Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

http://www.searchnu.com/102 trojan

Started by JayL, Mar 09 2012 02:28 PM

This topic is locked

10 replies to this topic

#1 JayL

Member

Full Member
8 posts

Posted 09 March 2012 - 02:28 PM

I'm running XP 64; DDS will not load on this version of windows.
Kaspersky & Registry Mechanic could not find any viruses or trojans.

If I set my homepage to google/news and then restart firefox, searchnu becomes the homepage. Other manifestations [possibly related] : pc freezes if running multiple processes; sticky keys resets to normal keyboard; file saves and pc configuration [quick launch toolbar] not saved with a reboot.

I have a desktop image, but when I tried to attach it to this post, was told it is too big. In any case, here's a link to the image: My link.

Attached Files

checkup.txt 991bytes 121 downloads
mbam-log-2012-03-09 (11-59-50).txt 15.65K 80 downloads
mbam-log-2012-03-09 (13-06-48).txt 13.77K 60 downloads
hijackthis.txt 8.21K 74 downloads

Back to top

#2 The Dark Knight

Malware Vigilante

Trusted Advisor*
2,175 posts

Posted 09 March 2012 - 11:37 PM

Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 2 x64
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Kaspersky Anti-Virus 2012
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Java™ 6 Update 29
Java version out of date!
Mozilla Firefox (10.0.2)
Mozilla Thunderbird (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Kaspersky Lab Kaspersky Anti-Virus 2012 avp.exe
``````````End of Log````````````

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

Back to top

#3 The Dark Knight

Malware Vigilante

Trusted Advisor*
2,175 posts

Posted 09 March 2012 - 11:37 PM

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.09.04

Windows XP Service Pack 2 x64 NTFS
Internet Explorer 6.0.3790.3959
Administrator :: XP64 [administrator]

Protection: Enabled

3/9/2012 11:59:50 AM
mbam-log-2012-03-09 (11-59-50).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 283353
Time elapsed: 50 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 46
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004827.dll (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004828.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004829.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004830.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004831.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004832.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004833.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004834.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004835.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004836.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004837.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004838.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004839.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004840.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004841.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004842.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004843.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004844.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004845.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004846.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004847.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004848.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004849.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004850.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004851.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004852.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004853.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004854.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004855.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004856.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004857.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004858.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004859.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004860.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004861.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004862.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004863.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004864.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004865.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004866.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004867.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004868.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004869.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004870.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004871.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004872.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

(end)

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

Back to top

#4 The Dark Knight

Malware Vigilante

Trusted Advisor*
2,175 posts

Posted 09 March 2012 - 11:38 PM

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.09.04

Windows XP Service Pack 2 x64 NTFS
Internet Explorer 6.0.3790.3959
Administrator :: XP64 [administrator]

Protection: Enabled

3/9/2012 11:59:50 AM
mbam-log-2012-03-09 (13-06-48).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 283353
Time elapsed: 50 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 46
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004827.dll (Adware.GamePlayLabs) -> No action taken.
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004828.exe (Adware.GamePlayLabs) -> No action taken.
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004829.exe (Adware.GamePlayLabs) -> No action taken.
C:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004830.exe (Adware.GamePlayLabs) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004831.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004832.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004833.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004834.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004835.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004836.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004837.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004838.exe (RiskWare.Tool.CK) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004839.exe (RiskWare.Tool.CK) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004840.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004841.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004842.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004843.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004844.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004845.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004846.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004847.exe (RiskWare.Tool.CK) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004848.exe (RiskWare.Tool.CK) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004849.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004850.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004851.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004852.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004853.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004854.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004855.exe (RiskWare.Tool.CK) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004856.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004857.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004858.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004859.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004860.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004861.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004862.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004863.exe (RiskWare.Tool.CK) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004864.exe (RiskWare.Tool.CK) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004865.exe (Trojan.Dropper.PGen) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004866.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004867.exe (Affiliate.Downloader) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004868.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004869.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004870.exe (Adware.Agent) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004871.exe (Adware.FunWeb) -> No action taken.
D:\System Volume Information\_restore{0B97CB89-A10C-4F17-82EA-27491B81D1AA}\RP6\A0004872.exe (RiskWare.Tool.CK) -> No action taken.

(end)

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

Back to top

#5 The Dark Knight

Malware Vigilante

Trusted Advisor*
2,175 posts

Posted 09 March 2012 - 11:38 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:30:44 PM, on 3/9/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Omega Research\Program\orschd.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\PROGRA~2\WINDOW~3\Datamngr\DATAMN~1.EXE
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Documents and Settings\Administrator\Desktop\Dropper.exe
C:\Program Files (x86)\Registry Mechanic\RegMech.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dts.search-re...stemid=102&sr=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/102
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-re...q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-re...q={searchTerms}
F2 - REG:system.ini: UserInit=userinit,
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WINDOW~3\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\WINDOW~3\Datamngr\BROWSE~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WINDOW~3\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe"
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~2\WINDOW~3\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Memeo Instant Backup] "C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe" --silent --no_ui
O4 - HKLM\..\Run: [Seagate Dashboard] "C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" --silent --no_ui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Omega Research Task Scheduler.lnk = C:\Program Files (x86)\Omega Research\Program\orschd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~2\WINDOW~3\Datamngr\datamngr.dll C:\PROGRA~2\WINDOW~3\Datamngr\IEBHO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SysWOW64\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SysWOW64\browseui.dll
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Seagate Dashboard Service (SeagateDashboardService) - Memeo - C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8410 bytes

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

Back to top

#6 The Dark Knight

Malware Vigilante

Trusted Advisor*
2,175 posts

Posted 09 March 2012 - 11:48 PM

Welcome JayL to SpywareInfo. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

Just a few things before we begin:

:excl:

Before proceeding:

In the upper right hand corner of this topic there is a button labelled Watch this topic. Please click this button, select Immediate E-Mail notification and then click Proceed to ensure you are notified when I reply.
Please back up your personal documents and files by copying them to a location other than your system drive.

For the duration of this topic:
Please DO NOT run, install and/or uninstall/remove any tools/ programs other than those I suggest to you in order to avoid conflicts and/or additional problems on your system. :thumbup:

When you receive new instructions:

Please read the whole post before carrying out any of the instructions.
All our tools must be downloaded to the Desktop and launched from there (unless I specify otherwise).
Please perform all steps in the received order and DO NOT proceed if you need clarification.
Please DO NOT re-run any program unless I ask you to.
Please DO NOT plug in any external devices like USBs and Hard Drives unless I ask you to.
If you encounter any problems please stop and let me know.

When replying:

Please click the Add Reply button so that my reply is not posted back to me. Thank you!
Please copy and paste your logs into your post unless I specifically ask you to attach one.

_________________________________________________________________________________________________________________________________

To start us off, please use HijackThis to do a little more cleanup:

Please open HijackThis.
Click Do a system scan only.
Check the following entries (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dts.search-re...stemid=102&sr=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/102
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-re...q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-re...q={searchTerms}
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WINDOW~3\Datamngr\ToolBar\searchqudtx.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WINDOW~3\Datamngr\ToolBar\searchqudtx.dll
Please close all other open windows and click Fix checked.
Close HijackThis.
Reboot your computer.

==========

Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.
==========

Finally, please download to your Desktop:

TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

Click on the Start Scan button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue
If a suspicious file is detected, the default action will be Skip, click on Continue
If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.

==========

In your next reply, please post the following:

Fresh HijackThis log.
ComboFix.txt.
Log from TDSSKiller.

How is your computer currently running?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

Back to top

#7 JayL

Member

Full Member
8 posts

Posted 11 March 2012 - 08:59 AM

Dark Night,
Will do to best of my ability. 1st problem:
====>> Please DO NOT plug in any external devices like USBs and Hard Drives unless I ask you to.

All my data is located on external hard drives. When my pc boots they are automatically reattached. One of my symptoms is machine freezing; also unscheduled reboot. Yesterday, I was out of town - I had left my machine on. When I returned, it had rebooted and hung during the reboot.

Thanx for the help.

Back to top

#8 JayL

Member

Full Member
8 posts

Posted 11 March 2012 - 10:01 AM

Dark Knight,
ComboFix doesn't run on XP 64.
TDSSKiller doesn't find any problems.
After HighjackSThis fix & reboot, searchnu still there.

Back to top

#9 JayL

Member

Full Member
8 posts

Posted 11 March 2012 - 10:15 AM

here's the HighjackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:12 AM, on 3/11/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Omega Research\Program\orschd.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\PROGRA~2\WINDOW~3\Datamngr\DATAMN~1.EXE
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit,
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files

(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -

C:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} -

C:\PROGRA~2\WINDOW~3\Datamngr\BROWSE~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files

(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files

(x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus

2012\avp.exe"
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~2\WINDOW~3\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft

Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java

Update\jusched.exe"
O4 - HKLM\..\Run: [Memeo Instant Backup] "C:\Program Files

(x86)\Memeo\AutoBackup\MemeoLauncher2.exe" --silent --no_ui
O4 - HKLM\..\Run: [Seagate Dashboard] "C:\Program Files (x86)\Seagate\Seagate

Dashboard\MemeoLauncher.exe" --silent --no_ui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes'

Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RDReminder] C:\Program Files (x86)\RegClean Pro\RegCleanPro.exe -rem
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User

'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User

'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User

'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User

'Default user')
O4 - Global Startup: Omega Research Task Scheduler.lnk = C:\Program Files (x86)\Omega

Research\Program\orschd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program

Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files

(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -

C:\PROGRA~2\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~2\WINDOW~3\Datamngr\datamngr.dll

C:\PROGRA~2\WINDOW~3\Datamngr\IEBHO.dll
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files

(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner -

C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file

missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file

missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner -

C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes'

Anti-Malware\mbamservice.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files

(x86)\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner -

C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file

missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner -

C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC

Tools - C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe

(file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe

(file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner -

C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner -

C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner -

C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Seagate Dashboard Service (SeagateDashboardService) - Memeo - C:\Program

Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe

(file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe

(file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner -

C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7436 bytes

Back to top

#10 The Dark Knight

Malware Vigilante

Trusted Advisor*
2,175 posts

Posted 14 March 2012 - 07:46 PM

Hey JayL.

My apologies for the late reply.

ComboFix should be able to run. Please delete your current copy of ComboFix.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com).

There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin.
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Before proceeding any further the processes that belong to Windows Recovery need to be terminated so that it does not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.
===

Please do not reboot your computer.

Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.
==========

Next, please download OTL.exe by OldTimer to your Desktop.

Close all windows and double click OTL.exe.
In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Click Run Scan and let the program run uninterrupted.
When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
You may need to use two posts to get it all.

===========

Finally, please download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe
http://download.blee...al/MBRCheck.exe
http://www.kernelmod...fo/MBRCheck.exe

Close all opened programs/ windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.
==========

In your next post, please provide the following:

ComboFix.txt.
OTL.txt.
Extras.txt.
MBRCheck log.

Is the redirect still present?

Edited by The Dark Knight, 14 March 2012 - 07:47 PM.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

Back to top

#11 The Dark Knight

Malware Vigilante

Trusted Advisor*
2,175 posts

Posted 24 March 2012 - 05:44 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.