TechSpot

Zero Access rootkit

By Blippard
Aug 31, 2012
  1. I have volunteered to fix a friends toshiba laptop 32 bit windows 7 laptop. It was having a critical error windows will restart in one minute, issued my Microsoft Security Essentials. I have run the diagnostic in the windows repair to check the hashes and all and with minor experience, I'm pretty sure the "Zero Access" was the issue. At this point I am just unaware what to change in this text document to fix the hash and system.

    Below is the log from running the diagnostic tool in the repair, I just need to be directed what to modify in it and where to go from there. Thank you in advance.

    Brent

    _______________________________________________________

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 31-08-2012 02
    Ran by SYSTEM at 31-08-2012 19:32:45
    Running from E:\
    Windows 7 Ultimate (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [11487848 2011-12-13] (Realtek Semiconductor)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    ========================== Services (Whitelisted) ========================

    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

    ==================== Drivers (Whitelisted) ===================

    3 EMSCR; C:\Windows\System32\DRIVERS\EMS7SK.sys [60928 2006-02-16] (ENE Technology Inc.)
    3 ESMCR; C:\Windows\System32\DRIVERS\ESM7SK.sys [74624 2006-02-16] (ENE Technology Inc.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbw.sys [36040 2011-11-01] (Yamaha Corporation)
    1 wmvnsjuq; \??\C:\Windows\system32\drivers\wmvnsjuq.sys [x]

    ==================== NetSvcs (Whitelisted) =================


    ============ One Month Created Files and Folders ==============

    2012-08-31 16:29 - 2012-08-31 16:29 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fodeeabi.sys
    2012-08-17 14:52 - 2012-08-17 14:52 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\zopljyth.sys
    2012-08-17 14:34 - 2012-08-17 14:34 - 10288512 ____A (Microsoft Corporation) C:\Users\Ryan\Downloads\mseinstall (1).exe
    2012-08-17 14:19 - 2012-08-17 14:31 - 00000000 ____D C:\Users\Ryan\AppData\Local\Microsoft Games
    2012-08-17 14:05 - 2012-08-17 14:06 - 10288512 ____A (Microsoft Corporation) C:\Users\Ryan\Downloads\mseinstall.exe
    2012-08-17 13:48 - 2012-08-17 13:48 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dsoiluvi.sys


    ============ 3 Months Modified Files ========================

    2012-08-31 16:30 - 2012-02-12 17:32 - 00746550 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-31 16:29 - 2012-08-31 16:29 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fodeeabi.sys
    2012-08-31 16:29 - 2009-07-13 20:39 - 00046169 ____A C:\Windows\setupact.log
    2012-08-31 16:28 - 2012-02-13 18:14 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-31 16:28 - 2012-02-13 12:48 - 00004930 ____A C:\Windows\PFRO.log
    2012-08-31 16:28 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-31 16:05 - 2012-02-13 18:14 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-31 15:47 - 2012-07-08 09:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-28 16:31 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-17 14:52 - 2012-08-17 14:52 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\zopljyth.sys
    2012-08-17 14:36 - 2012-02-12 18:42 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-17 14:36 - 2012-02-12 17:22 - 01089939 ____A C:\Windows\WindowsUpdate.log
    2012-08-17 14:34 - 2012-08-17 14:34 - 10288512 ____A (Microsoft Corporation) C:\Users\Ryan\Downloads\mseinstall (1).exe
    2012-08-17 14:11 - 2009-07-13 20:34 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 14:11 - 2009-07-13 20:34 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 14:06 - 2012-08-17 14:05 - 10288512 ____A (Microsoft Corporation) C:\Users\Ryan\Downloads\mseinstall.exe
    2012-08-17 13:48 - 2012-08-17 13:48 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dsoiluvi.sys
    2012-07-13 23:50 - 2012-02-12 18:15 - 00200327 ____A C:\Windows\IE9_main.log
    2012-07-12 01:03 - 2009-07-13 20:33 - 00266808 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-12 00:45 - 2012-07-08 09:08 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-12 00:45 - 2012-02-12 17:41 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-28 14:05 - 2012-06-28 14:03 - 62407920 ____A C:\Users\Ryan\Desktop\93 till zipped loop.zip
    2012-06-15 19:45 - 2009-07-13 20:53 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-06-15 13:18 - 2012-03-01 19:59 - 882251145 ____A C:\Users\Ryan\Downloads\Goodfellas[1990][Special.Edition]DvDrip[Eng]FT.mp4
    2012-06-15 13:00 - 2012-06-15 12:55 - 07767669 ____A C:\Users\Ryan\Desktop\um3122x86.zip
    2012-06-15 12:54 - 2012-06-15 12:53 - 07789253 ____A C:\Users\Ryan\Desktop\midi driver.zip
    2012-06-11 18:44 - 2012-07-12 00:47 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-09 03:27 - 2012-06-09 03:27 - 12477629 ____A C:\Users\Ryan\Desktop\Grown Up.zip
    2012-06-08 20:46 - 2012-07-11 09:29 - 12868608 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 21:09 - 2012-07-11 09:31 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:09 - 2012-07-11 09:31 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll


    ZeroAccess:
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\@
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\L
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\n
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\U
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\L\00000004.@
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\L\1afb2d56
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\L\201d3dde

    ZeroAccess:
    C:\Users\Ryan\AppData\Local\{3192efe1-4149-2078-6c9c-a2c57efd96ea}
    C:\Users\Ryan\AppData\Local\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\@
    C:\Users\Ryan\AppData\Local\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\L
    C:\Users\Ryan\AppData\Local\{3192efe1-4149-2078-6c9c-a2c57efd96ea}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-07-11 00:00:27
    Restore point made on: 2012-07-12 00:46:05
    Restore point made on: 2012-07-13 23:49:48
    Restore point made on: 2012-07-14 15:21:17
    Restore point made on: 2012-07-14 23:38:05
    Restore point made on: 2012-07-16 16:05:59

    ==================== Memory info ===========================

    Percentage of memory in use: 17%
    Total physical RAM: 2038.05 MB
    Available physical RAM: 1676.36 MB
    Total Pagefile: 2038.05 MB
    Available Pagefile: 1675.89 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1970.3 MB

    ==================== Partitions ============================

    1 Drive c: () (Fixed) (Total:74.53 GB) (Free:31.68 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
    3 Drive e: () (Removable) (Total:14.91 GB) (Free:14.82 GB) NTFS
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 74 GB 1024 KB
    Disk 1 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 74 GB 31 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 74 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    * Partition 1 Primary 14 GB 0 B

    ==================================================================================

    Disk: 1
    There is no partition selected.

    There is no partition selected.
    Please select a partition and try again.

    ==================================================================================

    Last Boot: 2012-07-08 07:58

    ==================== End Of Log =============================
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)

    [​IMG]

    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
     
  3. Blippard

    Blippard TS Rookie Topic Starter

    Thank you for your help, I ran the FRST tool again and did as you had said. Here is the text file created following the search:


    Farbar Recovery Scan Tool Version: 31-08-2012 02
    Ran by SYSTEM at 2012-09-01 11:52:02
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2012-08-28 16:31] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    FRST Fixlist

    Download the attached file, please. Save it on your flash drive in the same location as FRST. Make sure it maintains its current name fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     

    Attached Files:

  5. Blippard

    Blippard TS Rookie Topic Starter

    Downloaded and did the steps you mentioned, below is the log contents. Restarted and as of now the issue seems to have subsided and windows is running normally.


    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 31-08-2012 02
    Ran by SYSTEM at 2012-09-01 13:25:07 Run:1
    Running from E:\

    ==============================================

    wmvnsjuq service deleted successfully.
    C:\Windows\System32\Drivers\fodeeabi.sys moved successfully.
    C:\Windows\System32\Drivers\zopljyth.sys moved successfully.
    C:\Windows\System32\Drivers\dsoiluvi.sys moved successfully.
    C:\Windows\Installer\{3192efe1-4149-2078-6c9c-a2c57efd96ea} moved successfully.
    C:\Users\Ryan\AppData\Local\{3192efe1-4149-2078-6c9c-a2c57efd96ea} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Good, let's do this:

    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
     
  7. Blippard

    Blippard TS Rookie Topic Starter

    Alright, finished the scan with combo fix. Here is the log following the scan. I noticed in the log it says running from C:\...ComboFix.exe, although I made sure I renamed it svchost.exe, assuming it renamed following the scan?

    ComboFix 12-09-01.01 - Ryan 09/02/2012 16:06:42.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1383 [GMT -5:00]
    Running from: c:\users\Ryan\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\BFlix\BFLIx.dll
    c:\programdata\100
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-02 to 2012-09-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-02 21:14 . 2012-09-02 21:17 -------- d-----w- c:\users\Ryan\AppData\Local\temp
    2012-09-02 21:14 . 2012-09-02 21:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-02 20:55 . 2012-09-02 21:16 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{192893BA-7648-434D-B4BA-A0C597ED33FB}\offreg.dll
    2012-09-01 03:32 . 2012-09-01 03:32 -------- d-----w- C:\FRST
    2012-08-17 22:37 . 2012-02-09 19:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{078883C1-5625-42DC-991E-F074EF41B433}\gapaengine.dll
    2012-08-17 22:37 . 2012-07-16 07:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{192893BA-7648-434D-B4BA-A0C597ED33FB}\mpengine.dll
    2012-08-17 22:19 . 2012-08-17 22:31 -------- d-----w- c:\users\Ryan\AppData\Local\Microsoft Games
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 08:45 . 2012-07-08 17:08 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-12 08:45 . 2012-02-13 01:41 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-12 02:44 . 2012-07-12 08:47 2344448 ----a-w- c:\windows\system32\win32k.sys
    2012-06-06 05:09 . 2012-07-11 17:31 1389568 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-06 05:09 . 2012-07-11 17:31 1236992 ----a-w- c:\windows\system32\msxml3.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}]
    2012-02-02 23:58 924488 ----a-w- c:\program files\PricePeep\pricepeep.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-12-13 11487848]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 08:45]
    .
    2012-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-14 02:14]
    .
    2012-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-14 02:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.0.1 192.168.1.254
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\sppsvc.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\vssvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-02 16:24:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-02 21:24
    .
    Pre-Run: 34,930,098,176 bytes free
    Post-Run: 35,920,515,072 bytes free
    .
    - - End Of File - - B9552910693A06A9872060E918C8D9EB
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    It seems fine, good job!

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
     
  9. Blippard

    Blippard TS Rookie Topic Starter

    Cool, yea still running smooth. Below is the aswcleaner log. Also before we finish up want to go ahead and ask a couple questions, although as of now I can only recall one I wanted to get your opinion on.

    1. For security, should I keep Microsoft Security Essentials, or use another program to prevent this again for the user? I have always used and like AVG as my security program.

    Thank You

    # AdwCleaner v2.000 - Logfile created 09/03/2012 at 20:39:56
    # Updated 30/08/2012 by Xplode
    # Operating system : Windows 7 Ultimate (32 bits)
    # User : Ryan - RYAN-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Ryan\Downloads\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\user.js
    Folder Found : C:\Program Files\BabylonToolbar
    Folder Found : C:\Program Files\PricePeep
    Folder Found : C:\ProgramData\Babylon
    Folder Found : C:\ProgramData\InstallMate
    Folder Found : C:\Users\Ryan\AppData\Local\Babylon
    Folder Found : C:\Users\Ryan\AppData\Roaming\Babylon

    ***** [Registry] *****

    Key Found : HKCU\Software\BabylonToolbar
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Found : HKLM\Software\Babylon
    Key Found : HKLM\Software\BabylonToolbar
    Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{38A066B0-DD5F-4226-AC4F-6A27C1BFB892}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Found : HKLM\SOFTWARE\Classes\AppID\DealScout.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Found : HKLM\SOFTWARE\Classes\b
    Key Found : HKLM\SOFTWARE\Classes\Babylon.dskBnd
    Key Found : HKLM\SOFTWARE\Classes\Babylon.dskBnd.1
    Key Found : HKLM\SOFTWARE\Classes\bbylnApp.appCore
    Key Found : HKLM\SOFTWARE\Classes\bbylnApp.appCore.1
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484A-89D3-318C928DAC1B}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
    Key Found : HKLM\SOFTWARE\Classes\escort.escortIEPane
    Key Found : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
    Key Found : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
    Key Found : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc
    Key Found : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc.1
    Key Found : HKLM\SOFTWARE\Classes\Interface\{1B97A696-5576-43AC-A73B-E1D2C78F21E8}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
    Key Found : HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho
    Key Found : HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho.1
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PricePeep
    Key Found : HKU\S-1-5-21-971830463-3751714735-3064139177-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{98889811-442D-49DD-99D7-DC866BE87DBC}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    *************************

    AdwCleaner[R1].txt - [6519 octets] - [03/09/2012 20:39:56]

    ########## EOF - C:\AdwCleaner[R1].txt - [6579 octets] ##########
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    For the antivirus program I most recommend is Kaspersky Antivirus. It yields the highest results in antivirus testing groups, and is one of the most trusted. It's antivirus product is well worth its cost. If you would like to know more, please click on the Kaspersky logo in my signature and it will take you to the appropriate product choice page so you can understand all of the different products.

    While I would rather see you interested in Kaspersky Internet Security, the antivirus program will suffice enough. Both programs are well maintained and well above average for any security program. We're truly lucky Kaspersky exists as one of the best, because it beats most other products by miles.

    Remove the Adware:
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.
     
  11. Blippard

    Blippard TS Rookie Topic Starter

    OK cool, thanks for the advice. I will keep that program in mind. Here is the log you requested.


    # AdwCleaner v2.000 - Logfile created 09/04/2012 at 05:30:19
    # Updated 30/08/2012 by Xplode
    # Operating system : Windows 7 Ultimate (32 bits)
    # User : Ryan - RYAN-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Ryan\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\user.js
    Folder Deleted : C:\Program Files\BabylonToolbar
    Folder Deleted : C:\Program Files\PricePeep
    Folder Deleted : C:\ProgramData\Babylon
    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\Users\Ryan\AppData\Local\Babylon
    Folder Deleted : C:\Users\Ryan\AppData\Roaming\Babylon

    ***** [Registry] *****

    Key Deleted : HKCU\Software\BabylonToolbar
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Deleted : HKLM\Software\Babylon
    Key Deleted : HKLM\Software\BabylonToolbar
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{38A066B0-DD5F-4226-AC4F-6A27C1BFB892}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\DealScout.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\b
    Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd
    Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd.1
    Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore
    Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore.1
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484A-89D3-318C928DAC1B}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc.1
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1B97A696-5576-43AC-A73B-E1D2C78F21E8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
    Key Deleted : HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho
    Key Deleted : HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho.1
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PricePeep
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{98889811-442D-49DD-99D7-DC866BE87DBC}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    *************************

    AdwCleaner[R1].txt - [6648 octets] - [03/09/2012 20:39:56]
    AdwCleaner[R2].txt - [6706 octets] - [04/09/2012 05:30:01]
    AdwCleaner[S1].txt - [6976 octets] - [04/09/2012 05:30:19]

    ########## EOF - C:\AdwCleaner[S1].txt - [7036 octets] ##########
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  13. Blippard

    Blippard TS Rookie Topic Starter

    Absolutely no issues, new or old to report, as of now. It appears back to normal.

    I also must inform you the client I was working on the laptop for needed it back, as his class he has started requires him to bring his personal laptop and it was the only one in his possession. This weekend I can try and get it back and run the last diagnostic tool you requested if you still feel necessary. I apologize for not being able to complete it at this time and I was misinformed on when he would need it back, but as I said he required it at this point at least for a few days.
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Nah, it should be fine. Any more questions, or should I mark this topic solved?
     
  15. Blippard

    Blippard TS Rookie Topic Starter

    No new questions as of now, I would consider it safe to say it is solved. Thank you for all your help it was much appreciated, first time I've removed something of that magnitude.

    Thanks again!!
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome. Marked as solved.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...