Help with browser redirect/corner ad problem...

Solved
By hyrojim
Oct 16, 2012
Topic Status:
Not open for further replies.
  1. Hello, my name's Hiram. I wouldn't consider myself very tech savvy, but I have a general knowledge of my computer and I've tried everything from Malware Bytes to Avast to AVG to try and get rid of this virus or trojan horse or whatever it is that keeps redirecting my internet browser to ad sites and plaguing my browser with corner pop-up ads. Nothing's worked for months. I've even tried following the advice provided for others online to no avail. If anyone could help with this problem, I'd greatly appreciate it.

    The only thing I know about this malware is that it has something to do with these hosts I found in my registry:

    176.9.75.3 www.google-analytics.com.
    176.9.75.3 ad-emea.doubleclick.net.
    176.9.75.3 www.statcounter.com.
    108.163.215.51 www.google-analytics.com.
    108.163.215.51 ad-emea.doubleclick.net.
    108.163.215.51 www.statcounter.com.

    Thanks in advance!
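The six entries quoted above are the classic hosts-file hijack: well-known analytics and ad domains pointed at a public address, so the browser's requests for those domains go to someone else's server. As an added example (not code from the thread or from any of the tools it mentions), the script below parses a Windows HOSTS file and flags that pattern; the sample file is constructed, using the hostname and address values quoted in the post.

```python
"""Added example: parse a Windows HOSTS file and flag entries that
redirect third-party domains to routable (public) addresses."""
import ipaddress
from collections import defaultdict

# Constructed sample. The six mapping lines are the ones quoted in the
# post; the comment lines mimic the stock Microsoft file header.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#       127.0.0.1       localhost
#       ::1             localhost
176.9.75.3 www.google-analytics.com.
176.9.75.3 ad-emea.doubleclick.net.
176.9.75.3 www.statcounter.com.
108.163.215.51 www.google-analytics.com.
108.163.215.51 ad-emea.doubleclick.net.
108.163.215.51 www.statcounter.com.
"""

LOCAL_NAMES = {"localhost", "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every active mapping.

    Comments are stripped, one line may carry several hostnames, and a
    trailing FQDN dot (as in the quoted entries) is normalised away so
    'www.statcounter.com.' and 'www.statcounter.com' compare equal.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip
        for name in fields[1:]:
            entries.append((str(addr), name.rstrip(".").lower(), line_no))
    return entries


def find_hijacks(entries):
    """Flag mappings that send a non-local hostname to a public address.

    Pointing a domain at 0.0.0.0 or loopback is the ordinary ad-blocking
    pattern and is left alone; pointing it at a routable address means
    the browser silently talks to a third party's server for that domain,
    which is what produces redirects and injected ads.
    """
    findings = []
    names_per_ip = defaultdict(set)
    for ip, name, line_no in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified or name in LOCAL_NAMES:
            continue  # sinkhole or local alias: benign
        names_per_ip[ip].add(name)
        if addr.is_global:
            findings.append({
                "line": line_no, "ip": ip, "host": name,
                "reason": "third-party hostname resolved to a public address",
            })
    # One public address collecting several unrelated domains is the
    # fan-out signature of a hijack rather than a stray manual entry.
    for ip, names in names_per_ip.items():
        if len(names) >= 3 and ipaddress.ip_address(ip).is_global:
            findings.append({
                "line": None, "ip": ip, "host": ", ".join(sorted(names)),
                "reason": "one public address claims %d hostnames" % len(names),
            })
    return findings


def hijacked_hosts(text):
    """Sorted list of distinct hostnames redirected to a public address."""
    return sorted({f["host"] for f in find_hijacks(parse_hosts(text))
                   if f["line"] is not None})


if __name__ == "__main__":
    for f in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print("line %-4s %-16s %s  (%s)" % (f["line"], f["ip"], f["host"], f["reason"]))
```

On a live machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts; a file that cannot be read or rewritten (as OTL and HostsXpert report later in this thread) is itself a finding worth noting.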
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.

    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  3. hyrojim

    hyrojim Newcomer, in training Topic Starter

    Thanks for your help! Here's the logfile:

    # AdwCleaner v2.005 - Logfile created 10/17/2012 at 11:36:28
    # Updated 14/10/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Hiram Jimenez - HIRAMJIMENEZ-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Hiram Jimenez\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Deleted on reboot : C:\Program Files (x86)\Common Files\AVG Secure Search
    Folder Deleted : C:\ProgramData\AVG Secure Search

    ***** [Registry] *****


    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    -\\ Mozilla Firefox v16.0.1 (en-US)

    Profile name : default
    File : C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\prefs.js

    Deleted : user_pref("avg.install.installDirPath", "C:\\ProgramData\\AVG Secure Search\\12.2.5.32");
    Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
    Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
    Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
    Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
    Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109935");
    Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "207174920000000000000026f294e50b");
    Deleted : user_pref("extensions.BabylonToolbar_i.id", "207174920000000000000026f294e50b");
    Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15495");
    Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
    Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
    Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=109935&babsrc=N[...]
    Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
    Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
    Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
    Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
    Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1715:41:17");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
    Deleted : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid=%7B43fcb009-d94c-4351-a245-37b71fc80c9d[...]

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\Hiram Jimenez\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [6767 octets] - [17/10/2012 11:21:00]
    AdwCleaner[S2].txt - [2791 octets] - [17/10/2012 11:36:28]

    ########## EOF - C:\AdwCleaner[S2].txt - [2851 octets] ##########

    Not sure if this is normal or not after running the program, but I'm still experiencing the same issues with the browser.
  4. Jay Pfoutz

    Great. :D

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Copy the code below in the quotebox, and then under the Custom Scans/Fixes box paste it in:

    • Click the Run Scan button. The scan will not take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.

    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
  5. hyrojim

    Thanks for your reply. I downloaded the OTL program and ran it, but I'm not sure I did it right. It took about 25 minutes to scan and the log is enormous. So enormous that I tried posting it on here and it won't fit into one post. In fact, it would take more than 15 separate posts to upload all of it. I also tried attaching the log to this post as a file and as fate would have it, it's way too large. The browser problem continues, although it seemed to be resolved for a few minutes. I'm still getting pop-ups and being redirected. I really appreciate all your help, by the way.
  6. Jay Pfoutz

    Okay. Go to www.mediafire.com and upload it there, then put the download link in a new post, please.
  7. hyrojim

  8. Jay Pfoutz

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
  9. hyrojim

    Alright, I ran the fix using the text you gave me. Here is the log:

    All processes killed
    ========== OTL ==========
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77575283-B7E3-4BC2-A4EB-C3DA570826B8}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77575283-B7E3-4BC2-A4EB-C3DA570826B8}\ not found.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77575283-B7E3-4BC2-A4EB-C3DA570826B8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77575283-B7E3-4BC2-A4EB-C3DA570826B8}\ not found.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77575283-B7E3-4BC2-A4EB-C3DA570826B8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77575283-B7E3-4BC2-A4EB-C3DA570826B8}\ not found.
    Prefs.js: {C06C05A0-7EDF-11E1-826D-B8AC6F996F26}:2.0 removed from extensions.enabledAddons
    Registry value HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{C06C05A0-7EDF-11E1-826D-B8AC6F996F26} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C06C05A0-7EDF-11E1-826D-B8AC6F996F26}\ not found.
    C:\Users\Hiram Jimenez\AppData\Local\{C06C05A0-7EDF-11E1-826D-B8AC6F996F26}\chrome\content folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Local\{C06C05A0-7EDF-11E1-826D-B8AC6F996F26}\chrome folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Local\{C06C05A0-7EDF-11E1-826D-B8AC6F996F26} folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-xandonee-28-lib folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-xandonee-28-data folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib\windows folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib\utils folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib\traits folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib\tabs folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib\events folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib\dom folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib\content folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-lib folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-api-utils-data folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-addon-kit-lib folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources\jid0-yxzrusj0woioau89tngazlcis18-at-jetpack-addon-kit-data folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\resources folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack\components folder moved successfully.
    C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\searchplugins\fcmdSrchvsl.xml moved successfully.
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    C:\ProgramData\-4XK4vdXRphaHuFr moved successfully.
    C:\ProgramData\-4XK4vdXRphaHuF moved successfully.
    C:\ProgramData\4XK4vdXRphaHuF moved successfully.
    C:\ProgramData\-AP3LNvavuV07l7r moved successfully.
    C:\ProgramData\-AP3LNvavuV07l7 moved successfully.
    C:\ProgramData\AP3LNvavuV07l7 moved successfully.
    C:\Users\Hiram Jimenez\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
    C:\Windows\SysWOW64\dischandler.exe moved successfully.
    C:\Users\Hiram Jimenez\AppData\Local\150up75ea60r56535551kbvoid4g512fon8qa34200y moved successfully.
    C:\ProgramData\150up75ea60r56535551kbvoid4g512fon8qa34200y moved successfully.
    C:\Users\Hiram Jimenez\AppData\Local\.theoutclubdownloadmanager.xml moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Hiram Jimenez
    ->Temp folder emptied: 19675343 bytes
    ->Temporary Internet Files folder emptied: 4110089 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 724508329 bytes
    ->Google Chrome cache emptied: 57706023 bytes
    ->Flash cache emptied: 59336 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 30707115 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36028437 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 832.00 mb

    File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
    Error: Unble to create default HOSTS file!

    OTL by OldTimer - Version 3.2.69.0 log created on 10182012_143629

    Files\Folders moved on Reboot...
    C:\Users\Hiram Jimenez\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
    File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


    As for the computer, it's still redirecting the browser and I'm still seeing corner ads. I hope it's okay that I'm testing the browser afterwards.
  10. Jay Pfoutz

    Sure.

    Run AdwCleaner once more and post a new log, please.

    Also, this:

    TDSSKiller Scan

    Please download TDSSKiller to your desktop and run it as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    ------------------------

    Click the Start Scan button.

    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  11. hyrojim

    Okay, here's the log for the re-run on AdwCleaner:

    # AdwCleaner v2.005 - Logfile created 10/20/2012 at 03:25:44
    # Updated 14/10/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Hiram Jimenez - HIRAMJIMENEZ-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Hiram Jimenez\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****


    ***** [Registry] *****


    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    -\\ Mozilla Firefox v16.0.1 (en-US)

    Profile name : default
    File : C:\Users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\Hiram Jimenez\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [6767 octets] - [17/10/2012 11:21:00]
    AdwCleaner[S2].txt - [2920 octets] - [17/10/2012 11:36:28]
    AdwCleaner[S3].txt - [1006 octets] - [20/10/2012 03:25:44]

    ########## EOF - C:\AdwCleaner[S3].txt - [1066 octets] ##########


    And here's the link to the log for the run on TDSSKiller:

    http://www.mediafire.com/view/?yu4sq1d1jkl4b17
  12. Jay Pfoutz

    Open OTL, press Quick Scan and post log, please. :)
  13. hyrojim
  14. Jay Pfoutz

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


    Download the HostsXpert
    • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    • Click HostsXpert.exe to run HostsXpert 4.3 - Hosts File Manager from its new home.
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click Restore Microsoft's Hosts file and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
  15. hyrojim

    Okay, I ran the OTL again with the custom fix you gave me and the program did freeze up at one point, then it attempted to restart my computer, but it froze at the same spot it did last time. It was just a black screen instead of powering off. I had to cut the power to the computer just to be able to restart it. Here's the log for that run:

    All processes killed
    ========== OTL ==========
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    Unable to save new HOSTS file
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Hiram Jimenez
    ->Temp folder emptied: 93913 bytes
    ->Temporary Internet Files folder emptied: 6897187 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 491348434 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 13026 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3674 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 475.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 10222012_122701

    Files\Folders moved on Reboot...
    C:\Users\Hiram Jimenez\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\Hiram Jimenez\AppData\Local\Temp\FXSTIFFDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


    I also downloaded and extracted the HostsXpert program to C:\HostsXpert and ran it the way you told me to. The "Make hosts writable" button was highlighted red and I clicked it, but it did nothing. I also tried to "Restore Microsoft's hosts file" but it gave me the following error: "ERROR: CANNOT CREATE FILE C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS". Thanks again for all your help with this ridiculous problem.
  16. Jay Pfoutz

    ComboFix scan

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  17. hyrojim

    I downloaded ComboFix and ran it how you told me to. It automatically rebooted the computer. Everything seemed to go according to plan, but the problem continues to plague my browser. I even tried re-downloading ComboFix under different names ("iexplore" and "winlogon") as you suggested and both runs were successful (though the computer wasn't rebooted like it was the first time), but none of them fixed the problem. I tried running ComboFix in safe mode but I couldn't figure out how to kill Avast and AVG as neither one showed up on the task bar or in the task manager (I tried other methods, but nothing worked), so I decided not to run ComboFix in safe mode since there was a risk of damage. Here's the log:

    ComboFix 12-10-24.02 - Hiram Jimenez 10/24/2012 15:36:31.8.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.774 [GMT -4:00]
    Running from: c:\users\Hiram Jimenez\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-24 to 2012-10-24 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-24 19:44 . 2012-10-24 19:44 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-10-22 16:51 . 2012-10-22 16:52 -------- d-----w- C:\HostsXpert
    2012-10-18 18:36 . 2012-10-18 18:36 -------- d-----w- C:\_OTL
    2012-09-26 23:52 . 2012-09-26 23:52 -------- d-----w- c:\windows\SysWow64\citywitch_3102805 dir
    2012-09-26 23:52 . 2012-09-26 23:52 520192 ----a-w- c:\windows\SysWow64\citywitch_3102805.scr
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-09 04:58 . 2012-04-05 18:17 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-10-09 04:58 . 2011-05-18 17:30 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-30 17:15 . 2012-08-30 17:15 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
    2012-08-24 19:43 . 2012-08-24 19:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
    2012-08-21 17:01 . 2012-09-17 14:53 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-08-21 17:01 . 2012-02-28 23:46 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
    2012-08-21 17:01 . 2012-02-28 23:46 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2012-08-21 09:13 . 2011-05-18 17:22 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-08-21 09:13 . 2011-05-18 17:22 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-08-21 09:13 . 2011-05-18 17:22 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-08-21 09:13 . 2012-03-28 15:50 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-08-21 09:13 . 2011-05-18 17:22 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-08-21 09:13 . 2011-05-18 17:22 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-08-21 09:12 . 2011-05-18 17:22 41224 ----a-w- c:\windows\avastSS.scr
    2012-08-21 09:12 . 2011-05-18 17:22 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-08-21 09:12 . 2011-05-18 17:22 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2010-11-11 19:34 . 2011-06-23 22:20 201728 ----a-w- c:\program files (x86)\hjsplit.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NETGEAR WN111v2 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WN111v2\WN111v2.exe [2009-10-10 1728512]
    PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-13 5167736]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]
    R2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-09 250808]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-02-16 99384]
    R3 DNIMp50a64;DNIMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\DNIMp50a64.sys [x]
    R3 DNISp50a64;DNISp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\DNISp50a64.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-10-13 115168]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [2006-11-29 43328]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-02-16 203320]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-19 1255736]
    R4 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files (x86)\NETGEAR\WN111v2\jswpsapi.exe [2008-02-29 942080]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
    S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
    S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-08-30 31080]
    S1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwfx.sys [2008-10-01 26624]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
    S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [2006-11-29 41280]
    S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2w7x.sys [2010-04-28 783360]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-24 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 04:58]
    .
    2012-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 06:50]
    .
    2012-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 06:50]
    .
    2012-10-05 c:\windows\Tasks\HPCeeScheduleForHiram Jimenez.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
    .
    2012-09-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-29 16333856]
    "PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page =
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.hotmail.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-beachvacation_3140129 - c:\windows\system32\beachvacation_3140129.scr
    AddRemove-citywitch_3102805 - c:\windows\system32\citywitch_3102805.scr
    AddRemove-dayattthebeach_3136691 - c:\windows\system32\dayattthebeach_3136691.scr
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-10-24 15:47:15
    ComboFix-quarantined-files.txt 2012-10-24 19:47
    ComboFix2.txt 2012-10-24 19:25
    ComboFix3.txt 2012-10-24 15:26
    ComboFix4.txt 2012-10-11 15:44
    ComboFix5.txt 2012-10-24 19:35
    .
    Pre-Run: 203,035,983,872 bytes free
    Post-Run: 202,741,956,608 bytes free
    .
    - - End Of File - - A250BEB2B5BAD96FA62E785C1273C7B5
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

Download and run the AVG removal tool: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

I was not aware you had run ComboFix repeatedly before you sought help here. Since ComboFix can be a dangerous tool without the supervision of an expert, it shouldn't be used at any other time.

    ComboFix Script

    • Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe
      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
  19. hyrojim

    hyrojim Newcomer, in training Topic Starter

    Oh man... I think that worked! I haven't seen any corner ads or been redirected since that last fix.

And P.S. yeah, sorry about the many ComboFix runs... I should've asked for help sooner; I was just going by what I'd read had worked for others online. Here's the log for the last run:

    ComboFix 12-10-25.01 - Hiram Jimenez 10/25/2012 12:01:06.9.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.1100 [GMT -4:00]
    Running from: c:\users\Hiram Jimenez\Desktop\ComboFix.exe
    Command switches used :: c:\users\Hiram Jimenez\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\SYSTEM32\DRIVERS\ETC\HOSTS"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SYSTEM32\DRIVERS\ETC\HOSTS
    c:\windows\SysWow64\citywitch_3102805 dir
    c:\windows\SysWow64\citywitch_3102805 dir\3102805_8.swf
    c:\windows\SysWow64\citywitch_3102805 dir\expire.scf
    c:\windows\SysWow64\citywitch_3102805 dir\ping.txt
    c:\windows\SysWow64\citywitch_3102805 dir\saver.dat
    c:\windows\SysWow64\citywitch_3102805 dir\saver1.dll
    c:\windows\SysWow64\citywitch_3102805 dir\saver2.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-25 to 2012-10-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-25 16:10 . 2012-10-25 16:10 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-10-22 16:51 . 2012-10-22 16:52 -------- d-----w- C:\HostsXpert
    2012-10-18 18:36 . 2012-10-18 18:36 -------- d-----w- C:\_OTL
    2012-09-26 23:52 . 2012-09-26 23:52 520192 ----a-w- c:\windows\SysWow64\citywitch_3102805.scr
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-09 04:58 . 2012-04-05 18:17 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-10-09 04:58 . 2011-05-18 17:30 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-30 17:15 . 2012-08-30 17:15 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
    2012-08-24 19:43 . 2012-08-24 19:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
    2012-08-21 17:01 . 2012-09-17 14:53 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-08-21 17:01 . 2012-02-28 23:46 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
    2012-08-21 17:01 . 2012-02-28 23:46 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2012-08-21 09:13 . 2011-05-18 17:22 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-08-21 09:13 . 2011-05-18 17:22 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-08-21 09:13 . 2011-05-18 17:22 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-08-21 09:13 . 2012-03-28 15:50 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-08-21 09:13 . 2011-05-18 17:22 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-08-21 09:13 . 2011-05-18 17:22 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-08-21 09:12 . 2011-05-18 17:22 41224 ----a-w- c:\windows\avastSS.scr
    2012-08-21 09:12 . 2011-05-18 17:22 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-08-21 09:12 . 2011-05-18 17:22 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2010-11-11 19:34 . 2011-06-23 22:20 201728 ----a-w- c:\program files (x86)\hjsplit.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NETGEAR WN111v2 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WN111v2\WN111v2.exe [2009-10-10 1728512]
    PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    3;1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield [x]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-13 5167736]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]
    R2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-09 250808]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-02-16 99384]
    R3 DNIMp50a64;DNIMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\DNIMp50a64.sys [x]
    R3 DNISp50a64;DNISp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\DNISp50a64.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 136176]
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-10-13 115168]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [2006-11-29 43328]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-02-16 203320]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-19 1255736]
    R4 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files (x86)\NETGEAR\WN111v2\jswpsapi.exe [2008-02-29 942080]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
    S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-08-30 31080]
    S1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwfx.sys [2008-10-01 26624]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
    S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [2006-11-29 41280]
    S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2w7x.sys [2010-04-28 783360]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-25 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 04:58]
    .
    2012-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 06:50]
    .
    2012-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-21 06:50]
    .
    2012-10-25 c:\windows\Tasks\HPCeeScheduleForHiram Jimenez.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
    .
    2012-09-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-29 16333856]
    "PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page =
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\Hiram Jimenez\AppData\Roaming\Mozilla\Firefox\Profiles\0i3sw5nv.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.hotmail.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-beachvacation_3140129 - c:\windows\system32\beachvacation_3140129.scr
    AddRemove-citywitch_3102805 - c:\windows\system32\citywitch_3102805.scr
    AddRemove-dayattthebeach_3136691 - c:\windows\system32\dayattthebeach_3136691.scr
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-10-25 12:13:58
    ComboFix-quarantined-files.txt 2012-10-25 16:13
    ComboFix2.txt 2012-10-24 19:47
    ComboFix3.txt 2012-10-24 19:25
    ComboFix4.txt 2012-10-24 15:26
    ComboFix5.txt 2012-10-25 15:59
    .
    Pre-Run: 202,782,834,688 bytes free
    Post-Run: 202,724,352,000 bytes free
    .
    - - End Of File - - 887630CCAB9A26C245B0ED1D1AA8E373

    THANK YOU SO MUCH. I think I love you. Thanks for hanging in there with me as long as you did.
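The registry dump at the end of the ComboFix log above follows a fixed layout: sections separated by a line holding a single `.`, a bracketed key path, an optional `@Denied:` line naming the rights and principal the key's ACL refuses, a default value written as `@="..."` and named values written as `"Name"="..."`. The parser below turns that layout into records so a helper can list which keys are ACL-locked and which file each `InprocServer32` subkey loads. This is an added example, not code from the thread or from ComboFix; the sample text is a constructed excerpt of the dump posted above, and the `@Denied:` field layout is read off the log rather than taken from any ComboFix documentation.

```python
"""Parse a ComboFix-style registry dump (sections split by '.' lines) into records.

Added example, not part of the thread or of ComboFix. The sample below is a
constructed excerpt of the dump posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTION_SEP = "."
KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
DENIED_RE = re.compile(r"^@Denied:\s*\((?P<rights>[^)]*)\)\s*\((?P<principal>[^)]*)\)$")
DEFAULT_RE = re.compile(r'^@="(?P<value>.*)"$')
NAMED_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed excerpt in the same layout as the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-10-25 12:13:58
"""


@dataclass
class RegSection:
    path: str
    default: str | None = None
    values: dict = field(default_factory=dict)
    denied: tuple | None = None  # (rights, principal) when the key's ACL denies access

    @property
    def leaf(self) -> str:
        """Last component of the key path, e.g. 'InprocServer32'."""
        return self.path.rsplit("\\", 1)[-1]


def _unescape(value: str) -> str:
    # .reg-style exports double every backslash inside string values.
    return value.replace("\\\\", "\\")


def parse_combofix_registry(text: str) -> list[RegSection]:
    """Split the dump on '.' separator lines and parse each bracketed section."""
    sections: list[RegSection] = []
    current: RegSection | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == SECTION_SEP:
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegSection(path=m.group("path"))
            sections.append(current)
            continue
        if current is None:
            continue  # trailer lines such as 'Completion time:' sit outside any section
        m = DENIED_RE.match(line)
        if m:
            current.denied = (m.group("rights"), m.group("principal"))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            current.default = _unescape(m.group("value"))
            continue
        m = NAMED_RE.match(line)
        if m:
            current.values[m.group("name")] = _unescape(m.group("value"))
    return sections


def locked_keys(sections: list[RegSection]) -> list[str]:
    """Paths of every key the dump marks with an @Denied: ACL entry."""
    return [s.path for s in sections if s.denied is not None]


def inproc_servers(sections: list[RegSection]) -> dict[str, str]:
    """Map each CLSID to the DLL/OCX path its InprocServer32 subkey loads."""
    out: dict[str, str] = {}
    for s in sections:
        if s.leaf == "InprocServer32" and s.default:
            clsid = s.path.rsplit("\\", 2)[-2]
            out[clsid] = s.default
    return out


if __name__ == "__main__":
    parsed = parse_combofix_registry(SAMPLE_LOG)
    print("locked keys:", *locked_keys(parsed), sep="\n  ")
    print("in-process servers:", inproc_servers(parsed))
```

The two lists this produces (ACL-locked keys and the binaries each COM class loads) are the parts of the dump a reviewer actually reads; the rest of the sections are carried along unchanged so they can be inspected if a path looks out of place.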
  20. hyrojim

    hyrojim Newcomer, in training Topic Starter

    FYI, I made a donation to your Paypal. I really appreciate your help.
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Thanks for that! :D

    Did you remove AVG? It's only good to run one antivirus program.

    Kaspersky GetSystemInfo Scan

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

    Note: please close all other applications running on your system.

    Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

    Click the Settings button.

    Set the slider to Maximum.


    IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.

    On the General tab, make sure all of the boxes are checked.

    On the Misc tab, make sure all the checkboxes are checked.

    Then, click OK on the windows that you launched.

    Click Create Report to run it.

    It will begin scanning.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

    It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

    It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.
  22. hyrojim

    hyrojim Newcomer, in training Topic Starter

  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    • Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


    If it all appears to be good, we will finish up to make sure your computer is protected from malware in the future.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, i.e. C
    • For a few moments the system will make some calculations.
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  24. hyrojim

    hyrojim Newcomer, in training Topic Starter

    Awesome. Thanks, man. I was going to post the log for the OTL run but I ran the OTC right after and now I can't find it (I don't know if it got rid of it or not, I tried the address you gave me and the explorer didn't recognize it). And I did have CCleaner on my system, but it needed an update. I updated that and ran the cleaner. Thanks again! Here is the log for the Security Check:

    Results of screen317's Security Check version 0.99.53
    Windows 7 Service Pack 1 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    avast! Antivirus
    AVG Anti-Virus Free Edition 2012
    Antivirus up to date! (On Access scanning disabled!)
    `````````Anti-malware/Other Utilities Check:`````````
    Ad-Aware
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 26
    Java version out of Date!
    Adobe Flash Player 11.4.402.287
    Adobe Reader X (10.1.4)
    Mozilla Firefox (16.0.2)
    Google Chrome 21.0.1180.89
    Google Chrome 22.0.1229.79
    Google Chrome 22.0.1229.92
    Google Chrome 22.0.1229.94
    ````````Process Check: objlist.exe by Laurent````````
    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
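The checkup.txt posted above is what the helper reads to decide the next step: the header reports UAC disabled, the antivirus section lists both avast! and AVG with on-access scanning disabled (the helper had already asked whether AVG was removed, since only one antivirus should run), and the utilities section flags Java as out of date and lists several Chrome builds. The script below parses that log layout (sections delimited by the backtick-run headers) and emits those findings with a severity. It is an added example, not part of the thread and not the Security Check tool's own code; the log text is a constructed copy of the one posted here, and the rules and severities are this example's own heuristics.

```python
"""Turn a screen317 Security Check log (checkup.txt) into a list of findings.

Added example, not part of the thread and not from the Security Check tool.
The rules below are this example's own heuristics.
"""
import re

# Constructed copy of the checkup.txt layout posted in the thread.
SAMPLE_CHECKUP = """\
Results of screen317's Security Check version 0.99.53
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
AVG Anti-Virus Free Edition 2012
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Malwarebytes Anti-Malware version 1.62.0.1300
Java(TM) 6 Update 26
Java version out of Date!
Adobe Flash Player 11.4.402.287
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVAST Software Avast AvastSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
"""

# A section header is a run of backticks, a title, an optional colon, more backticks.
SECTION_RE = re.compile(r"^`+(?P<name>[^`]+?):?`+$")

# Product-name fragments this example recognises as resident antivirus (constructed list).
AV_PRODUCTS = ("avast!", "AVG Anti-Virus", "Microsoft Security Essentials", "Norton", "McAfee")


def split_sections(text: str) -> dict:
    """Return {section_title: [non-empty lines]}; lines before the first header go under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, [])
            continue
        if stripped:
            sections[current].append(stripped)
    return sections


def analyse(text: str) -> list:
    """Return (severity, message) pairs for the conditions a malware helper acts on."""
    s = split_sections(text)
    findings = []

    header = " ".join(s.get("Header", []))
    if "UAC is disabled" in header:
        findings.append(("high", "UAC is disabled"))

    av = s.get("Antivirus/Firewall Check", [])
    installed = [l for l in av if any(p.lower() in l.lower() for p in AV_PRODUCTS)]
    if len(installed) > 1:
        findings.append(("medium", "multiple antivirus products installed: " + "; ".join(installed)))
    if any("On Access scanning disabled" in l for l in av):
        findings.append(("high", "antivirus on-access scanning disabled"))
    if not any(l.startswith("Windows Firewall Enabled") for l in av):
        findings.append(("medium", "Windows Firewall not reported enabled"))

    util = s.get("Anti-malware/Other Utilities Check", [])
    if any("Java version out of Date" in l for l in util):
        findings.append(("high", "outdated Java runtime"))
    chrome = [l for l in util if l.startswith("Google Chrome ")]
    if len(chrome) > 1:
        findings.append(("low", f"{len(chrome)} Google Chrome versions listed; only the newest should remain"))

    return findings


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_CHECKUP):
        print(f"[{severity}] {message}")
```

Run against the posted log this yields five findings (UAC, two antivirus products, on-access scanning off, outdated Java, two Chrome versions); a log with one up-to-date antivirus, the firewall on and no Java line yields none. Matching is on the literal phrases the tool prints, so a changed tool version may need the patterns revisited.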
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.


    Any other questions before I mark this topic solved?