
Need help restoring Firewall after downloading MyPoints tool bar

Discussion in 'Virus & Other Malware Removal' started by fsumm, Aug 4, 2012.

  1. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    Results of ESET scan:

    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
    C:\Documents and Settings\Fran\Application Data\Sun\Java\Deployment\cache\6.0\57\1b72f2f9-45448cdc Java/Exploit.CVE-2012-1723.AB trojan
    C:\Documents and Settings\Fran\My Documents\Downloads\7zip_Setup.exe a variant of Win32/Adware.iBryte.C application
    C:\Documents and Settings\Fran\My Documents\Downloads\setup(1).exe a variant of Win32/Kryptik.AHQA trojan
    C:\Documents and Settings\Fran\My Documents\Downloads\setup(2).exe a variant of Win32/Kryptik.AHQA trojan
    C:\Documents and Settings\Fran\My Documents\Downloads\setup.exe a variant of Win32/Kryptik.AHQA trojan
    C:\Documents and Settings\Fran\My Documents\Downloads\signup-form.exe a variant of Win32/OpenInstall application
    C:\Qoobox\Quarantine\C\Documents and Settings\Fran\lapqeteazore.exe.vir a variant of Win32/Kryptik.AJIK trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Fran\_lapqeteazore_.exe.zip a variant of Win32/Kryptik.AJIK trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Fran\Local Settings\Application Data\{79c5b42a-6f80-130f-a7b1-deaf4a560f7e}\n.vir Win32/Sirefef.EV trojan
    C:\Qoobox\Quarantine\C\WINDOWS\Installer\{79c5b42a-6f80-130f-a7b1-deaf4a560f7e}\n.vir Win32/Sirefef.EV trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\40f4961a9b556c6e.sys.vir Win32/TrojanDownloader.Necurs.A trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_40f4961a9b556c6e_.sys.zip Win32/TrojanDownloader.Necurs.A trojan
    C:\System Volume Information\_restore{66715DF3-A820-4045-B3DC-0E1217986A03}\RP5\A0000323.exe a variant of Win32/Kryptik.AJIK trojan
    C:\System Volume Information\_restore{66715DF3-A820-4045-B3DC-0E1217986A03}\RP5\A0000324.sys Win32/TrojanDownloader.Necurs.A trojan
     
  2. jimbo100

    jimbo100 Malware Trainee

    Joined:
    Jul 1, 2011
    Messages:
    185
    Hi. Sorry for the delay. We need to use Combofix to remove a few files.

    Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      C:\Documents and Settings\All Users\Application Data\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll
      C:\Documents and Settings\Fran\My Documents\Downloads\7zip_Setup.exe
      C:\Documents and Settings\Fran\My Documents\Downloads\setup(1).exe
      C:\Documents and Settings\Fran\My Documents\Downloads\setup(2).exe
      C:\Documents and Settings\Fran\My Documents\Downloads\setup.exe
      C:\Documents and Settings\Fran\My Documents\Downloads\signup-form.exe
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [IMG]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you at C:\ComboFix.txt.
    • Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
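As an added example (not jimbo100's code and not part of ComboFix), the triage behind the CFScript above, written out in Python: it parses the ESET result lines fsumm posted, leaves out what ComboFix had already quarantined under C:\Qoobox and the System Restore copies, turns the Java deployment-cache hit into ClearJavaCache::, and emits the File:: block. The ESET line layout and the skip rules are this example's reading of the two posts, not a documented ESET or ComboFix interface.

```python
"""Build a ComboFix CFScript (ClearJavaCache:: / File::) from ESET scan output.

Triage as this example reads the helper's script: live files go to File::,
items already in ComboFix's quarantine (C:/Qoobox) and System Restore copies
are left out, and a hit in the Java deployment cache becomes ClearJavaCache::.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One ESET result line: "<path> [a variant of] <signature> <trojan|application>"
# (assumed layout, taken from the lines posted in the thread).
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:a variant of\s+)?"
    r"(?P<sig>[\w./-]+)\s+"
    r"(?P<kind>trojan|application)\s*$"
)

# Sample input: the ESET detections exactly as posted by fsumm (post #1).
ESET_RESULTS = r"""
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Documents and Settings\Fran\Application Data\Sun\Java\Deployment\cache\6.0\57\1b72f2f9-45448cdc Java/Exploit.CVE-2012-1723.AB trojan
C:\Documents and Settings\Fran\My Documents\Downloads\7zip_Setup.exe a variant of Win32/Adware.iBryte.C application
C:\Documents and Settings\Fran\My Documents\Downloads\setup(1).exe a variant of Win32/Kryptik.AHQA trojan
C:\Documents and Settings\Fran\My Documents\Downloads\setup(2).exe a variant of Win32/Kryptik.AHQA trojan
C:\Documents and Settings\Fran\My Documents\Downloads\setup.exe a variant of Win32/Kryptik.AHQA trojan
C:\Documents and Settings\Fran\My Documents\Downloads\signup-form.exe a variant of Win32/OpenInstall application
C:\Qoobox\Quarantine\C\Documents and Settings\Fran\lapqeteazore.exe.vir a variant of Win32/Kryptik.AJIK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Fran\_lapqeteazore_.exe.zip a variant of Win32/Kryptik.AJIK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Fran\Local Settings\Application Data\{79c5b42a-6f80-130f-a7b1-deaf4a560f7e}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{79c5b42a-6f80-130f-a7b1-deaf4a560f7e}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\40f4961a9b556c6e.sys.vir Win32/TrojanDownloader.Necurs.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_40f4961a9b556c6e_.sys.zip Win32/TrojanDownloader.Necurs.A trojan
C:\System Volume Information\_restore{66715DF3-A820-4045-B3DC-0E1217986A03}\RP5\A0000323.exe a variant of Win32/Kryptik.AJIK trojan
C:\System Volume Information\_restore{66715DF3-A820-4045-B3DC-0E1217986A03}\RP5\A0000324.sys Win32/TrojanDownloader.Necurs.A trojan
"""


@dataclass(frozen=True)
class Detection:
    path: str
    signature: str
    kind: str
    action: str  # "file", "java_cache", "quarantined" or "restore_point"


def classify(path: str) -> str:
    """Decide how a detected path is handled in the CFScript."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantined"    # already moved by ComboFix; goes with its quarantine
    if "\\system volume information\\_restore" in low:
        return "restore_point"  # System Restore copy, not a live file
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java_cache"     # cached applet; wiped wholesale by ClearJavaCache::
    return "file"


def parse_eset(text: str) -> list:
    """Parse ESET result lines into Detection records; reject unknown layouts."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ESET_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        found.append(Detection(m["path"], m["sig"], m["kind"], classify(m["path"])))
    return found


def build_cfscript(dets: list) -> str:
    """Emit the CFScript text: ClearJavaCache:: if needed, then the File:: block."""
    sections = []
    if any(d.action == "java_cache" for d in dets):
        sections.append("ClearJavaCache::")
    files = [d.path for d in dets if d.action == "file"]
    if files:
        sections.append("File::\n" + "\n".join(files))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    detections = parse_eset(ESET_RESULTS)
    print(build_cfscript(detections))
    for d in detections:
        if d.action != "file":
            print(f"# not in File:: ({d.action}): {d.path}  [{d.signature}]")
```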
     
  3. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    ComboFix 12-08-20.02 - Fran 08/20/2012 11:23:25.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -6:00]
    Running from: c:\documents and settings\Fran\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Fran\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "c:\documents and settings\All Users\Application Data\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll"
    "c:\documents and settings\Fran\My Documents\Downloads\7zip_Setup.exe"
    "c:\documents and settings\Fran\My Documents\Downloads\setup(1).exe"
    "c:\documents and settings\Fran\My Documents\Downloads\setup(2).exe"
    "c:\documents and settings\Fran\My Documents\Downloads\setup.exe"
    "c:\documents and settings\Fran\My Documents\Downloads\signup-form.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Fran\My Documents\Downloads\7zip_Setup.exe
    c:\documents and settings\Fran\My Documents\Downloads\setup(1).exe
    c:\documents and settings\Fran\My Documents\Downloads\setup(2).exe
    c:\documents and settings\Fran\My Documents\Downloads\setup.exe
    c:\documents and settings\Fran\My Documents\Downloads\signup-form.exe
    c:\windows\system32\FlashPlayerInstaller.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-20 16:43 . 2012-07-16 08:41 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B158B2DC-372A-4CB5-8D8E-7F343FEF7924}\mpengine.dll
    2012-08-17 00:14 . 2012-08-17 00:14 -------- d-----w- c:\program files\ESET
    2012-08-17 00:04 . 2012-07-16 08:41 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-03 14:25 . 2012-08-03 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2012-08-03 14:25 . 2012-08-03 14:25 -------- d-----w- c:\program files\Security Task Manager
    2012-08-01 18:15 . 2012-08-01 18:15 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-08-01 17:30 . 2012-08-01 17:30 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-01 15:41 . 2012-08-01 17:14 -------- d-----w- c:\windows\system32\MpEngineStore
    2012-08-01 14:54 . 2012-08-01 14:54 -------- d-----w- c:\documents and settings\Fran\Application Data\ElevatedDiagnostics
    2012-08-01 14:25 . 2012-08-01 14:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-17 01:42 . 2011-12-15 17:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-17 01:42 . 2011-12-01 17:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-13 13:19 . 2004-08-10 11:00 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50 . 2004-08-10 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 23:35 . 2011-11-30 15:58 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-04 04:32 . 2004-08-10 11:00 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 21:19 . 2009-08-07 02:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 21:19 . 2011-11-30 15:58 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 21:19 . 2011-11-30 15:58 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 21:19 . 2009-08-07 02:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 21:19 . 2011-11-30 15:58 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 21:19 . 2011-11-30 15:58 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 21:19 . 2009-08-07 02:24 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 21:19 . 2009-08-07 02:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 21:19 . 2004-08-10 11:00 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 21:19 . 2009-08-07 02:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 21:19 . 2011-11-30 15:58 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 21:19 . 2011-11-30 15:58 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 21:18 . 2011-12-01 15:27 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 21:18 . 2011-12-01 15:27 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 21:18 . 2011-12-01 15:27 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 18:25 . 2011-12-01 15:00 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-31 13:22 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-07-18 14:07 . 2011-12-01 17:17 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-06_16.28.30 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-08-20 16:32 . 2012-08-20 16:32 16384 c:\windows\Temp\Perflib_Perfdata_80c.dat
    + 2012-08-17 01:42 . 2012-08-17 01:42 686792 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_Plugin.exe
    + 2012-08-17 00:42 . 2012-08-17 00:42 686792 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
    + 2012-08-17 00:42 . 2012-08-17 00:42 466632 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.dll
    + 2011-12-15 17:28 . 2012-08-17 01:42 250056 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    - 2011-12-15 17:28 . 2012-08-03 15:42 250056 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2011-06-06 19:55 . 2011-06-06 19:55 686464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JP2KLib.dll
    + 2011-06-06 18:55 . 2011-06-06 18:55 937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
    + 2012-08-17 01:42 . 2012-08-17 01:42 9465032 c:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll
    + 2011-06-06 19:55 . 2011-06-06 19:55 5509512 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AGM.dll
    + 2012-07-28 01:47 . 2012-07-28 01:47 13123584 c:\windows\Installer\1697d.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-06-07 03:33 1519304 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-06-07 1564872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
    AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2011-12-1 106551]
    SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2005-12-22 5513216]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/30/2012 11:50 PM 793048]
    R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [12/1/2011 9:51 AM 472644]
    S1 mkhbclcj;mkhbclcj;\??\c:\windows\system32\drivers\mkhbclcj.sys --> c:\windows\system32\drivers\mkhbclcj.sys [?]
    S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
    S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
    S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/5/2012 6:41 PM 3048136]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/7/2012 7:12 PM 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [12/15/2011 11:28 AM 250056]
    S3 CFcatchme;CFcatchme;\??\c:\docume~1\Fran\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Fran\LOCALS~1\Temp\CFcatchme.sys [?]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/26/2012 2:31 PM 113120]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - RSVP
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-20 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-15 01:42]
    .
    2012-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2012-08-20 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 23:03]
    .
    2012-08-17 c:\windows\Tasks\RMSchedule.job
    - c:\program files\PC Tools\PC Tools Registry Mechanic\RegMech.exe [2012-01-31 21:06]
    .
    2012-08-17 c:\windows\Tasks\RMSmartUpdate.job
    - c:\program files\PC Tools\PC Tools Registry Mechanic\Update.exe [2012-01-31 21:06]
    .
    2012-08-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2012-06-07 03:33]
    .
    2012-08-20 c:\windows\Tasks\User_Feed_Synchronization-{D788EB22-BD64-424F-B03D-4A6C0C682E5D}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mail.yahoo.com/
    uInternet Connection Wizard,ShellNext = hxxp://espn.go.com/motion/detect.html
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.5.1
    FF - ProfilePath - c:\documents and settings\Fran\Application Data\Mozilla\Firefox\Profiles\y5ng535c.default\
    FF - prefs.js: browser.search.selectedEngine - Web Search
    FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: security.csp.enable - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-20 11:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-08-20 11:37:14
    ComboFix-quarantined-files.txt 2012-08-20 17:37
    ComboFix2.txt 2012-08-06 16:38
    .
    Pre-Run: 125,989,220,352 bytes free
    Post-Run: 125,997,400,064 bytes free
    .
    - - End Of File - - 6F2F4E0DB7473244724C183D0A30B55E
     
  4. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    I just want to make sure you got this last reply from me. I've been told by MyPoints.com how to remove the toolbar and I'm wondering if I should just try that, as I'm desperate to get my PC back? I appreciate all you are doing, but I'm under the gun I'm afraid. Thanks!
     
  5. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    Jimbo,

    While digging on TechGuy.com for your direct contact info, I can see I didn't get your entire message last Sunday. Apparently you also asked "Also please tell me if you are still being redirected after performing the above and the browser you are using."

    I am not aware that I have reported being redirected - have I said that before or are you gathering I am cos of the info I have sent? I am using Firefox.

    Today I've rerun the scan you asked for last Sunday and it's pasted below. PLEASE REPLY ASAP as I'm desperate to get this resolved. Thanks!!!

    ComboFix 12-08-25.04 - Fran 08/25/2012 13:24:46.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.666 [GMT -6:00]
    Running from: c:\documents and settings\Fran\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Fran\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    * Created a new restore point
    .
    FILE ::
    "c:\documents and settings\All Users\Application Data\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll"
    "c:\documents and settings\Fran\My Documents\Downloads\7zip_Setup.exe"
    "c:\documents and settings\Fran\My Documents\Downloads\setup(1).exe"
    "c:\documents and settings\Fran\My Documents\Downloads\setup(2).exe"
    "c:\documents and settings\Fran\My Documents\Downloads\setup.exe"
    "c:\documents and settings\Fran\My Documents\Downloads\signup-form.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-25 to 2012-08-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-25 19:10 . 2012-08-25 19:10 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF59A015-2A5A-4733-A407-540727046009}\MpKsld765d6ee.sys
    2012-08-23 15:58 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF59A015-2A5A-4733-A407-540727046009}\mpengine.dll
    2012-08-21 20:52 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-17 00:14 . 2012-08-17 00:14 -------- d-----w- c:\program files\ESET
    2012-08-03 14:25 . 2012-08-03 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2012-08-03 14:25 . 2012-08-03 14:25 -------- d-----w- c:\program files\Security Task Manager
    2012-08-01 18:15 . 2012-08-01 18:15 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-08-01 17:30 . 2012-08-01 17:30 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-01 15:41 . 2012-08-01 17:14 -------- d-----w- c:\windows\system32\MpEngineStore
    2012-08-01 14:54 . 2012-08-01 14:54 -------- d-----w- c:\documents and settings\Fran\Application Data\ElevatedDiagnostics
    2012-08-01 14:25 . 2012-08-01 14:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-17 01:42 . 2011-12-15 17:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-17 01:42 . 2011-12-01 17:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-13 13:19 . 2004-08-10 11:00 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50 . 2004-08-10 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 23:35 . 2011-11-30 15:58 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-04 04:32 . 2004-08-10 11:00 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 21:19 . 2009-08-07 02:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 21:19 . 2011-11-30 15:58 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 21:19 . 2011-11-30 15:58 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 21:19 . 2009-08-07 02:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 21:19 . 2011-11-30 15:58 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 21:19 . 2011-11-30 15:58 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 21:19 . 2009-08-07 02:24 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 21:19 . 2009-08-07 02:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 21:19 . 2004-08-10 11:00 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 21:19 . 2009-08-07 02:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 21:19 . 2011-11-30 15:58 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 21:19 . 2011-11-30 15:58 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 21:18 . 2011-12-01 15:27 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 21:18 . 2011-12-01 15:27 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 21:18 . 2011-12-01 15:27 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 13:22 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-07-18 14:07 . 2011-12-01 17:17 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-06_16.28.30 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-08-25 18:24 . 2012-08-25 18:24 16384 c:\windows\Temp\Perflib_Perfdata_5f8.dat
    - 2011-12-01 15:00 . 2012-05-31 18:25 237072 c:\windows\system32\MpSigStub.exe
    + 2011-12-01 15:00 . 2012-01-31 12:44 237072 c:\windows\system32\MpSigStub.exe
    + 2012-08-17 01:42 . 2012-08-17 01:42 686792 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_Plugin.exe
    + 2012-08-17 00:42 . 2012-08-17 00:42 686792 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
    + 2012-08-17 00:42 . 2012-08-17 00:42 466632 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.dll
    - 2011-12-15 17:28 . 2012-08-03 15:42 250056 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2011-12-15 17:28 . 2012-08-17 01:42 250056 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2011-06-06 19:55 . 2011-06-06 19:55 686464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JP2KLib.dll
    + 2011-06-06 18:55 . 2011-06-06 18:55 937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
    + 2012-08-17 01:42 . 2012-08-17 01:42 9465032 c:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll
    + 2011-06-06 19:55 . 2011-06-06 19:55 5509512 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AGM.dll
    + 2012-07-28 01:47 . 2012-07-28 01:47 13123584 c:\windows\Installer\1697d.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-06-07 03:33 1519304 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-06-07 1564872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
    AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2011-12-1 106551]
    SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2005-12-22 5513216]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R1 MpKsld765d6ee;MpKsld765d6ee;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF59A015-2A5A-4733-A407-540727046009}\MpKsld765d6ee.sys [8/25/2012 1:10 PM 29904]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/30/2012 11:50 PM 793048]
    R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [12/1/2011 9:51 AM 472644]
    S1 mkhbclcj;mkhbclcj;\??\c:\windows\system32\drivers\mkhbclcj.sys --> c:\windows\system32\drivers\mkhbclcj.sys [?]
    S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
    S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
    S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/5/2012 6:41 PM 3048136]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/7/2012 7:12 PM 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [12/15/2011 11:28 AM 250056]
    S3 CFcatchme;CFcatchme;\??\c:\docume~1\Fran\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Fran\LOCALS~1\Temp\CFcatchme.sys [?]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/26/2012 2:31 PM 113120]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLD765D6EE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-25 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-15 01:42]
    .
    2012-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2012-08-25 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 23:03]
    .
    2012-08-24 c:\windows\Tasks\RMSchedule.job
    - c:\program files\PC Tools\PC Tools Registry Mechanic\RegMech.exe [2012-01-31 21:06]
    .
    2012-08-24 c:\windows\Tasks\RMSmartUpdate.job
    - c:\program files\PC Tools\PC Tools Registry Mechanic\Update.exe [2012-01-31 21:06]
    .
    2012-08-25 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2012-06-07 03:33]
    .
    2012-08-25 c:\windows\Tasks\User_Feed_Synchronization-{D788EB22-BD64-424F-B03D-4A6C0C682E5D}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mail.yahoo.com/
    uInternet Connection Wizard,ShellNext = hxxp://espn.go.com/motion/detect.html
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.5.1
    FF - ProfilePath - c:\documents and settings\Fran\Application Data\Mozilla\Firefox\Profiles\y5ng535c.default\
    FF - prefs.js: browser.search.selectedEngine - Web Search
    FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: security.csp.enable - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-25 13:30
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2180)
    c:\windows\system32\WININET.dll
    c:\windows\system32\hcwhook.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2012-08-25 13:39:21
    ComboFix-quarantined-files.txt 2012-08-25 19:39
    ComboFix2.txt 2012-08-20 17:37
    ComboFix3.txt 2012-08-06 16:38
    .
    Pre-Run: 125,934,641,152 bytes free
    Post-Run: 125,929,930,752 bytes free
    .
    - - End Of File - - 037BE2CBA188F9407360A068D5970226
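The ComboFix service list in this post is where the interesting entry sits: `S1 mkhbclcj` is a system-start driver whose service name and display name are the same meaningless string and whose file ComboFix could not size or date (`[?]`). The short Python triage below is an added example, not part of this thread or of ComboFix; it parses lines in the `R<n>/S<n> name;display;path [meta]` shape shown above (the five sample lines are copied from the log in this post) and returns the entries worth a second look, with the reasons. The "vowel-free name" rule and the Temp-directory rule are heuristics of my own, so the output is a review list, not a verdict: ComboFix's own `CFcatchme` helper driver is flagged for living in Temp, which is expected.

```python
import re
from dataclasses import dataclass

# One ComboFix "Services/Drivers" line:
#   <R|S><start> <name>;<display>;<path> [<timestamp size> or ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)

# Windows service start types, SERVICE_BOOT_START (0) .. SERVICE_DISABLED (4).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Heuristic (mine, not ComboFix's): six or more consonants and nothing else
# looks like a generated name rather than a vendor's.
NO_VOWELS = re.compile(r"[b-df-hj-np-tv-z]{6,}")

# Constructed sample: five lines copied from the ComboFix service list above.
SAMPLE_SERVICES = [
    r"R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/30/2012 11:50 PM 793048]",
    r"R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [12/1/2011 9:51 AM 472644]",
    r"S1 mkhbclcj;mkhbclcj;\??\c:\windows\system32\drivers\mkhbclcj.sys --> c:\windows\system32\drivers\mkhbclcj.sys [?]",
    r"S3 CFcatchme;CFcatchme;\??\c:\docume~1\Fran\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Fran\LOCALS~1\Temp\CFcatchme.sys [?]",
    r"S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/26/2012 2:31 PM 113120]",
]


@dataclass
class ServiceEntry:
    state: str      # R = running, S = stopped
    start: str      # start type digit, see START_TYPES
    name: str
    display: str
    path: str       # resolved on-disk path (right side of "-->" if present)
    meta: str       # "timestamp size" or "?" when ComboFix could not stat the file


def parse_service_line(line):
    """Parse one service/driver line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    if "-->" in path:
        # "\??\c:\...\x.sys --> c:\...\x.sys": keep the resolved Win32 path.
        path = path.split("-->")[-1].strip()
    return ServiceEntry(m["state"], m["start"], m["name"], m["display"], path, m["meta"])


def review(entry):
    """Return the list of reasons this entry deserves a look (empty = nothing odd)."""
    reasons = []
    if entry.meta == "?":
        reasons.append("no size/timestamp recorded (file missing or unreadable)")
    if "\\temp\\" in entry.path.lower():
        reasons.append("binary lives in a Temp directory")
    if entry.name == entry.display and NO_VOWELS.fullmatch(entry.name.lower()):
        reasons.append("service and display name identical and vowel-free (looks generated)")
    if reasons and entry.start in ("0", "1"):
        # Only worth noting once something else is odd: many legitimate
        # drivers are boot/system start too.
        reasons.append(f"starts at {START_TYPES[entry.start]} stage")
    return reasons


def triage(lines):
    """Map service name -> reasons for every flagged line in the log excerpt."""
    flagged = {}
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = review(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the sample it lists `mkhbclcj` (missing file, generated-looking name, system start) and `CFcatchme` (missing file, Temp directory) and nothing else. On a real log, feed it the whole "Services/Drivers" section line by line; unrelated lines are ignored by the regex.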
     
  6. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    My name is Jeff. I will be taking over for Jimbo while he is gone. Let me look this over briefly and I will return shortly. :)
     
  7. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    Awesome!! Thank you, and it's great to see you are in the US too - Jimbo is in the UK ;)
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,598
    Fsumm,

    Jeff has graciously offered to take over but would you mind waiting a bit longer? jimbo100 has had to wait for his post to be approved but I'm sure he will be along to continue this with you by the end of the day or tomorrow at the latest. :)
     
  9. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    I'm just grateful that you guys are so vigilant. Hopefully we can move forward quickly and maybe even have this solved today? It's been a long process and I really appreciate Jimbo's diligence.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,598
    Thanks for your patience. :)
     
  11. jimbo100

    jimbo100 Malware Trainee

    Joined:
    Jul 1, 2011
    Messages:
    185
    Hi there. Can you please remove the following program(s) as they are known to be linked with third party applications that produce unwanted adverts and are not trustworthy.

    Uninstall Program(s) using Add or Remove Programs

    • Click "start" on the taskbar and then click on the "Control Panel" icon.
    • Please double-click the "Add or Remove Programs" icon
    • A list of installed programs will be "populated"; this may take a bit of time.
    • If they exist, uninstall the following by clicking on the following entries and selecting "remove":
      Ask toolbar
      (or anything ask related)
    Additional instructions can be found here

    Next:
    Update Java

    It is critical to have the latest version of Java installed, because older versions are a security risk that malware often exploits.

    • To get the latest version of Java please go here.
    • Please select "Agree and Start Free Download".
    • Once downloaded please follow the on screen wizard to install it.
    • When installed, please go to Start -> Control Panel -> Add or Remove Programs.
    • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
      They should have this icon next to any that are there:
      Select any found and choose remove.

    Could you please post me the link you were looking at for the removal of MyPoints. What other issues are you having other than MyPoints? Is it now possible to enable Microsoft Security Essentials real time protection? Please post the issues you are having so we can tackle them and wrap up this thread. By the way, which browser are you using most of the time?

    Thanks
     
  12. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    I followed the program removal instructions and could not remove all references to the Ask tool bar. Here's what I got:
    The error message was "The feature you are trying to use is on a network resource that is
    unavailable.

    Click OK to try again or enter an alternative path to folder containing the installation package "Ask Toolbar.msi" in the box below

    (This is what's in the box now):


    C:\DOCUME~1\Fran\LOCALS~1\Temp\{948AD5B9-A013-40DF-87B6-B77518DA4298}\


    Then I installed Java w/o a problem and I am able to turn on the firewall in MS Security now, so that's huge progress. Thanks!!


    Here's what I got from MyPoints:
    How do I uninstall the MyPoints toolbar?

    To uninstall the MyPoints toolbar from your Internet Explorer or Firefox browser you have two options. You can either:

    • From the toolbar logo dropdown, choose "Uninstall"
    or
    • Open your computer's Control Panel then select "Add or Remove Programs."
    • Find MyPoints in the list of installed applications and click on it.
    • Click on the "Change/Remove" button.
     
  13. jimbo100

    jimbo100 Malware Trainee

    Joined:
    Jul 1, 2011
    Messages:
    185
    Hey there.

    Let's run a tool that will deal with the ask toolbar.

    Please download AdwCleaner from here to your desktop
    Run AdwCleaner and select Delete

    Once done it will ask to reboot, allow this
    On reboot a log will be produced please attach that
     
  14. fsumm

    fsumm Thread Starter

    Joined:
    Aug 4, 2012
    Messages:
    23
    Thanks, Jimbo. I'm SO GRATEFUL for the help from you guys :eek:

    Here's the log I got from AdwCleaner:


    # AdwCleaner v1.801 - Logfile created 08/28/2012 at 06:19:58
    # Updated 14/08/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Fran - FRAN-A706F34BFF
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Fran\My Documents\Downloads\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Found : C:\Documents and Settings\Fran\Local Settings\Application Data\AskToolbar
    Folder Found : C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\y5ng535c.default\FCTB
    Folder Found : C:\Documents and Settings\All Users\Application Data\Ask
    Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
    Folder Found : C:\Program Files\Ask.com
    Folder Found : C:\Program Files\Wajam
    Folder Found : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    File Found : C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\y5ng535c.default\searchplugins\Askcom.xml
    File Found : C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\y5ng535c.default\searchplugins\web-search.xml
    File Found : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

    ***** [Registry] *****

    Key Found : HKCU\Software\APN
    Key Found : HKCU\Software\Ask.com
    Key Found : HKCU\Software\AskToolbar
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
    Key Found : HKLM\SOFTWARE\APN
    Key Found : HKLM\SOFTWARE\AskToolbar
    Key Found : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
    Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
    Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
    Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
    Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

    ***** [Registre - GUID] *****

    Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [OK] Registry is clean.

    -\\ Mozilla Firefox v14.0.1 (en-US)

    Profile name : default
    File : C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\y5ng535c.default\prefs.js

    Found : user_pref("browser.search.defaultengine", "Ask.com");
    Found : user_pref("browser.search.defaultenginename", "Ask.com");
    Found : user_pref("browser.search.order.1", "Ask.com");
    Found : user_pref("browser.search.selectedEngine", "Web Search");
    Found : user_pref("extensions.asktb.abar-war-timeout", "4000");
    Found : user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
    Found : user_pref("extensions.asktb.cbid", "TV");
    Found : user_pref("extensions.asktb.config-updated", false);
    Found : user_pref("extensions.asktb.crumb", "2012.04.02+10.22.31-toolbar020iad-US-RGVudmVyLENPLFVuaXRlZCBTdG[...]
    Found : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
    Found : user_pref("extensions.asktb.displaybehavior", "");
    Found : user_pref("extensions.asktb.displaytext", "");
    Found : user_pref("extensions.asktb.dtid", "YYYYYYYYUS");
    Found : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", false);
    Found : user_pref("extensions.asktb.dyn-weather-locid-weatherWidget", "USCO0105");
    Found : user_pref("extensions.asktb.dyn-weather-tempunit-weatherWidget", "F");
    Found : user_pref("extensions.asktb.ff-original-keyword-url", "");
    Found : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
    Found : user_pref("extensions.asktb.l", "dis");
    Found : user_pref("extensions.asktb.last-config-req", "1334252502946");
    Found : user_pref("extensions.asktb.last-search-timestamp", "1335217323052");
    Found : user_pref("extensions.asktb.last-v", "3.14.1.100009");
    Found : user_pref("extensions.asktb.locale", "en_US");
    Found : user_pref("extensions.asktb.location", "Denver,CO,United States");
    Found : user_pref("extensions.asktb.lstation", "");
    Found : user_pref("extensions.asktb.news-native-on", true);
    Found : user_pref("extensions.asktb.o", "100000031");
    Found : user_pref("extensions.asktb.pstate", "");
    Found : user_pref("extensions.asktb.qsrc", "2871");
    Found : user_pref("extensions.asktb.search-history-queries", "tj maxx locations||map of denver colorado||lip[...]
    Found : user_pref("extensions.asktb.search-plugin-suggestions-url", "hxxp://ss.websearch.ask.com/query?qsrc=[...]
    Found : user_pref("extensions.asktb.search-suggestions-enabled", true);
    Found : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
    Found : user_pref("extensions.asktb.socialmini-first", true);
    Found : user_pref("extensions.asktb.socialmini-interval", "1200000");
    Found : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
    Found : user_pref("extensions.asktb.socialmini-max-items", "30");
    Found : user_pref("extensions.asktb.socialmini-native-on", true);
    Found : user_pref("extensions.asktb.socialmini-speed", "10000");
    Found : user_pref("extensions.asktb.socialmini-transition-first-open", false);
    Found : user_pref("extensions.asktb.to", "");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.2799403.KeywordHistory", "rockies%2520baseball%[...]
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.AutoSearchEventData", "auto%20search");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.ClearCacheDate", 28);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.DNSCatch", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.DisplayEULA", false);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.DnsCatchEventData", "dns%20catch");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.FirstLaunchShown", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.LoadLayoutDate.60497", 28);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.MailLastCheckTime", 1346155008);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.NewTabSearchEventData", "tab%20search");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.RemoveAllData", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.ShowRecommendedOptions", false);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.StateReportDate", "1345989521955");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.TopRightSearchEventData", "top%20right%20search[...]
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.api.settings.fctoolbar51ef49d2624b41948b971c468[...]
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.beforeInstallSaved", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.beforeinstall.homepage", "data%3Atext/plain%2Cb[...]
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.beforeinstall.search", "Ask.com");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.customNewTab", false);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.helpUsImprove", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.hideOthers", false);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.processAddrBar", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.remove_search", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.restoreSearch", false);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.searchHistory", true);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.showFirstLaunchOptions", false);
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.tb_lang", "en");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.tool_id", "60497");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.user_id", "80009403");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.user_key", "e65262202fa84c6118bf99eb95052bcaeba[...]
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.user_layouts", "60497");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.user_lnames", "MyPoints%20Point%20Finder");
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.xml_service_url", "64e3a27980eeceb34248bc3e680b[...]
    Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.yahooSearch", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.AutoSearchEventData", "auto%20search");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.ClearCacheDate", 28);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.DNSCatch", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.DisplayEULA", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.DnsCatchEventData", "dns%20catch");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.EBOMode", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.FirstLaunchShown", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.InstallDomain", "freecause.com");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.InstallType", "standard");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.LoadLayoutDate.100815", 28);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.NewTabSearchEventData", "tab%20search");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.ShowRecommendedOptions", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.StateReportDate", "1345989521827");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.TopRightSearchEventData", "top%20right%20search[...]
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.beforeInstallSaved", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.beforeinstall.homepage", "data%3Atext/plain%2Cb[...]
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.beforeinstall.search", "Ask.com");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.customNewTab", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.helpUsImprove", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.hideOthers", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.partnerauth", false);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.processAddrBar", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.restoreSearch", false);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.runcmd.", "bb_acct_status_1346155008");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.searchHistory", true);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.session", "A8F540AEB15ACBCA8930AC6D6AF24F82B66B[...]
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.showFirstLaunchOptions", false);
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.tb_lang", "en");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.tool_id", "100815");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.user_id", "108957468");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.user_key", "fc9baaed1cb6c299ad778ac7cf120827873[...]
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.user_layouts", "100815");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.user_lnames", "fcreward.100815.b");
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.xml_service_url", "6bb94bbf55fe2f255901a560824a[...]
    Found : user_pref("freecause758d6aeb75e49f24fd4951b640add07f.yahooSearch", true);

    -\\ Google Chrome v17.0.963.6

    File : C:\Documents and Settings\Fran\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

    Found : "description": "The fastest way to search the web.",

    *************************

    AdwCleaner[R2].txt - [13932 octets] - [28/08/2012 06:19:58]

    ########## EOF - C:\AdwCleaner[R2].txt - [14061 octets] ##########
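Two logs in this thread show the same persistence technique from the browser side: the ComboFix supplementary scan in post 5 (`keyword.URL` pointed at mypoints.com, `security.csp.enable` set to false from a `user.js`) and the AdwCleaner run above (search-engine prefs set to Ask.com, dozens of `extensions.asktb.*` and `freecause<hash>.*` prefs). The script below is an added example, not part of the thread or of either tool: it parses Firefox `user_pref("name", value);` lines (AdwCleaner's `Found : ` prefix is accepted too) and reports the settings a defender would want to revert. The sample excerpt is constructed from values shown in the two logs; the `hxxps` defanging is kept as the logs print it. The indicator rules and the "default is 15" note on `extensions.autoDisableScopes` are mine, not something the logs state.

```python
import re

# One pref line as written in prefs.js/user.js, optionally prefixed by
# AdwCleaner's "Found : " when pasted from its log.
PREF_RE = re.compile(r'^(?:Found\s*:\s*)?user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Prefs that only appear in prefs.js when something changed the search engine.
SEARCH_PREFS = (
    "browser.search.defaultengine",
    "browser.search.defaultenginename",
    "browser.search.order.1",
    "browser.search.selectedEngine",
)

# Toolbar namespaces seen in the AdwCleaner log above (the freecause prefix
# carries a 32-hex-digit toolbar id).
THIRD_PARTY_NS = re.compile(r"^(extensions\.asktb\.|freecause[0-9a-f]{32}\.)")

# Constructed sample: a prefs.js/user.js excerpt assembled from values in the
# ComboFix (post 5) and AdwCleaner (post 14) logs above.
SAMPLE_PREFS = r"""
user_pref("browser.search.defaultengine", "Ask.com");
user_pref("browser.search.defaultenginename", "Ask.com");
user_pref("browser.search.selectedEngine", "Web Search");
user_pref("keyword.URL", "hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=");
user_pref("network.proxy.type", 0);
user_pref("extensions.autoDisableScopes", 14);
user_pref("security.csp.enable", false);
Found : user_pref("extensions.asktb.search-suggestions-enabled", true);
Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.DNSCatch", true);
Found : user_pref("freecause51ef49d2624b41948b971c468e9b0efe.processAddrBar", true);
"""


def parse_value(raw):
    """Turn the JS literal on the right of a user_pref() into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything else (floats, odd literals) as text


def parse_prefs(text):
    """Map pref name -> value for every user_pref line in the text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs):
    """Return (what, pref, value) triples for settings a defender should revert."""
    findings = []
    for name in SEARCH_PREFS:
        if name in prefs:
            findings.append(("search-engine override", name, prefs[name]))
    if "keyword.URL" in prefs:
        # Address-bar lookups go to this URL instead of the default search.
        findings.append(("address-bar search redirected", "keyword.URL", prefs["keyword.URL"]))
    if prefs.get("security.csp.enable") is False:
        findings.append(("Content Security Policy disabled", "security.csp.enable", False))
    scopes = prefs.get("extensions.autoDisableScopes")
    if isinstance(scopes, int) and scopes != 15:
        # 15 = all install scopes auto-disabled pending user opt-in; a smaller
        # bitmask lets side-loaded add-ons in some scope start enabled.
        findings.append(("add-on auto-disable scopes narrowed", "extensions.autoDisableScopes", scopes))
    toolbar = sorted(n for n in prefs if THIRD_PARTY_NS.match(n))
    if toolbar:
        findings.append(("third-party toolbar namespace present", f"{len(toolbar)} prefs", toolbar[0]))
    return findings


if __name__ == "__main__":
    for what, pref, value in audit(parse_prefs(SAMPLE_PREFS)):
        print(f"{what:45} {pref} = {value!r}")
```

One caveat that matters for cleanup: anything set in `user.js` is re-applied every time Firefox starts, so a `security.csp.enable` line there silently undoes a fix made through `about:config`. Run the audit over both files in the profile directory, and delete (or empty) `user.js` rather than only editing prefs.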
     
  15. jimbo100

    jimbo100 Malware Trainee

    Joined:
    Jul 1, 2011
    Messages:
    185
    Hi, can you please run the program again and press Delete. The last time you ran the program, you pressed Search.

    Thanks.
     
Short URL to this thread: https://techguy.org/1063843