Win64/Patched.A infection on services.exe

Solved
By Vibhor
Nov 4, 2012
  1. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    NO Current Issues.
    ----------------------------------

    All processes killed
    ========== OTL ==========
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1036AD63-AEAC-460B-9060-C96005D4DC86}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1036AD63-AEAC-460B-9060-C96005D4DC86}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{37483b40-c254-4a72-bda4-22ee90182c1e} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37483b40-c254-4a72-bda4-22ee90182c1e}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    C:\FRST\Quarantine\{9ce6e964-1aaa-a36a-a94d-b658d72f2dcb}\U folder moved successfully.
    C:\FRST\Quarantine\{9ce6e964-1aaa-a36a-a94d-b658d72f2dcb} folder moved successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    C:\Users\Vibhor\cy0MKJiJqke moved successfully.
    C:\Users\Guest\AppData\Roaming\AVG2012\cfgall folder moved successfully.
    C:\Users\Guest\AppData\Roaming\AVG2012 folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG\Rescue\PC Tuneup 2011 folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG\Rescue folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG\PC Tuneup\User Reports folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG\PC Tuneup\Logs folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG\PC Tuneup folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG2012\cfgall folder moved successfully.
    C:\Users\Vibhor\AppData\Roaming\AVG2012 folder moved successfully.
    ADS C:\ProgramData\Temp:5D458568 deleted successfully.
    ADS C:\ProgramData\Temp:41099CE9 deleted successfully.
    ADS C:\ProgramData\Temp:0B4227B4 deleted successfully.
    ADS C:\ProgramData\Temp:3E7393FC deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56475 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 8187 bytes
    ->FireFox cache emptied: 68841949 bytes
    ->Google Chrome cache emptied: 4896218 bytes
    ->Flash cache emptied: 58707 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Vibhor
    ->Temp folder emptied: 5252639 bytes
    ->Temporary Internet Files folder emptied: 4899017 bytes
    ->Java cache emptied: 5842411 bytes
    ->FireFox cache emptied: 97118048 bytes
    ->Google Chrome cache emptied: 360430290 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 14856734 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 9120 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 536.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Guest

    User: Public

    User: Vibhor
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Vibhor
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 11072012_223200

    Files\Folders moved on Reboot...
    C:\Users\Vibhor\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  2. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    Results of screen317's Security Check version 0.99.54
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    ESET Smart Security 5.2
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    TuneUp Utilities 2012
    TuneUp Utilities Language Pack (en-US)
    JavaFX 2.1.1
    Java(TM) 6 Update 31
    Java(TM) 7 Update 5
    Java version out of Date!
    Adobe Flash Player 11.4.402.265
    Mozilla Firefox (16.0.2)
    Google Chrome 20.0.1132.47
    Google Chrome 20.0.1132.57
    ````````Process Check: objlist.exe by Laurent````````
    ESET NOD32 Antivirus egui.exe
    ESET NOD32 Antivirus ekrn.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````
  3. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    Farbar Service Scanner Version: 09-11-2012
    Ran by Vibhor (administrator) on 10-11-2012 at 12:58:34
    Running from "C:\Users\Vibhor\Desktop"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    Other Services:
    ==============
    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    **** End of log ****
  4. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    # AdwCleaner v2.007 - Logfile created 11/10/2012 at 13:03:33
    # Updated 06/11/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Vibhor - MYNEWASUS
    # Boot Mode : Normal
    # Running from : C:\Users\Vibhor\Desktop\adwcleaner.exe
    # Option [Delete]
    ***** [Services] *****
    ***** [Files / Folders] *****
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Deleted : C:\user.js
    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\Program Files (x86)\Mozilla Firefox\Extensions\ffxtlbr@babylon.com
    Folder Deleted : C:\Program Files (x86)\NCH_EN
    Folder Deleted : C:\Program Files (x86)\Yontoo
    Folder Deleted : C:\ProgramData\Babylon
    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\ProgramData\Partner
    Folder Deleted : C:\ProgramData\Premium
    Folder Deleted : C:\ProgramData\Tarma Installer
    Folder Deleted : C:\Users\Vibhor\AppData\Local\Conduit
    Folder Deleted : C:\Users\Vibhor\AppData\LocalLow\AskToolbar
    Folder Deleted : C:\Users\Vibhor\AppData\LocalLow\BabylonToolbar
    Folder Deleted : C:\Users\Vibhor\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Vibhor\AppData\LocalLow\NCH_EN
    Folder Deleted : C:\Users\Vibhor\AppData\Roaming\Babylon
    ***** [Registry] *****
    Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKCU\Software\IM
    Key Deleted : HKCU\Software\ImInstaller
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2790392
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2801948
    Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
    Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
    Key Deleted : HKLM\Software\Iminent
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKLM\Software\NCH_EN
    Key Deleted : HKLM\Software\Web Assistant
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3B2CC1EC-17B9-457D-8B2B-9FD5E15DC9E3}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9A1ED736-7819-476C-8E31-B1196BED3058}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NCH_EN Toolbar
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\incredibar
    Key Deleted : HKLM\SOFTWARE\Web Assistant
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{37483B40-C254-4A72-BDA4-22EE90182C1E}]
    Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEtD0B0AzzzyyCyEtA0AtBtN0D0Tzu0CtBtDyDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=878517389 --> hxxp://www.google.com
    -\\ Mozilla Firefox v16.0.2 (en-US)
    Profile name : default
    File : C:\Users\Vibhor\AppData\Roaming\Mozilla\Firefox\Profiles\n9fxrtoa.default\prefs.js
    C:\Users\Vibhor\AppData\Roaming\Mozilla\Firefox\Profiles\n9fxrtoa.default\user.js ... Deleted !
    Deleted : user_pref("backup.old.browser.search.defaultenginename", "Search the web (Babylon)");
    Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
    Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
    Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=113959&tt=28061[...]
    Deleted : user_pref("extensions.funmoods.aflt", "nv1");
    Deleted : user_pref("extensions.funmoods.autoRvrt", false);
    Deleted : user_pref("extensions.funmoods.brwsrsrc", "ietlbr");
    Deleted : user_pref("extensions.funmoods.cntry", "US");
    Deleted : user_pref("extensions.funmoods.cv", "cv5");
    Deleted : user_pref("extensions.funmoods.dfltLng", "");
    Deleted : user_pref("extensions.funmoods.dfltSrch", true);
    Deleted : user_pref("extensions.funmoods.dfltlng", "en");
    Deleted : user_pref("extensions.funmoods.dfltsrch", true);
    Deleted : user_pref("extensions.funmoods.dnsErr", true);
    Deleted : user_pref("extensions.funmoods.envrmnt", "production");
    Deleted : user_pref("extensions.funmoods.excTlbr", false);
    Deleted : user_pref("extensions.funmoods.hdrMd5", "0756A1B8A2BD14C977C70F3603BF6D8C");
    Deleted : user_pref("extensions.funmoods.hmpg", true);
    Deleted : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2[...]
    Deleted : user_pref("extensions.funmoods.hrdid", "F46D040BA89643A2");
    Deleted : user_pref("extensions.funmoods.id", "F46D040BA89643A2");
    Deleted : user_pref("extensions.funmoods.instlDay", "15544");
    Deleted : user_pref("extensions.funmoods.instlRef", "nv1");
    Deleted : user_pref("extensions.funmoods.instlday", "15544");
    Deleted : user_pref("extensions.funmoods.instlref", "nv1");
    Deleted : user_pref("extensions.funmoods.isdcmntcmplt", true);
    Deleted : user_pref("extensions.funmoods.keywordurl", "");
    Deleted : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2214:2:34");
    Deleted : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
    Deleted : user_pref("extensions.funmoods.newTab", true);
    Deleted : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
    Deleted : user_pref("extensions.funmoods.newtab", true);
    Deleted : user_pref("extensions.funmoods.newtaburl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
    Deleted : user_pref("extensions.funmoods.prdct", "funmoods");
    Deleted : user_pref("extensions.funmoods.prtnrId", "funmoods");
    Deleted : user_pref("extensions.funmoods.prtnrid", "funmoods");
    Deleted : user_pref("extensions.funmoods.sg", "none");
    Deleted : user_pref("extensions.funmoods.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods.smplgrp", "none");
    Deleted : user_pref("extensions.funmoods.srch", "");
    Deleted : user_pref("extensions.funmoods.srchPrvdr", "Search");
    Deleted : user_pref("extensions.funmoods.srchprvdr", "Search");
    Deleted : user_pref("extensions.funmoods.tlbrId", "base");
    Deleted : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
    Deleted : user_pref("extensions.funmoods.tlbrid", "base");
    Deleted : user_pref("extensions.funmoods.tlbrsrchurl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
    Deleted : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
    Deleted : user_pref("extensions.funmoods.vrsnTs", "1.5.23.2214:2:34");
    Deleted : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
    Deleted : user_pref("extensions.funmoods.vrsnts", "1.5.23.2214:2:34");
    Deleted : user_pref("extensions.funmoods_i.newTab", true);
    Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2214:2:34");
    Deleted : user_pref("extensions.incredibar.actvtyRptTime", "1347487630871");
    Deleted : user_pref("extensions.incredibar.admin", false);
    Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
    Deleted : user_pref("extensions.incredibar.afterInstallRpt", "sent");
    Deleted : user_pref("extensions.incredibar.cntry", "US");
    Deleted : user_pref("extensions.incredibar.dfltLng", "");
    Deleted : user_pref("extensions.incredibar.dfltSrch", false);
    Deleted : user_pref("extensions.incredibar.dfltlng", "en");
    Deleted : user_pref("extensions.incredibar.dfltsrch", "false");
    Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
    Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
    Deleted : user_pref("extensions.incredibar_i.did", "10658");
    Deleted : user_pref("extensions.incredibar_i.excTlbr", false);
    Deleted : user_pref("extensions.incredibar_i.id", "c40a43a2000000000000002637bd3942");
    Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
    Deleted : user_pref("extensions.incredibar_i.instlDay", "15575");
    Deleted : user_pref("extensions.incredibar_i.instlRef", "");
    Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
    Deleted : user_pref("extensions.incredibar_i.newTab", false);
    Deleted : user_pref("extensions.incredibar_i.ppd", "");
    Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
    Deleted : user_pref("extensions.incredibar_i.productid", "26");
    Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
    Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
    Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
    Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8CUIGnih&loc=IB[...]
    Deleted : user_pref("extensions.incredibar_i.upn2", "6R8CUIGnih");
    Deleted : user_pref("extensions.incredibar_i.upn2n", "92824928163079353");
    Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
    Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1423:33:16");
    Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
    -\\ Google Chrome v23.0.1271.64
    File : C:\Users\Vibhor\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Deleted [l.28] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT2653012&SearchSource=48", "hxxp://www.facebook.com/", "hxxp://search.babylon.com/?affID=113959&tt=280612_7_&babsrc=HP_ss&mntrId=c40a43a2000000000000002637bd3942", "hxxp://www.artlastudents.com/index.cfm/search/detail/entry/1740" ]
    Deleted [l.2716] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT2653012&SearchSource=48", "hxxp://www.facebook.com/", "hxxp://search.babylon.com/?affID=113959&tt=280612_7_&babsrc=HP_ss&mntrId=c40a43a2000000000000002637bd3942", "hxxp://www.artlastudents.com/index.cfm/search/detail/entry/1740" ]
    -\\ Opera v [Unable to get version]
    File : C:\Users\Vibhor\AppData\Roaming\Opera\Opera\operaprefs.ini
    Deleted : Home URL=hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEtD0B0AzzzyyCyE[...]
    *************************
    AdwCleaner[R1].txt - [17408 octets] - [10/11/2012 13:02:31]
    AdwCleaner[S1].txt - [17907 octets] - [10/11/2012 13:03:33]
    ########## EOF - C:\AdwCleaner[S1].txt - [17968 octets] ##########
  5. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

These are the reports I got. I cannot do the F-Secure online scan as there's a problem with Java Update. For some reason I can't update my Java.
  6. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    What happens when you try?

    Try F-Secure with different browser.
  7. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

Also, when I press new tab in Google Chrome, it opens h t t p ://mystart.incredibar.com/?loc=CH_NT and says Server is too busy.
  8. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    You didn't answer my question about Java.

As for Chrome...
    Uninstall it.
    1. Go to Start > All Programs > Google Chrome > Uninstall Google Chrome.
    2. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete browser data" checkbox.
    3. Select the default browser you'd like to use.
    4. Click OK in the confirmation prompt.
    5. The uninstall process will begin.
    Install fresh copy.
  9. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

F-Secure in a different browser also doesn't work. The applet in the browser window runs till Accept licence, then I see a loading circle in that applet. I get notifications about updating Java; currently it's updated to Java 7 Update 9. Let me reinstall Chrome and I'll be back.
  10. Broni

    Broni Malware Annihilator Posts: 45,316   +243

  11. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

OK, there was a rogue extension in Chrome that I just removed, so the mystart issue is gone. I'm checking the link for Java you just sent... hold on...
  12. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

Oh yes, that's how I installed it later when the automatic download didn't work, so I have the updates and everything. I tried running F-Secure from three different browsers. Should I deactivate my current antivirus program before proceeding?
  13. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    It'll run faster when you disable your AV.
  14. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

I'm sorry, I still get an inactive Java applet that shows a loading circle.
  15. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Free scan now button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View report.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.
  16. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    QuickScan 32-bit v0.9.9.118
    ---------------------------
    Scan date: Mon Nov 12 16:36:13 2012
    Machine ID: C40A43A2



    No infection found.
    -------------------



    Processes
    ---------
    (unsigned) vlc.exe 2696 D:\Program Files (x86)\VideoLAN\VLC\vlc.exe

    (verified) ATK Hotkey 4016 C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
    (verified) ATK Media 4024 C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    (verified) ATKOSD2 2292 C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    (verified) Billy The Goat 3108 C:\Program Files (x86)\Autorun Eater\billy.exe
    (verified) Google Chrome 116 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 472 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 652 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 2260 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 2452 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 2684 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 2776 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 3456 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 3808 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 4252 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 4280 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 4384 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 4528 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 4596 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 4616 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 4784 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 5004 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 5332 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 5584 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Google Chrome 6892 C:\Users\Vibhor\AppData\Local\Google\Chrome\Application\chrome.exe
    (verified) Old McDonald 4004 C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe
    (verified) Opera Internet Browser 5044 C:\Program Files (x86)\Opera\opera.exe
    (verified) Opera Internet Browser plugin wrapper 6664 C:\Program Files (x86)\Opera\pluginwrapper\opera_plugin_wrapper.exe
    (verified) Printer Device Monitor 3964 C:\Program Files (x86)\Dell V520 Series\DKADGmon.exe


    Network activity
    ----------------
    Process chrome.exe (472) connected on port 443 (HTTP over SSL) --> 74.125.226.195
    Process chrome.exe (472) connected on port 5222 (XMPP/Jabber) --> 74.125.131.125
    Process chrome.exe (472) connected on port 80 (HTTP) --> 69.171.235.16
    Process chrome.exe (472) connected on port 80 (HTTP) --> 74.125.226.194
    Process chrome.exe (472) connected on port 80 (HTTP) --> 74.125.226.194
    Process chrome.exe (472) connected on port 443 (HTTP over SSL) --> 23.66.230.194
    Process chrome.exe (472) connected on port 443 (HTTP over SSL) --> 69.171.224.34
    Process chrome.exe (472) connected on port 443 (HTTP over SSL) --> 69.171.234.37
    Process chrome.exe (472) connected on port 80 (HTTP) --> 50.22.252.218
    Process chrome.exe (472) connected on port 80 (HTTP) --> 50.22.252.218
    Process chrome.exe (472) connected on port 80 (HTTP) --> 50.22.252.218
    Process chrome.exe (472) connected on port 80 (HTTP) --> 50.22.252.218
    Process chrome.exe (472) connected on port 80 (HTTP) --> 23.66.230.194
    Process chrome.exe (472) connected on port 80 (HTTP) --> 23.66.230.194
    Process chrome.exe (472) connected on port 80 (HTTP) --> 64.94.107.43
    Process chrome.exe (472) connected on port 80 (HTTP) --> 64.94.107.43
    Process chrome.exe (472) connected on port 443 (HTTP over SSL) --> 23.66.230.194
    Process chrome.exe (472) connected on port 443 (HTTP over SSL) --> 23.66.230.194
    Process chrome.exe (472) connected on port 80 (HTTP) --> 37.59.67.149
    Process chrome.exe (472) connected on port 80 (HTTP) --> 37.59.67.149
    Process chrome.exe (472) connected on port 80 (HTTP) --> 37.59.67.149
    Process chrome.exe (472) connected on port 80 (HTTP) --> 72.21.81.253
    Process chrome.exe (472) connected on port 80 (HTTP) --> 72.21.81.253
    Process chrome.exe (472) connected on port 80 (HTTP) --> 72.21.81.253
    Process chrome.exe (472) connected on port 80 (HTTP) --> 66.235.155.28
    Process chrome.exe (472) connected on port 80 (HTTP) --> 66.235.155.28
    Process chrome.exe (472) connected on port 80 (HTTP) --> 66.235.155.28
    Process chrome.exe (472) connected on port 80 (HTTP) --> 66.235.155.28
    Process chrome.exe (472) connected on port 80 (HTTP) --> 64.94.107.57
    Process chrome.exe (472) connected on port 80 (HTTP) --> 64.94.107.57
    Process chrome.exe (472) connected on port 80 (HTTP) --> 74.125.226.194
    Process chrome.exe (472) connected on port 80 (HTTP) --> 74.125.226.194
    Process chrome.exe (472) connected on port 80 (HTTP) --> 74.125.226.194
    Process chrome.exe (472) connected on port 80 (HTTP) --> 74.125.226.194

    Process DKADGmon.exe (3964) listens on ports: 15637


    Autoruns and critical files
    ---------------------------
    (verified) Adobe Reader and Acrobat Manager C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    (verified) ATK Hotkey C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
    (verified) ATK Media C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    (verified) ATKOSD2 C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    (verified) Google Update C:\Users\Vibhor\AppData\Local\Google\Update\GoogleUpdate.exe
    (verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
    (verified) Old McDonald C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe
    (verified) Printer Device Monitor C:\Program Files (x86)\Dell V520 Series\DKADGmon.exe
    (verified) Windows® Internet Explorer c:\windows\syswow64\webcheck.dll


    Browser plugins
    ---------------
    (unsigned) Akamai Download Manager ActiveX Control C:\Windows\Downloaded Program Files\DownloadManagerV2.ocx
    (unsigned) Google Earth Plugin C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    (unsigned) NPSWF32_11_4_402_265.dll C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll

    (verified) AcroIEHelperShim Library c:\program files (x86)\common files\adobe\acrobat\activex\acroiehelpershim.dll
    (verified) Adobe Acrobat C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
    (verified) Adobe Acrobat C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    (verified) Akamai Download Manager ActiveX Control C:\Windows\Downloaded Program Files\Manager.exe
    (verified) Bitdefender QuickScan C:\Users\Vibhor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.118_0\npqscan.dll
    (verified) Bonjour C:\Program Files (x86)\Bonjour\mdnsNSP.dll
    (verified) Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
    (verified) Coupons Inc., Coupon Printer Manager C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    (verified) Google Talk Plugin C:\Users\Vibhor\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    (verified) Google Talk Plugin Video Accelerator C:\Users\Vibhor\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    (verified) Google Toolbar for Internet Explorer c:\program files (x86)\google\google toolbar\googletoolbar_32.dll
    (verified) Google Update C:\Users\Vibhor\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
    (verified) Java Deployment Toolkit 7.0.50.255 C:\Windows\SysWOW64\npDeployJava1.dll
    (verified) Java(TM) Platform SE 7 U5 c:\program files (x86)\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    (verified) Java(TM) Platform SE 7 U5 C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
    (verified) Java(TM) Platform SE 7 U5 c:\program files (x86)\oracle\javafx 2.1 runtime\bin\ssv.dll
    (verified) Microsoft Office 2010 D:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL
    (verified) Microsoft Office 2010 D:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL
    (verified) Microsoft Office 2010 d:\program files (x86)\microsoft office\office14\urlredir.dll
    (verified) Microsoft® CoReXT c:\program files (x86)\common files\microsoft shared\windows live\windowslivelogin.dll
    (verified) Microsoft® CoReXT C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
    (verified) Microsoft® CoReXT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
    (verified) Microsoft® Windows® Operating System C:\Windows\system32\mswsock.dll
    (verified) Microsoft® Windows® Operating System C:\Windows\system32\napinsp.dll
    (verified) Microsoft® Windows® Operating System C:\Windows\system32\pnrpnsp.dll
    (verified) Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll
    (verified) Microsoft® Windows® Operating System C:\Windows\system32\wshbth.dll
    (verified) Picasa D:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
    (verified) Silverlight Plug-In C:\Program Files (x86)\Microsoft Silverlight\5.1.10516.0\npctrl.dll
    (verified) Uplay PC C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
    (verified) VMware Workstation C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
    (verified) VMware Workstation C:\Program Files (x86)\VMware\VMware Workstation\x64\vsocklib.dll
    (verified) Windows Live Messenger Companion c:\program files (x86)\windows live\companion\companioncore.dll
    (verified) Windows Live™ Photo Gallery C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    (verified) Windows® Internet Explorer c:\windows\syswow64\ieframe.dll
    (verified) Yahoo Application State Plugin C:\Program Files (x86)\Yahoo!\Shared\npYState.dll
    (verified) Zeon Plus C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll


    Scan
    ----
    MD5: 040295875fdcbbef5a3fc2d8996d9875 c:\altera\11.1\quartus\bin64\jtagserver.exe
    MD5: 9ee35391f0aca2bce865b60053249e42 C:\Program Files (x86)\Dell V520 Series\dkabmonr.dll
    MD5: 8b35f9533c20b815e7ea47e18f3d9f70 C:\Program Files (x86)\Dell V520 Series\dkadg_32iobj.dll
    MD5: b78f4c2c592c87df54e8e0c6aaef3874 C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    MD5: 14f6acdc20fa0d4efa747ca81ed4d028 C:\Program Files (x86)\Opera\gstreamer\gstreamer.dll
    MD5: 1645b21d06d5888de46d4020661cbcd1 C:\Program Files (x86)\Opera\gstreamer\plugins\gstcoreplugins.dll
    MD5: ce95f0178d99b53d3605a2d1c03900fd C:\Program Files (x86)\Opera\gstreamer\plugins\gstwebmdec.dll
    MD5: 5cf07b67aef164bc16e7f412c4134894 C:\Windows\Downloaded Program Files\DownloadManagerV2.ocx
    MD5: 2ed65cf5725fcd0dfd40f87782ae37d5 C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
    MD5: 7ebdfc02b9e698acba658fa4204abce6 D:\Program Files (x86)\VideoLAN\VLC\libvlc.dll
    MD5: c90976c653fecc24f668f57da0a1cb61 D:\Program Files (x86)\VideoLAN\VLC\libvlccore.dll
    MD5: e0d81e1d14a9304a528320272848a550 D:\Program Files (x86)\VideoLAN\VLC\plugins\liba52tofloat32_plugin.dll
    MD5: 2a3a97c74d50526c3d690312f453cca2 D:\Program Files (x86)\VideoLAN\VLC\plugins\liba52tospdif_plugin.dll
    MD5: dc4bcb578c79a8ab30acd1dc9ab14bba D:\Program Files (x86)\VideoLAN\VLC\plugins\libaccess_bd_plugin.dll
    MD5: 520e487bf7d09187cfeaae2eaac7c8de D:\Program Files (x86)\VideoLAN\VLC\plugins\libaes3_plugin.dll
    MD5: 7a6789a0941836c34ce39377d2e07320 D:\Program Files (x86)\VideoLAN\VLC\plugins\libaout_directx_plugin.dll
    MD5: 2dab56d44cacef809b3db232903cb5a0 D:\Program Files (x86)\VideoLAN\VLC\plugins\libaraw_plugin.dll
    MD5: d9c27bee0408d3a737c8f3c1bc2a653e D:\Program Files (x86)\VideoLAN\VLC\plugins\libasf_plugin.dll
    MD5: 3e55f2c6bd59c821d400fb8dd7e3e0f0 D:\Program Files (x86)\VideoLAN\VLC\plugins\libaudio_format_plugin.dll
    MD5: 38822c0f2412a644ad4be5a44fd2be7e D:\Program Files (x86)\VideoLAN\VLC\plugins\libavi_plugin.dll
    MD5: bae2dc24110201649bea1ddb74011414 D:\Program Files (x86)\VideoLAN\VLC\plugins\libcdg_plugin.dll
    MD5: c0be6decdfdd6f1d88e3f57d6ee24ea7 D:\Program Files (x86)\VideoLAN\VLC\plugins\libconverter_fixed_plugin.dll
    MD5: 30f25e25934cd4d022c721b64907b7d7 D:\Program Files (x86)\VideoLAN\VLC\plugins\libcvdsub_plugin.dll
    MD5: b3a3b96f40b23c5d89a702b27e883dcf D:\Program Files (x86)\VideoLAN\VLC\plugins\libdirectx_plugin.dll
    MD5: 4ceaa63cac2d005b403fc97c4a72716c D:\Program Files (x86)\VideoLAN\VLC\plugins\libdolby_surround_decoder_plugin.dll
    MD5: 5b6e83d1c302301ff6003542d527b459 D:\Program Files (x86)\VideoLAN\VLC\plugins\libdshow_plugin.dll
    MD5: f5b10d1ca31823388f52e258d0c6b809 D:\Program Files (x86)\VideoLAN\VLC\plugins\libdts_plugin.dll
    MD5: e29cd13018abdcd9a439f9bbe0130992 D:\Program Files (x86)\VideoLAN\VLC\plugins\libdtstofloat32_plugin.dll
    MD5: 29a90458dd018b9ee91d648acbadb72d D:\Program Files (x86)\VideoLAN\VLC\plugins\libdtstospdif_plugin.dll
    MD5: 13d3d15a7693805341b0e15041989763 D:\Program Files (x86)\VideoLAN\VLC\plugins\libdvdnav_plugin.dll
    MD5: eef5940f0fafb883defd128f0beccb36 D:\Program Files (x86)\VideoLAN\VLC\plugins\libequalizer_plugin.dll
    MD5: f7e213d72dda9a34a1e21cb4e30698a3 D:\Program Files (x86)\VideoLAN\VLC\plugins\libes_plugin.dll
    MD5: 9315cc44135ec5e561e3adf07eb9af5c D:\Program Files (x86)\VideoLAN\VLC\plugins\libfaad_plugin.dll
    MD5: 4b457b8c5fc152793e2f69418bbbf238 D:\Program Files (x86)\VideoLAN\VLC\plugins\libfake_plugin.dll
    MD5: c779bbaa4f0d7c439fc9b510de43236e D:\Program Files (x86)\VideoLAN\VLC\plugins\libfilesystem_plugin.dll
    MD5: f2dd7c0b6ab2db499c998bbbd2101111 D:\Program Files (x86)\VideoLAN\VLC\plugins\libflac_plugin.dll
    MD5: 1f862b40785d49e0aab92f308452b890 D:\Program Files (x86)\VideoLAN\VLC\plugins\libflacsys_plugin.dll
    MD5: 216de7a6961aaeffabaeb254043e0fe1 D:\Program Files (x86)\VideoLAN\VLC\plugins\libfloat32_mixer_plugin.dll
    MD5: 057fb844c46c1bc01c54b54e1a3c70b1 D:\Program Files (x86)\VideoLAN\VLC\plugins\libglobalhotkeys_plugin.dll
    MD5: 19776160e34443800c96f736c7dbd5cf D:\Program Files (x86)\VideoLAN\VLC\plugins\libhotkeys_plugin.dll
    MD5: d505eb615464037b1f2f9751cc5be795 D:\Program Files (x86)\VideoLAN\VLC\plugins\liblibass_plugin.dll
    MD5: b5c7d9d22e301bdee6991795ccca7063 D:\Program Files (x86)\VideoLAN\VLC\plugins\liblpcm_plugin.dll
    MD5: 18bba1fbd2797345ec4f3331cff082c4 D:\Program Files (x86)\VideoLAN\VLC\plugins\liblua_plugin.dll
    MD5: 21ef83da5b4c82a8e24a10380deb90c6 D:\Program Files (x86)\VideoLAN\VLC\plugins\libmediadirs_plugin.dll
    MD5: 2e8f410796a516b4f8a98552113f62a1 D:\Program Files (x86)\VideoLAN\VLC\plugins\libmemcpymmxext_plugin.dll
    MD5: 1518e17c72bf9b2891db1d99dda0fe98 D:\Program Files (x86)\VideoLAN\VLC\plugins\libmono_plugin.dll
    MD5: e274c4ef48f1fd793b122503f4fa83bf D:\Program Files (x86)\VideoLAN\VLC\plugins\libmp4_plugin.dll
    MD5: f3cb1eade374e7d90ba58592e526dfdb D:\Program Files (x86)\VideoLAN\VLC\plugins\libmpeg_audio_plugin.dll
    MD5: cd254749b2200fef3ad407c4bd60c6df D:\Program Files (x86)\VideoLAN\VLC\plugins\libmpgatofixed32_plugin.dll
    MD5: 1f458a879a9138190aa39d463086cd59 D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_dirac_plugin.dll
    MD5: c373eeb4e4caaa630dbbf1872f0d828b D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_flac_plugin.dll
    MD5: 46a50127a8a464324d6315f7911bb9d1 D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_h264_plugin.dll
    MD5: ceda7c0de2615b6390e6f8fe4d5cf884 D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_mlp_plugin.dll
    MD5: 40f290c673874b21bebd9a165c4a044a D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_mpeg4audio_plugin.dll
    MD5: e9f58bb141f87f6a6e0732cdd42d757d D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_mpeg4video_plugin.dll
    MD5: 545324194aeef972267f99014341951b D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_mpegvideo_plugin.dll
    MD5: 7b89b47b4d26257b65b7961336ef7158 D:\Program Files (x86)\VideoLAN\VLC\plugins\libpacketizer_vc1_plugin.dll
    MD5: 94b1789f011d7bc68fc7b9d7886d95cc D:\Program Files (x86)\VideoLAN\VLC\plugins\libplaylist_plugin.dll
    MD5: ae86f0ec1bc9aa7122baef395cda58e6 D:\Program Files (x86)\VideoLAN\VLC\plugins\libpng_plugin.dll
    MD5: 859f0473d807504b0f6ba025e8598ce6 D:\Program Files (x86)\VideoLAN\VLC\plugins\libpodcast_plugin.dll
    MD5: bd783acd1d32e979d93717cad1a97d7f D:\Program Files (x86)\VideoLAN\VLC\plugins\libqt4_plugin.dll
    MD5: a15359297d604d544e5526f61798b974 D:\Program Files (x86)\VideoLAN\VLC\plugins\librawvideo_plugin.dll
    MD5: 1dd059b9d68c50e99e43092b6ae08fde D:\Program Files (x86)\VideoLAN\VLC\plugins\libsap_plugin.dll
    MD5: 61ff9dcae00071e5111c95cc74fd6c68 D:\Program Files (x86)\VideoLAN\VLC\plugins\libscaletempo_plugin.dll
    MD5: 48d7c1a82ec5f3c1860d21ec70bcd410 D:\Program Files (x86)\VideoLAN\VLC\plugins\libschroedinger_plugin.dll
    MD5: f390ff48545a83101ac42ed6f807abd8 D:\Program Files (x86)\VideoLAN\VLC\plugins\libsimple_channel_mixer_plugin.dll
    MD5: 802919bf078bd5de4417ea671c277e2a D:\Program Files (x86)\VideoLAN\VLC\plugins\libskins2_plugin.dll
    MD5: a079a56e06b3c95e3256b706116701d4 D:\Program Files (x86)\VideoLAN\VLC\plugins\libspdif_mixer_plugin.dll
    MD5: 301670655d8acbc9c35142d685524b4b D:\Program Files (x86)\VideoLAN\VLC\plugins\libspeex_plugin.dll
    MD5: 0bb8bc6f125023ad2a90403d4346da49 D:\Program Files (x86)\VideoLAN\VLC\plugins\libspudec_plugin.dll
    MD5: 0a99e6294a6ed56506147cddf9446934 D:\Program Files (x86)\VideoLAN\VLC\plugins\libstream_filter_rar_plugin.dll
    MD5: 9799270c9d4b3449ac8b5caeff9a1676 D:\Program Files (x86)\VideoLAN\VLC\plugins\libstream_filter_record_plugin.dll
    MD5: cb34a9095ab25606d42b143c29070cbf D:\Program Files (x86)\VideoLAN\VLC\plugins\libsvcdsub_plugin.dll
    MD5: 47aa1206caac48830ce9d94b4603b716 D:\Program Files (x86)\VideoLAN\VLC\plugins\libtaglib_plugin.dll
    MD5: 52ab8a543f75bed2057693cf12a99d06 D:\Program Files (x86)\VideoLAN\VLC\plugins\libtheora_plugin.dll
    MD5: 7d60ca400bb9837827fc56b166f59f47 D:\Program Files (x86)\VideoLAN\VLC\plugins\libtrivial_mixer_plugin.dll
    MD5: ab802dc6f3254e42b0f6bd93c6443b60 D:\Program Files (x86)\VideoLAN\VLC\plugins\libugly_resampler_plugin.dll
    MD5: 957321092bdd216f75c5604c8d649b58 D:\Program Files (x86)\VideoLAN\VLC\plugins\libvorbis_plugin.dll
    MD5: 455bb8423d5b981154bbae0a82e29b1d D:\Program Files (x86)\VideoLAN\VLC\plugins\libwaveout_plugin.dll
    MD5: 6675a2c0af044380814e32b78c3904b1 D:\Program Files (x86)\VideoLAN\VLC\plugins\libxml_plugin.dll
    MD5: 8d2d9e6ff2c810abb6ecc8f6d138deff D:\Program Files (x86)\VideoLAN\VLC\plugins\libzip_plugin.dll
    MD5: b0fd3872f6958aa93d6a7103ac01852c D:\Program Files (x86)\VideoLAN\VLC\vlc.exe


    No file uploaded.

    Scan finished - communication took 1 sec
    Total traffic - 0.00 MB sent, 0.30 KB recvd
    Scanned 447 files and modules - 10 seconds

    ==============================================================================
  17. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    Fine.
    You can uninstall BitDefender now as you don't want to be running two AV programs.

    ===============================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please let me know how your computer is doing.
  18. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Vibhor
    ->Temp folder emptied: 16109 bytes
    ->Temporary Internet Files folder emptied: 261516660 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 354743724 bytes
    ->Google Chrome cache emptied: 294988056 bytes
    ->Opera cache emptied: 76554248 bytes
    ->Flash cache emptied: 926 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 23918 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 942.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Vibhor
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Guest

    User: Public

    User: Vibhor
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Unable to start System Restore Service. Error code -2147212542

    OTL by OldTimer - Version 3.2.69.0 log created on 11122012_182834

    Files\Folders moved on Reboot...
    File\Folder C:\Windows\temp\~bd6E8C.tmp not found!

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
    --------------
    Broni: Should I still go ahead with the next steps, as I can see it couldn't start System Restore? Also, between ESET Smart Security and BitDefender, which one would you really recommend I should keep? Thanks
  19. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    See if you can reset restore point manually.
    Turn system restore off.
    Restart computer.
    Turn system restore on.
  20. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    I can't. Here's the error message:
    "There was an unexpected error in the property page.
    System Restore encountered an error. Please try to run System Restore again. (0x81000203)
    Please close the property page and try again"
  21. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    1) Alright, I manually restarted 'Microsoft Software Shadow Copy Provider' from services.msc and created a restore point successfully.
    2) Uninstalled BitDefender Internet Security 2013. I still have the browser plugin for the online scan, hope that's OK.
    3) Should I start Clean up with OTL?
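    The manual recovery described in this post (restarting the Shadow Copy Provider service, then creating a fresh restore point) and the "turn System Restore off, restart, turn it on" advice a few posts up can be done from an elevated PowerShell session. The following is an added example written for this thread, not a script from Broni, OTL or any tool in the thread. It assumes an Administrator PowerShell prompt on Windows 7 or later, that the system drive is the one System Restore protects, and uses the built-in service names 'swprv' (Microsoft Software Shadow Copy Provider) and 'VSS' (Volume Shadow Copy); the restore point description is a made-up label.

```powershell
# Added example, not part of the original thread.
# Run as Administrator. Checks the services System Restore depends on, makes sure
# protection is enabled on the system drive, then creates and verifies a restore point.

# 'swprv' = Microsoft Software Shadow Copy Provider, 'VSS' = Volume Shadow Copy
$services = 'swprv', 'VSS'

foreach ($name in $services) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) on all supported Windows versions
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { throw "Service $name not found; System Restore cannot work without it." }
    Write-Host ("{0,-45} StartMode={1,-8} State={2}" -f $svc.DisplayName, $svc.StartMode, $svc.State)

    # A disabled provider is one reason the System Protection page fails with 0x81000203;
    # set it back to Manual (the Windows default) so the restore UI can start it on demand.
    if ($svc.StartMode -eq 'Disabled') {
        Set-Service -Name $name -StartupType Manual
    }
    if ($svc.State -ne 'Running') {
        Start-Service -Name $name
    }
}

# Equivalent of turning System Protection on for the system drive (no-op if already on).
$systemDrive = $env:SystemDrive + '\'
Enable-ComputerRestore -Drive $systemDrive

# Show what restore points exist before creating a new one. Note: Windows 8 and later
# silently skip creation if another point was made in the last 24 hours.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType |
    Format-Table -AutoSize

# Description is an assumed label; MODIFY_SETTINGS is the appropriate type for a manual checkpoint.
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType 'MODIFY_SETTINGS'

# Verify the newest point is the one just created.
$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
Write-Host ("Newest restore point #{0}: {1}" -f $latest.SequenceNumber, $latest.Description)
```

    If Enable-ComputerRestore or Checkpoint-Computer still fail after the services start, the System Protection UI (sysdm.cpl, System Protection tab) is the place to confirm that protection is actually enabled on the drive and that enough disk space is allotted to it; a 0 byte allocation also causes restore point creation to fail.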
  22. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    Go ahead.
  23. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    DONE! There's MBR.dat from Malwarebytes Anti Malware scans on my desktop, what should I do with that? Other than that, everything seems to be working fine now.
  24. Broni

    Broni Malware Annihilator Posts: 45,316   +243

    You can delete that file.

    Way to go!!
    Good luck and stay safe :)
  25. Vibhor

    Vibhor Newcomer, in training Topic Starter Posts: 35

    Thanks a ton!!! Appreciate what you do here.. Keep up the noble work! Buzz me if you ever need my assistance.. now that's hysterical you might think, but I have been doing the same work on a personal level for people around me for about 7-8 years now and this time I was caught off guard!

    Thanks again Malware Annihilator ; )

