TechSpot

Win7 search problems

By inekam
Feb 19, 2012
  1. I have a Win 7 laptop with all the updates. I am having an issue with using the internet. I am able to get to any website other than a search engine. If I use an IP I can get to Google but not if I enter the name. Malwarebytes found problems and removed them. All new scans come back clean but the issue is still there.

    ________________________________________________

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-19 16:14:17
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\0000006d ST912082 rev.7.24
    Running: GMER.exe; Driver: C:\Users\Vova\AppData\Local\Temp\kxldypow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:384] 85BBA39F
    Thread System [4:668] 865B30F4

    ---- EOF - GMER 1.0.15 ----
    ____________________________________________________________


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by Vova at 16:14:37 on 2012-02-19
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1983.1296 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Airlink101\Airlink101 WLAN Monitor\RtlService.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\Airlink101\Airlink101 WLAN Monitor\RtWlan.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Secunia\PSI\psi_tray.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uWindow Title = Internet Explorer, optimized for Bing and MSN
    uStart Page = hxxp://www.msn.com
    uDefault_Page_URL = hxxp://www.msn.com
    uInternet Settings,ProxyOverride = *.local
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0AMQA2ADEANAA0ADAAMgAzADUALQBGAFAAOQArADYALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQgArADEA"&"prod=90"&"ver=9.0.872
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: citibank.com\online
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{15C2F28A-AE97-4600-A149-B9678E645DC8} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{5263007E-444C-4B22-AF67-5770A13662C9} : DhcpNameServer = 216.144.187.37 207.44.96.129 204.186.0.201
    TCP: Interfaces\{5263007E-444C-4B22-AF67-5770A13662C9}\249676D41676E6F6C69616D27657563747 : DhcpNameServer = 216.144.187.37 207.44.96.129 204.186.0.201
    TCP: Interfaces\{5263007E-444C-4B22-AF67-5770A13662C9}\C4167737F6E62373 : DhcpNameServer = 10.0.0.1
    TCP: Interfaces\{741ED365-3B74-4C1F-96C3-0DA644DAF69A}\14E495 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{741ED365-3B74-4C1F-96C3-0DA644DAF69A}\249676D41676E6F6C69616 : DhcpNameServer = 216.144.187.37 207.44.96.129 204.186.0.201
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2856425&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?AF=100486&babsrc=adbartrp&mntrId=1c4c8b0800000000000000212f38acb7&q=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko10.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko11.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko19.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko5.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko6.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko7.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko8.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\{060a0a36-13dc-407d-b055-5a9accd8e083}\components\RadioWMPCoreGecko9.dll
    FF - component: c:\users\vova\appdata\roaming\mozilla\firefox\profiles\mbeqrgpf.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.BabylonToolbar_i.id - 1c4c8b0800000000000000212f38acb7
    FF - user.js: extensions.BabylonToolbar_i.hardId - 1c4c8b0800000000000000212f38acb7
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15378
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:18:42
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100486
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl457ad428;MpKsl457ad428;c:\programdata\microsoft\microsoft antimalware\definition updates\{fb10df12-e505-45be-9983-ca05835b0e17}\MpKsl457ad428.sys [2012-2-19 29904]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
    R2 RtlService;RtlService;c:\program files\airlink101\airlink101 wlan monitor\RtlService.exe [2011-7-30 36864]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-7-24 1153368]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
    R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2006-12-18 73472]
    R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2006-12-18 43904]
    R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192cu.sys [2011-7-30 630304]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    S2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-7-24 15872]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-24 52224]
    .
    =============== Created Last 30 ================
    .
    2012-02-19 20:57:16 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{fb10df12-e505-45be-9983-ca05835b0e17}\MpKsl457ad428.sys
    2012-02-19 20:07:42 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1358c11a-42c0-4847-ac09-4cae6faa59bc}\gapaengine.dll
    2012-02-19 20:07:34 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{fb10df12-e505-45be-9983-ca05835b0e17}\mpengine.dll
    2012-02-19 20:05:15 -------- d-----w- c:\program files\Microsoft Security Client
    2012-02-19 20:00:44 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2012-02-19 20:00:44 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2012-02-19 20:00:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2012-02-19 20:00:43 97240 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2012-02-19 20:00:43 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2012-02-19 20:00:43 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-02-19 20:00:43 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-02-19 20:00:43 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-02-19 20:00:43 45016 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2012-02-19 20:00:43 437208 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2012-02-19 20:00:43 1911768 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2012-02-19 20:00:43 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2012-02-19 19:57:47 -------- d-----w- c:\windows\system32\appmgmt
    2012-02-19 19:56:37 -------- d-----w- c:\windows\Profiles
    2012-02-19 19:46:15 -------- d-----w- c:\users\vova\appdata\local\Secunia PSI
    2012-02-19 16:40:44 -------- d-----w- c:\users\vova\appdata\roaming\SUPERAntiSpyware.com
    2012-02-19 16:40:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-02-19 16:40:30 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-02-19 16:40:19 -------- d-----w- c:\program files\Secunia
    2012-02-19 16:40:07 -------- d-----w- c:\users\vova\appdata\roaming\Malwarebytes
    2012-02-19 16:39:57 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-19 16:39:56 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-19 16:39:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-19 15:41:45 -------- d-sh--w- c:\users\vova\appdata\roaming\AV Security Essentials
    2012-02-19 15:41:44 -------- d-sh--w- c:\programdata\AVDUSQOBSSE
    2012-02-19 15:41:31 -------- d-sh--w- c:\programdata\fca178
    2012-02-17 11:03:07 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a4a67422-bd9d-403c-b652-abd9b41b5358}\mpengine.dll
    2012-02-15 05:29:32 478720 ----a-w- c:\windows\system32\timedate.cpl
    2012-02-15 05:29:27 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 05:29:22 442880 ----a-w- c:\windows\system32\ntshrui.dll
    2012-02-15 05:28:18 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-02-08 23:18:54 -------- d-----w- c:\users\vova\appdata\local\Google
    2012-02-08 23:18:36 -------- d-----w- c:\users\vova\appdata\local\Babylon
    2012-02-08 23:18:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
    2012-02-08 23:18:30 -------- d-----w- c:\users\vova\appdata\roaming\Babylon
    2012-02-08 23:18:30 -------- d-----w- c:\programdata\Babylon
    2012-02-08 23:18:29 -------- d-----w- c:\program files\FoxTabPDFConverter
    .
    ==================== Find3M ====================
    .
    2012-02-19 20:47:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-27 05:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
    2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 16:15:26.34 ===============

    ________________________________________________________________


    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.19.02

    Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Vova :: VOVA-PC [administrator]

    2/19/2012 11:58:34 AM
    mbam-log-2012-02-19 (11-58-34).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 168929
    Time elapsed: 3 minute(s), 18 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=8042&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\ProgramData\fca178\AVfca_8042.exe (Trojan.FakeAlert.FS) -> Quarantined and deleted successfully.
    C:\Users\Vova\Downloads\PDFCreatorSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.

    (end)
    _________________________________________________________________


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/1/2010 8:19:57 PM
    System Uptime: 2/19/2012 3:52:45 PM (1 hours ago)
    .
    Motherboard: Quanta | | 30B7
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-50 | Socket S1 | 1600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 105 GiB total, 24.055 GiB free.
    D: is FIXED (NTFS) - 7 GiB total, 0.618 GiB free.
    E: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30B7103C&REV_01\4&3A3249AB&0&2A80
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30B7103C&REV_01\4&3A3249AB&0&2A80
    Service:
    .
    Class GUID:
    Description: Coprocessor
    Device ID: PCI\VEN_10DE&DEV_0271&SUBSYS_30B7103C&REV_A3\3&13C0B0C5&0&53
    Manufacturer:
    Name: Coprocessor
    PNP Device ID: PCI\VEN_10DE&DEV_0271&SUBSYS_30B7103C&REV_A3\3&13C0B0C5&0&53
    Service:
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30B7103C&REV_0A\4&3A3249AB&0&2B80
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30B7103C&REV_0A\4&3A3249AB&0&2B80
    Service:
    .
    ==== System Restore Points ===================
    .
    RP160: 2/19/2012 12:55:44 AM - Scheduled Checkpoint
    RP162: 2/19/2012 11:01:22 AM - Before uninstalling CCleaner
    RP165: 2/19/2012 2:57:06 PM - Removed Chanalyzer 3.4
    RP166: 2/19/2012 3:06:06 PM - Windows Update
    RP168: 2/19/2012 3:54:41 PM - CA Internet Security Suite
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    µTorrent
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Airlink101 WLAN Monitor
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bing Bar
    Bonjour
    Broadcom 802.11 Wireless LAN Adapter
    CCleaner
    Conexant HD Audio
    FoxTab PDF Creator
    HDAUDIO Soft Data Fax Modem with SmartCP
    HP Product Detection
    inSSIDer
    iTunes
    K-Lite Codec Pack 5.7.0 (Standard)
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Office ??????????? 2007
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel 2007 Help Îáíîâëåíèå (KB963678)
    Microsoft Office Excel MUI (Russian) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook 2007 Help Îáíîâëåíèå (KB963677)
    Microsoft Office Outlook MUI (Russian) 2007
    Microsoft Office Powerpoint 2007 Help Îáíîâëåíèå (KB963669)
    Microsoft Office PowerPoint MUI (Russian) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Russian) 2007
    Microsoft Office Proof (Ukrainian) 2007
    Microsoft Office Proofing (Russian) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (Russian) 2007
    Microsoft Office Standard 2007
    Microsoft Office Word 2007 Help Îáíîâëåíèå (KB963665)
    Microsoft Office Word MUI (Russian) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox 10.0.2 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    QuickTime
    Secunia PSI (2.0.0.4003)
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 4.2
    Spybot - Search & Destroy
    SUPERAntiSpyware
    Synaptics Pointing Device Driver
    System Requirements Lab
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2597998) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Windows Live ID Sign-in Assistant
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/19/2012 12:37:47 PM, Error: Microsoft-Windows-SharedAccess_NAT [30009] - The DHCP allocator encountered a network error while attempting to reply on IP address 0.0.0.0 to a request from a client. The data is the error code.
    2/19/2012 12:04:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    2/19/2012 12:04:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    2/19/2012 12:04:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/19/2012 12:04:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    2/19/2012 12:04:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache KmxAgent SASDIFSV SASKUTIL spldr Wanarpv6
    2/19/2012 11:35:53 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache KmxAgent spldr Wanarpv6
    2/19/2012 10:46:59 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{15C2F28A-AE97-4600-A149-B9678E645DC8} because another computer on the network has the same name. The server could not start.
    2/19/2012 10:46:59 AM, Error: NetBT [4321] - The name "VOVA-PC :20" could not be registered on the interface with IP address 192.168.1.2. The computer with the IP address 192.168.1.3 did not allow the name to be claimed by this computer.
    2/19/2012 10:46:54 AM, Error: NetBT [4321] - The name "VOVA-PC :0" could not be registered on the interface with IP address 192.168.1.2. The computer with the IP address 192.168.1.3 did not allow the name to be claimed by this computer.
    2/19/2012 10:43:30 AM, Error: Service Control Manager [7000] - The 8042 service failed to start due to the following error: The system cannot find the file specified.
    2/18/2012 4:48:17 PM, Error: volsnap [35] - The shadow copies of volume C: were aborted because the shadow copy storage failed to grow.
    .
    ==== End Of File ===========================
  2. Bobbye


    Welcome to TechSpot! I'll help with the search problem.

    First, I see you have 2 antivirus programs:
    Microsoft Security Essentials
    RP168: 2/19/2012 3:54:41 PM - CA Internet Security Suite (restore point)
    Decide which one you want to keep and remove the other.
    Please reboot the system after doing that.
    ==================================
    Do you have a language other than English on the system? Although there are Office products in a multitude of different languages installed, what are these:
    ============================================
    I'd like to clarify this please:
    1. What browser are you using?
    2. Does it have a search box in it? If so, if you type in a search word, what happens? Do you get a message? What is it?
    3. If you click on one of your Favorites or Bookmarks, what happens? Does it open the web page?
    4. If you type a URL in the Address Bar, what happens?
    5. You have access to the internet, correct?
    6. You know the difference between an IP and a URL, correct?
    Note: In the above, I am referring to two different locations: the Search box and the Address Bar.
    =============================================
    I'd like you to run Combofix- but it won't run with CA Security Suite. You will need to temporarily uninstall CA if this is the AV you kept. If it is not, please skip down to the Combofix download.

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AV program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Do not put another AV on the system if you removed the CA Suite and kept MSE. Although you will need to disable the AV temporarily for the scan, you should still have one current AV on the system.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ========================================
    You have a rogue security program on the system. To be on the safe side, Do not remove the temporary internet files or use a cleaning tool like CCleaner.
    ========================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.

    Please leave the 2 logs and answers to my questions in your next reply.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  4. inekam

    inekam TS Rookie Topic Starter Posts: 18

    Hi Bobbye, thank you for trying to help me out.

    The other thread that you mentioned was not mine.

    I have uninstalled CA Internet Security Suite before installing MSE so that may be the restore point from the uninstall.

    This system has Russian language set so the office may be displaying the encoding wrong because of that.

    To clarify the problems I am seeing: if I try to open a website like cnn or techspot I am able to do it without an issue. If I try to open bing or google I get page cannot be displayed. If I do nslookup on google and then enter the IP I am able to browse to the google website then.

    1. What browser are you using?

    I have both IE9 and FireFox10.2

    2. Does it have a search box in it? If so, if you type in a search word, what happens? Do you get a message? What is it?

    In Firefox if I use a search box using google/yahoo/bing I get page cannot be displayed.
    If I use amazon as the search provider I am able to search without an issue.

    3. If you click on one of your Favorites or Bookmarks, what happens? Does it open the web page?

    Yes, that works without a problem

    4. If you type a URL in the Address Bar, what happens?

    Depending on the url. Techspot works but google doesn't

    5. You have access to the internet, correct?

    :) Yes I do

    6. You know the difference between an IP and a URL, correct?

    IP is a layer 3 globally unique address used to identify a pc on the internet. URL is a translation of an ip to an easily remembered name using DNS


    ComboFix 12-02-19.02 - Vova 02/20/2012 13:24:22.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1983.1002 [GMT -5:00]
    Running from: c:\users\Vova\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.tmp
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\cid.exe
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\cid.tmp
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\delfile.sys
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\energy.exe
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\energy.tmp
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\fan.dll
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\fan.drv
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\PE.exe
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
    c:\users\Vova\AppData\Roaming\Microsoft\Windows\Recent\std.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-20 18:32 . 2012-02-20 18:32 -------- d-----w- c:\users\Vova\AppData\Local\temp
    2012-02-20 18:32 . 2012-02-20 18:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-19 20:57 . 2012-02-19 20:57 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FB10DF12-E505-45BE-9983-CA05835B0E17}\MpKsl457ad428.sys
    2012-02-19 20:07 . 2012-02-19 20:07 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1358C11A-42C0-4847-AC09-4CAE6FAA59BC}\gapaengine.dll
    2012-02-19 20:07 . 2012-01-06 01:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FB10DF12-E505-45BE-9983-CA05835B0E17}\mpengine.dll
    2012-02-19 20:05 . 2012-02-19 20:05 -------- d-----w- c:\program files\Microsoft Security Client
    2012-02-19 20:00 . 2012-02-19 20:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2012-02-19 20:00 . 2012-02-19 20:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2012-02-19 20:00 . 2012-02-19 20:00 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2012-02-19 20:00 . 2012-02-19 20:00 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2012-02-19 20:00 . 2012-02-19 20:00 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2012-02-19 20:00 . 2012-02-19 20:00 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-02-19 20:00 . 2012-02-19 20:00 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-02-19 20:00 . 2012-02-19 20:00 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-02-19 20:00 . 2012-02-19 20:00 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-02-19 20:00 . 2012-02-19 20:00 437208 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2012-02-19 20:00 . 2012-02-19 20:00 1911768 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2012-02-19 20:00 . 2012-02-19 20:00 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2012-02-19 19:56 . 2012-02-19 19:56 -------- d-----w- c:\windows\Profiles
    2012-02-19 19:46 . 2012-02-19 19:46 -------- d-----w- c:\users\Vova\AppData\Local\Secunia PSI
    2012-02-19 16:40 . 2012-02-19 16:40 -------- d-----w- c:\users\Vova\AppData\Roaming\SUPERAntiSpyware.com
    2012-02-19 16:40 . 2012-02-19 17:03 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-02-19 16:40 . 2012-02-19 16:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-02-19 16:40 . 2012-02-19 16:40 -------- d-----w- c:\program files\Secunia
    2012-02-19 16:40 . 2012-02-19 16:40 -------- d-----w- c:\users\Vova\AppData\Roaming\Malwarebytes
    2012-02-19 16:39 . 2012-02-19 16:39 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-19 16:39 . 2012-02-19 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-19 16:39 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-19 15:41 . 2012-02-19 15:43 -------- d-sh--w- c:\users\Vova\AppData\Roaming\AV Security Essentials
    2012-02-19 15:41 . 2012-02-19 15:41 -------- d-sh--w- c:\programdata\AVDUSQOBSSE
    2012-02-19 15:41 . 2012-02-19 15:41 -------- d-sh--w- c:\programdata\fca178
    2012-02-17 11:03 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4A67422-BD9D-403C-B652-ABD9B41B5358}\mpengine.dll
    2012-02-15 05:29 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
    2012-02-15 05:29 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 05:29 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
    2012-02-15 05:28 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-02-08 23:18 . 2012-02-08 23:18 -------- d-----w- c:\users\Vova\AppData\Local\Google
    2012-02-08 23:18 . 2012-02-08 23:18 237 ----a-w- C:\user.js
    2012-02-08 23:18 . 2012-02-08 23:18 -------- d-----w- c:\users\Vova\AppData\Local\Babylon
    2012-02-08 23:18 . 2007-08-21 18:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
    2012-02-08 23:18 . 2012-02-08 23:18 -------- d-----w- c:\users\Vova\AppData\Roaming\Babylon
    2012-02-08 23:18 . 2012-02-08 23:18 -------- d-----w- c:\programdata\Babylon
    2012-02-08 23:18 . 2012-02-08 23:18 -------- d-----w- c:\program files\FoxTabPDFConverter
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-19 20:47 . 2011-07-24 20:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-27 05:21 . 2010-03-02 01:41 237072 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-26 18:22 . 2011-11-26 18:22 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
    2012-02-19 20:00 . 2012-02-19 20:00 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA&inst=NwA3AC0AMQA2ADEANAA0ADAAMgAzADUALQBGAFAAOQArADYALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQgArADEA&prod=90&ver=9.0.872" [?]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-11-02 04:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-12-08 06:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2012-02-19 16:41 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    .
    R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
    R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-11-04 17408]
    R3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    S1 MpKsl457ad428;MpKsl457ad428;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FB10DF12-E505-45BE-9983-CA05835B0E17}\MpKsl457ad428.sys [2012-02-19 29904]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S2 RtlService;RtlService;c:\program files\Airlink101\Airlink101 WLAN Monitor\RtlService.exe [2010-04-16 36864]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-10-14 994360]
    S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-10-14 399416]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
    S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2006-12-19 73472]
    S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2006-12-19 43904]
    S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2010-11-03 630304]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - KXLDYPOW
    *NewlyCreated* - MPKSL457AD428
    *Deregistered* - kxldypow
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: citibank.com\online
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Vova\AppData\Roaming\Mozilla\Firefox\Profiles\mbeqrgpf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2856425&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?AF=100486&babsrc=adbartrp&mntrId=1c4c8b0800000000000000212f38acb7&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.BabylonToolbar_i.id - 1c4c8b0800000000000000212f38acb7
    FF - user.js: extensions.BabylonToolbar_i.hardId - 1c4c8b0800000000000000212f38acb7
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15378
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:18
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100486
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    MSConfigStartUp-AV Security Essentials - c:\programdata\fca178\AVfca_8042.exe
    MSConfigStartUp-cctray - c:\program files\CA\CA Internet Security Suite\casc.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-02-20 13:36:13
    ComboFix-quarantined-files.txt 2012-02-20 18:36
    .
    Pre-Run: 25,397,395,456 bytes free
    Post-Run: 24,980,172,800 bytes free
    .
    - - End Of File - - 3509B94080BDFE4699D539CC2342CC79


    Eset Online Virus Scan:

    C:\Program Files\FoxTabPDFConverter\Uninstall\Uninstall.exe a variant of Win32/InstallCore.G application


    Thanks for your help
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, now we have a handle on it!

    Home Malware Cleaner is a rogue anti-spyware program from the Rogue.VirusDoctor
    • It is promoted through web sites that show advertisements that pretend to be online anti-malware scanners.
    • These scanners create numerous files that will be detected by the program as malware (See deletions in Combofix)
    • The scam is that you are told you have to pay for their program to remove these "threats" when in fact there are fake security warnings that should be ignored
    • This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software.
    • Regardless of the web browser you use, we need to fix the proxy so that we can download the utilities we need to remove this infection.
    ==========================
    1. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    2. Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click OK to close the Local Area Network (LAN) Settings window.
      o Click OK to close the Internet Options window.
    3. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it; it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ====================================
    4. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
      [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
    ===============================
    5. Replace Hosts files and Permissions
    The malware also changes your Windows HOSTS file. We will need to replace the default version for your operating system. (Note: if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file.)

    The malware, in order to protect itself, may change the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

    Step 1: Restoring Permissions
    • Please download Hostsperm.bat and save it to your desktop.
    • Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks you if you are sure you want to run it, please allow it to run.
    • Once it starts you will see a small black window that opens, then goes away. This is normal.
    You should now be able to access your HOSTS file.

    Step 2: Show Hidden Files and Folders:
    • Click on the Start button and select Computer
    • Select Folder Options> View tab
    • Check Show hidden files and folders
    • Uncheck Hide protected operating system files (Recommended)> Confirm Yes
    • Then, uncheck the box next to Hide extensions for known filetypes
    • Click Apply then click OK

    Step 3: Delete the hosts file
    • Using Windows Explorer> navigate to Computer> Local Drive> Windows> System 32> Drivers
    • Navigate to C:\Windows\System32\drivers\etc and do a right click> Delete and delete the hosts file.
    • Once it is deleted, go to next Step.

    Step 4: Replacing the Hosts file for your operating system:

    Note: If the contents of the HOSTS file opens in your browser when you click on a link, then right-click on the link and select Save Target As if in Internet Explorer, or Save Link As if in Firefox, to download the file.
    -------------------------
    Now reboot your computer into Normal Mode.
    ==============================================
    I will check the Combofix log for any additional removals.
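The HOSTS file tampering described in step 5 can be checked for before the file is deleted. The following is an added example, not part of the original post: a small Python audit that flags HOSTS entries for search-engine domains as blocked or redirected. The watched-domain list, the function names and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the domains that failed to load by name in this thread.
WATCHED = ("google.com", "bing.com", "yahoo.com")

# Constructed sample. A default Windows 7 HOSTS file contains only comments,
# so every active line below is something a person or a program added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1     www.google.com google.com
203.0.113.10  www.bing.com          # TEST-NET-3 documentation address
203.0.113.10  search.yahoo.com
192.168.1.20  printer.example       # custom entry, not a watched domain
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in a HOSTS file."""
    text = text.lstrip("\ufeff")  # editors sometimes leave a BOM at the start
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in fields[1:]:  # one address may carry several names
            yield line_no, ip, name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip, kind) for entries that override a watched domain.

    kind is "blocked" when the name is pointed at a loopback or unspecified
    address (the browser shows "page cannot be displayed"), and "redirected"
    when it is pointed at any other address.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((line_no, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

An empty result means the HOSTS file is not what overrides those names, and the cause has to be looked for elsewhere (proxy settings, DNS servers, browser add-ons).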
  6. inekam

    inekam TS Rookie Topic Starter Posts: 18

    Ok still having issues. I am able to browse to google now but the searches get redirected.

    I have followed all your instructions

    None of the browsers had the proxy set. I have also installed chrome and it's the same issue.

    _____________________________________________
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 02/22/2012 at 18:42:10.
    Operating System: Windows 7 Ultimate

    Processes terminated by Rkill or while it was running:

    Rkill completed on 02/22/2012 at 18:42:13.
    _____________________________________________

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.22.05

    Windows 7 Service Pack 1 x86 FAT32 (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Vova :: VOVA-PC [administrator]

    2/22/2012 6:44:20 PM
    mbam-log-2012-02-22 (19-44-43).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 262555
    Time elapsed: 30 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FoxTab PDF Creator (Adware.Agent) -> No action taken.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Program Files\FoxTabPDFConverter\Uninstall\Uninstall.exe (Adware.Agent) -> No action taken.

    (end)
    _____________________________________________

    I checked the host file before and it was fine. I ran the batch file just in case and replaced it with the one you provided.

    I have also re-ran Malwarebytes and SUPERAntiSpyware and both came up clean

    So after all this it's now redirecting during google searches.
    any other ideas or suggestions? Is it work to try to use system restore to a earlier date?

    thanks
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Mbam is not 'clean': it has 2 entries in it that show 'No action taken.'
    Registry Keys Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FoxTab PDF Creator (Adware.Agent) -> No action taken.

    Files Detected: 1
    C:\Program Files\FoxTabPDFConverter\Uninstall\Uninstall.exe (Adware.Agent) -> No action taken.
    This means that you did not check the line:
    • Be sure that everything is checked, and click Remove Selected.

    Run Mbam again please and check the line to remove any entries found.

    ===========================================
    "Is it work to try to use system restore to a earlier date?"
    Do you mean is doing a System Restore a lot of 'work', then no, it isn't- it's easy.
    Do you mean it is worth doing a System Restore, then No you should not. It will undo what we have done so far to clean the malware.
    ---------------------------------
    Please give me an example of 'this page won't display'>> type it in exactly how you have typed it into the Address Bar (not search bar, but Address Bar)
  8. inekam

    inekam TS Rookie Topic Starter Posts: 18

    I am sorry I was not clear in my reply. After mbam found the issues it has removed them. I rebooted the system and ran MBAM full system scan again. The second scan came back clean. Same for Super Anti Spyware.

    About system restore: I was asking if it's worth it. Thanks

    I will reply with the examples tonight.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I think I found the search problem:

    We know that Babylon is a language translation software. Babylon 7 and later versions install a search toolbar, which in some cases is considered a convenience, but it also comes with adware and is considered a 'potentially unwanted application' (PUA). Since your main problem is with the searches, I'd like you to remove Babylon and its toolbar from the system as follows:
    To remove Babylon:
    1. Close the Babylon program. Right click on the Babylon icon by the clock> Choose Exit
    2. Select "Yes" to confirm
    3. Click "Start"> "Control Panel"> Double-click "Add or Remove Programs"
    4. Select "Babylon Toolbar"> click "Remove/Uninstall"> Confirm "Yes" when prompted.
    5. Select "Conduit Engine"> click "Remove/Uninstall"> Confirm "Yes" when prompted.
    6. Restart your computer for the changes to take effect.
    7. Now use Windows Explorer to access Computer> Local Drive> Programs.
    8. Find the Babylon/Babylon Toolbar program folder and do a right click> Delete to remove.
    -------------------------------------------------
    To reset Babylon Toolbar keyword in Firefox
    1. Open FireFox and instead of a url, type about:config in the Address Bar.
    2. Firefox will give you a warning, but go in anyway.
    3. Locate the keyword.url line. It should look like the image below.
      [IMG]
    4. Right click on keyword.url, then select Reset
    --------------------------------------
    Removing Babylon Toolbar Extensions (16)
    • Open Firefox> Tools> Addons> Click on Extensions
    • Remove all Babylon Toolbar extensions. (sign on to Administrative account)
    You can use the Babylon.com site if you need it for translations, but the other entries are preventing you from using the other search engines.
    ----------------------------------
    Reset Browser search selected Engine:
    1. Open FireFox and instead of a url, type about:config in the Address Bar.
    2. Firefox will give you a warning, but go in anyway.
    3. Locate the browser.search.selectedEngine line
    4. Do the right click and choose Reset if available. If not, type in Google
    ---------------------------------
    One more:
    Clear Firefox Cache
    1. Open Firefox> Click on Tools> Options
    2. Select the Advanced panel.
    3. Click on the Network tab
    4. In the Offline Storage section, click Clear Now.
    ===============================================
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ============================================
    Let's see if this handles the search engine problem. The redirect may be related, so we'll handle that if needed.
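The two about:config resets in the post above can be verified offline, because Firefox writes every user-set preference to the profile's prefs.js as a `user_pref(...)` line and Reset removes that line. The following audit is an added example, not part of the original post; the sample prefs.js content and the allowed-engine list are constructed for illustration.

```python
import json
import re

# Preferences the post resets in about:config.
WATCHED = ("keyword.url", "browser.search.selectedEngine")
# prefs.js holds one user_pref("name", value); call per user-set preference.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

def parse_user_prefs(text):
    """Return {name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # string, int, true/false
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep the raw text if not JSON-like
    return prefs

def audit_search_prefs(text, allowed_engines=("Google",)):
    """List watched prefs that still carry a user-set value, with a verdict."""
    prefs = parse_user_prefs(text)
    findings = []
    for name in WATCHED:
        if name not in prefs:
            continue  # no user value: the built-in default is in effect
        value = prefs[name]
        expected = name == "browser.search.selectedEngine" and value in allowed_engines
        findings.append((name, value, "user-set, expected" if expected
                         else "user-set, review and Reset"))
    return findings

# Constructed sample, not taken from the poster's machine.
SAMPLE_PREFS = r'''
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("keyword.url", "http://search.example.invalid/?q=");
user_pref("browser.search.selectedEngine", "Search the web (Example)");
user_pref("browser.search.useDBForOrder", true);
'''

if __name__ == "__main__":
    for name, value, verdict in audit_search_prefs(SAMPLE_PREFS):
        print(f"{name} = {value!r}: {verdict}")
```

Run it against a copy of prefs.js taken while Firefox is closed; an empty result means both preferences are back at their defaults.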
  10. inekam

    inekam TS Rookie Topic Starter Posts: 18

    OK, I have followed the instructions. I have removed the browser bar. I have done the Firefox about:config. In the IE options the bar was not there. I have scanned the mbam and it's still clean.
    Attached is the hijackthis log


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:17:02 PM, on 2/23/2012
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Secunia\PSI\psi_tray.exe
    F:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
    O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0AMQA2ADEANAA0ADAAMgAzADUALQBGAFAAOQArADYALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQgArADEA"&"prod=90"&"ver=9.0.872
    O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
    O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: RtlService - Realtek - C:\Program Files\Airlink101\Airlink101 WLAN Monitor\RtlService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
    O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5084 bytes
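A HijackThis log like the one above is easier to review once its entries are grouped by section code and the orphaned ones, marked `(file missing)` or `(no file)`, are separated from the Winsock LSP (O10) entries. The following report-only triage is an added example, not part of the thread or of HijackThis; the sample is an excerpt of lines from the posted log, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# An entry line is "<code> - <detail>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# Markers HijackThis appends when the referenced file is absent.
ORPHAN_RE = re.compile(r"\((file missing|no file)\)\s*$")

def parse_entries(log_text):
    """Group entry details by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def triage(log_text):
    """Report orphaned entries, distinct Winsock LSP files, and per-section counts."""
    sections = parse_entries(log_text)
    orphaned = [(code, d) for code, details in sections.items()
                for d in details if ORPHAN_RE.search(d)]
    # O10 details read "<description>: <path>"; count each distinct path once.
    lsp = Counter(d.split(": ", 1)[1].lower()
                  for d in sections.get("O10", []) if ": " in d)
    return {"orphaned": orphaned, "lsp_files": dict(lsp),
            "counts": {code: len(d) for code, d in sections.items()}}

# Excerpt of lines from the log posted above.
SAMPLE_LOG = r'''
Running processes:
C:\Windows\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
End of file - 5084 bytes
'''

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, detail in result["orphaned"]:
        print(f"orphaned {code}: {detail}")
    for path, n in result["lsp_files"].items():
        print(f"LSP file listed {n}x: {path}")
```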
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Has the search capability improved? Has there been any change? Better? Worse?
     

