Solved: Google Redirect Virus HELP Please!

gimmextra (thread starter; Member with 54 posts; Join Date: Apr 2012; Experience: Beginner), 04-Apr-2012, 10:27 AM #1
Google Redirect Virus HELP Please!
Recently I have gotten the Google redirect virus. Yesterday I had the gimmeanswers one and I ran things like Malwarebytes, TDSSKiller, and FixTDSS and got rid of anything they detected, or it might not have detected anything; I can't remember specifically. It seemed to be gone, but now, this morning, I wake up to Google redirecting me to Happili. So far those are the only two sites I have been redirected to. Could you please help me get rid of these viruses? I'm currently using a 64-bit OS so I can't run GMER.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:04:25 AM, on 4/4/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\AASP\1.00.82\aaCenter.exe
C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Users\Eugene\Local Settings\Apps\F.lux\flux.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Eugene\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [F.lux] "C:\Users\Eugene\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2913236317-814230174-4002188810-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: IHA_MessageCenter - Unknown owner - C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9328 bytes

___________________________________________________________________________ ____________
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_24
Run by Eugene at 11:14:02 on 2012-04-04
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.5843 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\AASP\1.00.82\aaCenter.exe
C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Users\Eugene\Local Settings\Apps\F.lux\flux.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\regedit.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Eugene\Desktop\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
uRun: [F.lux] "C:\Users\Eugene\Local Settings\Apps\F.lux\flux.exe" /noshow
uRun: [AdobeBridge]
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe"
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6BEFA00E-8A4C-4393-BA36-E7F11AC1A886} : DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{8FB02647-45FD-4B43-B5F5-5B9831FA5700} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
BHO-X64: Yontoo Layers - No File
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
IE-X64: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Eugene\AppData\Roaming\Mozilla\Firefox\Profiles\tryg8wpz.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Eugene\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 SBRE;SBRE;\??\C:\Windows\system32\drivers\SBREdrv.sys --> C:\Windows\system32\drivers\SBREdrv.sys [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-2-28 2343816]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-4-2 652360]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-2 2214504]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-9-17 2358656]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 IHA_MessageCenter;IHA_MessageCenter;"C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" --> C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [?]
S3 Arctosa;Arctosa Keyboard;C:\Windows\system32\drivers\Arctosa.sys --> C:\Windows\system32\drivers\Arctosa.sys [?]
S3 Gun;Gun;C:\Game\SoftnyxGame\GunboundIS\Gun64.sys [2011-9-20 45176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys --> C:\Windows\system32\drivers\npf.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-12-2 93184]
.
=============== Created Last 30 ================
.
2012-04-03 03:37:43 -------- d-----w- C:\Users\Eugene\AppData\Local\PackageAware
2012-04-03 00:42:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-02 23:48:48 57976 ----a-r- C:\Windows\System32\drivers\SBREDrv.sys
2012-04-02 23:48:44 -------- d-----w- C:\ProgramData\STOPzilla!
2012-04-02 23:48:44 -------- d-----w- C:\Program Files (x86)\STOPzilla!
2012-04-02 23:48:44 -------- d-----w- C:\Program Files (x86)\Common Files\iS3
2012-04-02 23:02:17 -------- d-----w- C:\Users\Eugene\AppData\Roaming\Malwarebytes
2012-04-02 23:02:12 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-02 23:02:12 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-02 23:02:12 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-31 21:05:56 -------- d-----w- C:\Users\Eugene\AppData\Local\{5804B2D4-7B75-11E1-826D-B8AC6F996F26}
2012-03-31 20:50:42 -------- d-----w- C:\Users\Eugene\AppData\Local\TrinityEntertainmentNetwo
2012-03-29 20:59:36 23376 ----a-r- C:\Windows\SysWow64\SZIO5.dll
2012-03-29 20:59:24 546640 ----a-r- C:\Windows\SysWow64\SZComp5.dll
2012-03-29 20:59:18 481104 ----a-r- C:\Windows\SysWow64\SZBase5.dll
2012-03-25 02:05:57 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-25 02:05:57 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-03-12 22:15:45 29696 ----a-w- C:\Windows\System32\drivers\tunnel.sys
2012-03-12 22:15:45 224256 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-03-11 18:01:08 -------- d-----w- C:\Nexon
2012-03-10 21:49:41 -------- d-----w- C:\Perfect World Entertainment
2012-03-10 21:48:20 -------- d-----w- C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2012-03-10 21:48:04 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-03-10 21:46:59 2582888 ----a-w- C:\Windows\System32\D3DCompiler_42.dll
2012-03-10 13:40:19 -------- d-----w- C:\Program Files (x86)\NirSoft
2012-03-10 04:14:51 -------- d-----w- C:\Users\Eugene\AppData\Local\LogMeIn Hamachi
2012-03-10 04:14:09 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
.
==================== Find3M ====================
.
2012-03-16 00:41:51 298016 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-03-16 00:41:51 298016 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-03-16 00:41:10 281408 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-03-10 22:17:05 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-02-23 18:09:44 29008 ----a-r- C:\Windows\SysWow64\IS3XDat5.dll
2012-02-23 18:09:42 390992 ----a-r- C:\Windows\SysWow64\IS3UI5.dll
2012-02-23 18:09:42 231248 ----a-r- C:\Windows\SysWow64\IS3Win325.dll
2012-02-23 18:09:40 100176 ----a-r- C:\Windows\SysWow64\IS3Svc5.dll
2012-02-23 18:09:34 132944 ----a-r- C:\Windows\SysWow64\IS3HTUI5.dll
2012-02-23 18:09:34 104272 ----a-r- C:\Windows\SysWow64\IS3Inet5.dll
2012-02-23 18:09:32 67408 ----a-r- C:\Windows\SysWow64\IS3Hks5.dll
2012-02-23 18:09:32 456528 ----a-r- C:\Windows\SysWow64\IS3DBA5.dll
2012-02-23 18:09:30 808784 ----a-r- C:\Windows\SysWow64\IS3Base5.dll
2012-02-18 02:30:13 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-19 14:22:08 45936 ----a-r- C:\Windows\System32\SBBD.EXE
.
============= FINISH: 11:14:32.61 ===============
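A small triage helper for the HijackThis log format posted above, added here as an example and not part of the original thread or of HijackThis itself. The sample lines are constructed from entries in the log, and the rules it applies (target file missing, hosts-file override, proxy bypass list, and the caveat that a 32-bit HijackThis on 64-bit Windows reports many system32 service binaries as missing because of WoW64 file-system redirection) are this example's own assumptions about what deserves a closer look.

```python
"""Triage helper for HijackThis log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One HijackThis entry line: a section code (R0, R1, F2, O1, O2, O4, O23 ...)
# followed by " - " and the entry body. Process lists and headers do not match.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

# HijackThis 2.0.4 is a 32-bit program. On 64-bit Windows the WoW64 file-system
# redirector maps its view of C:\Windows\system32 onto SysWOW64, so 64-bit-only
# system files are reported as "(file missing)" even though they exist.
SYSTEM32_PATH = re.compile(r"c:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str


@dataclass
class Finding:
    severity: str   # "info" (explainable, verify) or "review" (needs a closer look)
    reason: str
    entry: Entry


def parse_hjt(text: str) -> List[Entry]:
    """Return the Rn/Fn/On entry lines of a HijackThis log as Entry records."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few defender-side rules; the rule set is this example's assumption."""
    findings: List[Finding] = []
    for e in entries:
        if e.code == "O1":
            # O1 lines are hosts-file entries, which override DNS on this machine.
            # A localhost mapping is normal; any other name is pinned to an
            # address chosen locally and should be explained.
            mapping = e.body.split(":", 1)[1].split()
            if len(mapping) == 2 and mapping[1].lower() != "localhost":
                findings.append(Finding("review", f"hosts-file override for {mapping[1]}", e))
        elif e.code == "R1" and "ProxyOverride" in e.body:
            # The proxy bypass list itself is ordinary configuration, but it is
            # worth recording when a proxy or redirect problem is being chased.
            value = e.body.split("=", 1)[1].strip()
            findings.append(Finding("info", f"proxy bypass list is set: {value}", e))
        elif "(file missing)" in e.body:
            if e.code == "O23" and SYSTEM32_PATH.search(e.body):
                findings.append(Finding("info", "service binary reported missing under system32 (expected WoW64 redirection on x64)", e))
            else:
                # A BHO, toolbar button or Run entry whose file is gone is
                # usually an uninstall leftover; harmless, but it clutters triage.
                findings.append(Finding("review", "entry references a file that no longer exists", e))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Parse a log and count entries and findings per severity."""
    entries = parse_hjt(text)
    counts = {"entries": len(entries), "info": 0, "review": 0}
    for f in triage(entries):
        counts[f.severity] += 1
    return counts


# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Users\Eugene\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll (file missing)
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.entry.code}: {f.reason}")
    print(summarize(SAMPLE_LOG))
```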
gimmextra (thread starter; Member with 54 posts; Join Date: Apr 2012; Experience: Beginner), 05-Apr-2012, 09:18 AM #2
Can someone help with this? If the virus is still in my system I don't want it taking personal information.
gimmextra (thread starter; Member with 54 posts; Join Date: Apr 2012; Experience: Beginner), 06-Apr-2012, 11:34 AM #3
bump
gimmextra (thread starter; Member with 54 posts; Join Date: Apr 2012; Experience: Beginner), 08-Apr-2012, 12:37 PM #4
.....
Deejay100six (Dave) (Member with 496 posts; Join Date: Sep 2011; Location: Doncaster, England; Experience: Intermediate), 09-Apr-2012, 03:54 PM #5
Hi and welcome to TSG.

I am reviewing your logs and will respond with a reply as soon as I can.

Please note that all my replies are reviewed by a qualified Analyst before I post. This ensures that you will continue to receive quality expert assistance.

Thank you for your patience.
gimmextra (thread starter; Member with 54 posts; Join Date: Apr 2012; Experience: Beginner), 09-Apr-2012, 06:33 PM #6
Alright, thank you.
Deejay100six (Dave) (Member with 496 posts; Join Date: Sep 2011; Location: Doncaster, England; Experience: Intermediate), 09-Apr-2012, 07:06 PM #7
You're welcome.

The business of researching logs is very time consuming, as I'm sure you can imagine. Also, after I create a fix, I have to wait for it to be reviewed by my teachers. They are not online 24 hours a day, so it could be anything up to 24 hours before I have a response.

Thank you for your patience.
Deejay100six (Dave) (Member with 496 posts; Join Date: Sep 2011; Location: Doncaster, England; Experience: Intermediate), 10-Apr-2012, 01:40 PM #8
Hi, my name is Dave and I will be helping you to clean any malware which may be present on your system.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


  • Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.
  • If there is anything you don't understand, please ask BEFORE proceeding with the fixes.
  • Please ensure that you follow the instructions in the order I have them listed.
  • Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into your thread. If the logs are too big to post in one reply, please feel free to use more posts. Do NOT add them as attachments unless specifically instructed.
  • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread, which means I will not receive notifications of any further replies and will move on to assist someone else.


------------------------------------------------------------------------------------------------------

I would urge you to remove StopZilla and refrain from visiting their website. Read more here.

You can uninstall it via Control Panel >> Programs and Features >> Uninstall a Program.

------------------------------------------------------------------------------------------------------

I see you have P2P software (µTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Programs and Features >> Uninstall a Program.

Note: If you choose not to uninstall, please refrain from using such programs until after your system has been declared clean.

------------------------------------------------------------------------------------------------------

Combofix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

gimmextra
Member with 54 posts.
THREAD STARTER
Join Date: Apr 2012
Experience: Beginner
10-Apr-2012, 04:28 PM #9
Thank you for your reply. I have already removed StopZilla beforehand, as I found it quite useless and annoying. As for the P2P software, when I do use it, I usually double-check to make sure whatever files are being shared are generally safe from previous comments, but I will be more careful from now on. Here is the ComboFix log you wanted:

ComboFix 12-04-10.02 - Eugene 04/10/2012 15:43:39.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6383 [GMT -4:00]
Running from: c:\users\Eugene\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Eugene\AppData\Roaming\Love
c:\users\Eugene\AppData\Roaming\Love\mari0\mappacks\custom_mappack_1\settings.txt
c:\users\Eugene\AppData\Roaming\Love\mari0\options.txt
c:\users\Eugene\AppData\Roaming\Love\not_tetris_2\highscoresA.txt
c:\users\Eugene\AppData\Roaming\Love\not_tetris_2\highscoresB.txt
c:\users\Eugene\AppData\Roaming\Love\not_tetris_2\options.txt
c:\users\Eugene\AppData\Roaming\Love\ortho_robot\save.txt
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-10 20:55 . 2012-04-10 20:57 -------- d-----w- c:\users\Eugene\AppData\Local\temp
2012-04-10 20:55 . 2012-04-10 20:55 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-10 20:55 . 2012-04-10 20:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-07 19:31 . 2012-04-07 19:31 -------- d-----w- c:\program files (x86)\Hide Wizard
2012-04-07 19:29 . 2012-04-07 19:38 -------- d-----w- c:\program files (x86)\AC Tool
2012-04-06 15:15 . 2012-04-06 15:15 8767136 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-06 14:57 . 2012-04-06 15:15 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-04 19:41 . 2012-04-08 00:04 -------- d--h--w- c:\users\Eugene\AppData\Roaming\ijjigame
2012-04-04 19:39 . 2012-04-08 00:15 -------- d-----w- c:\program files (x86)\REACTOR
2012-04-04 15:30 . 2012-03-20 07:51 8669240 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB8E177A-2E86-4597-8A90-7D4ED40AF6C9}\mpengine.dll
2012-04-03 03:37 . 2012-04-03 03:37 -------- d-----w- c:\users\Eugene\AppData\Local\PackageAware
2012-04-03 00:42 . 2012-04-03 00:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-02 23:48 . 2012-01-12 13:28 57976 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-04-02 23:48 . 2012-04-10 18:14 -------- d-----w- c:\programdata\STOPzilla!
2012-04-02 23:48 . 2012-04-02 23:48 -------- d-----w- c:\program files (x86)\Common Files\iS3
2012-04-02 23:02 . 2012-04-02 23:02 -------- d-----w- c:\users\Eugene\AppData\Roaming\Malwarebytes
2012-04-02 23:02 . 2012-04-02 23:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-02 23:02 . 2012-04-02 23:02 -------- d-----w- c:\programdata\Malwarebytes
2012-04-02 23:02 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-31 21:05 . 2012-03-31 21:05 -------- d-----w- c:\users\Eugene\AppData\Local\{5804B2D4-7B75-11E1-826D-B8AC6F996F26}
2012-03-31 20:50 . 2012-03-31 20:50 -------- d-----w- c:\users\Eugene\AppData\Local\TrinityEntertainmentNetwo
2012-03-29 20:59 . 2012-03-29 20:59 23376 ----a-r- c:\windows\SysWow64\SZIO5.dll
2012-03-29 20:59 . 2012-03-29 20:59 546640 ----a-r- c:\windows\SysWow64\SZComp5.dll
2012-03-29 20:59 . 2012-03-29 20:59 481104 ----a-r- c:\windows\SysWow64\SZBase5.dll
2012-03-25 02:05 . 2012-03-25 02:05 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-25 02:05 . 2012-03-25 02:05 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-12 22:15 . 2010-02-18 14:21 224256 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-03-12 22:15 . 2010-02-18 12:15 29696 ----a-w- c:\windows\system32\drivers\tunnel.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-06 15:15 . 2011-05-15 13:33 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-16 00:41 . 2011-07-03 00:22 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-03-16 00:41 . 2011-07-03 00:20 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-03-16 00:41 . 2011-07-03 00:20 281408 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-03-10 22:17 . 2011-07-03 00:19 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-02-23 18:09 . 2012-02-23 18:09 29008 ----a-r- c:\windows\SysWow64\IS3XDat5.dll
2012-02-23 18:09 . 2012-02-23 18:09 390992 ----a-r- c:\windows\SysWow64\IS3UI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 231248 ----a-r- c:\windows\SysWow64\IS3Win325.dll
2012-02-23 18:09 . 2012-02-23 18:09 100176 ----a-r- c:\windows\SysWow64\IS3Svc5.dll
2012-02-23 18:09 . 2012-02-23 18:09 132944 ----a-r- c:\windows\SysWow64\IS3HTUI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 104272 ----a-r- c:\windows\SysWow64\IS3Inet5.dll
2012-02-23 18:09 . 2012-02-23 18:09 67408 ----a-r- c:\windows\SysWow64\IS3Hks5.dll
2012-02-23 18:09 . 2012-02-23 18:09 456528 ----a-r- c:\windows\SysWow64\IS3DBA5.dll
2012-02-23 18:09 . 2012-02-23 18:09 808784 ----a-r- c:\windows\SysWow64\IS3Base5.dll
2012-02-23 14:18 . 2010-12-01 08:38 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-19 14:22 . 2012-01-19 14:22 45936 ----a-r- c:\windows\system32\SBBD.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
"F.lux"="c:\users\Eugene\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-08-20 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 253600]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 15:15]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000Core.job
- c:\users\Eugene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 08:35]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000UA.job
- c:\users\Eugene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 08:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-03 6975520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Eugene\AppData\Roaming\Mozilla\Firefox\Profiles\tryg8wpz.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
SafeBoot-24601906.sys
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\X6va005]
"ImagePath"="\??\c:\users\Eugene\AppData\Local\Temp\0056E37.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:7e,3b,03,06,95,ba,b5,99,27,30,93,d3,bc,b4,f9,d3,23,5f,31,1c,f5,
14,6e,10,08,e4,e6,3e,d7,cc,ab,23,21,8e,13,38,ed,3c,dc,f6,96,46,1e,f3,ef,ab, \
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:7e,3b,03,06,95,ba,b5,99,27,30,93,d3,bc,b4,f9,d3,23,5f,31,1c,f5,
14,6e,10,08,e4,e6,3e,d7,cc,ab,23,21,8e,13,38,ed,3c,dc,f6,96,46,1e,f3,ef,ab, \
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00, \
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\AASP\1.00.82\aaCenter.exe
c:\program files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
.
**************************************************************************
.
Completion time: 2012-04-10 17:05:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-10 21:05
.
Pre-Run: 150,982,234,112 bytes free
Post-Run: 149,854,498,816 bytes free
.
- - End Of File - - 5580ACA0C5B23B65D354AABFA27BEB1D

gimmextra
Member with 54 posts.
THREAD STARTER
Join Date: Apr 2012
Experience: Beginner
11-Apr-2012, 05:58 PM #10
The redirects had stopped for a while, but they seem to have appeared again, directing me to happili, infomash, etc. Just an update.

Deejay100six (Dave)
Member with 496 posts.
Join Date: Sep 2011
Location: Doncaster, England
Experience: Intermediate
12-Apr-2012, 10:24 AM #11
Hi,

Apologies for the delay. Our teachers are a bit thin on the ground at the moment.

LogMeIn and TeamViewer 7 - This kind of software is designed to enable a remote connection to your PC from another. Some of our tools will remove these programs as a matter of course, because they are often installed without the user's knowledge by malware. If you installed these programs intentionally and would prefer to keep them, make a note of any settings; as they are free downloads, you can reinstall them after we are done. If you didn't install them intentionally and wish me to remove them, please let me know.

---------------------------------------------------------------------------------------------

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Code:
DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;

Folder::
c:\programdata\STOPzilla!
c:\program files (x86)\Common Files\iS3

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

Very Important! --> If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

----------------------------------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:

    Code:
    :filefind
    bitsadmin.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
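As an added example (not code from this thread, from ComboFix or from SystemLook), here is a small Python triage script for ComboFix-style logs. It pulls out the three findings the posts above act on: files ComboFix marks "is infected!!" (the two bitsadmin.exe copies, which the SystemLook :filefind step then enumerates), loopback host:port entries in the Internet Settings proxy lines (the ProxyOverride value the CFScript above removes), and UAC being switched off ("EnableLUA"= 0 under policies\system). The sample log is a constructed excerpt modelled on the logs posted in this thread, and the names Findings, triage_combofix and report are mine. A loopback proxy entry or disabled UAC is a lead to check, not proof of infection on its own.

```python
"""Triage of a ComboFix-style log for the findings acted on in this thread.

Added example, not code from the thread, from ComboFix or from SystemLook.
Everything below (Findings, triage_combofix, report, SAMPLE_LOG) is mine.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed excerpt modelled on the ComboFix logs posted above. It is not a
# real log; it reproduces only the line shapes the checks below look for.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
TCP: DhcpNameServer = 192.168.1.1
"""

# ComboFix marks a system file whose code it found patched with this suffix.
INFECTED_RE = re.compile(r"^(?P<path>\S.*?) \. \. \. is infected!!\s*$", re.M)
# "u" = per-user (HKCU) and "m" = machine (HKLM) Internet Settings lines.
PROXY_RE = re.compile(r"^[um]Internet Settings,(?P<key>Proxy\w+) = (?P<value>.*)$", re.M)
# One proxy-list entry naming a loopback host, with or without a port.
LOOPBACK_RE = re.compile(r"^(?:127(?:\.\d{1,3}){3}|localhost|\[?::1\]?)(?::\d{1,5})?$", re.I)
# The UAC master switch as ComboFix prints it under policies\system.
LUA_RE = re.compile(r'^"EnableLUA"=\s*(?P<val>\d+)', re.M)


@dataclass
class Findings:
    infected_files: List[str] = field(default_factory=list)
    loopback_proxy_entries: List[Tuple[str, str]] = field(default_factory=list)
    uac_disabled: bool = False


def triage_combofix(log_text: str) -> Findings:
    """Return the security-relevant findings in one ComboFix log."""
    found = Findings()
    for m in INFECTED_RE.finditer(log_text):
        found.infected_files.append(m.group("path"))
    for m in PROXY_RE.finditer(log_text):
        # ProxyOverride / ProxyServer values are ';'-separated lists.
        for entry in m.group("value").split(";"):
            entry = entry.strip()
            if entry and LOOPBACK_RE.match(entry):
                found.loopback_proxy_entries.append((m.group("key"), entry))
    m = LUA_RE.search(log_text)
    if m and int(m.group("val")) == 0:
        found.uac_disabled = True
    return found


def report(found: Findings) -> List[str]:
    """Turn findings into the notes a helper would put in a reply."""
    lines = []
    for path in found.infected_files:
        lines.append(f"patched system file: {path} (check every copy, as the SystemLook :filefind step does)")
    for key, entry in found.loopback_proxy_entries:
        lines.append(f"loopback proxy entry in {key}: {entry} (a local proxy can rewrite browser traffic)")
    if found.uac_disabled:
        lines.append("UAC is off (EnableLUA = 0): re-enable it once the machine is clean")
    return lines


if __name__ == "__main__":
    for line in report(triage_combofix(SAMPLE_LOG)):
        print(line)
```

Run it against a saved C:\ComboFix.txt by reading the file into triage_combofix; the regexes only depend on the line shapes shown in the sample, so a log from another machine that uses the same format parses the same way.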

gimmextra
Member with 54 posts.
THREAD STARTER
Join Date: Apr 2012
Experience: Beginner
12-Apr-2012, 12:47 PM #12
I did download LogMeIn and TeamViewer myself, but I uninstalled them just in case. Here are the ComboFix and SystemLook logs:


ComboFix 12-04-10.02 - Eugene 04/12/2012 12:07:21.2.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6258 [GMT -4:00]
Running from: c:\users\Eugene\Desktop\ComboFix.exe
Command switches used :: c:\users\Eugene\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\iS3
c:\program files (x86)\Common Files\iS3\Anti-Spyware\DeskMetrics.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\detoured.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\Drivers\amd64\SBBD.EXE
c:\program files (x86)\Common Files\iS3\Anti-Spyware\Drivers\amd64\SBREDrv.sys
c:\program files (x86)\Common Files\iS3\Anti-Spyware\Drivers\i386\SBBD.EXE
c:\program files (x86)\Common Files\iS3\Anti-Spyware\Drivers\i386\SBREDrv.sys
c:\program files (x86)\Common Files\iS3\Anti-Spyware\FSSC.dat
c:\program files (x86)\Common Files\iS3\Anti-Spyware\fullupd.rsf
c:\program files (x86)\Common Files\iS3\Anti-Spyware\IncompatiblePrograms.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\Incompats.dat
c:\program files (x86)\Common Files\iS3\Anti-Spyware\iS3lsp.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\iS3SiteBlocker.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\iS3SploitChecker.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\IS3Updater.exe
c:\program files (x86)\Common Files\iS3\Anti-Spyware\sbrc.exe
c:\program files (x86)\Common Files\iS3\Anti-Spyware\sbre.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\sbte.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SpursDownload.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZBrCom.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZCfgSvc.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZClientCom.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZClLic.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZEngine.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZEXIT.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZExtrSS.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZHistory.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZJustice.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZPAHost.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZQrntn.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZScanner.exe
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZSchSvc.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZScnSvc.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZSnsrSv.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZSvcHost.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZTargetUpdate.Exe
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZTrgSS.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\SZUniTrg.dll
c:\program files (x86)\Common Files\iS3\Anti-Spyware\vipre.dll
c:\programdata\STOPzilla!
c:\programdata\STOPzilla!\modules_scanned.db
c:\programdata\STOPzilla!\modules_scanned.db.bak
c:\programdata\STOPzilla!\sb.dat
c:\programdata\STOPzilla!\sc.dat
c:\programdata\STOPzilla!\sztrgwc.db
c:\programdata\STOPzilla!\Target.Log
c:\programdata\STOPzilla!\targets.db
c:\programdata\STOPzilla!\userdata.db
c:\programdata\STOPzilla!\VIPRE\CSC39-EN-11739-F.sbr.sgn
c:\programdata\STOPzilla!\zilla5.log
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_szserver
-------\Service_szserver
.
.
((((((((((((((((((((((((( Files Created from 2012-03-12 to 2012-04-12 )))))))))))))))))))))))))))))))
.
.
2012-04-12 17:25 . 2012-04-12 17:37 -------- d-----w- c:\users\Eugene\AppData\Local\temp
2012-04-12 17:25 . 2012-04-12 17:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-12 17:25 . 2012-04-12 17:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-11 20:02 . 2012-03-20 07:51 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BDA4F617-34BA-4715-AA44-20D6ADD9297D}\mpengine.dll
2012-04-07 19:29 . 2012-04-07 19:38 -------- d-----w- c:\program files (x86)\AC Tool
2012-04-06 15:15 . 2012-04-06 15:15 8767136 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-06 14:57 . 2012-04-06 15:15 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-04 19:41 . 2012-04-08 00:04 -------- d--h--w- c:\users\Eugene\AppData\Roaming\ijjigame
2012-04-04 19:39 . 2012-04-08 00:15 -------- d-----w- c:\program files (x86)\REACTOR
2012-04-03 03:37 . 2012-04-03 03:37 -------- d-----w- c:\users\Eugene\AppData\Local\PackageAware
2012-04-03 00:42 . 2012-04-03 00:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-02 23:48 . 2012-01-12 13:28 57976 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-04-02 23:02 . 2012-04-02 23:02 -------- d-----w- c:\users\Eugene\AppData\Roaming\Malwarebytes
2012-04-02 23:02 . 2012-04-12 13:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-02 23:02 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 23:02 . 2012-04-02 23:02 -------- d-----w- c:\programdata\Malwarebytes
2012-03-31 21:05 . 2012-03-31 21:05 -------- d-----w- c:\users\Eugene\AppData\Local\{5804B2D4-7B75-11E1-826D-B8AC6F996F26}
2012-03-31 20:50 . 2012-03-31 20:50 -------- d-----w- c:\users\Eugene\AppData\Local\TrinityEntertainmentNetwo
2012-03-29 20:59 . 2012-03-29 20:59 23376 ----a-r- c:\windows\SysWow64\SZIO5.dll
2012-03-29 20:59 . 2012-03-29 20:59 546640 ----a-r- c:\windows\SysWow64\SZComp5.dll
2012-03-29 20:59 . 2012-03-29 20:59 481104 ----a-r- c:\windows\SysWow64\SZBase5.dll
2012-03-25 02:05 . 2012-03-25 02:05 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-25 02:05 . 2012-03-25 02:05 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-06 15:15 . 2011-05-15 13:33 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-16 00:41 . 2011-07-03 00:22 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-03-16 00:41 . 2011-07-03 00:20 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-03-16 00:41 . 2011-07-03 00:20 281408 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-03-10 22:17 . 2011-07-03 00:19 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-02-23 18:09 . 2012-02-23 18:09 29008 ----a-r- c:\windows\SysWow64\IS3XDat5.dll
2012-02-23 18:09 . 2012-02-23 18:09 390992 ----a-r- c:\windows\SysWow64\IS3UI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 231248 ----a-r- c:\windows\SysWow64\IS3Win325.dll
2012-02-23 18:09 . 2012-02-23 18:09 100176 ----a-r- c:\windows\SysWow64\IS3Svc5.dll
2012-02-23 18:09 . 2012-02-23 18:09 132944 ----a-r- c:\windows\SysWow64\IS3HTUI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 104272 ----a-r- c:\windows\SysWow64\IS3Inet5.dll
2012-02-23 18:09 . 2012-02-23 18:09 67408 ----a-r- c:\windows\SysWow64\IS3Hks5.dll
2012-02-23 18:09 . 2012-02-23 18:09 456528 ----a-r- c:\windows\SysWow64\IS3DBA5.dll
2012-02-23 18:09 . 2012-02-23 18:09 808784 ----a-r- c:\windows\SysWow64\IS3Base5.dll
2012-02-23 14:18 . 2010-12-01 08:38 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-19 14:22 . 2012-01-19 14:22 45936 ----a-r- c:\windows\system32\SBBD.EXE
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-10_20.57.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2012-04-12 14:10 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2012-04-08 22:39 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2012-04-08 22:39 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-04-12 14:10 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-04-08 22:39 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2012-04-12 14:10 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2012-04-12 14:00 63298 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2010-12-01 08:08 . 2012-04-12 17:35 13046 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2913236317-814230174-4002188810-1000_UserData.bin
+ 2010-12-01 08:03 . 2012-04-12 17:34 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-01 08:03 . 2012-04-10 17:28 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-01 08:03 . 2012-04-10 17:28 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-01 08:03 . 2012-04-12 17:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-01 08:03 . 2012-04-10 17:28 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-01 08:03 . 2012-04-12 17:34 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-03 02:29 . 2012-04-10 17:24 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-03 02:29 . 2012-04-12 17:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-03 02:29 . 2012-04-12 17:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-03 02:29 . 2012-04-10 17:24 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-01-11 20:59 . 2012-03-14 03:26 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-12-01 08:08 . 2010-12-15 04:33 25214 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\MSWorks.exe
+ 2010-12-01 08:08 . 2012-04-12 05:17 25214 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\MSWorks.exe
+ 2012-04-12 17:17 . 2012-04-12 17:17 2000 c:\windows\SoftwareDistribution\EventCache\{A04A895E-CA20-4406-8B31-37EBE583C2EA}.bin
+ 2012-04-12 17:33 . 2012-04-12 17:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-10 20:57 . 2012-04-10 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-12 17:33 . 2012-04-12 17:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-10 20:57 . 2012-04-10 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2012-04-12 17:35 101284 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 12:46 . 2012-04-12 14:11 607168 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-04-10 17:30 607168 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-04-12 14:11 104808 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-04-10 17:30 104808 c:\windows\system32\perfc009.dat
- 2011-01-11 20:59 . 2012-03-14 03:26 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2010-12-01 08:08 . 2012-04-12 05:17 693600 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\WksWP.exe
- 2010-12-01 08:08 . 2010-12-15 04:33 693600 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\WksWP.exe
- 2010-12-01 08:08 . 2010-12-15 04:33 947552 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\wksss.exe
+ 2010-12-01 08:08 . 2012-04-12 05:17 947552 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\wksss.exe
- 2010-12-01 08:08 . 2010-12-15 04:33 709984 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\WksCal.exe
+ 2010-12-01 08:08 . 2012-04-12 05:17 709984 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\WksCal.exe
+ 2012-02-22 19:17 . 2012-02-22 19:17 2221568 c:\windows\Installer\298ccb4.msp
+ 2012-04-01 20:27 . 2012-04-01 20:27 3463168 c:\windows\Installer\298cca4.msp
- 2011-01-11 20:59 . 2012-03-14 03:26 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-01-11 20:59 . 2012-04-12 05:17 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2011-01-11 20:59 . 2012-03-14 03:26 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2010-12-01 08:08 . 2010-12-15 04:33 1099104 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\WksSb.exe
+ 2010-12-01 08:08 . 2012-04-12 05:17 1099104 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\WksSb.exe
- 2010-12-01 08:08 . 2010-12-15 04:33 1242464 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\wksdb.exe
+ 2010-12-01 08:08 . 2012-04-12 05:17 1242464 c:\windows\Installer\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}\wksdb.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
"F.lux"="c:\users\Eugene\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-08-20 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 253600]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 15:15]
.
2012-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000Core.job
- c:\users\Eugene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 08:35]
.
2012-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000UA.job
- c:\users\Eugene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 08:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-03 6975520]
"combofix"="c:\combofix\CF25518.3XE" [2008-01-21 363008]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Eugene\AppData\Roaming\Mozilla\Firefox\Profiles\tryg8wpz.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\X6va005]
"ImagePath"="\??\c:\users\Eugene\AppData\Local\Temp\0056E37.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:7e,3b,03,06,95,ba,b5,99,27,30,93,d3,bc,b4,f9,d3,23,5f,31,1c,f5,
14,6e,10,08,e4,e6,3e,d7,cc,ab,23,21,8e,13,38,ed,3c,dc,f6,96,46,1e,f3,ef,ab, \
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:7e,3b,03,06,95,ba,b5,99,27,30,93,d3,bc,b4,f9,d3,23,5f,31,1c,f5,
14,6e,10,08,e4,e6,3e,d7,cc,ab,23,21,8e,13,38,ed,3c,dc,f6,96,46,1e,f3,ef,ab, \
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00, \
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\AASP\1.00.82\aaCenter.exe
c:\program files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
.
**************************************************************************
.
Completion time: 2012-04-12 13:41:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-12 17:41
.
Pre-Run: 147,960,127,488 bytes free
Post-Run: 147,662,082,048 bytes free
.
- - End Of File - - 9999BF389559C06FF660D20C068C8987

____________________________________________________________________________________


SystemLook 30.07.11 by jpshortstuff
Log created at 13:43 on 12/04/2012 by Eugene
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "bitsadmin.exe"
C:\Windows\System32\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
C:\Windows\SysWOW64\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_a9302c85c4c97d34\bitsadmin.exe --a---- 240128 bytes [02:50 21/01/2008] [02:50 21/01/2008] DDAC8EA4B885EE17B6ACE0B2167721AC
C:\Windows\winsxs\x86_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_4d1191020c6c0bfe\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0

-= EOF =-
gimmextra (THREAD STARTER)
12-Apr-2012, 01:04 PM #13
I found that both times, after ComboFix, the redirect virus would reappear upon my first Google searches, then hide itself again.
Deejay100six (Dave)
14-Apr-2012, 11:28 AM #14
Hi,

Sorry, it looks like I gave you links for 32 bit SystemLook. Please delete your copy and run the scan again, this time with the x64 version.

----------------------------------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:

    Code:
    :filefind
    bitsadmin.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
gimmextra (THREAD STARTER)
14-Apr-2012, 11:44 AM #15
SystemLook 30.07.11 by jpshortstuff
Log created at 12:40 on 14/04/2012 by Eugene
Administrator - Elevation successful

========== filefind ==========

Searching for "bitsadmin.exe"
C:\Windows\System32\bitsadmin.exe --a---- 240128 bytes [02:50 21/01/2008] [02:50 21/01/2008] DDAC8EA4B885EE17B6ACE0B2167721AC
C:\Windows\SysWOW64\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_a9302c85c4c97d34\bitsadmin.exe --a---- 240128 bytes [02:50 21/01/2008] [02:50 21/01/2008] DDAC8EA4B885EE17B6ACE0B2167721AC
C:\Windows\winsxs\x86_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_4d1191020c6c0bfe\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0

-= EOF =-
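The difference between the two SystemLook logs in this thread is WOW64 file-system redirection: the 32-bit scanner was shown SysWOW64\bitsadmin.exe (192000 bytes, the x86 hash) when it asked for System32, while SystemLook_x64 saw the real 240128-byte amd64 binary. The script below is an added example, not part of this thread or of SystemLook; it parses filefind hits and tells you which component-store copy the System32 entry actually matches. The sample logs are the thread's own lines (re-typed without line-wrap damage, SysWOW64 line omitted).

```python
import re
from typing import Dict, List, NamedTuple

# One SystemLook filefind hit: <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
_HIT = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<attrs>\S+)\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

class Hit(NamedTuple):
    path: str
    size: int
    md5: str

def parse_filefind(log: str) -> List[Hit]:
    """Extract every file hit from a SystemLook filefind log (paths without spaces)."""
    hits = []
    for line in log.splitlines():
        m = _HIT.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["size"]), m["md5"].upper()))
    return hits

def classify_system32(hits: List[Hit]) -> str:
    """Compare the System32 hit with the amd64 and x86 WinSxS component-store copies.
    On 64-bit Windows, System32 holds the amd64 binary, so its MD5 must equal the amd64
    copy; matching the x86 copy instead means the scanner was redirected to SysWOW64."""
    seen: Dict[str, Hit] = {}
    for h in hits:
        p = h.path.lower()
        if "\\winsxs\\amd64_" in p:
            seen["amd64"] = h
        elif "\\winsxs\\x86_" in p:
            seen["x86"] = h
        elif "\\system32\\" in p:
            seen["system32"] = h
    if not all(k in seen for k in ("amd64", "x86", "system32")):
        return "incomplete"
    if seen["system32"].md5 == seen["amd64"].md5:
        return "ok-64bit"
    if seen["system32"].md5 == seen["x86"].md5:
        return "wow64-redirected"
    return "unknown-binary"  # matches neither store copy: check against a known-good reference

# Sample input: the thread's two logs (32-bit SystemLook under WOW64, then SystemLook_x64).
WOW64_LOG = r"""
C:\Windows\System32\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_a9302c85c4c97d34\bitsadmin.exe --a---- 240128 bytes [02:50 21/01/2008] [02:50 21/01/2008] DDAC8EA4B885EE17B6ACE0B2167721AC
C:\Windows\winsxs\x86_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_4d1191020c6c0bfe\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
"""
X64_LOG = r"""
C:\Windows\System32\bitsadmin.exe --a---- 240128 bytes [02:50 21/01/2008] [02:50 21/01/2008] DDAC8EA4B885EE17B6ACE0B2167721AC
C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_a9302c85c4c97d34\bitsadmin.exe --a---- 240128 bytes [02:50 21/01/2008] [02:50 21/01/2008] DDAC8EA4B885EE17B6ACE0B2167721AC
C:\Windows\winsxs\x86_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_4d1191020c6c0bfe\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
"""
```

The same check applies to any System32 binary a 32-bit tool reports: if its hash equals the x86 WinSxS copy, the tool never saw the 64-bit file and the log proves nothing about it.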