WiredWX Christian Hobby Weather Tools

browser manager/claro
good morning, I started to download from cnet program and realized immediately it had a malware type thing with it. It is the Claro/hijack my Firefox homepage, search engine...etc. I managed to cancel the download half way through but alas I am dealing with this now. I got it removed from add/remove programs, I ran some scans...we change the homepage, and now I am stuck with the 'browser manager' on the programs list at start. It has an uninstall but if I remember from the last time I came across it, it just reinstalls the stuff, so I have left that alone. Could you please help me remove it from the laptop. It is a Dell D600. thanks!

brick

Re: browser manager/claro

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Re: browser manager/claro

adware cleaner scan first: Thanks...will do malware next

# AdwCleaner v2.008 - Logfile created 11/19/2012 at 15:08:28
# Updated 17/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - FRITSCH-9X4CGZS
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\My Documents\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****

Found : Application Updater
Found : Browser Manager

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\user.js
Folder Found : C:\Documents and Settings\Administrator\Application Data\Babylon
Folder Found : C:\Documents and Settings\Administrator\Application Data\Search Settings
Folder Found : C:\Documents and Settings\Administrator\Local Settings\Application Data\Wajam
Folder Found : C:\Documents and Settings\Administrator\Start Menu\Programs\Browser Manager
Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\All Users\Application Data\Browser Manager
Folder Found : C:\Program Files\Application Updater
Folder Found : C:\Program Files\Common Files\spigot

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Search Settings
Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\DataMngr_Toolbar
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKCU\Software\Search Settings
Key Found : HKLM\Software\Application Updater
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Found : HKLM\Software\Search Settings
Key Found : HKLM\SOFTWARE\Software
Key Found : HKU\S-1-5-21-583907252-1580818891-1060284298-500\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Value Found : HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Value Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [bProtectorDefaultScope]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]
Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]

***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.5512

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.claro-search.com/?affID=117467&tt=4612_7&babsrc=HP_ss&mntrId=6c8db43b000000000000001143433540
[HKCU\Software\Microsoft\Internet Explorer\Main - bProtector Start Page] = hxxp://www.claro-search.com/?affID=117467&tt=4612_7&babsrc=HP_ss&mntrId=6c8db43b000000000000001143433540

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Documents and Settings\Fritsch Family Dell\Application Data\Mozilla\Firefox\Profiles\ej2mcfv2.default\prefs.js

[OK] File is clean.

Profile name : default-1353292727416 [Profil par défaut]
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0mkfel3l.default-1353292727416\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4321 octets] - [19/11/2012 15:08:28]

########## EOF - C:\AdwCleaner[R1].txt - [4381 octets] ##########
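The AdwCleaner report above is the one artifact in this thread that names the hijack components directly. As an added example (not part of the original post, and not AdwCleaner's own code), the script below parses that report format, groups what was found by adware family, and flags Internet Explorer start pages that point outside a trusted host set; the keyword-to-family table, the trusted host list and the shortened sample lines are assumptions constructed for the example.

```python
"""Triage helper for AdwCleaner v2 "Search" reports in the format posted
above. Groups findings by report section and adware family and flags
browser start pages that point outside a trusted host set."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of the report format above (paths shortened).
SAMPLE_LOG = r"""
***** [Services] *****
Found : Application Updater
Found : Browser Manager
***** [Files / Folders] *****
File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
Folder Found : C:\Program Files\Common Files\spigot
***** [Registry] *****
Key Found : HKCU\Software\DataMngr
Key Found : HKLM\Software\Conduit
Value Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [bProtectorDefaultScope]
***** [Internet Browsers] *****
[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.claro-search.com/?affID=117467&tt=4612_7&babsrc=HP_ss
[HKCU\Software\Microsoft\Internet Explorer\Main - bProtector Start Page] = hxxp://www.claro-search.com/?affID=117467&tt=4612_7&babsrc=HP_ss
[OK] File is clean.
"""

# Keyword -> family table (an assumption for this example; the keywords are
# the component names that appear in the report, matched case-insensitively).
FAMILIES = {
    "claro": "Claro/Babylon",
    "babylon": "Claro/Babylon",
    "bprotect": "bProtector",
    "datamngr": "DataMngr",
    "browser manager": "Browser Manager",
    "application updater": "Application Updater",
    "spigot": "Spigot",
    "search settings": "Search Settings",
    "conduit": "Conduit",
    "wajam": "Wajam",
    "crossrider": "Crossrider",
}

SECTION_RE = re.compile(r"^\*+ \[(?P<name>[^\]]+)\] \*+$")
FINDING_RE = re.compile(r"^(?P<kind>(?:File |Folder |Key |Value )?Found) : (?P<item>.+)$")
START_PAGE_RE = re.compile(r"^\[(?P<key>[^\]]+ - [^\]]*Start Page)\] = (?P<url>\S+)$")


def parse_report(text):
    """Return (findings, start_pages). findings: (section, kind, item);
    start_pages: (registry key, URL exactly as printed, i.e. defanged hxxp)."""
    findings, start_pages = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group("name")
        elif (m := FINDING_RE.match(line)) and section:
            findings.append((section, m.group("kind"), m.group("item")))
        elif m := START_PAGE_RE.match(line):
            start_pages.append((m.group("key"), m.group("url")))
    return findings, start_pages


def classify(findings):
    """Group finding items by adware family using FAMILIES (first match wins)."""
    by_family = defaultdict(list)
    for _section, _kind, item in findings:
        low = item.lower()
        family = next((f for k, f in FAMILIES.items() if k in low), "unclassified")
        by_family[family].append(item)
    return dict(by_family)


def suspicious_start_pages(start_pages, trusted_hosts):
    """Flag start pages whose host is outside trusted_hosts, keeping the
    affiliate parameters (affID, babsrc) the hijacker appended to the URL."""
    flagged = []
    for key, url in start_pages:
        # The report defangs URLs as hxxp; restore the scheme for parsing only.
        parts = urlsplit(url.replace("hxxp", "http", 1))
        host = parts.hostname or ""
        if host in trusted_hosts:
            continue
        qs = parse_qs(parts.query)
        flagged.append({"key": key, "host": host,
                        "affid": qs.get("affID", [None])[0],
                        "babsrc": qs.get("babsrc", [None])[0]})
    return flagged


def summarize(text, trusted_hosts=frozenset({"www.google.com"})):
    """One-shot triage of a report: counts per section, items per family,
    flagged start pages, and how many browser profiles were marked clean."""
    findings, start_pages = parse_report(text)
    return {
        "per_section": dict(Counter(s for s, _, _ in findings)),
        "families": classify(findings),
        "hijacked": suspicious_start_pages(start_pages, trusted_hosts),
        "clean_profiles": sum(1 for l in text.splitlines() if l.startswith("[OK]")),
    }
```

Running `summarize()` over the full report posted above would list the same families (Claro/Babylon, bProtector, DataMngr, Browser Manager, Application Updater, Spigot, Search Settings, Conduit, Wajam, Crossrider) and flag both IE start-page values, while the two Firefox profiles count as clean.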

Re: browser manager/claro

malware log....on to the final scan...thanks!

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.19.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Administrator :: FRITSCH-9X4CGZS [administrator]

11/19/2012 3:49:49 PM
mbam-log-2012-11-19 (15-49-49).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 271346
Time elapsed: 55 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Administrator\My Documents\Downloads\installer_adwcleaner.exe (PUP.BundleInstaller.BEN) -> Quarantined and deleted successfully.

(end)

Re: browser manager/claro

here is the final log, security check log. Thanks so much!

brick

Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Secunia PSI (3.0.0.2004)
Malwarebytes Anti-Malware version 1.65.1.1000
Java 7 Update 9
Adobe Flash Player 11.5.502.110
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 2%
````````````````````End of Log``````````````````````

Re: browser manager/claro

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Rename ComboFix.exe to commy.exe before you save it to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


(screenshot: Query_RC)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(screenshot: RC_successful)

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: browser manager/claro

here is the combo fix log: Thanks so much!

brick

ComboFix 12-11-20.02 - Administrator 11/20/2012 17:17:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1515 [GMT -5:00]
Running from: c:\documents and settings\Administrator\desktop\commy.exe
Command switches used :: /stepdel
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\URTTemp
c:\documents and settings\All Users\SPL3A5B.tmp
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-20 to 2012-11-20 )))))))))))))))))))))))))))))))
.
.
2012-11-05 19:59 . 2012-11-05 19:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\CrashRpt
2012-11-05 19:58 . 2012-11-05 19:59 -------- d-----w- c:\documents and settings\Administrator\KAG
2012-11-03 15:19 . 2012-11-03 15:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Razer
2012-11-03 15:19 . 2012-11-03 15:19 -------- d-----w- c:\program files\Razer
2012-11-03 15:19 . 2012-11-03 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Razer
2012-10-26 22:20 . 2012-09-25 03:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-12 16:11 . 2012-03-29 15:13 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-12 16:11 . 2012-01-23 22:59 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-30 23:51 . 2012-01-23 20:57 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 23:51 . 2012-01-23 20:57 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 23:51 . 2012-01-23 20:57 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 23:51 . 2012-01-23 20:57 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51 . 2012-01-23 20:57 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-30 23:51 . 2012-01-23 20:57 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-30 23:51 . 2012-01-23 20:57 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 23:51 . 2012-01-23 20:57 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-30 23:51 . 2012-01-23 20:57 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 23:50 . 2012-01-23 20:57 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-22 08:37 . 2002-09-03 20:03 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2002-09-03 19:58 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2012-01-23 21:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-19 18:37 . 2012-06-29 15:25 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-19 18:37 . 2012-01-23 23:19 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-17 21:00 . 2012-09-17 21:00 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2012-09-17 21:00 . 2012-09-17 21:00 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2012-09-17 21:00 . 2012-09-17 21:00 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2012-09-17 21:00 . 2012-09-17 21:00 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2012-08-30 20:29 . 2012-01-23 17:06 81920 ------w- c:\windows\system32\ieencode.dll
2012-08-30 20:29 . 2002-09-03 20:03 667136 ----a-w- c:\windows\system32\wininet.dll
2012-08-30 20:29 . 2002-09-03 19:58 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-08-28 13:00 . 2012-01-23 17:06 369664 ------w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2002-09-03 20:03 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-10-30 15:06 . 2012-10-30 15:05 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-06 4763008]
"Akamai NetSession Interface"="c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-10-09 4441920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GB_UPDATE"="c:\program files\Razer\Razer Game Booster\AutoUpdate.exe/AUTORUN" [X]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\Fritsch Family Dell\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-6-27 572000]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmjswx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Documents and Settings\\Administrator\\KAG\\KAG.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"1076:TCP"= 1076:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/23/2012 3:57 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/23/2012 3:57 PM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/23/2012 3:57 PM 21256]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [6/27/2012 2:25 AM 1326176]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [6/27/2012 2:25 AM 681056]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 9:19 AM 15544]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/3/2012 12:19 PM 160944]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [2/27/2012 2:07 PM 8576]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 16:11]
.
2012-11-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-02 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride =
TCP: DhcpNameServer = 192.168.10.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0mkfel3l.default-1353292727416\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/webhp?hl=en
FF - ExtSQL: 2012-10-30 11:05; {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-08 11:07; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Philips Intelligent Agent - c:\program files\Philips\Intelligent Agent\Philips Intelligent Agent.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-EMBARQDSLSetup - d:\installs\BrdJmp\EMBARQDSLSetup.exe
HKLM-Run-SPC_Monitor - c:\windows\Philips\SPC230NC\Monitor.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-20 17:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\msi.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\lxdmcoms.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2012-11-20 17:31:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-20 22:31
.
Pre-Run: 115,954,774,016 bytes free
Post-Run: 117,482,848,256 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - A7ACE186096820F054F5D954B47870ED

Re: browser manager/claro

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

**************************************************

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Re: browser manager/claro

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B696F000
Module End: B6987000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F79B9000
Module End: F79BB000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAddBootEntry
Address: B6A8E4BA
Driver Base: B6A77000
Driver End: B6B2F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwAllocateVirtualMemory
Address: B6B3BC22
Driver Base: B6B2F000
Driver End: B6B85000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwAssignProcessToJobObject
Address: B6A8EED6
Driver Base: B6A77000
Driver End: B6B2F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwClose
Address: B6AD0811
Driver Base: B6A77000
Driver End: B6B2F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateEvent
Address: B6A99FA8
Driver Base: B6A77000
Driver End: B6B2F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateEventPair
Address: B6A99FF4
Driver Base: B6A77000
Driver End: B6B2F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateIoCompletion
Address: B6A9A176
Driver Base: B6A77000
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateProcessEx
At Address: 8058304C
Jump To: B6B54E5A
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: PsGetProcessInheritedFromUniqueProcessId
At Address: 804FD889
Jump To: EABC805A
Module Name: _unknown_

Hooked Function: ObMakeTemporaryObject
At Address: 8059EA53
Jump To: B6B51CF6
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObInsertObject
At Address: 8056513A
Jump To: B6B53810
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Hidden files/folders:

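Added example, not code from the thread or from the SysProt or RogueKiller tools: a small Python triage script that parses the "Kernel Hooks" records and RogueKiller's SSDT line from the logs above into one structure and flags any hook whose jump target resolves to no loaded driver image (the `_unknown_` entry) for a closer look. The allowlist of expected hooking drivers is constructed from the products these logs name, not a vetted list; a real triage would verify the files' signatures.

```python
"""Triage SysProt 'Kernel Hooks' records and RogueKiller SSDT lines."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the four SysProt hook records and the RogueKiller
# SSDT line as they appear in the thread's logs.
SAMPLE_LOG = r"""
Kernel Hooks:
Hooked Function: ZwCreateProcessEx
At Address: 8058304C
Jump To: B6B54E5A
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: PsGetProcessInheritedFromUniqueProcessId
At Address: 804FD889
Jump To: EABC805A
Module Name: _unknown_

Hooked Function: ObMakeTemporaryObject
At Address: 8059EA53
Jump To: B6B51CF6
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

SSDT[257] : NtTerminateProcess @ 0x805857B9 -> HOOKED (\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS @ 0xB6B8F640)
"""

# SysProt record layout: four "Key: value" lines per hook.
SYSPROT_RE = re.compile(
    r"Hooked Function:\s*(?P<func>\S+)\s*\n"
    r"At Address:\s*(?P<at>[0-9A-Fa-f]+)\s*\n"
    r"Jump To:\s*(?P<to>[0-9A-Fa-f]+)\s*\n"
    r"Module Name:\s*(?P<module>.+)"
)
# RogueKiller layout: one line per hooked SSDT slot.
ROGUEKILLER_RE = re.compile(
    r"SSDT\[\d+\]\s*:\s*(?P<func>\w+)\s*@\s*0x(?P<at>[0-9A-Fa-f]+)"
    r"\s*->\s*HOOKED\s*\((?P<module>.+?)\s*@\s*0x(?P<to>[0-9A-Fa-f]+)\)"
)

# Constructed allowlist: security-product drivers named in this thread's logs.
KNOWN_HOOKING_DRIVERS = {"aswsp.sys", "aswsnx.sys", "saskutil.sys"}


@dataclass
class KernelHook:
    function: str
    at: int        # address of the hooked function / SSDT entry
    jump_to: int   # where the hook redirects execution
    module: str    # driver the tool attributed the target address to

    @property
    def module_file(self) -> str:
        return self.module.rsplit("\\", 1)[-1].lower()

    def verdict(self) -> str:
        # A target that maps to no loaded driver image is the first thing
        # a helper should look at: legitimate products load as named drivers.
        if self.module == "_unknown_":
            return "INVESTIGATE: jump target is not inside any loaded driver image"
        if self.module_file in KNOWN_HOOKING_DRIVERS:
            return "expected: hook belongs to a known security product"
        return "REVIEW: hook from a driver not on the allowlist"


def parse_kernel_hooks(text: str) -> list[KernelHook]:
    hooks = [KernelHook(m["func"], int(m["at"], 16), int(m["to"], 16), m["module"].strip())
             for m in SYSPROT_RE.finditer(text)]
    hooks += [KernelHook(m["func"], int(m["at"], 16), int(m["to"], 16), m["module"].strip())
              for m in ROGUEKILLER_RE.finditer(text)]
    return hooks


def triage(text: str) -> dict[str, str]:
    """Map each hooked function name to a verdict string."""
    return {h.function: h.verdict() for h in parse_kernel_hooks(text)}


if __name__ == "__main__":
    for func, verdict in triage(SAMPLE_LOG).items():
        print(f"{func:45s} {verdict}")
```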
Re: browser manager/claro
RogueKiller V8.3.1 [Nov 20 2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 11/21/2012 11:34:26

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] SysProt.exe -- C:\Documents and Settings\Administrator\Desktop\SysProt\SysProt\SysProt.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Akamai NetSession Interface ("C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-583907252-1580818891-1060284298-500[...]\Run : Akamai NetSession Interface ("C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe") -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[257] : NtTerminateProcess @ 0x805857B9 -> HOOKED (\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS @ 0xB6B8F640)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS541616J9AT00 +++++
--- User ---
[MBR] e3138a8fc379cff7a4ed4098f7fafe10
[BSP] 8d444879626e33db4357752b4a9851e2 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11212012_02d1134.txt >>
RKreport[1]_S_11212012_02d1134.txt



Re: browser manager/claro
Ok, FYI...we now have the incredibar homepage...before we didn't, perhaps from one of the download sites for the scans?

thanks

brick

bump

Re: browser manager/claro
Sorry, I didn't get the notification. Can you change your home page to the one you really want?
perhaps from one of the download sites for the scans?

No, I don't think so. All the tools I use are safe with no adware. How's your computer working now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the ESET Online Scanner button.
•For alternate browsers only (Microsoft Internet Explorer users can skip these steps):

  • Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.

•Check the "Accept Terms" box.
•Click the Start button.
•Accept any security warnings from your browser.
•Check "Scan archives".
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push "List threats".
•Push "Export", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the Back button.
•Push "Finish".
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: browser manager/claro
No biggie Superdave, I figured with holiday weekend, I wouldn't see anything until sunday or monday most likely, but thought I would put the bump in anyway just in case.
I was able to set the correct homepage and it has remained so, but the open a new tab pulls up the incredibar home page..so we're half correct. I don't know if that is something under the firefox I need to change...but it never did that before. Otherwise it is running fine.

will run the eset and post log next

thanks!

brick

Re: browser manager/claro

but the open a new tab pulls up the incredibar home page..so we're half correct.

Please look in your programs to see if you can uninstall that incredibar.

Re: browser manager/claro

I looked in both control panel add and remove and it is not listed and I looked under programs and it is not listed. It only is there when I click 'open tab' and instead of going to google search page it says Mystart incredibar.

running eset now.

thanks

brick

Superdave wrote:
but the open a new tab pulls up the incredibar home page..so we're half correct.

Please look in your programs to see if you can uninstall that incredibar.

Re: browser manager/claro

here is the eset scanner...there was a lot of stuff there! LOL!

edit: I just checked the open tab option and it is still showing the my start incredibar...

thanks

brick

C:\Documents and Settings\Administrator\Desktop\Setup.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP158\A0056106.msi probably a variant of Win32/Toolbar.Widgi application deleted - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP159\A0056227.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP159\A0056245.dll a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP159\A0056246.dll a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP168\A0058683.msi probably a variant of Win32/Toolbar.Widgi application deleted - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP169\A0059013.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP169\A0059014.dll a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP169\A0059015.dll a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP179\A0064548.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP179\A0064569.exe Win32/DownloadAdmin.E application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP179\A0064659.dll a variant of Win32/bProtector.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP179\A0064660.exe a variant of Win32/bProtector.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP179\A0064661.exe a variant of Win32/bProtector.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP182\A0065090.msi probably a variant of Win32/Toolbar.Widgi application deleted - quarantined
C:\System Volume Information\_restore{EA80D543-91A2-44B2-95A0-7BCB641BD482}\RP184\A0065357.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined

Re: browser manager/claro
Please try this.

Re: browser manager/claro
YES! That worked! fantastic! thank you!

is there anything else you want me to run?

brick

Re: browser manager/claro
If there's nothing else, we can do some cleanup.

Download this program and run it: Uninstall ComboFix. It will remove ComboFix for you.

*********************************************
To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
****************************************************
Click Start > Computer > right-click the C drive and choose Properties.
Click Disk Cleanup from there.


Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.


This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
************************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: browser manager/claro
Ok Superdave, I did the above and I thank you for all your hard work. Everything seems to be just fine again. thanks for the suggestions also, there are several I did not know about but look interesting.

have a great holiday season!

brick

Re: browser manager/claro
You're welcome and you also have a good, safe Holiday season.
