I'm infected - please help

Hello and Welcome,

You have two security systems running on your system, Norton and AVG; that is not good. Please UNinstall one of those ASAP.

Next,

Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Post that log.

Next,

Please download Malwarebytes Anti-Malware and save it to your desktop.

Alternative D/L mirror

Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post both logs in reply.


# AdwCleaner v1.604 - Logfile created 11/26/2012 at 20:57:25

# Updated 23/04/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)

# User : Toshiba - TOSHIBA-PC

# Running from : C:\Users\Toshiba\AppData\Local\Temp\installer.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Users\Toshiba\AppData\Local\Conduit

Folder Deleted : C:\Users\Toshiba\AppData\LocalLow\BabylonToolbar

Folder Deleted : C:\Users\Toshiba\AppData\LocalLow\Conduit

Folder Deleted : C:\Users\Toshiba\AppData\Roaming\Babylon

Folder Deleted : C:\Users\Toshiba\AppData\Roaming\OpenCandy

Folder Deleted : C:\ProgramData\Babylon

Folder Deleted : C:\ProgramData\SweetIM

Folder Deleted : C:\Program Files\Conduit

Folder Deleted : C:\Program Files\SweetIM

File Deleted : C:\Users\Toshiba\AppData\Roaming\Mozilla\Firefox\Profiles\lvsm3vng.default\searchplugins\MyStart Search.xml

File Deleted : C:\Users\Toshiba\AppData\Roaming\Mozilla\Firefox\Profiles\lvsm3vng.default\searchplugins\SweetIm.xml

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\Softonic

Key Deleted : HKCU\Software\SweetIm

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong

Key Deleted : HKLM\SOFTWARE\Babylon

Key Deleted : HKLM\SOFTWARE\Conduit

Key Deleted : HKLM\SOFTWARE\Software

Key Deleted : HKLM\SOFTWARE\SweetIM

Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils

Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator

Key Deleted : HKLM\SOFTWARE\Classes\S

Key Deleted : HKLM\SOFTWARE\Classes\sim-packages

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [sweetIM]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [sweetpacks Communicator]

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{BA14329E-9550-4989-B3F2-9732E92D17CC}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{BA14329E-9550-4989-B3F2-9732E92D17CC}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-GB)

Profile name : default

File : C:\Users\Toshiba\AppData\Roaming\Mozilla\Firefox\Profiles\lvsm3vng.default\prefs.js

C:\Users\Toshiba\AppData\Roaming\Mozilla\Firefox\Profiles\lvsm3vng.default\user.js ... Deleted !

Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");

Deleted : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=113480&tt=010712_2&babsrc=NT_ss&mn[...]

Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");

Deleted : user_pref("extensions.4faaf2a291247.scode", "\n(function(){var bdomains={\"premiumreports.info\":1,\[...]

Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);

Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=113480&tt=01071[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationThankYouPage", true);

Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationTime", 1341567030);

Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.searchUserConifrmation", false[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.setHomepage", false);

Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.setNewTab", false);

Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.setSearch", false);

Deleted : user_pref("extensions.crossriderapp4479.4479.active", true);

Deleted : user_pref("extensions.crossriderapp4479.4479.addressbar", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.affid", "0");

Deleted : user_pref("extensions.crossriderapp4479.4479.backgroundjs", "\n\n/**********************************[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.backgroundver", 2);

Deleted : user_pref("extensions.crossriderapp4479.4479.can_run_bg_code", true);

Deleted : user_pref("extensions.crossriderapp4479.4479.certdomaininstaller", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.changeprevious", false);

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie.InstallationTime.value", "1341567030");

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_aoi.value", "1341567030");

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_hotfix20111102645.value", "%221%22");

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_parent_zoneid.value", "%2241449%22");

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_product_id.value", "%221242%22");

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_zoneid.value", "%2253466%22");

Deleted : user_pref("extensions.crossriderapp4479.4479.description", "Save big with Giant Savings! Coupons dis[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.domain", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.emailsig", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.enablesearch", false);

Deleted : user_pref("extensions.crossriderapp4479.4479.exposesites", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.fbremoteurl", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.group", 0);

Deleted : user_pref("extensions.crossriderapp4479.4479.homepage", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.iframe", false);

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.InstallerIdentifiers.expiration", "Fri Feb 0[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.InstallerIdentifiers.value", "%7B%22installe[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_appVer.value", "15");

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_lastVersion.value", "0");

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_meta.value", "%7B%7D");

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_nextCheck.expiration", "Sun Jul 22[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_nextCheck.value", "true");

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_queue.value", "%7B%7D");

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_remote_resources.expiration", "Fri[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_remote_resources.value", "%7B%22re[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.js", "\nvar _GPL_PID=1171,_GPL_baseCDN=\"giantsavings-a[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.manifesturl", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.name", "Giant Savings");

Deleted : user_pref("extensions.crossriderapp4479.4479.newtab", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.opensearch", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_1.code", "appAPI._cr_config={appID:funct[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_1.name", "base");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_1.ver", 2);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_13.name", "CrossriderAppUtils");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_13.ver", 1);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_14.name", "CrossriderUtils");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_14.ver", 1);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_15.name", "FacebookFFIE");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_15.ver", 1);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_16.code", "(function(f,b){if(typeof(b)==[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_16.name", "FFAppAPIWrapper");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_16.ver", 3);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_17.name", "jQuery");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_17.ver", 1);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_21.code", "var CrossriderDebugManager=(f[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_21.name", "debug");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_21.ver", 1);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_22.code", "(function(a){appAPI.queueMana[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_22.name", "resources");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_22.ver", 1);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_28.code", "var CrossriderInitializerPlug[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_28.name", "initializer");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_28.ver", 1);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com |[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_4.name", "jquery_1_7_1");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_4.ver", 2);

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins_lists.plugins_0", "17,14,16");

Deleted : user_pref("extensions.crossriderapp4479.4479.plugins_lists.plugins_1", "17,14,13,16,15,4,1,21,22,28"[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]

Deleted : user_pref("extensions.crossriderapp4479.4479.pluginsversion", 4);

Deleted : user_pref("extensions.crossriderapp4479.4479.premium", true);

Deleted : user_pref("extensions.crossriderapp4479.4479.publisher", "215 Apps");

Deleted : user_pref("extensions.crossriderapp4479.4479.searchstatus", 0);

Deleted : user_pref("extensions.crossriderapp4479.4479.setnewtab", false);

Deleted : user_pref("extensions.crossriderapp4479.4479.settingsurl", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.thankyou", "");

Deleted : user_pref("extensions.crossriderapp4479.4479.updateinterval", 360);

Deleted : user_pref("extensions.crossriderapp4479.4479.ver", 15);

Deleted : user_pref("extensions.crossriderapp4479.apps", "4479");

Deleted : user_pref("extensions.crossriderapp4479.bic", "1385ef57f50e5c0a95dc8aff2469e1f2");

Deleted : user_pref("extensions.crossriderapp4479.cid", 4479);

Deleted : user_pref("extensions.crossriderapp4479.firstrun", false);

Deleted : user_pref("extensions.crossriderapp4479.hadappinstalled", true);

Deleted : user_pref("extensions.crossriderapp4479.installationdate", 1341622944);

Deleted : user_pref("extensions.crossriderapp4479.lastcheck", 22381950);

Deleted : user_pref("extensions.crossriderapp4479.lastcheckitem", 22382151);

Deleted : user_pref("extensions.crossriderapp4479.misc.lastBgWorkerTimer", "1341628465125");

Deleted : user_pref("extensions.crossriderapp4479.misc.lastDomWorkerTimer", "1341628465118");

Deleted : user_pref("extensions.crossriderapp4479.modetype", "production");

Deleted : user_pref("extensions.engine@conduit.com.install-event-fired", true);

Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.homepage", "hxxp://home.mywebsearch.com/index.jh[...]

Deleted : user_pref("{336D0C35-8A85-403a-B9D2-65C292C39087}.ScriptData_WSG_temp_referer", "hxxp://search.babyl[...]

-\\ Google Chrome v23.0.1271.64

File : C:\Users\Toshiba\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

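The AdwCleaner log above shows the hijack persisting as user_pref() lines in the profile's user.js, which Firefox re-applies over prefs.js at every start, which is why the tool deleted that file outright. The script below is an added example, not code from this thread or from AdwCleaner: it parses user.js-style lines and flags the same kinds of entries the log records, so a defender can audit a profile before or after cleanup. The pref-name prefixes come from the log; browser.startup.homepage is an assumed extra entry point, and the embedded user.js is a constructed sample.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample user.js, modelled on the entries AdwCleaner deleted
# in the thread (URLs shortened, truncated values invented).
SAMPLE_USER_JS = r'''
user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
user_pref("browser.newtab.url", "http://search.babylon.com/?affID=113480");
user_pref("browser.search.order.1", "Search the web (Babylon)");
user_pref("extensions.crossriderapp4479.4479.active", true);
user_pref("extensions.crossriderapp4479.4479.updateinterval", 360);
user_pref("extensions.BabylonToolbar_i.newTab", true);
user_pref("browser.startup.homepage", "about:home");
user_pref("network.cookie.cookieBehavior", 1);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Pref namespaces owned by the toolbar/PUP families named in the log.
PUP_NAME_PREFIXES = (
    "browser.babylon.", "extensions.BabylonToolbar",
    "extensions.crossriderapp", "extensions.toolbar.mindspark",
    "extensions.engine@conduit.com",
)
# Browser entry points a hijacker repoints; browser.newtab.url is in the
# log, browser.startup.homepage is an assumed addition.
ENTRY_POINT_PREFS = {"browser.newtab.url", "browser.startup.homepage"}


def parse_user_prefs(text: str) -> Dict[str, object]:
    """Turn user_pref("name", value); lines into {name: value}. Quoted strings
    lose their quotes, true/false become bool, integers become int."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw
    return prefs


def find_hijack_indicators(prefs: Dict[str, object]) -> List[Tuple[str, object, str]]:
    """Return (pref, value, reason) for every pref matching a hijack pattern."""
    hits: List[Tuple[str, object, str]] = []
    for name, value in prefs.items():
        if name.startswith(PUP_NAME_PREFIXES):
            hits.append((name, value, "namespace of a known toolbar/PUP family"))
        elif name in ENTRY_POINT_PREFS and isinstance(value, str) \
                and value.startswith(("http://", "https://")):
            hits.append((name, value, "entry point redirected to an external URL"))
        elif name.startswith("browser.search.order."):
            hits.append((name, value, "search engine order pinned by user.js"))
    return hits


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_USER_JS
    for name, value, reason in find_hijack_indicators(parse_user_prefs(text)):
        print(f"{name} = {value!r}  <- {reason}")
```

Run it against a profile's user.js (or prefs.js) path; an empty report means none of the patterns from the log are present.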

Hi,

I did run Malwarebytes.

This is the latest log from it:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.26.03

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Toshiba :: TOSHIBA-PC [administrator]

27/11/2012 1:52:52 PM

mbam-log-2012-11-27 (13-52-52).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 206774

Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0


OK, let me know how your system is responding, and also whether any issues or concerns remain.

Also run the following:

Please download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • Click on Scan

Copy paste the log from the Desktop...


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
