Jump to content

WEIRD recurring about:blank browser hijacker problem!?

UpThePosh
 Share

Recommended Posts

UpThePosh

UpThePosh

Posted
Posted

Hello,

I've got a weird recurring problem with the 'about:blank' browser hijacker.

About 2 weeks ago, I noticed my homepage in Internet Explorer 9 had changed to about:blank for some reason. I changed it back to google and then 2 or 3 days later it had changed back to about:blank. I don't know if this is related to my about:blank problem or not, but I've noticed my desktop icons seem to refresh sometimes when I'm loading a webpage and minimize the browser.

So I did some searches about this on the internet and found I probably had the 'about:blank' browser hijacker and followed the advice I could find. I already have Mcafee Internet Security running constantly so I did a full scan and nothing bad showed up.

I then downloaded MalwareBytes and ran a full scan and it found a 'Hijacker.Application' and removed/repaired the 2 files it found that

were a problem as below:

Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data:

http://go.microsoft....Id=57426&Ext=%s -> Quarantined and deleted successfully.

Registry Data Items Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad:

(http://www.helpmeope...m/?n=app&ext=%s) Good: (http://shell.windows...edir.asp?Ext=%s) -> Quarantined and repaired successfully.

Then 2 or 3 days later the about:blank problem came back. I've read that this problem is meant to redirect me to a dodgy search engine, or give me loads of pop-ups, or redirect me to pages that look like the real desired page but aren't, etc. I don't 'seem' to have any of these problems, just the fact that my homepage keeps changing (every 2 or 3 days) to about:blank.

So, I then downloaded SUPERAntiSpyware and ran a full scan, nothing showed up. Ran Malware Bytes again and McAfee, nothing showed up. Did these 3 different full scans multiple times even tried using the 'rkill' program thing before running them, and tried running them in Safe Mode to see if that would find anything harmful, but nothing was found. I have also reset my Internet settings to see if that worked, but it hasn't. Also have done a full scan with 2 x Microsoft scans with nothing found.

So, the problem is back again today and I have no idea what to do now to get rid of it. Has anyone else experienced this?

I don't even know if I need to be worried or not, because all that I can see is happening is just every 2 or 3 days my homepage gets

changed to about:blank.

Has anyone got any advice PLEASE?

Do I even need to be worried?

Thanks in advance!!

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

Link to post
Share on other sites
UpThePosh

UpThePosh

Posted
  • Author
Posted

Hi, thanks for your fast reply.

Here is the MBAM log:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.25.05

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Alistair :: ALISTAIR-PC [administrator]

25/07/2012 16:27:14

mbam-log-2012-07-25 (16-27-14).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 256868

Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

When I followed the DDS link Mcaffe site advisor popped up saying this:

Warning: Dangerous Site

big_red1.png

Whoa!

Are you sure you want to go there?

http://download.bleepingcomputer.com/sUBs/dds.scr may be risky to visit.

Why were you redirected to this page?

  • When we visited this site, we found it exhibited one or more risky behaviors.

Should I still do that part?!

Link to post
Share on other sites
UpThePosh

UpThePosh

Posted
  • Author
Posted

Hi, here is the DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1

Run by Alistair at 16:57:32 on 2012-07-25

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.689 [GMT 1:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files\Sony\Network Utility\NSUService.exe

C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe

C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe

c:\PROGRA~1\mcafee\SITEAD~1\saui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com/webhp?complete=0&hl=en

uSearch Bar = Preserve

mDefault_Page_URL = hxxp://www.club-vaio.com

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120622110946.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [<NO NAME>]

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com

IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\programs\partygaming\partycasino\RunApp.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{808E30BC-1DA5-4992-BC60-0B9F0AF50CD1} : DhcpNameServer = 192.168.0.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 464304]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-8 65752]

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-4-13 64912]

R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-4-13 169608]

R1 RapportCerberus_34302;RapportCerberus_34302;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-8 71480]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-8 166840]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-13 21504]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-4-13 166288]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2011-1-24 25824]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-4-13 161632]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-4-13 151880]

R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2008-2-9 299008]

R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-8 976728]

R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-4-13 57600]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-13 180848]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-13 59456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-4-13 340920]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-8-1 812544]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-1 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-13 87656]

.

=============== Created Last 30 ================

.

2012-07-20 10:07:36 -------- d-----w- c:\program files\CCleaner

2012-07-19 14:21:04 -------- d-----w- c:\users\alistair\appdata\roaming\SUPERAntiSpyware.com

2012-07-19 14:19:27 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-07-19 14:19:27 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-07-18 08:50:30 -------- d-----w- c:\users\alistair\appdata\roaming\Malwarebytes

2012-07-18 08:48:44 -------- d-----w- c:\programdata\Malwarebytes

2012-07-18 08:48:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-18 08:48:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-11 10:28:16 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 10:13:52 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll

2012-07-11 10:13:40 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-11 10:13:40 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-11 10:12:33 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-11 10:12:32 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-11 10:12:32 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-07-08 06:19:18 65752 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2012-06-30 13:34:33 -------- d-----w- c:\program files\Oracle

2012-06-30 13:33:46 772504 ----a-w- c:\windows\system32\npDeployJava1.dll

.

==================== Find3M ====================

.

2012-07-15 07:37:43 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-15 07:37:43 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-03 17:45:00 348160 ----a-w- c:\windows\system32\msvcr71.dll

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 14:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 14:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-04 18:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 17:00:03.41 ===============

Link to post
Share on other sites
UpThePosh

UpThePosh

Posted
  • Author
Posted

Hi screen317,

Please find below the 2 new logs. Both were run with Anti-Virus and Firewall turned off. One thing I noticed was the ComboFix log was not saved automatically to where it said it would. There are 2 other files there: PEV (Application) and snapshot.00.dat.

ComboFix log:

ComboFix 12-07-26.03 - Alistair 25/07/2012 17:39:26.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.874 [GMT 1:00]

Running from: c:\users\Alistair\Downloads\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\users\Alistair\CleanUp.exe

c:\users\Alistair\GoToAssistDownloadHelper.exe

c:\users\Alistair\PGDetector.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))

.

.

2012-07-25 16:54 . 2012-07-25 16:54 -------- d-----w- c:\users\postgres\AppData\Local\temp

2012-07-25 16:54 . 2012-07-25 16:54 -------- d-----w- c:\users\postgres.Alistair-PC\AppData\Local\temp

2012-07-25 16:54 . 2012-07-25 16:54 -------- d-----w- c:\users\postgres.Alistair-PC.000\AppData\Local\temp

2012-07-25 16:54 . 2012-07-25 16:54 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-20 10:07 . 2012-07-20 10:07 -------- d-----w- c:\program files\CCleaner

2012-07-19 14:21 . 2012-07-19 14:21 -------- d-----w- c:\users\Alistair\AppData\Roaming\SUPERAntiSpyware.com

2012-07-19 14:19 . 2012-07-25 13:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-07-19 14:19 . 2012-07-19 14:19 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-07-18 08:50 . 2012-07-18 08:50 -------- d-----w- c:\users\Alistair\AppData\Roaming\Malwarebytes

2012-07-18 08:48 . 2012-07-18 08:48 -------- d-----w- c:\programdata\Malwarebytes

2012-07-18 08:48 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-18 08:48 . 2012-07-18 08:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-11 10:28 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 10:13 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-11 10:13 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-11 10:13 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-11 10:12 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-11 10:12 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-11 10:12 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-07-08 06:19 . 2012-07-08 06:19 65752 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2012-06-30 13:35 . 2012-06-30 13:35 -------- d-----w- c:\program files\Common Files\Java

2012-06-30 13:34 . 2012-06-30 13:34 -------- d-----w- c:\program files\Oracle

2012-06-30 13:33 . 2012-05-04 18:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-15 07:37 . 2012-04-01 08:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-15 07:37 . 2011-06-03 13:52 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-03 17:45 . 2006-07-11 17:35 348160 ----a-w- c:\windows\system32\msvcr71.dll

2012-06-02 22:19 . 2012-06-23 09:43 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-23 09:43 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-23 09:42 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-23 09:42 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-23 09:43 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-23 09:43 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-23 09:42 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 14:19 . 2012-06-23 09:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 14:12 . 2012-06-23 09:42 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-04 18:29 . 2010-06-07 16:19 687504 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-01 14:03 . 2012-06-15 13:13 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2010-09-21 2735200]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2010-09-21 2735200]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-01 39408]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2007-07-25 02:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-06 22:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2007-06-10 00:12 118784 ----a-w- c:\program files\Apoint\Apoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2012-02-20 20:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]

2010-06-26 17:09 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2010-07-28 18:20 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-06-30 01:06 154136 ----a-w- c:\windows\System32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-06-30 01:07 137752 ----a-w- c:\windows\System32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]

2007-06-12 01:27 317560 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2012-03-27 04:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]

2012-03-21 20:16 1318816 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]

2011-01-24 18:35 136416 ----a-w- c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSUFloatingUI]

2008-11-05 07:32 262144 ----a-w- c:\program files\Sony\Network Utility\LANUtil.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-06-30 01:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 14:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]

2007-06-26 00:39 4489216 ----a-w- c:\windows\RtHDVCpl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]

2011-06-01 16:42 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-01-01 21:43 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2012-06-03 17:45 296056 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - RAPPORTIASO

*Deregistered* - mfeavfk01

*Deregistered* - RapportIaso

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 09:56]

.

2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 09:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?complete=0&hl=en

uInternet Settings,ProxyOverride = *.local

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\programs\PartyGaming\PartyCasino\RunApp.exe

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.0.1

.

.

------- File Associations -------

.

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-WudfPf

SafeBoot-WudfRd

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-25 17:54

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b4

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-07-25 17:58:16

ComboFix-quarantined-files.txt 2012-07-25 16:58

.

Pre-Run: 53,721,444,352 bytes free

Post-Run: 53,019,439,104 bytes free

.

- - End Of File - - 6FA1934612BBF2BD48A61FC891F45E87

New DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1

Run by Alistair at 18:01:22 on 2012-07-25

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.776 [GMT 1:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files\Sony\Network Utility\NSUService.exe

C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe

C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\McAfee\Core\mchost.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\ComboFix\PEV.exe

C:\Windows\system32\notepad.exe

C:\Windows\explorer.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/webhp?complete=0&hl=en

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120622110946.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com

IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\programs\partygaming\partycasino\RunApp.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{808E30BC-1DA5-4992-BC60-0B9F0AF50CD1} : DhcpNameServer = 192.168.0.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

AppInit_DLLs: c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 464304]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-8 65752]

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-4-13 64912]

R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-4-13 169608]

R1 RapportCerberus_34302;RapportCerberus_34302;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-8 71480]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-8 166840]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-13 21504]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-4-13 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-4-13 166288]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2011-1-24 25824]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-4-13 161632]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-4-13 151880]

R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2008-2-9 299008]

R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-8 976728]

R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]

R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2009-3-5 5189992]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-4-13 57600]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-13 180848]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-4-13 340920]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-8-1 812544]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-1 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-13 59456]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-13 87656]

S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2007-8-14 745472]

S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2007-8-14 397312]

S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2007-8-14 1089536]

S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2010-5-11 480624]

S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2010-5-11 83312]

S3 VUAgent;VUAgent;c:\program files\sony\vaio update 5\VUAgent.exe [2010-5-11 792976]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-07-25 16:58:28 -------- d-sh--w- C:\$RECYCLE.BIN

2012-07-25 16:35:53 98816 ----a-w- c:\windows\sed.exe

2012-07-25 16:35:53 518144 ----a-w- c:\windows\SWREG.exe

2012-07-25 16:35:53 256000 ----a-w- c:\windows\PEV.exe

2012-07-25 16:35:53 208896 ----a-w- c:\windows\MBR.exe

2012-07-25 16:35:46 -------- d-----w- C:\ComboFix

2012-07-20 10:07:36 -------- d-----w- c:\program files\CCleaner

2012-07-19 14:21:04 -------- d-----w- c:\users\alistair\appdata\roaming\SUPERAntiSpyware.com

2012-07-19 14:19:27 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-07-19 14:19:27 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-07-18 08:50:30 -------- d-----w- c:\users\alistair\appdata\roaming\Malwarebytes

2012-07-18 08:48:44 -------- d-----w- c:\programdata\Malwarebytes

2012-07-18 08:48:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-18 08:48:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-11 10:28:16 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 10:13:52 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll

2012-07-11 10:13:40 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-11 10:13:40 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-11 10:12:33 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-11 10:12:32 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-11 10:12:32 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-07-08 06:19:18 65752 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2012-06-30 13:34:33 -------- d-----w- c:\program files\Oracle

2012-06-30 13:33:46 772504 ----a-w- c:\windows\system32\npDeployJava1.dll

.

==================== Find3M ====================

.

2012-07-15 07:37:43 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-15 07:37:43 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-03 17:45:00 348160 ----a-w- c:\windows\system32\msvcr71.dll

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 14:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 14:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-04 18:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 18:02:04.38 ===============

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Uninstall these toolbars if you don't use them.

Freecorder Toolbar

Google Toolbar

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites
UpThePosh

UpThePosh

Posted
  • Author
Posted

Hi screen317,

Thanks for your help so far.

I use those 2 toolbars so don't really want to uninstall them.

Ran the TFC by OldTimer. It cleared 130MB.

ESET scan found no threats. Here is the log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

(not sure if that is correct log but that was only thing there called log, the scan ran for 2 hours and found nothing)

Security Check log:

Results of screen317's Security Check version 0.99.43

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

McAfee Anti-Virus and Anti-Spyware

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

SUPERAntiSpyware

Malwarebytes Anti-Malware version 1.62.0.1300

CCleaner

JavaFX 2.1.1

Java 7 Update 5

Adobe Reader 8 Adobe Reader out of Date!

Adobe Reader X (10.1.3)

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 4 % Defragment your hard drive soon!

````````````````````End of Log``````````````````````

Not really sure if my problem is fixed yet because it normally takes 2-4 days for my homepage to get changed/hijacked to about:blank after I keep resetting it. It changed this Saturday just gone, and then changed again today (Weds) this morning (UK time)so will have to wait a while to see if it's fixed. I don't understand any of the logs I've posted. Do they say they've found/fixed any problems anywhere?

Also, I don't seem to get any of the usual symptoms of a hijacked browser (ie redirects, pop ups, changed favorites, etc) just my homepage keeps changing. I read a thread earlier where someone keeps getting redirected to weird pages when their using amazon. Should I mess about on Amazon to see if I get redirected? Are there any other sites I could try that are prone to getting the re-directs?

Thanks again for your help!!!

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

It's likely that some program is resetting the start page.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Reader 8

Restart your computer.

Can you see if the issue persists in Firefox?

Link to post
Share on other sites
UpThePosh

UpThePosh

Posted
  • Author
Posted

It's been 5 days now and my homepage hasn't changed to about:blank yet!!! That's the longest it's gone since I first had the problem.

But, I did notice today when I opened a link in a new tab for a split second it read about:blank (in the tab) before proceeding to the webpage. Not sure if that's a sign it will come back or not. I think that's what used to happen just before my homepage gets changed. So, I'm wondering whether it's worth you leaving this topic open for a week to see if it does come back?!

Thanks again for your help.

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Great! :D

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites
  • 2 weeks later...
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.