Jump to content

Hijack.FolderOptions, PUM.Hijack.HomePageControl, PUM.Disabled.SecurityCenter. NEED HELP TO FIX IT


Recommended Posts

I'm facing a lot of issues with my desktop. Please help me out. I do not know how it happened. Searching through various forums and the Malwarebyes forum itself, I've concluded (not sure though) its a problem of this 'Hijack.' virus thing. Before that here are some of the problems I'm having now.

 

BEFORE using "Last know Good Configuration" from the Advanced boot options.

 

1. The control panel is not working 
I'm able to open it. But the only thing that appears is a blank window (with none of the options in control panel); and the window gets stuck or unresponsive. May be due to a corrupt cpl file (after referring the net. but not sure on what that is) 

2. Services like regedit, anti-virus softwares, etc. cannot be opened in normal mode 
I suspect it has to be a virus, that disables such services. But I did a scan using Avast in safe mode and didnt find any virus. 

3. Lost Admin privileges, though I'm using the admin user account 
I tried to install the BitDefender antivirus initially after all these problems occurred. But the installation could not be completed as it pointed out that I did not have admin privileges. 

4. Theme set to classic windows theme automatically. Unable to use Personalize option 
My windows 7 theme has been reset to a classic window theme, and I'm not able to alter it.

 

 

AFTER using "Last know Good Configuration" from the Advanced boot options.

 

My system gets stuck in "Normal Mode". I'm able to use "Safe Mode" only.

 

1. The control panel is not working 
Still not able to access it even in safe mode.

2. Services like regedit, anti-virus softwares, etc. cannot be opened in normal mode 
Unable to open. But works in safe mode.

3. Theme restored to aero style in normal mode 
The theme has been restored. But whats the point if the whole system hangs :(

 

 

 

OK. Here's the log of the scan I did with Malwarebytes.

 

 

SCAN result of my system drives (C & D; C is my primary drive):

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org
 
Database version: v2013.07.04.04
 
Windows 7 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Basil Benjamin :: BASILBENJAMIN [administrator]
 
Protection: Disabled
 
7/5/2013 1:14:47 AM
mbam-log-2013-07-05 (01-14-47).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 372823
Time elapsed: 30 minute(s), 15 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|system3 (Backdoor.Agent) -> Data: C:\Users\Public\Documents\Basil Benjamin.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|system5 (Backdoor.Agent) -> Data: C:\ProgramData\Basil Benjamin.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NofolderOptions (Hijack.FolderOptions) -> Data: 1 -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 6
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore|DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 10
C:\Users\Public\Documents\Basil Benjamin.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Basil Benjamin.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Aju.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Aju.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Basil Benjamin.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Aju\AppData\Roaming\Microsoft\Windows\Start Menu\Aju.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Aju\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aju.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Basil Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Basil Benjamin.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Basil Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Basil Benjamin.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Aju.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
 
(end)
 
 
SCAN result of my external drives (E):
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.07.04.04
 
Windows 7 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Aju :: BASILBENJAMIN [administrator]
 
Protection: Disabled
 
7/4/2013 1:08:06 PM
mbam-log-2013-07-04 (13-08-06).txt
 
Scan type: Full scan (E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213328
Time elapsed: 45 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NofolderOptions (Hijack.FolderOptions) -> Data: 1 -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 6
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore|DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
 
SCAN result of my external drives (G):
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.07.04.04
 
Windows 7 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Aju :: BASILBENJAMIN [administrator]
 
Protection: Disabled
 
7/4/2013 1:48:28 PM
mbam-log-2013-07-04 (13-48-28).txt
 
Scan type: Full scan (G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233247
Time elapsed: 7 minute(s), 7 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NofolderOptions (Hijack.FolderOptions) -> Data: 1 -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 6
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore|DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 2
G:\MUSIC PRODUCTION\VST n Plugins\Lennar Digital Sylenth1 v.2.02\LennarDigital.Sylenth1.VSTi.v2.202.Incl Keygen & Banks(2).rar (Trojan.Agent) -> No action taken.
G:\MUSIC PRODUCTION\VST n Plugins\Lennar Digital Sylenth1 v.2.02\LennarDigital.Sylenth1.VSTi.v2.202.Incl.Keygen-AiR\keygen.exe (Trojan.Agent) -> No action taken.
 
(end)
 
 
SCAN result of my another external drive (E):
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.07.04.04
 
Windows 7 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Aju :: BASILBENJAMIN [administrator]
 
Protection: Disabled
 
7/4/2013 1:14:11 PM
mbam-log-2013-07-04 (13-14-11).txt
 
Scan type: Full scan (E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223676
Time elapsed: 5 minute(s), 46 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 7
E:\GAMES\Call of Duty Modern Warfare 2\d3drm.dll (Malware.Packer.Gen) -> No action taken.
E:\SETUP FILES\ms office 2010\Microsoft Office 2010 Professional Plus x64 and x86 14.0.4743.1000 Full Activated\Activator office 2010.exe (PUP.RiskwareTool.CK) -> No action taken.
E:\SETUP FILES\ms office 2010\Ms Office 2010 64& 32 Bit\32 Activator office 2010.exe (PUP.RiskwareTool.CK) -> No action taken.
E:\SETUP FILES\sony vegas\crack vegas 9\sONY vEGAS 9Keygen.exe (Trojan.Agent.CK) -> No action taken.
E:\System Volume Information\_restore{85A6F7F9-F1DF-4872-9268-55326B1F857E}\RP144\A0022951.exe (Riskware.Took.CK) -> Quarantined and deleted successfully.
E:\eBooks\SELF HELP\COOKING AND HEALTH\OrganicSecrets.zip (Trojan.PWS.Agent) -> Quarantined and deleted successfully.
E:\eBooks\SELF HELP\HOW TO\HOLIDAY PLANNING.zip (Trojan.PWS.Agent) -> Quarantined and deleted successfully.
 
(end)
 
 
Please guide me on how to fix it. Appreciate it.
Thank You. 

 

Link to post
Share on other sites

  • Root Admin

Hello and :welcome:

Please visit this webpage for instructions on downloading and running ComboFix: How to use ComboFix

Please make sure you disable your security applications before running ComboFix.

Once Combofix has completed it will produce and open a log file. Please attach that log file to your next reply.

If needed the file can be located here: C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Link to post
Share on other sites

  • Root Admin

The log shows that you appear to have 2 antivirus programs running. avast and AVG

You can only have one antivirus installed so please pick one of them to use and Fully uninstall the other one.

Please check now and see if you can logon to Normal Mode or not and let me know.

Please run the following and post back the logs. Getting late here so I'll check back on you sometime tomorrow.

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

    STEP 02

    Please download Malwarebytes Anti-Rootkit from HERE

    • Unzip the contents to a folder in a convenient location.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
    STEP 03

    Please download Junkware Removal Tool to your desktop.

    • Shutdown your antivirus to avoid any conflicts.
    • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next reply message
    • When completed make sure to re-enable your antivirus
    STEP 04

    Please download AdwCleaner by Xplode to your desktop.

    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • If prompted by the User Account Control click Yes to allow it to run.
    • Under Actions click on the Delete button.
    • Click OK on all prompts.
    • You will be prompted to restart your computer. A text file will open after the restart.
    • Please post the entire contents of that logfile to your next reply.
    • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.
    STEP 05

    button_eos.gif

    Please go here to run the online antivirus scannner from ESET.

    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings and ensure these options are ticked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Click Scan
    • Wait for the scan to finish
    • If any threats were found, click the 'List of found threats' , then click Export to text file....
    • Save it to your desktop, then please copy and paste that log as a reply to this topic.
    Thanks
Link to post
Share on other sites

I uninstalled avast. And now I'm able to access my system in normal mode (But still do not know what all functions work and what all functions do not work now). I'm not able to access control panel still, but I'm able to open regedit which I couldn't open before. So should I do the steps you mentioned in normal mode or safe mode (because I'm not sure if my "Normal mode" is fully functional)? Would it be possible for you to reply to this post before you leave? :)

Link to post
Share on other sites

  • Root Admin

If possible try to run Combofix again from Normal Mode (disable your other AV) and pay attention to the "illegal key note" and then yes after that go ahead and run the other tools as requested.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Thanks

Link to post
Share on other sites

The ComboFix log of the scan performed in 'Normal Mode". Guess I'll run the steps in normal mode itself. will switch to safe if MBAR doesn't work (like you said). 

 

Sir, I have one more query..its that I can't find my AVG. When I had installed Avast, I had actually uninstalled AVG. But according to the log, you said there are 2 AVs in my system. But I'm not able to locate AVG. Any help with that?

ComboFix.txt

Link to post
Share on other sites

Here's the latest ComboFix log file. I uninstalled both AVG & Avast and installed Bit Defender. Don't know if that would make any difference, but now I have an AV that functions. 

 

NOTE: I had disabled all the AV functions during the ComboFix Scan, so that it does not interfere.

Link to post
Share on other sites

(Pertaining to STEP 3)

 

Junkware Removal Tool Results (log):  (also attached as text file)

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Ultimate x86
Ran by Aju on Sat 07/06/2013 at 16:11:29.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs\\Tabs
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\babylon
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\default tab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\default tab
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\systweak
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylntlbr.bbylntlbrhlpr
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylntlbr.bbylntlbrhlpr.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\conduitinstaller_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\conduitinstaller_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\mybabylontb_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\mybabylontb_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\softonic_ggl_1_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\softonic_ggl_1_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\wajam_install_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\wajam_install_rasmancs
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F597FC9E-6C07-4F49-9615-84D4F4191AD9}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\babylon"
Successfully deleted: [Folder] "C:\Users\Aju\AppData\Roaming\babylon"
Successfully deleted: [Folder] "C:\Users\Aju\AppData\Roaming\defaulttab"
Successfully deleted: [Folder] "C:\Users\Aju\appdata\local\babylon"
Successfully deleted: [Folder] "C:\Users\Aju\appdata\local\visi_coupon"
Successfully deleted: [Folder] "C:\Users\Aju\appdata\locallow\softonic"
Successfully deleted: [Folder] "C:\Program Files\oapps"
Successfully deleted: [Folder] "C:\Program Files\wondershare"
Successfully deleted: [Folder] "C:\ProgramData\ask" 
 
 
 
~~~ FireFox
 
Successfully deleted: [File] C:\user.js
Successfully deleted: [File] "C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml"
Successfully deleted: [File] C:\Users\Aju\AppData\Roaming\mozilla\firefox\profiles\cq2rh072.default\user.js
Successfully deleted: [File] C:\Users\Aju\AppData\Roaming\mozilla\firefox\profiles\cq2rh072.default\extensions\addon@defaulttab.com.xpi
Successfully deleted: [File] C:\Users\Aju\AppData\Roaming\mozilla\firefox\profiles\cq2rh072.default\searchplugins\search-here.xml
Successfully deleted the following from C:\Users\Aju\AppData\Roaming\mozilla\firefox\profiles\cq2rh072.default\prefs.js
 
user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
user_pref("extensions.BabylonToolbar_i.babExt", "");
user_pref("extensions.BabylonToolbar_i.babTrack", "affID=100490");
user_pref("extensions.BabylonToolbar_i.hardId", "0c1a62d7000000000000002421a204e1");
user_pref("extensions.BabylonToolbar_i.id", "0c1a62d7000000000000002421a204e1");
user_pref("extensions.BabylonToolbar_i.instlDay", "15313");
user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
user_pref("extensions.BabylonToolbar_i.newTab", false);
user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1722:44:22");
user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
user_pref("extensions.wajam.affiliate_id", "5926");
user_pref("extensions.wajam.firstrun", "false");
user_pref("extensions.wajam.log_send_info", "false");
user_pref("extensions.wajam.no_trace", "false");
user_pref("extensions.wajam.server_current_mapping_version", "0.21087");
user_pref("extensions.wajam.unique_id", "F0A4CAAD1406EC49B0BFA9FA81A83DB6");
user_pref("extensions.wajam.user_current_mapping_version", "0");
user_pref("extensions.wajam.version", "1.26");
Emptied folder: C:\Users\Aju\AppData\Roaming\mozilla\firefox\profiles\cq2rh072.default\minidumps [86 files]
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 07/06/2013 at 16:15:28.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

JRT.txt

Link to post
Share on other sites

PERTAINING TO STEP 4

AdwCleaner Results (log): (also attached as text file)

 

 

# AdwCleaner v2.304 - Logfile created 07/06/2013 at 16:24:06

# Updated 03/07/2013 by Xplode

# Operating system : Windows 7 Ultimate  (32 bits)

# User : Aju - BASILBENJAMIN

# Boot Mode : Normal

# Running from : C:\Users\Aju\Desktop\AdwCleaner.exe

# Option [Delete]

 

 

***** [services] *****

 

 

***** [Files / Folders] *****

 

File Deleted : C:\Users\Basil Benjamin\AppData\Roaming\Mozilla\Firefox\Profiles\0ip6l3rh.default\searchplugins\Askcom.xml

File Deleted : C:\Users\Basil Benjamin\AppData\Roaming\Mozilla\Firefox\Profiles\0ip6l3rh.default\searchplugins\softonic.xml

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare

Folder Deleted : C:\ProgramData\ParetoLogic

Folder Deleted : C:\Users\Basil Benjamin\AppData\LocalLow\Softonic

Folder Deleted : C:\Users\Basil Benjamin\AppData\Roaming\DriverCure

Folder Deleted : C:\Users\Basil Benjamin\AppData\Roaming\ParetoLogic

 

***** [Registry] *****

 

Key Deleted : HKCU\Software\InstallCore

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKLM\Software\AVG Secure Search

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7ABBFE1C-E485-44AA-8F36-353751B4124D}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL

Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX

Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

 

***** [internet Browsers] *****

 

-\\ Internet Explorer v8.0.7600.16385

 

[OK] Registry is clean.

 

-\\ Mozilla Firefox v22.0 (en-US)

 

File : C:\Users\Basil Benjamin\AppData\Roaming\Mozilla\Firefox\Profiles\0ip6l3rh.default\prefs.js

 

C:\Users\Basil Benjamin\AppData\Roaming\Mozilla\Firefox\Profiles\0ip6l3rh.default\user.js ... Deleted !

 

Deleted : user_pref("browser.search.defaultengine", "Ask.com");

Deleted : user_pref("browser.search.order.1", "Ask.com");

Deleted : user_pref("extensions.Softonic.admin", false);

Deleted : user_pref("extensions.Softonic.aflt", "orgnl");

Deleted : user_pref("extensions.Softonic.autoRvrt", "false");

Deleted : user_pref("extensions.Softonic.dfltLng", "");

Deleted : user_pref("extensions.Softonic.dfltSrch", true);

Deleted : user_pref("extensions.Softonic.dspNew", "Search the web (Softonic)");

Deleted : user_pref("extensions.Softonic.dspOld", "Google");

Deleted : user_pref("extensions.Softonic.excTlbr", false);




Deleted : user_pref("extensions.Softonic.id", "0c1a62d7000000000000002421a204e1");

Deleted : user_pref("extensions.Softonic.instlDay", "15514");

Deleted : user_pref("extensions.Softonic.instlRef", "MON00001");



Deleted : user_pref("extensions.Softonic.prdct", "Softonic");

Deleted : user_pref("extensions.Softonic.prtnrId", "softonic");

Deleted : user_pref("extensions.Softonic.rvrtMsg", "Click Yes to keep current home page and default search set[...]

Deleted : user_pref("extensions.Softonic.srchPrvdr", "Search the web (Softonic)");

Deleted : user_pref("extensions.Softonic.tlbrId", "base");


Deleted : user_pref("extensions.Softonic.vrsn", "1.5.24.3");

Deleted : user_pref("extensions.Softonic.vrsni", "1.5.24.3");

Deleted : user_pref("extensions.Softonic_i.dnsErr", true);

Deleted : user_pref("extensions.Softonic_i.hmpg", true);

Deleted : user_pref("extensions.Softonic_i.newTab", false);

Deleted : user_pref("extensions.Softonic_i.smplGrp", "none");

Deleted : user_pref("extensions.Softonic_i.vrsnTs", "1.5.24.39:15:47");

Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

 

File : C:\Users\Aju\AppData\Roaming\Mozilla\Firefox\Profiles\cq2rh072.default\prefs.js

 

[OK] File is clean.

 

-\\ Google Chrome v27.0.1453.116

 

File : C:\Users\Basil Benjamin\AppData\Local\Google\Chrome\User Data\Default\Preferences

 

[OK] File is clean.

 

File : C:\Users\Aju\AppData\Local\Google\Chrome\User Data\Default\Preferences

 


 

File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences

 

[OK] File is clean.

 

*************************

 

AdwCleaner[s1].txt - [5899 octets] - [06/07/2013 16:24:06]

 

########## EOF - C:\AdwCleaner[s1].txt - [5959 octets] ##########

 

AdwCleanerS1.txt

Link to post
Share on other sites

PERTAINING TO STEP 5

ESET ONLINE SCAN REPORT (log): (also attached as text file)

 

C:\Program Files\0048\014.js JS/Kryptik.ALL trojan

C:\Qoobox\Quarantine\C\Program Files\DefaultTab\DefaultTabSearch.exe.vir a variant of Win32/Toolbar.DefaultTab.B application

C:\Qoobox\Quarantine\C\Users\Aju\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll.vir Win32/Toolbar.DefaultTab.A application

C:\Qoobox\Quarantine\C\Users\Aju\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart.exe.vir Win32/Toolbar.DefaultTab.A application

C:\Qoobox\Quarantine\C\Users\Aju\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart64.exe.vir Win64/Toolbar.DefaultTab.A application

C:\Qoobox\Quarantine\C\Users\Aju\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabWrap.dll.vir Win32/Toolbar.DefaultTab.A application

C:\Qoobox\Quarantine\C\Users\Aju\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabWrap64.dll.vir Win64/Toolbar.DefaultTab.A application

C:\Qoobox\Quarantine\C\Users\Aju\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe.vir Win32/Toolbar.DefaultTab.A application

C:\Users\Administrator\AppData\Roaming\1f401\0956.js JS/Kryptik.ALL trojan

C:\Users\Aju\AppData\Roaming\1f401\0956.js JS/Kryptik.ALL trojan

C:\Users\Aju\Downloads\cbsidlm-tr1_13-Realtek_High_Definition_Audio_Codec_Windows_Vista__Windows_7__Windows_8_32bit-ORG-10788600.exe Win32/DownloadAdmin.G application

C:\Users\Basil Benjamin\AppData\Roaming\1f401\0956.js JS/Kryptik.ALL trojan

C:\Users\Basil Benjamin\Desktop\pics\waterfallsFree.exe a variant of Win32/InstallIQ.A application

C:\Users\Basil Benjamin\Documents\InternationalPrimoPDF.exe Win32/OpenCandy application

C:\Users\Basil Benjamin\Documents\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application

C:\Users\Basil Benjamin\Documents\Downloads\winamp5621_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application

C:\Users\Basil Benjamin\Downloads\setup.exe multiple threats

C:\Users\Basil Benjamin\Downloads\SoftonicDownloader_for_camstudio.exe a variant of Win32/SoftonicDownloader.D application

C:\Users\Basil Benjamin\Downloads\veetle-0.9.19.exe Win32/OpenCandy application

C:\Users\Basil Benjamin\Downloads\VLCVideoConverterSetup.exe a variant of Win32/Somoto.A application

C:\Users\Basil Benjamin\Downloads\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application

D:\Aju Downloads\cnet2_Nero_BurnLite-10_0_10500_exe.exe a variant of Win32/InstallCore.D application

D:\Aju Downloads\cnet2_Setup_FreeBurner_exe.exe a variant of Win32/InstallCore.D application

D:\Aju Downloads\Setup_FreeBurner.exe Win32/Toolbar.SearchSuite application

D:\Aju Downloads\SoftonicDownloader_for_daemon-tools.exe a variant of Win32/SoftonicDownloader.A application

D:\Aju Downloads\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application

D:\Back up- 15082011\basil Benjamin\My Documents\InternationalPrimoPDF.exe Win32/OpenCandy application

D:\BASIL FOLDERS\BPCL E  Folder\pics\waterfallsFree.exe a variant of Win32/InstallIQ.A application

D:\BASIL FOLDERS\BPCL E  Folder\U music\va21.exe a variant of Win32/AdInstaller application

D:\DAP Downloads\VA32_DapSo.exe a variant of Win32/Bundled.Toolbar.Ask application

D:\Dropbox Folder(Aju)\Dropbox\Cracks & Keygens\novation v station keygen.exe a variant of Win32/Keygen.AD application

D:\My Documents\InternationalPrimoPDF.exe Win32/OpenCandy application

 

ESET Online Scan Report_johnluther.txt

Link to post
Share on other sites

  • Root Admin

Topic has been re-opened on the understanding that all illegal software has been removed from the system.

Please go ahead and delete everything from the ESET log except the items under C:\Qoobox\ those are already neutralized.

 

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


 

Thanks

Link to post
Share on other sites

  • Root Admin

Let's see if this tool can help to reset for you or not.  I'll check back on you tomorrow.

 

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.