esaassoc Posted December 26, 2012 (ID:627068)

I have scanned with Malwarebytes, no problems found. My Avast keeps popping up with systemroot/svchost.exe trying to access a bunch of random sites, and while I'm surfing on Google, if I click a link it usually redirects me to some random IP address in my browser.

Attachments: attach.txt, dds.txt
kevinf80 Posted December 26, 2012 (ID:627069)

I see you've run Combofix and TDSSKiller, can you post those two logs?
TDSSKiller will be here - C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt
Combofix here - C:\Combofix.txt
esaassoc (Author) Posted December 26, 2012 (ID:627128)

Combofix will not run properly, I have tried it multiple times; it makes my PC freeze or automatically reboot. Not sure what to do.

Attachment: TDSSKiller.2.8.15.0_26.12.2012_13.47.22_log.txt
kevinf80 Posted December 27, 2012 (ID:627131)

Download Farbar Recovery Scan Tool on a clean PC (if possible) and save to a flash drive (memory stick). Use whichever of the following is applicable to your system (32 or 64 bit):

Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ <--- 64 bit version. Save to USB flash drive.
Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ <--- 32 bit version. Save to USB flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options. I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select your country as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using a Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select your country as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Select Command Prompt.
- In the command window type in notepad and press Enter.
- The notepad opens. Under the File menu select Open.
- Select "Computer" and find your flash drive letter, then close the notepad.
- In the command window type e:\frst64 or e:\frst depending on your version, then press Enter.
  Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Kevin
esaassoc (Author) Posted December 27, 2012 (ID:627390)

After clicking Repair your computer, a grey box comes up with ERROR : F3-F100-0010
kevinf80 Posted December 27, 2012 (ID:627392)

Are you using the installation DVD to access System Recovery Options?
esaassoc (Author) Posted December 27, 2012 (ID:627420)

No, I was using the boot option. I just used the CD; here is the report.

Attachment: FRST.txt
kevinf80 Posted December 27, 2012 (ID:627435)

OK, thanks for that log, do the following:

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
2. Unzip the file to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe
4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:
5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)
6. The following image opens, select Next.
7. The following image opens, select Update.
8. When the Update completes, select Next.
9. In the following window ensure "Targets" are ticked. Then select "Scan".
10. If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:
11. Do not select the "Clean up Button", select the "Exit" button, there will be a warning as follows:
12. Select "Yes" to close down the program. If NO infections were found you will see the following image:
13. Select "Exit" to close down.
14. Copy and paste the two following logs from the mbar folder:
    System - log
    Mbar - log (Date and time of scan will also be shown)

Post those two logs in your reply.
esaassoc (Author) Posted December 28, 2012 (ID:627474)

It found 9 items, I'm cleaning it now. Here are the logs.

Attachments: mbar-log-2012-12-27 (20-14-14).txt, system-log.txt
kevinf80 Posted December 28, 2012 (ID:627563)

Thanks for the logs, OK we can go one further step to remove infection:

1. Open the mbar folder, run mbar.exe as before....
2. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:
3. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)
4. The following image opens, select Next.
5. The following image opens, select Update.
6. When the update completes select Next.
7. In the following window ensure "Targets" are ticked. Then select "Scan".
8. If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats. Or if you are sure any entries should not be kept, just untick them.
9. The Clean up procedure will be scheduled for process.
10. When scheduling is complete the following image will appear,
11. Select the Yes tab, the system should re-boot to complete the cleaning process.
12. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:
    System - log
    Mbar - log (Date and time of scan will also be shown; copy/paste the most recent by date/time)

Thanks,
Kevin...
esaassoc (Author) Posted December 28, 2012 (ID:627746)

I just did another scan, found nothing.

Attachments: mbar-log-2012-12-28 (08-08-30).txt, system-log.txt
kevinf80 Posted December 28, 2012 (ID:627756)

How is your system responding now, any issues or concerns? Run the following online AV scan:

Run ESET Online Scanner
**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin.
- Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.
- Turn off the real time scanner of any existing antivirus program while performing the online scan.
- Click on the Run ESET Online Scanner button.
- Tick the box next to YES, I accept the Terms of Use.
- Click Start.
- When asked, allow the add-on to be installed.
- Click Start.
- Make sure that the option Remove found threats is unticked.
- Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
- Click Scan.
- Wait for the virus definitions to be downloaded.
- Wait for the scan to finish.

When the scan is complete:
- If no threats were found, put a checkmark in "Uninstall application on close", close the program and report to me that nothing was found.
- If threats were found, click on "list of threats found", click on "export to text file" and save it as ESET SCAN on the desktop. Click on back, put a checkmark in "Uninstall application on close", click on finish, close the program and copy and paste the report here.

Next,

Download Security Check by screen317 from either of the following:
http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Kevin
esaassoc (Author) Posted December 29, 2012 (ID:627803)

I must say thanks. The Malwarebytes rootkit remover is awesome as well; the PC is running better, no more annoying pop ups or web redirects. The scan with ESET came back with these:

C:\TDSSKiller_Quarantine\26.12.2012_13.48.03\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\26.12.2012_13.48.03\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AM trojan cleaned by deleting - quarantined
C:\Users\user\AppData\Local\Temp\Av-test.txt Eicar test file cleaned by deleting - quarantined
C:\Users\user\Desktop\d2\EPMaphack\EasyLoad.exe a variant of Win32/HackTool.Inject.H application cleaned by deleting - quarantined
C:\Users\user\Downloads\cnet_eex_zip.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\user\Downloads\frostwire-5.3.5.windows.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\user\Downloads\Win7_64bit_Repair_Disk.iso.exe Win32/InstalleRex.E.Gen application cleaned by deleting - quarantined
C:\Users\user\Downloads\Aeonsofts Fake Mailer V2.0.exe\Aeonsofts Fake Mailer V2.0.exe a variant of MSIL/Packed.CodeFort.A application cleaned by deleting - quarantined
C:\Users\user\Downloads\GSA Email Spiderv5.30\email_spider.exe a variant of Win32/Packed.Themida application cleaned by deleting - quarantined
C:\Users\user\Downloads\Hacking RDP\Hacking RDP\Run List through here...SECOND\service.exe Win32/HackTool.RDPBrutty.A trojan cleaned by deleting - quarantined
C:\Users\user\Downloads\Windows 7 Home Premium (64 Bit)\Extra Activation Programs\Windows 7 Loader eXtreme Edition 3.5.0.3.exe a variant of Win32/HackKMS.A application cleaned by deleting - quarantined
C:\Users\user\Downloads\Windows 7 Home Premium (64 Bit)\File Sharing Programs\Frost-Wire 4.21.3.exe Win32/OpenCandy application cleaned by deleting - quarantined

Security Check log:

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java 7 Update 10
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (17.0.1)
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
ESET ESET Online Scanner OnlineCmdLineScanner.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
kevinf80 Posted December 29, 2012 (ID:627893)

Thanks for the update, do the following:

Adobe Reader is outdated...
Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader.
Step 1 - Select your Operating System.
Step 2 - Select your Language.
Step 3 - Select latest version.
Untick the option for McAfee security scanner if offered.
Download and install.
Having the latest updates ensures there are no security vulnerabilities in your system.

Next,

Your Java may be out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
Go to http://java.com/en/ and click on "Do I have Java".
It will check your current version and then offer to update to the latest version.
Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.
***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed; if so, remove them.

Next,

Re-boot your system, run DDS again and post a fresh set of logs. Let me know if there are any remaining issues or concerns...

Thanks,
Kevin
esaassoc (Author) Posted December 29, 2012 (ID:628114)

System is running better.

Attachments: attach.txt, dds.txt
kevinf80 Posted December 29, 2012 (ID:628122)

Download http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner by Xplode onto your Desktop.
- Please close all open programs and internet browsers.
- Double click on Adwcleaner.exe to run the tool.
- Click on Delete.
- Confirm each time with OK.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile in your reply.
- You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Post that log, let me know if you have any remaining issues or concerns....
esaassoc (Author) Posted December 29, 2012 (ID:628126)

Everything seems OK now.

# AdwCleaner v2.104 - Logfile created 12/29/2012 at 15:25:47
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : user - AARON
# Boot Mode : Normal
# Running from : C:\Users\user\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Common Files\AVG Secure Search
Deleted on reboot : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Folder Deleted : C:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

-\\ Google Chrome v23.0.1271.97

*************************

AdwCleaner[R1].txt - [8885 octets] - [29/12/2012 15:25:19]
AdwCleaner[S1].txt - [8699 octets] - [29/12/2012 15:25:47]

########## EOF - C:\AdwCleaner[S1].txt - [8759 octets] ##########
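The AdwCleaner log above lists one adware component's registrations as dozens of separate "Key Deleted" lines; the same CLSID (for example {95B7759C-8C7F-4BF1-B163-73684A933233}) turns up as a Browser Helper Object, an IE toolbar, a search scope, an add-on settings entry and a COM class. The script below, added here as an example and not a tool used in this thread, pivots such a log on the GUIDs it mentions so that one component's whole footprint can be read together. The role labels and the sample excerpt (constructed from a handful of lines in the log above) are the example's own.

```python
"""Pivot an AdwCleaner log on the GUIDs it mentions so that one adware component's
registrations (BHO, toolbar, search scope, IE elevation policy, CLSID, ...) are
seen together instead of as scattered "Key Deleted" / "Value Deleted" lines."""
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Registry sub-paths that reveal what role a GUID played.  The labels are this
# example's own naming, matched case-insensitively; first match wins, so the more
# specific paths come first.
ROLE_MARKERS = [
    (r"\\Browser Helper Objects\\", "BHO"),
    (r"\\Internet Explorer\\Toolbar", "IE toolbar"),
    (r"\\SearchScopes\\", "search scope"),
    (r"\\Low Rights\\ElevationPolicy\\", "IE elevation policy"),
    (r"\\Ext\\PreApproved\\", "pre-approved add-on"),
    (r"\\Ext\\(Settings|Stats)\\", "add-on settings"),
    (r"\\Classes\\CLSID\\", "COM class"),
    (r"\\Classes\\Interface\\", "COM interface"),
    (r"\\Classes\\TypeLib\\", "type library"),
    (r"\\Classes\\AppID\\", "AppID"),
    (r"\\CurrentVersion\\Uninstall\\", "uninstall entry"),
    (r"\\Installer\\", "Windows Installer record"),
]
ROLE_PATTERNS = [(re.compile(p, re.IGNORECASE), label) for p, label in ROLE_MARKERS]

ACTION_RE = re.compile(r"^(Key|Value) Deleted : (.+)$")

# Constructed excerpt of the AdwCleaner log posted above (a few registry lines only).
SAMPLE_LOG = r"""
***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
"""


def parse_registry_actions(log_text):
    """Yield (kind, path) for every registry key or value the log reports deleting."""
    for line in log_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def classify(path):
    """Map a registry path to the role label it implies, or 'other'."""
    for pattern, label in ROLE_PATTERNS:
        if pattern.search(path):
            return label
    return "other"


def pivot_on_guid(log_text):
    """Return {GUID: {role, ...}} for every GUID seen in a deleted key or value."""
    roles = defaultdict(set)
    for _kind, path in parse_registry_actions(log_text):
        for guid in GUID_RE.findall(path):
            roles[guid.upper()].add(classify(path))
    return dict(roles)


def multi_role_guids(log_text, minimum=3):
    """GUIDs registered in at least `minimum` distinct roles: the entries most worth
    treating as the core of a toolbar/BHO package rather than as stray leftovers."""
    return sorted(
        (guid, sorted(r)) for guid, r in pivot_on_guid(log_text).items() if len(r) >= minimum
    )


if __name__ == "__main__":
    for guid, roles in multi_role_guids(SAMPLE_LOG):
        print(guid, "->", ", ".join(roles))
```

Run against the full log rather than the excerpt, the same pivot also groups the Wow6432Node and native-view registrations of one CLSID, which is the quickest way to confirm that a 64-bit cleanup removed both views.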
esaassoc (Author) Posted December 29, 2012 (ID:628136)

This just popped up, should I be concerned?
esaassoc (Author) Posted December 29, 2012 (ID:628138)

It just popped up again, but it was Type: outgoing.
esaassoc (Author) Posted December 29, 2012 (ID:628140)

The system is redirecting me on Google again; if I click one link it redirects to a different site.
kevinf80 Posted December 29, 2012 (ID:628141)

Please download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save direct to your Desktop.
Quit all running programs.
For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
1. Wait until Prescan has finished... The following EULA will appear, please select accept.
2. Ensure MBR scan, Check faked and AntiRootkit are checked.
3. Select Scan.
When the scan completes select Report, copy and paste that to your reply.

Kevin...
esaassoc (Author) Posted December 29, 2012 (ID:628143)

RogueKiller V8.4.1 [Dec 28 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Scan -- Date : 12/29/2012 15:54:39

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2555GSXN ATA Device +++++
--- User ---
[MBR] 4deb0487614f0b6a0bccdd3cb69e4ba9
[BSP] 4c30b99c9f817797a17f15b63c6dfaa4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 227588 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 469174272 | Size: 9386 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12292012_02d1554.txt >>

Attachment: RKreport[1]_S_12292012_02d1554.txt
kevinf80 Posted December 29, 2012 (ID:628150)

That is really strange, there are two active partitions showing. OK, I want you to run MBAR again, do not do anything other than the instructions I post. If the MBAR folder is already on your Desktop, delete it, then we start again.

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
2. Unzip the file to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe
4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:
5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)
6. The following image opens, select Next.
7. The following image opens, select Update.
8. When the Update completes, select Next.
9. In the following window ensure "Targets" are ticked. Then select "Scan".
10. If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:
11. Do not select the "Clean up Button", select the "Exit" button, there will be a warning as follows:
12. Select "Yes" to close down the program. If NO infections were found you will see the following image:
13. Select "Exit" to close down.
14. Copy and paste the two following logs from the mbar folder:
    System - log
    Mbar - log (Date and time of scan will also be shown)

Post those two logs in your reply.
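The RogueKiller report above shows two entries flagged ACTIVE and a hidden NTFS (0x17) partition at the end of the disk, which is the oddity Kevin picks up on. The script below, added here as an example and not a tool used in this thread, parses the 64-byte partition table of a raw MBR sector and reports exactly those layout anomalies (more than one active entry, hidden partition types, invalid boot-indicator bytes, overlapping entries, missing 0x55AA signature). The sample sector is constructed from the offsets and sizes in the report (sizes converted back to sectors at 2048 per MiB, CHS fields zeroed), and the partition-type name table is the example's own.

```python
"""Parse an MBR partition table and flag the layout oddities a bootkit triage
looks at: more than one partition marked active, hidden partition types,
invalid boot-indicator bytes, overlapping entries and a missing signature."""
import struct

PARTITION_TABLE_OFFSET = 0x1BE      # four 16-byte entries start here
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE
MBR_SIGNATURE = b"\x55\xAA"

# Partition type IDs that denote hidden volumes (example's own, non-exhaustive table).
HIDDEN_TYPES = {
    0x11: "hidden FAT12",
    0x14: "hidden FAT16 (<32 MiB)",
    0x16: "hidden FAT16",
    0x17: "hidden NTFS/HPFS",
    0x1B: "hidden FAT32",
    0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}
# 0x27 is the ID Windows uses for its recovery (Windows RE) partition, so it is
# named but not treated as hidden.
KNOWN_TYPES = {0x07: "NTFS", 0x27: "Windows RE / OEM recovery", **HIDDEN_TYPES}


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(sector) < 512:
        raise ValueError("MBR must be 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "active": status == 0x80,
            "status": status,
            "type": ptype,
            "type_name": KNOWN_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * 512 // (1024 * 1024),
        })
    return entries


def find_anomalies(sector):
    """Return human-readable findings for the MBR; an empty list means nothing odd."""
    findings = []
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    entries = parse_mbr(sector)

    active = [e for e in entries if e["active"]]
    if len(active) > 1:
        findings.append("%d active partitions (expected at most 1): %s"
                        % (len(active), ", ".join(e["type_name"] for e in active)))

    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid boot indicator 0x%02X"
                            % (e["index"], e["status"]))
        if e["type"] in HIDDEN_TYPES:
            findings.append("partition %d is a %s of %d MiB at LBA %d"
                            % (e["index"], e["type_name"], e["size_mib"], e["lba_start"]))

    # Overlap check: sorted by start LBA, each entry must begin at or after the previous end.
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append("partitions %d and %d overlap" % (prev["index"], cur["index"]))
    return findings


def _entry(status, ptype, lba_start, sectors):
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR mirroring the partition table in the RogueKiller report above.
    Sizes were converted back to sectors (MiB * 2048); boot code and CHS fields are zeroed."""
    table = (
        _entry(0x80, 0x27, 2048, 1500 * 2048)           # OEM recovery, marked active
        + _entry(0x80, 0x07, 3074048, 227588 * 2048)    # Windows NTFS, also marked active
        + _entry(0x00, 0x17, 469174272, 9386 * 2048)    # hidden NTFS at the end of the disk
        + bytes(ENTRY_SIZE)                              # fourth slot unused
    )
    return bytes(PARTITION_TABLE_OFFSET) + table + MBR_SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for e in parse_mbr(mbr):
        print("%d %-6s %-26s LBA %-10d %d MiB" % (e["index"], "ACTIVE" if e["active"] else "",
                                                 e["type_name"], e["lba_start"], e["size_mib"]))
    for f in find_anomalies(mbr):
        print("FINDING:", f)
```

The same checks apply to the first 512 bytes read from a physical disk or from a disk image; they only look at the table, and are a complement to (not a replacement for) the boot-code hashing RogueKiller does in its [MBR]/[BSP] lines.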
esaassoc (Author) Posted December 29, 2012 (ID:628205)

Anti-rootkit came back clean.

Attachments: mbar-log-2012-12-29 (17-09-40).txt, system-log.txt
esaassoc (Author) Posted December 29, 2012 (ID:628207)

It's still doing browser redirects; if I search Google and click a link I get redirected to random ad sites, e.g. http://click.livesearchnow.com/ads-clicktrack/click/jump1.do?sid=fPUJf64IkIGtjcEI1eOUOpngnrJNInfr708BZRBUHWE%3D&affiliate=46251&subid=3482&rc=0&terms=esaassociation&stm=2012-12-29-15-06-18