WiredWX Christian Hobby Weather Tools
Trojan.JS.Redirector.xa - Page 1

Re: Trojan.JS.Redirector.xa

Go ahead with the log when you can.

Re: Trojan.JS.Redirector.xa

I can't attach .txt files.
I'm getting the message: "Uploaded file is not valid".


It's OK now, it was a "coding" problem - only ANSI is accepted!

Last edited by santasa on 10th January 2013, 2:47 pm; edited 1 time in total

Re: Trojan.JS.Redirector.xa

otl

Re: Trojan.JS.Redirector.xa

extras

Re: Trojan.JS.Redirector.xa

Please tell them here: http://forums.majorgeeks.com/showthread.php?&p=1796958#post1796958 that you'll stay at GeekPolice.

I would like to have you completely remove Firefox and its profile. Please first make a backup of your bookmarks and any other important information.

Let me know if you have trouble preparing for this. Once you're ready, I'll let you know how to do this.

Re: Trojan.JS.Redirector.xa

I see you found out about my little mischief.

Anyway, I am going to do as you asked, although I have two different instances of FF - I have Aurora as 32-bit, and FF17.xx as 64-bit - and both of these provoke Alerts with my KIS2012.
My IE and Opera are apparently unaffected by this infection!

OK then, I have lots of work tonight, especially with my enormous Bookmark file which I have been dragging around since god knows when, so that recently I had much trouble saving it as a backup or moving it from one installation to another - I will post as soon as I am finished, unless something unexpected happens.

Of course, I am sticking with you guys....

Re: Trojan.JS.Redirector.xa

Okay.

Re: Trojan.JS.Redirector.xa

Dear friend, it seems that your instructions helped! I removed FF and Aurora completely, cleared everything from the registry, and installed a new FF.
I made a backup of all my settings & preferences, add-ons, etc., but I will use only the add-ons, bookmarks, and some settings that I am sure won't infect it again.
I would appreciate one last piece of advice regarding what you think I should avoid using from these backups, or where you think this trojan hid itself.

Thank you very much and cheers from Sarajevo,
Santa

Re: Trojan.JS.Redirector.xa

Unfortunately it's back, the Alerts are back!

And since I didn't use anything from those backups except most of the add-ons/extensions, and restored the username & password backups, I suddenly have serious doubts about resolving this issue. I hope I am wrong.

I used FEBE for the backup process and I did it one backup at a time (add-ons separately, preferences separately, themes separately, etc.), which means I was able to restore everything separately and one at a time (even add-ons I could restore one at a time). When I finished restoring add-ons everything was OK, but in the midst of restoring add-on settings/preferences the Alert appeared again - actually it appeared while restoring my registration with WOT.
I will probably remove FF again while waiting for you to reply....

-------

I have reinstalled FF again and I will try to restore just a few of the most essential add-ons, while waiting for your reply...

------

OK - as I said, I reinstalled FF and after that restored some 30-40% of my old add-ons, and also restored Bookmarks and the usernames/passwords option. This time I did not restore Session Backup, the add-on which I suspected was responsible for re-infecting FF with this trojan when I imported backed-up sessions into this add-on (Session Backup or something).
Now I have been browsing like this for a few hours and everything seems alright, for now. But I would like to restore all my add-ons on which I relied so much (like anyone else who uses FF).
So do you have any idea which add-on or its preference was infected, or if you suspect something else...
Santa

Re: Trojan.JS.Redirector.xa

Delete the old ComboFix and download a new one from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and post a log, please.

Re: Trojan.JS.Redirector.xa

ComboFix 13-01-14.01 - Sandi 14.01.2013 19:25:46.2.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2812.1549 [GMT 1:00]
Running from: c:\users\Sandi\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-14 to 2013-01-14 )))))))))))))))))))))))))))))))
.
.
2013-01-14 18:44 . 2013-01-14 18:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-14 18:44 . 2013-01-14 18:44 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-01-14 06:40 . 2013-01-14 06:40 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-01-14 06:37 . 2013-01-14 06:36 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-14 06:36 . 2013-01-14 06:36 -------- d-----w- c:\program files (x86)\Java
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-01-13 15:31 . 2013-01-13 15:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-01-13 15:30 . 2013-01-13 15:31 -------- d-----w- c:\program files (x86)\QuickTime
2013-01-12 21:24 . 2013-01-12 21:24 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-01-12 07:18 . 2013-01-12 07:18 -------- d-----w- c:\users\Sandi\AppData\Local\Mozilla
2013-01-12 03:50 . 2013-01-12 03:50 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3D66D4FC-6916-4805-B11D-B3F5CBC7C8A0}\offreg.dll
2013-01-11 18:56 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3D66D4FC-6916-4805-B11D-B3F5CBC7C8A0}\mpengine.dll
2013-01-10 07:27 . 2013-01-10 07:27 -------- d-----w- c:\program files (x86)\ESET
2013-01-09 04:10 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 04:10 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-09 04:08 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2013-01-09 04:07 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe
2013-01-09 04:07 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-12-22 02:01 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-22 02:01 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-22 02:01 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-22 02:01 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 16:17 . 2012-12-16 16:17 -------- d-----w- c:\users\Sandi\AppData\Local\Adobe_Systems_Incorporate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-14 06:36 . 2010-09-25 20:05 780192 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-01-13 20:16 . 2012-04-01 16:56 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-13 20:16 . 2011-05-14 18:33 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-13 15:16 . 2012-09-01 09:48 859072 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-01-10 02:37 . 2009-10-23 13:47 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-11-30 04:45 . 2013-01-09 04:08 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-14 07:06 . 2012-12-13 02:07 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-13 02:07 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-13 02:07 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-13 02:07 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-13 02:07 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-13 02:07 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-13 02:07 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-13 02:07 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-13 02:07 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-13 02:07 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-13 02:07 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-13 02:07 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-13 02:07 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-13 02:07 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-13 02:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-13 02:07 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-13 02:07 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-13 02:07 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-13 02:07 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-13 02:07 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-13 02:07 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-13 02:07 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\SysWow64\DivXControlPanelApplet.cpl
2012-11-09 05:45 . 2012-12-13 00:10 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-13 00:10 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-02 05:59 . 2012-12-13 00:09 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 05:11 . 2012-12-13 00:09 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-10-29 10:50 . 2011-04-20 13:50 637272 ----a-w- c:\windows\system32\drivers\klif.sys
2012-10-25 02:12 . 2012-10-25 02:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 02:12 . 2012-10-25 02:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-06-16 03:07 . 2011-06-16 03:07 16896 ----a-w- c:\program files\wmdmhelper.dll
2011-06-16 03:07 . 2011-06-16 03:07 139264 ----a-w- c:\program files\dunzip32.dll
2011-06-16 03:07 . 2011-06-16 03:07 641024 ----a-w- c:\program files\rjbres.dll
2011-06-16 03:07 . 2011-06-16 03:07 360960 ----a-w- c:\program files\rjdlg.dll
2011-06-16 03:07 . 2011-06-16 03:07 34304 ----a-w- c:\program files\rjprog.dll
2011-06-16 03:07 . 2011-06-16 03:07 9216 ----a-w- c:\program files\fixrjb.exe
2011-06-16 03:07 . 2011-06-16 03:07 45056 ----a-w- c:\program files\ierjplug.dll
2011-06-16 03:07 . 2011-06-16 03:07 1115376 ----a-w- c:\program files\cddbmusicid.dll
2011-06-16 03:07 . 2011-06-16 03:07 943344 ----a-w- c:\program files\cddblink.dll
2011-06-16 03:07 . 2011-06-16 03:07 23552 ----a-w- c:\program files\tnetdtct.dll
2011-06-16 03:07 . 2011-06-16 03:07 2041072 ----a-w- c:\program files\cddbcontrol.dll
2011-06-16 03:07 . 2011-06-16 03:07 74240 ----a-w- c:\program files\tsasdk.dll
2011-06-16 03:07 . 2011-06-16 03:07 48640 ----a-w- c:\program files\tpasdk.dll
2011-06-16 03:07 . 2011-06-16 03:07 45056 ----a-w- c:\program files\mmcdda32.dll
2011-06-16 03:07 . 2011-06-16 03:07 67072 ----a-w- c:\program files\rpwa3260.dll
2011-06-16 03:07 . 2011-06-16 03:07 16296 ----a-w- c:\program files\realtfon.fon
2011-06-16 03:07 . 2011-06-16 03:07 45744 ----a-w- c:\program files\rpshellsearch.dll
2011-06-16 03:06 . 2011-06-16 03:06 368776 ----a-w- c:\program files\realconverter.exe
2011-06-16 03:06 . 2011-06-16 03:06 344712 ----a-w- c:\program files\convert.exe
2011-06-16 03:06 . 2011-06-16 03:06 390384 ----a-w- c:\program files\mc_enc_mp4v.dll
2011-06-16 03:06 . 2011-06-16 03:06 372864 ----a-w- c:\program files\realtrimmer.exe
2011-06-16 03:06 . 2011-06-16 03:06 120960 ----a-w- c:\program files\realshare.exe
2011-06-16 03:06 . 2011-06-16 03:06 719360 ----a-w- c:\program files\dbghelp.dll
2011-06-16 03:06 . 2011-06-16 03:06 72192 ----a-w- c:\program files\rjwmapln.dll
2011-06-16 03:06 . 2011-06-16 03:06 46592 ----a-w- c:\program files\rpau3260.dll
2011-06-16 03:05 . 2011-06-16 03:05 26768 ----a-w- c:\program files\rndevicedbbuilder.exe
2011-06-16 03:05 . 2011-06-16 03:05 88064 ----a-w- c:\program files\hxaudiodevicehook.dll
2011-06-16 03:05 . 2011-06-16 03:05 116392 ----a-w- c:\program files\rdsf3260.dll
2011-06-16 03:05 . 2011-06-16 03:05 86528 ----a-w- c:\program files\rpplugprot.dll
2011-06-16 03:05 . 2011-06-16 03:05 64672 ----a-w- c:\program files\rpshell.dll
2011-06-16 03:05 . 2011-06-16 03:05 9728 ----a-w- c:\program files\realjbox.exe
2011-06-16 03:05 . 2011-06-16 03:05 17064 ----a-w- c:\program files\rphelperapp.exe
2011-06-16 03:05 . 2011-06-16 03:05 490112 ----a-w- c:\program files\realplay.exe
2011-06-16 03:05 . 2011-06-16 03:05 415416 ----a-w- c:\program files\recordingmanager.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files (x86)\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files (x86)\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Eraser"="c:\program files (x86)\Eraser\Eraser.exe" [2007-12-22 916240]
"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3676952]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-12-13 969104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"TkBellExe"="c:\program files\Update\realsched.exe" [2011-06-16 273544]
"avp"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2012-10-29 206448]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Sandi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys [2011-02-14 44624]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-11 834544]
S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\HWiNFO64\HWiNFO64A.SYS [2011-05-22 28032]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11864]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 29488]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-02 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-02 203264]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2010-11-09 21992]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-10 214040]
S2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-06-22 625816]
S2 PDFSFilter;PDFSFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys [2011-06-06 79888]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-03-30 2075480]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 22544]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2008-07-10 34840]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-26 46176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-03-09 36408]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-14 09:20 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 16:04]
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 16:04]
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2974327514-3669766198-1081035601-1000Core.job
- c:\users\Sandi\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-25 04:15]
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2974327514-3669766198-1081035601-1000UA.job
- c:\users\Sandi\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-25 04:15]
.
2012-12-30 c:\windows\Tasks\HPCeeScheduleForSandi.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-08-17 21:38]
.
2013-01-13 c:\windows\Tasks\ReclaimerUpdateFiles_Sandi.job
- c:\users\Sandi\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-19 21:08]
.
2013-01-14 c:\windows\Tasks\ReclaimerUpdateXML_Sandi.job
- c:\users\Sandi\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-19 21:08]
.
2013-01-10 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Sandi.job
- c:\users\Sandi\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-19 21:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-26 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-26 2004584]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Presario&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Save Page As PDF ... - file://c:\program files (x86)\Nitro PDF\PDF Download\nitroweb.htm
IE: {{E3CB497B-E230-4445-8B34-13476822F867} - c:\program files\Tidy Favorites\OpenTFV.js
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {70BEC6D2-977B-43CB-9A50-424099BA3897} -
TCP: DhcpNameServer = 77.77.192.10 77.78.192.10 94.140.66.194
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\
FF - prefs.js: browser.startup.homepage - hxxps://addons.mozilla.org/en-US/firefox/collections/Santa/s/?page=3|about:newaddon?id={23fcfd51-4958-4f00-80a3-ae97e717ed8b}|https://www.google.ba/search?num=30&hl=bs&client=firefox-a&tbo=d&rls=org.mozilla:en-US:official&spell=1&q=Plugin+for+Firefox&sa=X&ei=8ODyUMrGG4WItQbQhICQBw&ved=0CCoQBSgA&biw=1360&bih=651|https://www.google.ba/search?num=30&hl=bs&client=firefox-a&tbo=d&rls=org.mozilla:en-US:official&q=flash+plugin+for+firefox&revid=1325548727&sa=X&ei=8-DyUJu3GonVtAb2q4DoCg&ved=0CIECENUCKAM&biw=1360&bih=651|https://www.mozilla.org/en-US/plugincheck/|http://www.interoperabilitybridges.com/|https://www.google.ba/search?q=Arsenal&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=rcs|https://plus.google.com/u/0/|https://www.google.com/webhp?hl=en&tab=Xw
FF - ExtSQL: 2013-01-12 23:24; {EF522540-89F5-46b9-B6FE-1829E2B572C6}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}.xpi
FF - ExtSQL: 2013-01-12 23:24; {5546F97E-11A5-46b0-9082-32AD74AAA920}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{5546F97E-11A5-46b0-9082-32AD74AAA920}.xpi
FF - ExtSQL: 2013-01-12 23:24; googledictionary@toptip.ca; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\googledictionary@toptip.ca.xpi
FF - ExtSQL: 2013-01-12 23:24; ehtip@robertkatic; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\ehtip@robertkatic
FF - ExtSQL: 2013-01-12 23:24; abhere2@moztw.org; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\abhere2@moztw.org.xpi
FF - ExtSQL: 2013-01-12 23:57; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-01-12 23:57; tabutils@ithinc.cn; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\tabutils@ithinc.cn.xpi
FF - ExtSQL: 2013-01-12 23:57; tabscope@xuldev.org; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\tabscope@xuldev.org.xpi
FF - ExtSQL: 2013-01-12 23:57; pavel.sherbakov@gmail.com; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\pavel.sherbakov@gmail.com
FF - ExtSQL: 2013-01-13 00:55; {4BBDD651-70CF-4821-84F8-2B918CF89CA3}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - ExtSQL: 2013-01-13 00:55; zoompage@DW-dev; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\zoompage@DW-dev.xpi
FF - ExtSQL: 2013-01-13 00:55; en-US@dictionaries.addons.mozilla.org; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\en-US@dictionaries.addons.mozilla.org
FF - ExtSQL: 2013-01-13 06:28; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
FF - ExtSQL: 2013-01-13 06:28; {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi
FF - ExtSQL: 2013-01-13 06:28; status4evar@caligonstudios.com; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\status4evar@caligonstudios.com.xpi
FF - ExtSQL: 2013-01-13 16:38; firefox-managefolders@googlecode.com; c:\users\Sandi\AppData\Roaming\Mozilla\Firefox\Profiles\8z67cma1.default\extensions\firefox-managefolders@googlecode.com.xpi
FF - ExtSQL: 2013-01-13 17:14; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; c:\program files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
.
.
"ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
[\]^_™\00\00™\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~™\00\00™\00\00\00\00™\00\00\00\00\00\00\00\00‘’“"
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-14 19:50:52
ComboFix-quarantined-files.txt 2013-01-14 18:50
ComboFix2.txt 2013-01-09 04:28
.
Pre-Run: 77.426.671.616 bytes free
Post-Run: 77.447.884.800 bytes free
.
- - End Of File - - 269EABBB879FB438C0AD200764E15B9A

Re: Trojan.JS.Redirector.xa

I suspect these add-ons/extensions, or rather the data/information/URLs these add-ons preserve:

- Scrapbook
- Session Manager (with Session Manager Export Tool)
- Textarea Cache
- Lazarus: Form Recovery
- Resurrect Pages
- SreenshotPimp

Re: Trojan.JS.Redirector.xa

ComboFix Script


  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::

    Registry::
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    DDS::
    IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {70BEC6D2-977B-43CB-9A50-424099BA3897} -
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

  • Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScriptB-4]
  • Referring to the picture above, drag CFScript.txt onto ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



Norman Malware Cleaner

Please download Norman Malware Cleaner and save to your desktop.
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (e.g. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: To scan USB flash drives and/or other removable drives, use the Add button to browse to the drive's location, click on the drive to highlight it and choose OK.
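Before a script like the one above deletes COM registrations, it is worth checking what the listed CLSIDs resolve to on the machine. In the script, `[-KEY]` is .reg syntax for deleting a whole key and `"name"=-` deletes a single value; `~` is ComboFix's shorthand for SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer. The PowerShell below is an added example, not part of the original post and not a ComboFix feature: it enumerates the 64-bit and Wow6432Node Browser Helper Object and Internet Explorer Toolbar registrations, resolves each CLSID to its InprocServer32 DLL and that file's Authenticode status, and then looks up the two CLSIDs the script removes. The function names (Resolve-Clsid, Get-IeAddOnClsid) and the $scriptTargets variable are this example's own; only the CLSIDs come from the script above.

```powershell
# Added example (not from the original thread): inspect BHO/toolbar CLSIDs
# before a ComboFix "Registry::" section deletes them.

function Resolve-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)
    # 64-bit and 32-bit (Wow6432Node) COM registrations live in separate views,
    # so a CLSID can appear in either, both, or neither.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -LiteralPath (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        $dll  = [Environment]::ExpandEnvironmentVariables([string]$dll)
        $status = if ($dll -and (Test-Path -LiteralPath $dll)) {
            # Valid / NotSigned / HashMismatch / UnknownError ...
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'FileMissing'   # registration points at a DLL that no longer exists
        }
        [pscustomobject]@{ Clsid = $Clsid; View = $root; Name = $name; Dll = $dll; Signature = $status }
    }
}

function Get-IeAddOnClsid {
    # BHOs are registered as subkeys named by CLSID; IE toolbars as value names
    # under the Toolbar key. Both exist in the native and Wow6432Node views.
    $bho = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $tb  = 'Microsoft\Internet Explorer\Toolbar'
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $bhoKey = Join-Path $view $bho
        if (Test-Path -LiteralPath $bhoKey) {
            Get-ChildItem -LiteralPath $bhoKey | ForEach-Object { $_.PSChildName }
        }
        $tbKey = Join-Path $view $tb
        if (Test-Path -LiteralPath $tbKey) {
            (Get-Item -LiteralPath $tbKey).Property |
                Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
        }
    }
}

# 1. Everything currently registered as a BHO or IE toolbar, with the DLL each loads
Get-IeAddOnClsid | Sort-Object -Unique | ForEach-Object { Resolve-Clsid $_ } | Format-Table -AutoSize

# 2. The two CLSIDs the ComboFix script above removes: confirm what they are first
$scriptTargets = '{201f27d4-3704-41d6-89c1-aa35e39143ed}', '{3041d03e-fd4b-44e0-b742-2d9b88305f98}'
foreach ($c in $scriptTargets) {
    $hits = @(Resolve-Clsid $c)
    if ($hits.Count -eq 0) { Write-Host "$c : no CLSID registration found (already gone or never registered)" }
    else { $hits | Format-List | Out-String | Write-Host }
}
```

Run it in PowerShell on the affected machine before dropping CFScript.txt onto ComboFix. A NotSigned status on its own is not proof of malware (plenty of old add-ons shipped unsigned), but a BHO whose DLL is missing, sits under a user profile or temp directory, or fails its hash check is what a redirector-style add-on usually looks like, and noting its path now is useful because ComboFix will quarantine the file when it deletes the registration.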

Re: Trojan.JS.Redirector.xa

I am sorry for the delay; I hope you are still willing to finish this with me. Here's the ComboFix log file....
