Plz Help Urgently !!! My computer is spontaneously surfing porn and Adult sites.

Discussion in 'Virus & Other Malware Removal' started by Aizaz, Dec 8, 2011.

Thread Status:
Not open for further replies.
  1. Aizaz

    Aizaz Thread Starter

    Joined: Dec 8, 2011
    Messages: 14
    My computer got infected by a strange malware. . . It automatically starts surfing porn and adult dating sites if left idle for a few hours. . . I am using Windows XP PRO with the latest updates. . . A few days back I left my PC turned on overnight (torrent downloading) and the next day when I opened the browser it asked me to restore the previous session. I did so and it was some porn sites (however, no one was in my room as it was locked). . . I did the following steps to eradicate the problem. . . But it didn't help.
    1. Installed and updated Malwarebytes and scanned the full PC.
    2. Scanned my PC with fully updated Kaspersky PURE and McAfee Antivirus Plus.
    3. Removed Google Chrome and set Firefox as default browser.
    4. Formatted C: drive and re-installed OS.
    After doing all this I still have the same problem. . . If I leave my PC on for a few hours it spontaneously loads porn. . . This is too annoying. . . Please help.
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined: Mar 21, 2006
    Messages: 11,383
    First Name: Kevin
    Can you post a screen shot of your partition layout? Select Start > right click on "My Computer" > select "Manage"; in the new window select Disk Management.
    You should now see your partition layout. Maximise the screen. Press the following two keys together: Ctrl and Prt Sc SysRq. Next open Paint from your Accessories folder, right click and select Paste. Save the image as a JPEG, not bitmap.

    Kevin
     
  3. Aizaz

    Aizaz Thread Starter

    Here it is.
     

  4. kevinf80

    kevinf80 Malware Specialist

    Thanks for the image, it rules out the new TDL4 re-booted infection. OK continue as follows:

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • Click on "Change parameters" and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Kevin
     
  5. Aizaz

    Aizaz Thread Starter

    It detected 1 suspicious file. Here is the report.

     
  6. kevinf80

    kevinf80 Malware Specialist

    Download aswMBR from Here

    If aswMBR prompts to update during its routine, please allow it.

    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below

      [​IMG]

      Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
    • Once the scan finishes click Save log to save the log to your Desktop.

    • Copy and paste the contents of aswMBR.txt back here for review
    • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

    Kevin
     
  7. Aizaz

    Aizaz Thread Starter

    Thanks for help. . . Here is "aswMBR.txt" content. . . MBR.dat is also attached below.

     

    Attached Files:
    • MBR.zip (511 bytes)
  8. kevinf80

    kevinf80 Malware Specialist

    Still nothing definite, OK do the following:

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the [IMG] icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available Here if required.
    • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  9. Aizaz

    Aizaz Thread Starter

    Here is the log. . . Sorry for late reply as I am too busy in my studies.

     
  10. kevinf80

    kevinf80 Malware Specialist

    Please refrain from posting the logs in code or quote boxes, it makes it very hard to read them. Do the following:

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    DDS::
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=GRchr999&ptb=rEILvRdHwYobowOTH_PFIA&si=´B~#C ~
    ClearJavaCache::
    Killall::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a1dd409e-157c-41a0-97c1-85761f628ade}]
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    [​IMG]

    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here Please read them before running the scan.

    Also be aware this scan can take several hours to complete depending on the size of your system.

    ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

    Post those two logs and give an update on current issues,

    Kevin
     
  11. Aizaz

    Aizaz Thread Starter

    Step one log:
    ComboFix 11-12-10.01 - Aizaz 12/10/2011 1:46.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.972 [GMT -8:00]
    Running from: c:\documents and settings\Aizaz\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Aizaz\Desktop\CFScript.txt
    AV: Kaspersky PURE *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky PURE *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-01 17:02 . 2011-12-01 17:02 -------- d-----w- C:\Rbackup
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-28 07:06 . 2004-08-03 20:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 19:41 . 2011-09-26 19:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 19:41 . 2001-08-23 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 19:41 . 2001-08-23 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-11-21 04:21 . 2011-12-01 17:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2010-01-06 02:04 . 2011-12-02 15:26 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_15.38.03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2001-08-23 10:00 . 2011-12-06 13:22 40196 c:\windows\system32\perfc009.dat
    + 2001-08-23 10:00 . 2011-12-09 15:41 40196 c:\windows\system32\perfc009.dat
    + 2001-08-23 10:00 . 2011-12-09 15:41 311934 c:\windows\system32\perfh009.dat
    - 2001-08-23 10:00 . 2011-12-06 13:22 311934 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
    @="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
    [HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
    2011-05-30 14:50 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
    @="{dd230880-495a-11d1-b064-008048ec2fc5}"
    [HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
    2010-10-02 06:05 129624 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE\shellex.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Visual Task Tips"="c:\program files\RunMe\VisualTaskTips\VisualTaskTips.exe" [2007-09-06 36352]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-11-30 642424]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-11-14 3437976]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-06-16 1500160]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
    "SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE\avp.exe" [2010-10-02 348760]
    .
    c:\documents and settings\Aizaz\Start Menu\Programs\Startup\
    UberIcon.lnk - c:\program files\Materx\UberIcon\UberIcon Manager.exe [2011-11-30 180224]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [12/6/2011 1:58 AM 88632]
    R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
    R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [12/6/2011 1:59 AM 39352]
    R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [11/14/2011 5:39 AM 101616]
    R2 CSObjectsSrv;CryptoStorage control service;c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [12/21/2009 5:34 PM 743992]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/1/2011 6:27 AM 366152]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/1/2011 6:27 AM 22216]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Aizaz\Application Data\Mozilla\Firefox\Profiles\dghwpcm3.default\
    FF - prefs.js: browser.search.selectedEngine - Google COM
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-10 01:55
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2208)
    c:\program files\Materx\UberIcon\UberIcon.dll
    c:\program files\RunMe\VisualTaskTips\VttHooks.dll
    c:\program files\Internet Download Manager\IDMShellExt.dll
    c:\program files\Internet Download Manager\IDMNetMon.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SOUNDMAN.EXE
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-10 01:59:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-10 09:59
    ComboFix2.txt 2011-12-09 15:42
    .
    Pre-Run: 12,813,627,392 bytes free
    Post-Run: 12,804,800,512 bytes free
    .
    - - End Of File - - A591C66112BC6D6F9BD013CA49390880
     
  12. Aizaz

    Aizaz Thread Starter

    ESET Log

    C:\Documents and Settings\Aizaz\My Documents\Downloads\BestUninstallTool_Setup.exe a variant of Win32/PerfectUninstaller application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Win32/Adware.FunWeb application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Win32/Adware.FunWeb application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL.vir Win32/Toolbar.MyWebSearch.G application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Win32/Toolbar.MyWebSearch.B application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Win32/Adware.FunWeb application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL.vir Win32/Toolbar.MyWebSearch.G application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Win32/Toolbar.MyWebSearch.D application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Win32/Adware.FunWeb application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Win32/Toolbar.MyWebSearch.P application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Win32/FunWeb application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL.vir Win32/Toolbar.MyWebSearch.H application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL.vir Win32/Toolbar.MyWebSearch.I application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Win32/Toolbar.MyWebSearch.F application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Win32/Toolbar.MyWebSearch.P application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IEOVR.DLL.vir Win32/Toolbar.MyWebSearch.P application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Win32/Toolbar.MyWebSearch.J application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir a variant of Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Win32/Toolbar.MyWebSearch.P application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Win32/Toolbar.MyWebSearch.J application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3TPINST.DLL.vir Win32/Toolbar.MyWebSearch.I application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Win32/Toolbar.MyWebSearch.J application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000029.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000030.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000031.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000032.DLL Win32/Toolbar.MyWebSearch.G application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000033.DLL Win32/Toolbar.MyWebSearch.B application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000034.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000035.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000036.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000037.SCR Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000038.DLL Win32/Toolbar.MyWebSearch.G application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000039.DLL Win32/Toolbar.MyWebSearch.D application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000040.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000041.EXE Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000042.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000043.DLL Win32/FunWeb application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000044.DLL Win32/Toolbar.MyWebSearch.H application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000045.DLL Win32/Toolbar.MyWebSearch.I application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000047.DLL Win32/Toolbar.MyWebSearch.F application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000048.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000049.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000050.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000052.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000053.DLL Win32/Toolbar.MyWebSearch.J application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000054.DLL a variant of Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000055.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000056.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000057.EXE Win32/Toolbar.MyWebSearch.J application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000058.DLL Win32/Toolbar.MyWebSearch.I application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000059.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000060.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000061.DLL Win32/Toolbar.MyWebSearch.J application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000062.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000063.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{280BC8C5-1E07-435D-BF7A-01A9E5A20C46}\RP1\A0000072.scr Win32/Toolbar.MyWebSearch application
     
  13. kevinf80

    kevinf80 Malware Specialist

    Continue as follows please, don't worry about the Qoobox entries, they are safe and will be dealt with when we uninstall Combofix.

    Step 1

    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      -------------------------------------------------------------------

      :Files
      ipconfig /flushdns /c
      C:\Documents and Settings\Aizaz\My Documents\Downloads\BestUninstallTool_Setup.exe
      :Commands
      [ClearAllRestorePoints]
      [EmptyTemp]

      ---------------------------------------------------------------------
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red [​IMG] button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Step 2

    Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.
    • When done, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/paste both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE

    Let me see the following in your reply :-

    • Log from OTM
    • DDS.txt
    • Attach.txt

    Also give update on current issues/concerns...

    Kevin
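
An added example, not part of the thread or of any poster's tooling: a short Python triage for ESET Online Scanner log lines in the format posted above, sorting each detection by where the file sits (ComboFix's Qoobox quarantine, a System Restore store, or a live path). The sample lines, the placeholder restore GUID and all function names are constructed for illustration.

```python
import re
from collections import Counter

# One detection line, as seen in the posted log:
#   "<path> [a variant of ]<Platform/Name> <type>"
# Windows paths never contain "/", so the first "Platform/Name" token
# marks where the path ends even though the path itself has spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<variant>a variant of )?"
    r"(?P<name>\w+/[\w.]+)\s+"
    r"(?P<kind>[\w ]+)$"
)
QUARANTINE_RE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I)
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.I)

# Constructed sample in the same layout as the log in the thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\User\My Documents\Downloads\ExampleTool_Setup.exe a variant of Win32/PerfectUninstaller application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL.vir Win32/Toolbar.MyWebSearch.G application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Win32/Adware.FunWeb application
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000002.DLL Win32/Toolbar.MyWebSearch.P application
Scan finished (constructed non-detection line)
"""


def classify_location(path):
    """Return where a detected file lives, which decides how it is handled."""
    if QUARANTINE_RE.match(path):
        # Already neutralised by ComboFix; goes away when ComboFix is uninstalled.
        return "combofix_quarantine"
    if RESTORE_RE.match(path):
        # Copy inside a restore point; cleared by flushing restore points.
        return "system_restore"
    # Anything else is a file still sitting on the normal filesystem.
    return "live"


def parse_line(line):
    """Parse one log line into a record, or None if it is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    return {
        "path": m.group("path"),
        "name": name,
        # Drop a trailing one- or two-letter variant suffix (".G", ".P").
        "family": re.sub(r"\.[A-Z]{1,2}$", "", name),
        "variant": bool(m.group("variant")),
        "kind": m.group("kind"),
        "location": classify_location(m.group("path")),
    }


def triage(log_text):
    """Bucket detections by location and count them per family."""
    buckets = {"live": [], "combofix_quarantine": [], "system_restore": []}
    unparsed = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)  # keep for manual review, never drop silently
        else:
            buckets[rec["location"]].append(rec)
    families = Counter(r["family"] for recs in buckets.values() for r in recs)
    return buckets, families, unparsed


if __name__ == "__main__":
    buckets, families, unparsed = triage(SAMPLE_LOG)
    for location, recs in buckets.items():
        print(f"{location}: {len(recs)}")
        for rec in recs:
            print(f"    {rec['name']:<32} {rec['path']}")
    print("families:", dict(families))
    print("unparsed lines:", len(unparsed))
```

Only the "live" bucket needs a removal step of its own; the other two buckets are the ones the reply above says are handled by uninstalling ComboFix and clearing restore points.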
     
  14. Aizaz

    Aizaz Thread Starter

    Where can I find the OTM.exe file ?
     
  15. kevinf80

    kevinf80 Malware Specialist

    Apologies, got my threads mixed up. Fix is the same I just missed start of OTM off... as follows please:

    Step 1

    Please download OTM by OldTimer.
    Alternative Mirror 1
    Alternative Mirror 2
    Save it to your desktop.
    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      -------------------------------------------------------------------
      :Files
      ipconfig /flushdns /c
      C:\Documents and Settings\Aizaz\My Documents\Downloads\BestUninstallTool_Setup.exe
      :Commands
      [ClearAllRestorePoints]
      [EmptyTemp]

      ---------------------------------------------------------------------
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red [​IMG] button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Step 2

    Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.
    • When done, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/paste both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE

    Let me see the following in your reply :-

    • Log from OTM
    • DDS.txt
    • Attach.txt

    Also give update on current issues/concerns...

    Kevin
     
Short URL to this thread: https://techguy.org/1030273
