sys [2012-5-3 15712]
    R2 JME Keyboard;JME Keyboard Driver;C:\Windows\jmesoft\Service.exe [2012-5-3 32768]
    R2 PCloudd;PCloudd;C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe [2012-5-10 213504]
    R2 QPCopyEngine;QPCopyEngine;C:\Program Files\Iomega\Quikprotect\QpMonitor.exe [2012-5-9 458240]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-5-3 2655768]
    R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 QsFsFltr;QsFsFltr;C:\Windows\system32\DRIVERS\QsFsFltr.sys --> C:\Windows\system32\DRIVERS\QsFsFltr.sys [?]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-3 136176]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe --> c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [?]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-3 136176]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-18 113120]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 usbUDisc;usbUDisc;C:\Windows\system32\DRIVERS\USBDrv_AMD64.sys --> C:\Windows\system32\DRIVERS\USBDrv_AMD64.sys [?]
    S3 vNICdrv;Iomega Virtual Miniport;C:\Windows\system32\DRIVERS\vNICdrv.sys --> C:\Windows\system32\DRIVERS\vNICdrv.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 wsvd;wsvd;C:\Windows\system32\DRIVERS\wsvd.sys --> C:\Windows\system32\DRIVERS\wsvd.sys [?]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    SUnknown bbepoawh;bbepoawh; [x]
    .
    =============== Created Last 30 ================
    .
    2012-09-13 06:46:44 -------- d-----w- C:\Users\jds\AppData\Roaming\Malwarebytes
    2012-09-13 06:46:30 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-09-13 06:46:29 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-09-13 06:46:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-09-13 06:43:04 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{333E86DC-40CF-4695-BBFE-FBC1AA91470D}\offreg.dll
    2012-09-12 23:26:02 -------- d-----w- C:\Users\jds\AppData\Local\NPE
    2012-09-12 23:26:02 -------- d-----w- C:\ProgramData\Norton
    2012-09-12 22:20:22 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{333E86DC-40CF-4695-BBFE-FBC1AA91470D}\mpengine.dll
    2012-09-12 22:01:21 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
    2012-09-12 22:01:21 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
    2012-09-12 22:01:20 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
    2012-09-12 22:01:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
    2012-09-12 22:01:19 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
    2012-09-12 22:01:19 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
    2012-09-12 22:01:19 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-09-12 21:57:31 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-12 20:29:09 -------- d-----w- C:\Program Files\Enigma Software Group
    2012-09-12 19:00:26 -------- d-----w- C:\Program Files (x86)\PC Tools
    2012-09-12 18:46:32 -------- d-----w- C:\ProgramData\PC Tools
    2012-09-12 18:46:31 -------- d-----w- C:\Users\jds\AppData\Roaming\TestApp
    2012-09-12 18:40:04 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2012-09-12 18:39:54 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
    2012-08-31 11:26:32 -------- d-----w- C:\Users\jds\AppData\Roaming\DCO XMPP Desktop Client
    2012-08-31 11:26:28 -------- d-----w- C:\Program Files (x86)\DCO XMPP Desktop Client
    2012-08-31 11:07:35 -------- d-----w- C:\Users\jds\AppData\Local\Evernote
    2012-08-31 10:59:05 -------- d-----w- C:\Program Files (x86)\Evernote
    2012-08-25 20:13:29 -------- d-----w- C:\Windows\EffectResources
    2012-08-25 20:13:27 -------- d-----w- C:\Program Files (x86)\Vimicro
    2012-08-25 20:00:03 -------- d-----w- C:\Program Files (x86)\Replay Converter 4
    2012-08-25 19:58:40 -------- d-----w- C:\Program Files (x86)\VPL
    2012-08-25 19:57:48 -------- d-----w- C:\Program Files (x86)\Replay Media Splitter
    2012-08-25 19:56:41 -------- d-----w- C:\Program Files (x86)\Replay Telecorder for Skype
    2012-08-25 19:55:52 -------- d-----w- C:\Program Files (x86)\Replay Music 5
    2012-08-25 19:53:38 -------- d-----w- C:\Program Files (x86)\Replay Video Capture 6
    2012-08-25 19:50:41 -------- d-----w- C:\Program Files (x86)\Applian Technologies
    2012-08-25 19:50:12 -------- d-----w- C:\Users\jds\AppData\Roaming\Replay Media Catcher 4
    2012-08-25 19:50:12 -------- d-----w- C:\ProgramData\Applian
    2012-08-25 19:49:15 -------- d-----w- C:\Program Files (x86)\Applian Director
    2012-08-25 16:48:57 -------- d-----w- C:\Program Files (x86)\Skype
    2012-08-18 19:33:06 -------- d-----w- C:\Users\jds\AppData\Roaming\.purple
    2012-08-17 12:34:28 -------- d-----w- C:\Program Files (x86)\Pidgin
    2012-08-15 07:37:28 503808 ----a-w- C:\Windows\System32\srcore.dll
    2012-08-15 07:37:28 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
    2012-08-15 07:37:25 751104 ----a-w- C:\Windows\System32\win32spl.dll
    2012-08-15 07:37:25 67072 ----a-w- C:\Windows\splwow64.exe
    2012-08-15 07:37:25 559104 ----a-w- C:\Windows\System32\spoolsv.exe
    2012-08-15 07:37:25 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
    2012-08-15 07:37:24 59392 ----a-w- C:\Windows\System32\browcli.dll
    2012-08-15 07:37:24 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
    2012-08-15 07:37:24 3148800 ----a-w- C:\Windows\System32\win32k.sys
    2012-08-15 07:37:24 136704 ----a-w- C:\Windows\System32\browser.dll
    2012-08-15 07:37:23 956928 ----a-w- C:\Windows\System32\localspl.dll
    .
    ==================== Find3M ====================
    .
    2012-08-15 20:52:01 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-15 20:52:01 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-08-05 23:24:47 17280 ----a-w- C:\Windows\System32\drivers\USBDrv_AMD64.sys
    2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-06-17 13:03:59 245760 ----a-w- C:\Windows\SysWow64\uxtheme.dll
    2012-06-17 13:03:52 2755072 ----a-w- C:\Windows\SysWow64\themeui.dll
    2012-06-16 23:23:19 33019 ----a-w- C:\Windows\SysWow64\CoreAAC-uninstall.exe
    .
    ============= FINISH: 3:14:36.65 ===============

    If anyone has any ideas, I'd appreciate it. I'm beginning to think that wiping the system is the only solution.

    Thanks,
    JD
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    [​IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [​IMG]

    ------------------------

    Click the Start Scan button.

    [​IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [​IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [​IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  3. 5555624

    5555624 TS Rookie Topic Starter

    Thanks, DMJ.

    Running TDSSKiller produced a huge log, which is zipped up and attached.

    It seemed to find only three "medium" problems:


    08:09:40.0211 4220 Detected object count: 3
    08:09:40.0211 4220 Actual detected object count: 3
    08:10:26.0030 4220 JME Keyboard ( UnsignedFile.Multi.Generic ) - skipped by user
    08:10:26.0030 4220 JME Keyboard ( UnsignedFile.Multi.Generic ) - User select action: Skip
    08:10:26.0032 4220 PCloudd ( UnsignedFile.Multi.Generic ) - skipped by user
    08:10:26.0032 4220 PCloudd ( UnsignedFile.Multi.Generic ) - User select action: Skip
    08:10:26.0034 4220 QPCopyEngine ( UnsignedFile.Multi.Generic ) - skipped by user
    08:10:26.0034 4220 QPCopyEngine ( UnsignedFile.Multi.Generic ) - User select action: Skip
    08:10:47.0184 4904 Deinitialize success


    What should I do next?

    JD

    Attached Files:

  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Greetings. Good job on that.

    aswMBR

    Please download aswMBR from here

    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below

    [​IMG]

    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

    • Once the scan finishes click Save log to save the log to your Desktop
      [​IMG]
    • Copy and paste the contents of aswMBR.txt back here for review


    AdwCleaner Scan
    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  5. 5555624

    5555624 TS Rookie Topic Starter

    Thanks, DMJ.

    The contents of aswMBR.txt:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-14 12:56:35
    -----------------------------
    12:56:35.271 OS Version: Windows x64 6.1.7601 Service Pack 1
    12:56:35.271 Number of processors: 4 586 0x2A07
    12:56:35.272 ComputerName: JDS-PC UserName: jds
    12:56:37.767 Initialize success
    12:56:53.961 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    12:56:53.964 Disk 0 Vendor: Hitachi_HDS723020BLA642___________LENOVO MN6OA5R0 Size: 1907729MB BusType: 11
    12:56:53.970 Disk 0 MBR read successfully
    12:56:53.973 Disk 0 MBR scan
    12:56:53.975 Disk 0 Windows 7 default MBR code
    12:56:53.978 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    12:56:53.983 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 1881953 MB offset 206848
    12:56:54.018 Disk 0 Partition 3 00 12 Compaq diag NTFS 25675 MB offset 3854446592
    12:56:54.063 Disk 0 scanning C:\Windows\system32\drivers
    12:56:57.034 Service scanning
    12:57:04.202 Modules scanning
    12:57:04.213 Disk 0 trace - called modules:
    12:57:04.227 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
    12:57:04.232 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dc6060]
    12:57:04.571 3 CLASSPNP.SYS[fffff8800197b43f] -> nt!IofCallDriver -> [0xfffffa80076f09b0]
    12:57:04.587 5 ACPI.sys[fffff88000f297a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80076ef060]
    12:57:04.600 Scan finished successfully
    12:57:29.712 Disk 0 MBR has been saved successfully to "C:\Workarea\MBR.dat"
    12:57:29.752 The log file has been saved successfully to "C:\Workarea\aswMBR.txt"

    The contents of AdwCleaner[R1].txt:

    # AdwCleaner v2.001 - Logfile created 09/14/2012 at 12:57:49
    # Updated 09/09/2012 by Xplode
    # Operating system : Windows 7 Professional Service Pack 1 (64 bits)
    # User : jds - JDS-PC
    # Boot Mode : Normal
    # Running from : C:\Users\jds\Downloads\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Found : C:\ProgramData\Partner
    Folder Found : C:\Users\jds\AppData\Roaming\OpenCandy

    ***** [Registry] *****

    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    -\\ Mozilla Firefox v13.0.1 (en-US)

    Profile name : default
    File : C:\Users\jds\AppData\Roaming\Mozilla\Firefox\Profiles\rmg7te84.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\jds\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    -\\ Opera v12.0.1467.0

    File : C:\Users\jds\AppData\Roaming\Opera\Opera\operaprefs.ini

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [1144 octets] - [14/09/2012 12:57:49]

    ########## EOF - C:\AdwCleaner[R1].txt - [1204 octets] ##########


    Let me know the next step.

    Thanks, again.

    JD
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  7. 5555624

    5555624 TS Rookie Topic Starter

    Thanks, DMJ.

    I followed your instructions and here is "C:\Combo-Fix.txt":

    ComboFix 12-09-15.02 - jds 09/15/2012 16:38:48.1.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8104.5324 [GMT -4:00]
    Running from: c:\users\jds\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-15 to 2012-09-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-15 20:41 . 2012-09-15 20:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-15 06:53 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E9E29FAB-85AA-408A-9638-33E64684F43F}\mpengine.dll
    2012-09-14 06:53 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-13 18:06 . 2012-09-13 18:06 -------- d-----w- c:\users\jds\AppData\Roaming\dvdcss
    2012-09-13 06:46 . 2012-09-13 06:46 -------- d-----w- c:\users\jds\AppData\Roaming\Malwarebytes
    2012-09-13 06:46 . 2012-09-13 06:46 -------- d-----w- c:\programdata\Malwarebytes
    2012-09-13 06:46 . 2012-09-13 06:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-09-13 06:46 . 2012-09-07 21:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-12 23:26 . 2012-09-12 23:35 -------- d-----w- c:\users\jds\AppData\Local\NPE
    2012-09-12 23:26 . 2012-09-12 23:26 -------- d-----w- c:\programdata\Norton
    2012-09-12 22:01 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
    2012-09-12 22:01 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
    2012-09-12 22:01 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
    2012-09-12 22:01 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
    2012-09-12 22:01 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-09-12 22:01 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-09-12 22:01 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    2012-09-12 20:29 . 2012-09-12 20:29 -------- d-----w- c:\program files\Enigma Software Group
    2012-09-12 19:00 . 2012-09-12 21:36 -------- d-----w- c:\program files (x86)\PC Tools
    2012-09-12 18:46 . 2012-09-12 21:35 -------- d-----w- c:\programdata\PC Tools
    2012-09-12 18:46 . 2012-09-12 18:46 -------- d-----w- c:\users\jds\AppData\Roaming\TestApp
    2012-09-12 18:40 . 2012-09-12 21:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-09-12 18:39 . 2012-09-12 21:56 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
    2012-08-31 11:26 . 2012-08-31 11:28 -------- d-----w- c:\users\jds\AppData\Roaming\DCO XMPP Desktop Client
    2012-08-31 11:26 . 2012-08-31 11:26 -------- d-----w- c:\program files (x86)\DCO XMPP Desktop Client
    2012-08-31 11:07 . 2012-09-12 23:30 -------- d-----w- c:\users\jds\AppData\Local\Evernote
    2012-08-31 10:59 . 2012-08-31 10:59 -------- d-----w- c:\program files (x86)\Evernote
    2012-08-27 21:25 . 2012-08-27 21:25 -------- d-----w- c:\program files (x86)\FileZilla FTP Client
    2012-08-27 21:18 . 2012-08-27 21:35 -------- d-----w- c:\users\jds\AppData\Roaming\FileZilla
    2012-08-25 20:13 . 2012-08-25 20:13 -------- d-----w- c:\windows\EffectResources
    2012-08-25 20:13 . 2012-08-25 20:13 -------- d-----w- c:\program files (x86)\Vimicro
    2012-08-25 20:00 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\Replay Converter 4
    2012-08-25 19:58 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\VPL
    2012-08-25 19:57 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\Replay Media Splitter
    2012-08-25 19:56 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\Replay Telecorder for Skype
    2012-08-25 19:55 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\Replay Music 5
    2012-08-25 19:53 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\Replay Video Capture 6
    2012-08-25 19:50 . 2012-08-25 19:50 -------- d-----w- c:\program files (x86)\Applian Technologies
    2012-08-25 19:50 . 2012-08-25 19:50 -------- d-----w- c:\users\jds\AppData\Roaming\Replay Media Catcher 4
    2012-08-25 19:50 . 2012-08-25 19:50 -------- d-----w- c:\programdata\Applian
    2012-08-25 19:49 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\Applian Director
    2012-08-25 16:49 . 2012-08-25 20:33 -------- d-----w- c:\users\jds\AppData\Roaming\Skype
    2012-08-25 16:48 . 2012-08-25 20:33 -------- d-----w- c:\program files (x86)\Skype
    2012-08-25 16:48 . 2012-08-25 20:33 -------- d-----w- c:\programdata\Skype
    2012-08-18 19:33 . 2012-08-27 22:27 -------- d-----w- c:\users\jds\AppData\Roaming\.purple
    2012-08-17 12:34 . 2012-08-17 12:35 -------- d-----w- c:\program files (x86)\Pidgin
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-12 22:05 . 2012-06-16 17:10 64462936 ----a-w- c:\windows\system32\MRT.exe
    2012-08-15 20:52 . 2012-06-16 18:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-15 20:52 . 2012-06-16 18:16 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-05 23:24 . 2012-08-05 23:24 17280 ----a-w- c:\windows\system32\drivers\USBDrv_AMD64.sys
    2012-07-18 18:15 . 2012-08-15 07:37 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-04 22:16 . 2012-08-15 07:37 73216 ----a-w- c:\windows\system32\netapi32.dll
    2012-07-04 22:13 . 2012-08-15 07:37 59392 ----a-w- c:\windows\system32\browcli.dll
    2012-07-04 22:13 . 2012-08-15 07:37 136704 ----a-w- c:\windows\system32\browser.dll
    2012-07-04 21:14 . 2012-08-15 07:37 41984 ----a-w- c:\windows\SysWow64\browcli.dll
    2012-06-29 04:55 . 2012-08-15 20:07 17809920 ----a-w- c:\windows\system32\mshtml.dll
    2012-06-29 04:09 . 2012-08-15 20:07 10925568 ----a-w- c:\windows\system32\ieframe.dll
    2012-06-29 03:56 . 2012-08-15 20:07 2312704 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-29 03:49 . 2012-08-15 20:07 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-06-29 03:49 . 2012-08-15 20:07 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-06-29 03:48 . 2012-08-15 20:07 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-29 03:47 . 2012-08-15 20:07 237056 ----a-w- c:\windows\system32\url.dll
    2012-06-29 03:45 . 2012-08-15 20:07 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-06-29 03:44 . 2012-08-15 20:07 816640 ----a-w- c:\windows\system32\jscript.dll
    2012-06-29 03:43 . 2012-08-15 20:07 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-29 03:42 . 2012-08-15 20:07 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-06-29 03:40 . 2012-08-15 20:07 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-06-29 03:39 . 2012-08-15 20:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-29 03:35 . 2012-08-15 20:07 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-06-29 00:16 . 2012-08-15 20:07 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-06-29 00:09 . 2012-08-15 20:07 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-06-29 00:08 . 2012-08-15 20:07 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-06-29 00:04 . 2012-08-15 20:07 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-06-29 00:00 . 2012-08-15 20:07 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-06-23 16:39 . 2012-07-04 11:05 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-06-23 16:39 . 2012-07-04 11:05 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{860F3BE7-FD7F-4862-BD4D-F001CFED377D}\gapaengine.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "jmekey"="c:\windows\jmesoft\hotkey.exe" [2011-06-08 118784]
    "jmesoft"="c:\windows\jmesoft\ServiceLoader.exe" [2011-03-16 28672]
    "Lenovo Eye Distance System"="c:\program files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe" [2010-09-09 265216]
    "Lenovo Dynamic Brightness System"="c:\program files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe" [2010-10-08 285696]
    "SetDefaultSCR"="c:\program files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe" [2009-12-31 102400]
    "CLMLServer"="c:\program files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [2009-12-04 103720]
    "UpdateP2GoShortCut"="c:\program files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UpdatePRCShortCut"="c:\program files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" [2009-05-13 222504]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    .
    c:\users\jds\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-8-14 1014624]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Iomega Storage Manager.lnk - c:\program files (x86)\Iomega Storage Manager\IomegaStorageManager.exe [2012-5-11 2295376]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-03 136176]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [x]
    R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\Quikprotect\QpMonitor.exe [2012-05-09 458240]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-10-05 2655768]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-03 136176]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2012-01-11 22584]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 usbUDisc;usbUDisc;c:\windows\system32\DRIVERS\USBDrv_AMD64.sys [2012-08-05 17280]
    R3 vNICdrv;Iomega Virtual Miniport;c:\windows\system32\DRIVERS\vNICdrv.sys [2012-05-11 20048]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-16 1255736]
    R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\DDCDrv.sys [2008-04-08 20832]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2012-06-05 224088]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2012-06-05 130904]
    S2 JME Keyboard;JME Keyboard Driver;c:\windows\jmesoft\Service.exe [2011-03-16 32768]
    S2 PCloudd;PCloudd;c:\program files (x86)\Iomega Storage Manager\pCloudd.exe [2012-05-11 213504]
    S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-09-21 313520]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-09-21 56344]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-07-20 247400]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2012-06-05 147288]
    S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2012-06-05 166232]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-03 23:06]
    .
    2012-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-03 23:06]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 392216]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 415768]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-10-26 11543656]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    "QuiKProtect"="c:\program files\Iomega\Quikprotect\StartQuikProtect.exe" [2012-05-09 49152]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.lenovo.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    FF - ProfilePath - c:\users\jds\AppData\Roaming\Mozilla\Firefox\Profiles\rmg7te84.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&f=f#GoTo240|http://chinacelebs.venusblogger.com...86/q-who-is-the-hot-girl-playing-poker-in-the
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-15 16:44:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-15 20:44
    ComboFix2.txt 2012-09-12 21:49
    .
    Pre-Run: 1,826,871,054,336 bytes free
    Post-Run: 1,826,722,512,896 bytes free
    .
    - - End Of File - - 8F725C4C8C2DC1A532057193FAF6E9D9


    While rebooting did resolve the "illegal operation attempted on registry key that has been marked for deletion" error and allowed programs to run, it did not restore my network connection.

    Let me know the next step.

    Thanks, again.

    JD
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We'll try a Broni fix here...

    Open it go Tools>Internet options>Advanced tab and click on "Reset" button.
    Restart IE.

    Also....

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (Vista and Windows 7 users: while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    NOTE. Simple router disconnecting from a power source will NOT do.

    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE

    Run computer for couple of days and report back.
  9. 5555624

    5555624 TS Rookie Topic Starter

    (I am not sure why this did not get posted on Sunday....)

    Once again, thank you.

    I skipped resetting IE, since I really don't use it. (Other than accessing my router, I haven't used it in months.)

    Opening the command window and running the commands, there were two glitches:

    ipconfig /registerdns
    This operaton requries elevation.


    and

    net stop "dns client"
    System error 5 has occurred.

    Access is denied.

    (Obviously, net start "dns client" did not work, either, since the process was already started.)

    I reset the router. (Your link for router security settings was not there.)

    In Firefox, the redirect still "existed," except it just hangs and goes nowhere. When clicking on the results of a Google search, as before, some work and some go to

    http://bts.scour.com/index.html?2

    but the browser just displayed a blank browser window. (Before, only some links were redirected, but the bts.scour.com results came up.)

    Resetting Firefox to the default settings seems to have cleared this problem -- no results go to the bts.scour.com site.

    Both Opera and IE -- I tried it in IE -- work fine and have no problems. (I had seen the redirect in Opera, which is what led me here, since it was obviously not just a Firefox problem.)

    It appears that this has worked. I'll let you know if the problem reappears.

    Thank you. I appreciate all the help.

    JD

    Update: Tuesday, 18 September -- The problem has yet to reappear. Thanks!
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  11. 5555624

    5555624 TS Rookie Topic Starter

    Hi.

    In "cleaning up" after all of this, I'd already created a new Restore Point. (I also have the system automatically create one at midnight every day.) I had also gotten rid of the old ones. I had manually removed the various tools, except Malwarebytes, putting the downloaded versions in a separate directory, along with the log files. I'd gotten rid of cookies, temporary files,

    The contents of checkup.txt:

    Results of screen317's Security Check version 0.99.51
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.0.1400
    JavaFX 2.1.1
    Java(TM) 7 Update 5
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 11.3.300.271 Flash Player out of Date!
    Mozilla Firefox 13.0.1 Firefox out of Date!
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````


    I know Firefox and Flash Player are out of date. I had planned to update Firefox last weekend, but had this problem and have held off. (Although I use Flashblock, I was going to get Flash updated, too.)

    I'll have to look into Java. Running "Java(TM) Update," I get "You already have hte latest Java(TM) Platform on this system."

    Thanks, again.

    JD
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    As long as you get those updated, it'll protect your computer from getting viruses and malware in the future. Don't wait too long.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
  13. 5555624

    5555624 TS Rookie Topic Starter

    Oops, sorry for the delay. No, go ahead and mark it solved.
    Thanks, again.
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's fine. Marked as such.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.