Babylon Internet Browser Injector

Panster · May 27, 2012

Hello, this is my first time posting in the MalwareBytes forums so I do hope I have followed instructions correctly.

My mom's laptop has been infected by a toolbar that she agreed to use while quickly installing some program. She says she can't remember what the program was, but there was a Babylon Toolbar on all the browsers afterwards. At first I could get rid of the toolbar, but links began to reroute when searched through google to ad websites. I tried running Malware which detected 3 items. I removed them and gave the computer back to my mom. The toolbar didn't come back but the broswer kept rerouting. After another scan with MalwareBytes, 5 items were found. The probelm still persisted. And after a third run the same 5 infections were found. I left the computer alone for a few days and when I came back MalwareBytes had been deleted. I found this out today, and I know this has gotten much more harmful than it was. I was able to reinstall MalwareBytes, and I did run another scan which found 7 items. I did not delete the,. and I have all the logs if that will help.

I understand this now more than a simple browser injector, and I hope you are able to help me. I will provide any information as needed.

Attached is the DDS.txt, and I did not upload the Attach.txt because it said in the file not to unless requested.

Best Regards,

Pan

DDS.txt

gringo_pr · May 28, 2012

Hello and Welcome!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
[*]Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
[*]Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
[*]Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

Download Security Check by screen317 from

here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

Panster · May 30, 2012

Hello Gringo, I do believe you helped me previously in the bleeping computer forums. I look forward to your continued help. I have copied into this reply at the bottom both files generated by the Security Check and Combofix in their respective orders.

The computer itself I have not touched since I last ran MalwareBytes, but I tried using the browser before running all the programs you listed in your post. The browser did not reroute at all. This again was before the scans you just provided, so I do not know if the problem is fixed or not. The last time I ran MalwareBytes it detected more items (8) than its previous scan (5), I don't know if it's a possibility MalwareBytes found the problem or not. Considering that the infection did uninstall MalwareBytes before the most recent scan I ran, which I had to reinstall it for, I do want to take extra precautions in making sure the infection is dealt with.

After running Security Check and Combofix, the browser still does not reroute links. I also tried using multiple browsers to see if it was browser specific, and the results were the same. Upon restarting the computer though, my mother reported it booting up much faster than normal. Other miscellaneous and irrelevant problems she was having (java errors, notifications popping up) were fixed too, I assume this is due to some sort of reset that Combofix used. In the end, the problem appears fixed, but if you could, I would greatly appreciate a quick look over to make sure the infection is gone. Also, any advice on how to best avoid problems like this happening in the future or changes I should make to the computer I would greatly appreciate as well.

Best Regards,

Pan

Results of screen317's Security Check version 0.99.41

Windows 7 x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

Lavasoft Ad-Watch Live! Anti-Virus

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Ad-Aware

Malwarebytes Anti-Malware version 1.61.0.1400

Java™ 6 Update 29

Java version out of date!

Adobe Flash Player 11.0.1.152 Flash Player out of Date!

Adobe Reader X (10.1.1)

Mozilla Firefox (8.0.1)

````````Process Check: objlist.exe by Laurent````````

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Zone Labs ZoneAlarm zlclient.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 12-05-29.01 - JWB 05/29/2012 22:16:07.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.2498 [GMT -5:00]

Running from: c:\users\JWB\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Install.exe

.

((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))

.

2012-05-30 03:22 . 2012-05-30 03:22 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-30 03:13 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F81D5BE6-649F-4C7B-89F9-3D3746EA80F2}\mpengine.dll

2012-05-27 19:48 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-20 02:21 . 2012-05-20 02:21 -------- d-----w- c:\users\JWB\AppData\Roaming\Malwarebytes

2012-05-20 02:21 . 2012-05-20 02:21 -------- d-----w- c:\programdata\Malwarebytes

2012-05-20 02:21 . 2012-05-27 19:48 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-18 03:18 . 2012-05-18 03:18 -------- d-----w- c:\users\JWB\AppData\Local\adaware

2012-05-18 03:18 . 2012-05-27 17:20 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2012-05-18 03:17 . 2012-05-27 17:20 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2012-05-18 03:16 . 2012-05-18 03:21 -------- d-----w- c:\users\JWB\AppData\Roaming\Ad-Aware Antivirus

2012-05-11 02:45 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-11 02:45 . 2012-03-03 06:29 1541120 ----a-w- c:\windows\system32\DWrite.dll

2012-05-11 02:45 . 2012-03-03 05:40 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-05-11 02:45 . 2012-03-03 06:29 320512 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-05-11 02:45 . 2012-03-03 06:29 197120 ----a-w- c:\windows\system32\d3d10_1.dll

2012-05-11 02:45 . 2012-03-03 06:29 1837568 ----a-w- c:\windows\system32\d3d10warp.dll

2012-05-11 02:45 . 2012-03-03 06:29 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-05-11 02:45 . 2012-03-03 05:40 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2012-05-11 02:45 . 2012-03-03 05:40 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-05-11 02:45 . 2012-03-03 05:40 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2012-05-11 02:45 . 2012-03-03 05:40 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2012-05-11 02:44 . 2012-04-02 05:34 5504880 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-11 02:44 . 2012-04-02 03:01 3143680 ----a-w- c:\windows\system32\win32k.sys

2012-05-11 02:44 . 2012-04-02 04:46 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-11 02:44 . 2012-04-02 04:46 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-11 02:44 . 2012-03-30 11:09 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-11 02:44 . 2012-04-02 05:24 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-11 02:44 . 2012-04-02 04:40 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-08 04:43 . 2012-05-08 04:43 254 ----a-w- C:\user.js

2012-05-08 04:43 . 2012-05-27 17:20 -------- d-----w- c:\program files (x86)\BabylonToolbar

2012-05-08 04:42 . 2012-05-27 22:05 -------- d-----w- c:\program files (x86)\v-Grabber

2012-05-08 04:42 . 2012-05-08 04:42 -------- d-----w- c:\users\JWB\AppData\Local\Babylon

2012-05-08 04:42 . 2012-05-08 04:42 -------- d-----w- c:\users\JWB\AppData\Roaming\Babylon

2012-05-08 04:42 . 2012-05-08 04:42 -------- d-----w- c:\programdata\Babylon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-01 06:54 . 2012-04-11 13:40 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-03-01 06:45 . 2012-04-11 13:40 220672 ----a-w- c:\windows\system32\wintrust.dll

2012-03-01 06:40 . 2012-04-11 13:40 80896 ----a-w- c:\windows\system32\imagehlp.dll

2012-03-01 06:35 . 2012-04-11 13:40 5120 ----a-w- c:\windows\system32\wmi.dll

2012-03-01 05:49 . 2012-04-11 13:40 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2012-03-01 05:45 . 2012-04-11 13:40 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll

2012-03-01 05:40 . 2012-04-11 13:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ABD3B5E1-B268-407B-A150-2641DAB8D898}]

2009-06-08 21:41 120104 ----a-w- c:\program files (x86)\Common Files\Homepage Protection\HomepageProtection.dll

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2012-01-03 21:31 1514152 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2009-06-24 468264]

"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]

"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-06-24 320056]

"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]

"ZoneAlarm Client"="c:\program files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Amazon Unbox.lnk - c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2011-11-23 97384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 116648]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2012-05-13 2152688]

R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-08 195336]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 116648]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-11-06 17152]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]

S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 21:21]

.

2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 21:21]

.

2012-05-30 c:\windows\Tasks\HPCeeScheduleForJWB.job

- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-08-17 21:38]

.

--------- x86-64 -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-14 495104]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.theenglishcottage.com/webmail

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: Interfaces\{7B5D90F8-DB72-4ADD-AD43-C9F3D991AA80}: NameServer = 75.75.75.75

FF - ProfilePath - c:\users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\

FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)

FF - prefs.js: browser.startup.homepage - hxxps://midge.lookhosting.com:2096/

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q=

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=290412_1_ctrl

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - 3cd4f9010000000000000c607632b9d8

FF - user.js: extensions.BabylonToolbar_i.hardId - 3cd4f9010000000000000c607632b9d8

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15468

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1723:43

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\program files (x86)\CyberLink\Shared files\RichVideo.exe

c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

.

**************************************************************************

.

Completion time: 2012-05-29 22:37:30 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-30 03:37

.

Pre-Run: 74,151,350,272 bytes free

Post-Run: 74,428,735,488 bytes free

.

- - End Of File - - A247B0C688E561A32352E562254970E9

gringo_pr · May 30, 2012

Hello

Lets get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
- OTL.txt <-- Will be opened and the that I need posted back here
- Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
[*]Please post the contents of OTL.txt in your next reply.

Gringo

Panster · May 30, 2012

Here are the results of the OTL scan:

OTL logfile created on: 5/30/2012 12:52:05 PM - Run 1

OTL by OldTimer - Version 3.2.44.0 Folder = C:\Users\JWB\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.91 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 71.52% Memory free

7.81 Gb Paging File | 6.60 Gb Available in Paging File | 84.49% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 220.82 Gb Total Space | 69.42 Gb Free Space | 31.44% Space Free | Partition Type: NTFS

Drive D: | 11.87 Gb Total Space | 2.00 Gb Free Space | 16.86% Space Free | Partition Type: NTFS

Computer Name: STATION4 | User Name: JWB | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\JWB\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)

PRC - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe (Amazon.com)

PRC - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (Amazon.com)

PRC - C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)

PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

PRC - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)

PRC - C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)

========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\90d42781d5b19478870e412f7b7c71eb\System.Windows.Forms.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\e65dbd1b68789fc21b9fb3c605b699a7\System.Drawing.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b5b9223f5e18a1089a4fe3a896909d9d\System.Xml.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\2ebb3c259eab50af565e3a8dba6ad20e\System.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\5858678a79aae31262b0214424245d06\mscorlib.ni.dll ()

MOD - C:\Program Files (x86)\Common Files\LightScribe\QtGui4.dll ()

MOD - C:\Program Files (x86)\Common Files\LightScribe\QtCore4.dll ()

MOD - C:\Program Files (x86)\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll ()

========== Win32 Services (SafeList) ==========

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV:64bit: - (RemoteAccess) -- C:\Windows\SysNative\mprdim.dll (Microsoft Corporation)

SRV:64bit: - (Mcx2Svc) -- C:\Windows\SysNative\Mcx2Svc.dll (Microsoft Corporation)

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)

SRV - (ADVService) -- C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (Amazon.com)

SRV - (BBSvc) -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)

SRV - (BBUpdate) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)

SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

SRV - (vsmon) -- C:\Windows\SysWOW64\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (RemoteAccess) -- C:\Windows\SysWOW64\mprdim.dll (Microsoft Corporation)

SRV - (HsfXAudioService) -- C:\Windows\SysWOW64\XAudio64.dll (Conexant Systems, Inc.)

SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_64) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (GameConsoleService) -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe (WildTangent, Inc.)

========== Driver Services (SafeList) ==========

DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)

DRV:64bit: - (Lbd) -- C:\Windows\SysNative\drivers\Lbd.sys (Lavasoft AB)

DRV:64bit: - (Point64) -- C:\Windows\SysNative\drivers\point64.sys (Microsoft Corporation)

DRV:64bit: - (NuidFltr) -- C:\Windows\SysNative\drivers\nuidfltr.sys (Microsoft Corporation)

DRV:64bit: - (dc3d) -- C:\Windows\SysNative\drivers\dc3d.sys (Microsoft Corporation)

DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)

DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)

DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)

DRV:64bit: - (Vsdatant) -- C:\Windows\SysNative\drivers\vsdatant.sys (Check Point Software Technologies LTD)

DRV:64bit: - (CnxtHdAudService) -- C:\Windows\SysNative\drivers\CHDRT64.sys (Conexant Systems Inc.)

DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)

DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)

DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)

DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)

DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)

DRV:64bit: - (crcdisk) -- C:\Windows\SysNative\drivers\crcdisk.sys (Microsoft Corporation)

DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)

DRV:64bit: - (udfs) -- C:\Windows\SysNative\drivers\udfs.sys (Microsoft Corporation)

DRV:64bit: - (cdfs) -- C:\Windows\SysNative\drivers\cdfs.sys (Microsoft Corporation)

DRV:64bit: - (XAudio) -- C:\Windows\SysNative\drivers\XAudio64.sys (Conexant Systems, Inc.)

DRV:64bit: - (HSF_DPV) -- C:\Windows\SysNative\drivers\CAX_DPV.sys (Conexant Systems, Inc.)

DRV:64bit: - (mdmxsdk) -- C:\Windows\SysNative\drivers\mdmxsdk.sys (Conexant)

DRV:64bit: - (winachsf) -- C:\Windows\SysNative\drivers\CAX_CNXT.sys (Conexant Systems, Inc.)

DRV:64bit: - (CAXHWAZL) -- C:\Windows\SysNative\drivers\CAXHWAZL.sys (Conexant Systems, Inc.)

DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)

DRV:64bit: - (SrvHsfV92) -- C:\Windows\SysNative\drivers\VSTDPV6.SYS (Conexant Systems, Inc.)

DRV:64bit: - (SrvHsfWinac) -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS (Conexant Systems, Inc.)

DRV:64bit: - (SrvHsfHDA) -- C:\Windows\SysNative\drivers\VSTAZL6.SYS (Conexant Systems, Inc.)

DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)

DRV:64bit: - (netw5v64) Intel® -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation)

DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)

DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)

DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)

DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)

DRV:64bit: - (RSUSBSTOR) -- C:\Windows\SysNative\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)

DRV:64bit: - (IntcHdmiAddService) Intel® -- C:\Windows\SysNative\drivers\IntcHdmi.sys (Intel® Corporation)

DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )

DRV:64bit: - (HpqKbFiltr) -- C:\Windows\SysNative\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)

DRV - (Lavasoft Kernexplorer) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys ()

DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {403CE8DA-BA42-478B-945D-BCD60FB70B3C}

IE:64bit: - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl

IE:64bit: - HKLM\..\SearchScopes\{403CE8DA-BA42-478B-945D-BCD60FB70B3C}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE - HKLM\..\SearchScopes,DefaultScope = {403CE8DA-BA42-478B-945D-BCD60FB70B3C}

IE - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl

IE - HKLM\..\SearchScopes\{403CE8DA-BA42-478B-945D-BCD60FB70B3C}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.theenglis...age.com/webmail

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...0000c607632b9d8

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{E75786E6-6CED-43E4-A207-43FDD9D1901F}: "URL" = http://websearch.ask...56-947E49C66D0F

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"

FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"

FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"

FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"

FF - prefs.js..browser.startup.homepage: "https://midge.lookhosting.com:2096/"

FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q="

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_0_1.dll File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8064.0206: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009/08/17 15:33:24 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/11/28 21:18:56 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/11/06 16:24:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JWB\AppData\Roaming\Mozilla\Extensions

[2012/05/10 23:41:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions

[2011/11/06 17:07:01 | 000,000,000 | ---D | M] (PlainOldFavorites) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}

[2012/03/11 22:32:35 | 000,000,000 | ---D | M] (GOM Player + Ask Toolbar) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com

[2012/01/03 16:27:44 | 000,002,333 | ---- | M] () -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\searchplugins\askcom.xml

[2011/11/06 16:13:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2012/02/15 13:14:01 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\JWB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\4P68J9EQ.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI

[2011/11/28 21:18:56 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll

[2012/05/07 23:42:53 | 000,002,356 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml

[2011/09/28 19:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2011/11/28 21:18:56 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/05/29 22:33:32 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (hpBHO Class) - {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll (AOL Products)

O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)

O3 - HKLM\..\Toolbar: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

O4:64bit: - HKLM..\Run: [cAudioFilterAgent] C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe (Conexant Systems, Inc.)

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [intelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)

O4 - HKLM..\Run: [updatePRCShortCut] C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1389045141-546431936-601846973-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1389045141-546431936-601846973-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)

O16:64bit: - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)

O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7B5D90F8-DB72-4ADD-AD43-C9F3D991AA80}: NameServer = 75.75.75.75

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/30 12:47:24 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\JWB\Desktop\OTL.exe

[2012/05/29 23:00:56 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/05/29 22:14:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/05/29 22:14:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/05/29 22:14:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/05/29 22:14:06 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2012/05/29 22:14:01 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/05/29 22:07:17 | 004,530,590 | R--- | C] (Swearware) -- C:\Users\JWB\Desktop\ComboFix.exe

[2012/05/27 17:20:31 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\JWB\Desktop\dds.scr

[2012/05/27 14:48:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/05/27 14:48:56 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2012/05/27 14:48:25 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\JWB\Desktop\mbam-setup-1.61.0.1400.exe

[2012/05/27 09:22:25 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2012/05/19 21:21:43 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Malwarebytes

[2012/05/19 21:21:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2012/05/19 21:21:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2012/05/17 22:18:13 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Local\adaware

[2012/05/17 22:18:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection

[2012/05/17 22:17:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus

[2012/05/17 22:16:08 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Ad-Aware Antivirus

[2012/05/10 21:45:06 | 001,541,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll

[2012/05/10 21:45:05 | 001,837,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll

[2012/05/10 21:45:05 | 000,902,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll

[2012/05/10 21:45:05 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll

[2012/05/10 21:45:05 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll

[2012/05/10 21:44:32 | 005,504,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe

[2012/05/10 21:44:29 | 003,958,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe

[2012/05/10 21:44:29 | 003,902,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe

[2012/05/07 23:43:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BabylonToolbar

[2012/05/07 23:42:25 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vGrabber

[2012/05/07 23:42:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\v-Grabber

[2012/05/07 23:42:04 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Local\Babylon

[2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Babylon

[2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon

[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/30 12:46:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/05/30 12:28:22 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\JWB\Desktop\OTL.exe

[2012/05/30 12:26:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2012/05/30 08:29:44 | 000,023,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2012/05/30 08:29:44 | 000,023,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2012/05/30 08:23:47 | 000,000,290 | ---- | M] () -- C:\ProgramData\hpqp.ini

[2012/05/30 08:23:46 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2012/05/30 08:22:04 | 3145,089,024 | -HS- | M] () -- C:\hiberfil.sys

[2012/05/29 22:33:32 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2012/05/29 22:24:16 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForJWB.job

[2012/05/29 21:55:58 | 004,530,590 | R--- | M] (Swearware) -- C:\Users\JWB\Desktop\ComboFix.exe

[2012/05/29 21:55:12 | 000,853,862 | ---- | M] () -- C:\Users\JWB\Desktop\SecurityCheck.exe

[2012/05/27 17:22:52 | 000,726,444 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2012/05/27 17:22:52 | 000,624,412 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2012/05/27 17:22:52 | 000,106,756 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2012/05/27 17:10:18 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\JWB\Desktop\dds.scr

[2012/05/27 14:48:58 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/27 09:22:21 | 234,304,633 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2012/05/19 21:01:02 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\JWB\Desktop\mbam-setup-1.61.0.1400.exe

[2012/05/11 08:11:18 | 000,355,576 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2012/05/09 16:19:23 | 000,000,064 | ---- | M] () -- C:\Windows\SysWow64\rp_stats.dat

[2012/05/09 16:19:23 | 000,000,044 | ---- | M] () -- C:\Windows\SysWow64\rp_rules.dat

[2012/05/07 23:43:02 | 000,000,254 | ---- | M] () -- C:\user.js

[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/29 22:14:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/05/29 22:14:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/05/29 22:14:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/05/29 22:14:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/05/29 22:14:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/05/29 22:07:17 | 000,853,862 | ---- | C] () -- C:\Users\JWB\Desktop\SecurityCheck.exe

[2012/05/27 14:48:58 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/27 09:22:21 | 234,304,633 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2012/05/07 23:43:02 | 000,000,254 | ---- | C] () -- C:\user.js

[2011/12/20 23:29:41 | 000,000,512 | ---- | C] () -- C:\Users\JWB\AppData\Roaming\wklnhst.dat

[2011/11/09 16:04:30 | 000,000,064 | ---- | C] () -- C:\Windows\SysWow64\rp_stats.dat

[2011/11/09 16:04:30 | 000,000,044 | ---- | C] () -- C:\Windows\SysWow64\rp_rules.dat

[2011/11/06 01:45:05 | 000,000,290 | ---- | C] () -- C:\ProgramData\hpqp.ini

[2011/02/11 20:15:08 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin

[2011/02/11 20:15:08 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin

[2011/02/11 20:15:08 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin

< End of report >

gringo_pr · May 30, 2012

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

Double-click OTL.exe to start the program.

Copy and Paste the following code into the

textbox. Do not include the word Code


:OTL
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_0_1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
IE:64bit: - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl
IE - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl
IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...0000c607632b9d8
IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{E75786E6-6CED-43E4-A207-43FDD9D1901F}: "URL" = http://websearch.ask...56-947E49C66D0F
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "https://midge.lookhosting.com:2096/"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q="
[2012/03/11 22:32:35 | 000,000,000 | ---D | M] (GOM Player + Ask Toolbar) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com
[2012/01/03 16:27:44 | 000,002,333 | ---- | M] () -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\searchplugins\askcom.xml
[2012/05/07 23:42:53 | 000,002,356 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
[2012/05/07 23:43:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BabylonToolbar
[2012/05/07 23:42:25 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vGrabber
[2012/05/07 23:42:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\v-Grabber
[2012/05/07 23:42:04 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Local\Babylon
[2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Babylon
[2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2012/05/07 23:43:02 | 000,000,254 | ---- | M] () -- C:\user.js
:Files
ipconfig /flushdns /c
:Commands
[PURITY]
[emptyjava]
[EMPTYFLASH]

Then click the Run Fix button at the top.
Click .
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo

Panster · May 30, 2012

Hello,

Below are the results of the custom script you provided to put in the Custom Scans/Fixes box. As for the state of the computer, I am unsure on how to judge if it is operating as it should without the infection. The only visible symptoms to me were that the browser rerouted links at random and always links clicked on through google, also that MalwareBytes was deleted at one point. Since I have started this topic, none of the symptoms have shown themselves. The computer seems to run much faster than it did before, and no other other suspicious activity is being displayed.

Custom Scans/Fix result:

========== OTL ==========

64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.

File Protocol\Handler\livecall - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully.

File Protocol\Handler\ms-itss - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.

File Protocol\Handler\msnim - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.

File Protocol\Handler\wlmailhtml - No CLSID value found not found.

64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ not found.

Registry value HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\ deleted successfully.

C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll moved successfully.

HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!

Registry key HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.

Registry key HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\SearchScopes\{E75786E6-6CED-43E4-A207-43FDD9D1901F}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E75786E6-6CED-43E4-A207-43FDD9D1901F}\ not found.

Prefs.js: "Ask.com" removed from browser.search.defaultengine

Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename

Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1

Prefs.js: "Search the web (Babylon)" removed from browser.search.selectedEngine

Prefs.js: "https://midge.lookhosting.com:2096/" removed from browser.startup.homepage

Prefs.js: "http://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q=" removed from keyword.URL

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\searchplugins folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\defaults\preferences folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\defaults folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\chrome\skin folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\chrome\content folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\chrome folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\searchplugins\askcom.xml moved successfully.

C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml moved successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll moved successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.

File C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ deleted successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.

File C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater deleted successfully.

C:\Program Files (x86)\Ask.com\Updater\Updater.exe moved successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh folder moved successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17 folder moved successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar folder moved successfully.

C:\Users\JWB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vGrabber folder moved successfully.

C:\Program Files (x86)\v-Grabber\imageformats folder moved successfully.

C:\Program Files (x86)\v-Grabber\converter folder moved successfully.

C:\Program Files (x86)\v-Grabber folder moved successfully.

C:\Users\JWB\AppData\Local\Babylon\Setup\HtmlScreens folder moved successfully.

C:\Users\JWB\AppData\Local\Babylon\Setup folder moved successfully.

C:\Users\JWB\AppData\Local\Babylon folder moved successfully.

C:\Users\JWB\AppData\Roaming\Babylon folder moved successfully.

C:\ProgramData\Babylon folder moved successfully.

C:\user.js moved successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\JWB\Desktop\cmd.bat deleted successfully.

C:\Users\JWB\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: JWB

->Java cache emptied: 178374 bytes

User: Public

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: JWB

->Flash cache emptied: 8193785 bytes

User: Public

Total Flash Files Cleaned = 8.00 mb

OTL by OldTimer - Version 3.2.44.0 log created on 05302012_133846

gringo_pr · May 30, 2012

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

gringo_pr · June 5, 2012

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo

Panster · June 5, 2012

I apologize for the delay in my response, but thank you for remaining persistent on your end.

At the end of this message is the log created by ComboFix after running the CFScript, it was done in Reduced Functionality mode due to a window stating that ComboFix had expired. If this provides undesirable results, I will reperform the script in a way that you prescribe.

In the post before your most recent, you asked that I check the computer for any abnormal behavior. I did so before running the ComboFix script by letting my mother use her laptop normally, connecting her back to the internet as well. The first thing she did was check her email, which is run off of servers that our family hosts. She could not log in, and we found instantly after this that we were then locked out of our server. Apparently, a SQL injection script was running on the browser when my mother entered her password, which it then used to log into our server and reset all the passwords including the root. Using a backdoor, we were able to regain control of the server and change the passwords. My father concluded that the laptop is being remotely controlled, and that a hard drive wipe would not solve the problem on the laptop. I have kept the laptop unconnected to the internet, and in the short window it was connected the previous events occurred. No other computers or devices in the network seem to have contracted the virus, and it still remains on the laptop. I have not reconnected it since then and will avoid doing so unless absolutely necessary as the infection seem extremely harmful.

ComboFix 12-05-29.01 - JWB 06/05/2012 10:23:22.2.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.2835 [GMT -5:00]

Running from: c:\users\JWB\Desktop\ComboFix.exe

Command switches used :: c:\users\JWB\Desktop\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((( Files Created from 2012-05-05 to 2012-06-05 )))))))))))))))))))))))))))))))

.

2012-06-05 15:25 . 2012-06-05 15:25 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-30 18:38 . 2012-05-30 18:38 -------- d-----w- C:\_OTL