rjackson

I Can't Seem to Get Rid of This Trojan JS:HideMe-B [Trj]


I have a blog, and now if I try to open the webpage it gets blocked with an antivirus warning about this Trojan, JS:HideMe-B. But I can't get rid of it.

 

I am attaching my DDS report. What do you suggest?

 

Thank you.


Hi Reginald,

 

1. Regarding your blog, I think that either it has been hacked and someone has changed the code for the pages, or it's a false positive from Avast. In the first case, you need to restore the pages of the blog. In the other case, you need to inform Avast of the false positive and Avast will change its definitions; see http://forum.avast.com/index.php?topic=131579.0 .

 

2. Regarding your computer, there are too many antivirus programs running. As far as I can see you have three programs with real-time protection, Ad-Aware, Avast and Microsoft Security Essentials, and that can give you many problems such as crashes and a slow computer. Uninstall all of them, restart the computer, and install one of them. If you choose not to install Ad-Aware as your main antivirus program, you can install it in compatible mode as an on-demand scanner. When Ad-Aware is installed as an on-demand scanner, it will not have real-time protection enabled. As far as I know, the other two antivirus programs don't have that mode.

 

3. But there are also some toolbars and other add-ons to Internet Explorer and Firefox installed that are malicious or questionable.

Ask Toolbar http://www.systemlookup.com/CLSID/56968-GenericAskToolbar_dll_GENERI_1_DLL.html

PageRage Toolbar http://www.systemlookup.com/CLSID/65609-tbPage_dll_tbPag0_dll_tbPag1_dll.html

SaveValet IE http://www.systemlookup.com/CLSID/74685-SaveValetIE_32_dll_SaveValetIE_64_dll.html

Yontoo Layers 1.10.01 http://www.systemlookup.com/CLSID/56875-YontooIEClient_dll_YontooIEClient_2_dll.html

I recommend that you uninstall all of them.

 

4. These two are old versions with a lot of known vulnerabilities that make it easy to infect the computer from a web page:

Java 7 Update 9

Java™ 6 Update 39

I recommend that you uninstall them. If you really need to have Java installed, it is important that you keep it updated at all times. You'll find the latest version on http://www.java.com/ .

 

5. To get rid of everything from those toolbars and add-ons (an uninstallation isn't enough), please save AdwCleaner by Xplode on the desktop: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner

 

Turn off all programs, including browsers.

Double-click on AdwCleaner to start the program.

 

Click on the Search button.

Wait until the search has finished.

A report will be displayed; copy its content and paste it into your answer.

If the report isn't displayed, it exists as C:\AdwCleaner[R1].txt.


Thank you very much for your reply! On my antivirus programs, what if I have real-time protection turned off on all and keep it on for just one of them?


You are welcome, Reginald :)

 

No, it isn't enough to turn off real-time protection, since the drivers of the program are still installed and the conflicts are between the drivers. I recommend that you uninstall Microsoft Security Essentials, since that program isn't as good as Ad-Aware and Avast. You can also uninstall Ad-Aware by following "How to uninstall Ad-Aware 10.x" and, after a restart of the computer, install Ad-Aware in compatible mode as an on-demand scanner; see http://www.lavasoftsupport.com/index.php?/topic/33131-ad-aware-105-released/ .

 

Have you managed to get rid of all the bad toolbars and add-ons to Internet Explorer and Firefox?


Thank you for the information! I will uninstall and install what you suggest.

 

I did manage to get rid of all those toolbars.

 

Thanks again. You're GOOD!


Celicia - A number of toolbars have snuck onto my computer and my Control Panel will not uninstall them. How else can I uninstall toolbar application files?


Hi again,

 

Please, post new logs from DDS since I need to see them to know what to do.


Hi,

 

You have to run DDS again and post the new logs; I need to see the current status of the computer.


Reginald,

 

I have merged your two topics. To attach files to a reply, you have to click the "More Reply Options" button.

 

Please, save AdwCleaner by Xplode on the desktop: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Report button.
A report will be displayed; copy its content and paste it into your answer.
If the report isn't displayed, it exists as C:\AdwCleaner[R1].txt.


1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Clean button.

Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.

A report will be displayed; copy its content and paste it into your answer.
If the report isn't displayed, it exists as C:\AdwCleaner[s1].txt.

2. Run DDS and paste the content of the two logs into your answer.


Hi,

 

1. Which program did you install a few days ago?

2013-09-28 20:18:50 -------- d-----w- c:\program files\CurationSoft

I can't find any information about that program/company.

 

2. What toolbars do you see now when AdwCleaner has deleted a lot of files and registry items related to many toolbars and other add-ons?

 

3. Did the toolbars appear after the installation of all these programs?

2013-09-22 22:06:58 -------- d-----w- c:\program files\Music Remote
2013-09-22 21:05:35 -------- d-----w- c:\program files\GUMA2E1.tmp
2013-09-22 21:00:43 -------- d-----w- c:\program files\Uniblue
2013-09-22 20:45:50 -------- d-----w- c:\program files\SpeedItup Free
2013-09-22 20:44:29 -------- d-----w- c:\programdata\ZalmanInstaller_52331
2013-09-22 20:26:30 -------- d-----w- c:\program files\Uninstaller
2013-09-22 20:25:31 -------- d--h--w- c:\programdata\Common Files
2013-09-22 20:24:41 -------- d-----w- c:\program files\wrapper_inst
2013-09-22 20:07:34 -------- d-----w- C:\900cfa42ac26e50857
2013-09-22 20:04:07 -------- d-----w- c:\program files\LyricsMonkey-1

 

If yes, please uninstall as many of them as possible.

 

4. The Speeditup Free program has very bad reviews, please uninstall it.

https://www.mywot.com/en/scorecard/speeditupfree.com

http://download.cnet.com/SpeedItup-Free/3000-18512_4-10766309.html#rateit

2013-09-22 20:45:50 -------- d-----w- c:\program files\SpeedItup Free

 

5. Upload this file to http://www.virustotal.com/ using the Choose file button (select reanalyze if asked) and post back the link to the scan report:

c:\program files\wrapper_inst\service.exe

 

Repeat with this file: c:\windows\system32\FlashPlayerInstaller.exe

 

6. Are you sure that Severe Weather Alerts is a safe program?

 

7. Open User Account Control Settings by clicking the Start button, and then clicking Control Panel. In the search box, type uac, and then click Change User Account Control settings. Set the level to one of the two highest settings.


Hi once again,

 

Curation Soft was an update. But all the applications you listed, plus the toolbars, all showed up around the same time, and I believe it was when I was asked to update Flash Player and it opened up a download page.

 

I was able to delete all but one: c:\program files\wrapper\inst. I cannot get rid of it.

 

I did run it through the VirusTotal scan and also followed your instructions to raise the level in my User Account Control Settings.

 

I thank you again!


Hi Reginald,

 

I would like to see the results from the VirusTotal site for the two files, to be able to check whether they are good or malicious.

 

It probably was a fake Flash Player update. Always go manually to Adobe's site to get the updates, but usually Flash Player updates itself.

 

You need to use ComboFix to be able to delete the malicious/unwanted files and folders that can't be deleted manually.

Please, follow the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.
If ComboFix displays a message, for example that a rootkit was found, write it down as detailed as possible.


Ok Celecia,

 

I tried to attach the VirusTotal report you asked for, for "c:\program files\wrapper_inst\service.exe," but the upload wouldn't allow me to. It kept saying "You aren't permitted to upload this kind of file." It is just a Word file, but hopefully you can get it from this link: https://app.box.com/s/jtnqdaad9us07vzsfc0g. I'm still having no success in deleting this file.

 

As for the Flash Player file, it was nowhere to be found. I could not find it anywhere on my computer. It may have gotten deleted by AdwCleaner or something.

 

I downloaded and ran ComboFix, but no messages were ever displayed about any rootkit. However, I was able to attach this report.

 

Thank you for your time and patience.

ComboFix Report.txt


Sorry, Reginald,

 

1. I don't want the Virustotal report as an attachment, I want the web address of the report page. When the scan is finished, please copy the content of the address field in the browser (e.g. Internet Explorer) and paste the address into your answer here.

 

2. Please, uninstall (if possible):

SaltarSmart due to http://www.systemlookup.com/CLSID/79057-SaltarSmartBHO_dll.html

Babylon Toolbar http://www.systemlookup.com/CLSID/71915-BabylonToolbarTlbr_dll.html

Browsersafeguard http://www.systemlookup.com/Startup/26305-Browsersafeguard_exe.html

Blubster Toolbar http://www.systemlookup.com/CLSID/5938-Blubster_Toolbar_dll.html

 

3. Please, attach new DDS logs, since you have installed programs after the previous DDS logs were created. Please, avoid installing new programs and making other big changes in the computer.

 

4. Move ComboFix from the Downloads folder to the desktop and run it again. Paste the new log into your answer, since the previous one isn't complete.

 

5. Save SystemLook on the desktop from one of these links:
http://jpshortstuff.247fixes.com/SystemLook.exe
http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

Double-click on SystemLook file to run it.

Copy all lines in the box

:dir
C:\Program Files\wrapper_inst
C:\Program Files\OpenIt
C:\Program Files\bomlabio
:file
c:\windows\system32\FlashPlayerInstaller.exe
c:\program files\wrapper_inst\service.exe
C:\Windows\system32\FlashPlayerApp.exe
C:\Program Files\wrapper_inst\file_to_run.exe
and paste them into the big text field in SystemLook.
Click on the Look button to start the search.
When finished, Notepad will pop up with the log. Copy the log and paste it into your answer. If Notepad doesn't pop up, you can find the log as SystemLook.txt on the desktop.

 

P.S. I prefer that you paste the content of log files directly into your answer instead of attaching them, unless I write otherwise. It's very hard to keep track of all the logs when I get many open Notepad windows.


https://www.virustotal.com/en/file/9464007e1fa64041df6f945668a90607924044e80010eac31135d105048b6832/analysis/1381039188/

ComboFix 13-10-04.02 - dell630 10/06/2013 9:04:18.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1526.693 [GMT -5:00]
Running from: C:\Users\dell630\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\ProgramData\DSearchLink
C:\ProgramData\DSearchLink\DSearchLink.exe

((((((((((((((((((((((((( Files Created from 2013-09-06 to 2013-10-06 )))))))))))))))))))))))))))))))

2013-10-06 14:16:43 . 2013-10-06 14:16:52 -------- d-----w- C:\Users\dell630\AppData\Local\temp
2013-10-06 14:16:43 . 2013-10-06 14:16:43 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-10-05 04:24:37 . 2013-10-05 04:24:37 862712 ----a-r- C:\Users\dell630\AppData\Roaming\Microsoft\Installer\{6848C97D-3728-4199-A70D-817E65D96ECC}\TweetDeck.exe
2013-10-05 04:24:35 . 2013-10-05 04:24:35 -------- d-----w- C:\Program Files\Twitter
2013-10-05 04:03:22 . 2013-10-05 04:03:22 -------- d-----w- C:\Program Files\SaveValet
2013-10-05 04:03:11 . 2013-10-05 04:08:46 -------- d-----w- C:\Program Files\Optimizer Pro
2013-10-05 03:58:44 . 2013-10-06 01:46:08 60872 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{487C0A68-5E79-412E-B783-675F85CB1B13}\offreg.dll
2013-10-05 03:15:02 . 2013-10-05 03:45:03 -------- d-----w- C:\Program Files\Common Files\AVG Secure Search
2013-10-05 00:46:59 . 2013-09-05 05:02:37 7328304 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{487C0A68-5E79-412E-B783-675F85CB1B13}\mpengine.dll
2013-10-04 01:14:06 . 2013-10-04 01:14:30 -------- d-----w- C:\Program Files\Microsoft Mouse and Keyboard Center
2013-10-02 22:47:51 . 2013-10-02 22:47:51 -------- d-----w- C:\Users\dell630\AppData\Local\avgchrome
2013-10-02 21:44:21 . 2013-10-02 21:44:21 -------- d-----w- C:\Users\dell630\AppData\Roaming\0D0S1L2Z1P1B
2013-10-02 21:44:13 . 2013-10-02 21:44:13 -------- d-----w- C:\ProgramData\Babylon
2013-10-02 21:44:12 . 2013-10-02 21:44:12 -------- d-----w- C:\Users\dell630\AppData\Roaming\Babylon
2013-10-02 21:44:09 . 2013-10-02 21:44:09 -------- d-----w- C:\Users\dell630\AppData\Roaming\DigitalSite
2013-10-02 21:44:05 . 2013-10-02 21:44:05 -------- d-----w- C:\Program Files\OpenIt
2013-10-01 03:13:21 . 2003-09-18 19:32:06 499712 ----a-w- C:\Windows\system32\msvcp71.dll
2013-10-01 03:13:21 . 2003-09-18 19:32:06 348160 ----a-w- C:\Windows\system32\msvcr71.dll
2013-10-01 03:13:20 . 2003-09-18 19:32:00 1060864 ----a-w- C:\Windows\system32\MFC71.dll
2013-10-01 03:13:17 . 1998-10-29 21:45:06 306688 ----a-w- C:\Windows\IsUninst.exe
2013-10-01 03:09:10 . 2004-04-23 05:00:00 7680 ----a-w- C:\Windows\system32\CNMVS5y.DLL
2013-10-01 03:09:10 . 2004-04-23 05:00:00 54272 ----a-w- C:\Windows\system32\Spool\prtprocs\w32x86\CNMPP5y.DLL
2013-10-01 02:56:31 . 2004-03-11 16:06:07 86016 ----a-r- C:\Windows\system32\CNMCP5y.exe
2013-10-01 02:54:58 . 2013-10-01 03:13:18 -------- d-----w- C:\Program Files\Canon
2013-10-01 02:37:03 . 2013-10-01 02:37:03 -------- d--h--w- C:\Windows\system32\CanonIJ Uninstaller Information
2013-10-01 02:36:40 . 2013-10-01 02:36:40 -------- d--h--w- C:\ProgramData\CanonBJ
2013-10-01 02:36:28 . 2012-03-14 10:00:00 84992 ----a-w- C:\Windows\system32\Spool\prtprocs\w32x86\CNMPPA9.DLL
2013-10-01 02:36:28 . 2012-03-14 10:00:00 29184 ----a-w- C:\Windows\system32\Spool\prtprocs\w32x86\CNMPDA9.DLL
2013-10-01 02:35:01 . 2010-03-18 22:12:02 114688 ----a-w- C:\Windows\system32\CNC495I.dll
2013-10-01 02:35:00 . 2010-03-18 22:12:28 1335296 ----a-w- C:\Windows\system32\CNC495C.dll
2013-10-01 02:35:00 . 2010-03-18 22:11:30 106496 ----a-w- C:\Windows\system32\CNC495U.dll
2013-10-01 02:34:59 . 2010-03-19 00:25:16 307200 ----a-w- C:\Windows\system32\CNC495L.dll
2013-10-01 02:34:59 . 2008-08-25 23:02:28 15872 ----a-w- C:\Windows\system32\CNHMCA.dll
2013-10-01 02:34:39 . 2012-03-14 10:00:00 311296 ----a-w- C:\Windows\system32\CNMLMA9.DLL
2013-10-01 02:26:17 . 2004-04-23 05:00:00 17920 ----a-w- C:\Windows\system32\Spool\prtprocs\w32x86\CNMPD5y.DLL
2013-10-01 02:26:16 . 2004-04-23 05:00:00 116736 ----a-w- C:\Windows\system32\CNMLM5y.DLL
2013-10-01 02:26:06 . 2013-10-01 02:26:06 -------- d-----w- C:\BJPrinter
2013-10-01 02:25:44 . 2013-10-01 02:25:57 -------- d-----w- C:\Windows\IP1500
2013-10-01 02:25:43 . 2013-10-01 03:08:42 -------- d-----w- C:\Windows\StartHtmico
2013-09-28 20:18:50 . 2013-09-28 20:18:51 -------- d-----w- C:\Program Files\CurationSoft
2013-09-25 01:45:52 . 2013-09-30 01:39:56 -------- d-----w- C:\Program Files\Flash Player Pro
2013-09-22 22:06:58 . 2013-09-22 22:06:58 -------- d-----w- C:\Program Files\Music Remote
2013-09-22 20:44:29 . 2013-09-22 20:47:37 -------- d-----w- C:\ProgramData\ZalmanInstaller_52331
2013-09-22 20:25:31 . 2013-09-22 20:25:31 -------- d--h--w- C:\ProgramData\Common Files
2013-09-22 20:24:41 . 2013-10-01 01:03:08 -------- d-----w- C:\Program Files\wrapper_inst
2013-09-22 20:03:24 . 2013-07-04 07:12:00 632656 ----a-w- C:\Windows\system32\msvcr80.dll
2013-09-22 20:03:23 . 2013-07-04 07:12:00 554832 ----a-w- C:\Windows\system32\msvcp80.dll
2013-09-22 20:03:23 . 2013-07-04 07:12:00 479232 ----a-w- C:\Windows\system32\msvcm80.dll
2013-09-22 03:44:56 . 2013-09-28 23:51:25 -------- d-----w- C:\Program Files\bomlabio
2013-09-21 03:55:45 . 2013-09-21 03:55:45 -------- d-----w- C:\Users\dell630\AppData\Local\twitter
2013-09-21 02:57:00 . 2013-09-21 03:55:18 -------- d-----w- C:\Program Files\SaltarSmart
2013-09-21 02:56:44 . 2013-10-01 00:54:55 -------- d-----w- C:\Users\dell630\AppData\Local\SevereWeatherAlerts
2013-09-20 23:06:01 . 2013-09-20 23:06:01 -------- d-----w- C:\Users\dell630\AppData\Roaming\TweetDeckFast
2013-09-15 04:45:20 . 2013-09-15 04:45:20 -------- d-----w- C:\Users\dell630\SyncFolder
2013-09-15 04:23:19 . 2013-07-04 07:11:58 773968 ----a-w- C:\Windows\system32\msvcr100.dll
2013-09-15 04:23:19 . 2013-07-04 07:11:58 421200 ----a-w- C:\Windows\system32\msvcp100.dll
2013-09-15 04:22:01 . 2013-09-15 04:22:01 -------- d-----w- C:\Users\dell630\AppData\Local\Programs
2013-09-15 04:20:45 . 2013-09-15 04:20:49 -------- d-----w- C:\Users\dell630\AppData\Roaming\SpeedAnalysis3
2013-09-15 04:10:01 . 2013-09-29 03:03:32 -------- d-----w- C:\Program Files\Blubster
2013-09-14 23:08:31 . 2013-09-20 01:09:02 3723656 ----a-w- C:\Windows\system32\FlashPlayerInstaller.exe
2013-09-14 02:30:36 . 2013-08-05 01:56:47 133056 ----a-w- C:\Windows\system32\drivers\ataport.sys
2013-09-14 02:30:33 . 2013-08-08 01:03:07 2348544 ----a-w- C:\Windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-09-22 03:38:44 . 2012-03-30 14:39:15 692616 ----a-w- C:\Windows\system32\FlashPlayerApp.exe
2013-09-22 03:38:43 . 2011-06-15 01:51:35 71048 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-08-30 07:48:13 . 2013-03-14 00:28:24 177864 ----a-w- C:\Windows\system32\drivers\aswVmm.sys
2013-08-30 07:48:13 . 2011-12-07 23:34:57 369584 ----a-w- C:\Windows\system32\drivers\aswSP.sys
2013-08-30 07:48:13 . 2011-12-07 23:34:52 56080 ----a-w- C:\Windows\system32\drivers\aswTdi.sys
2013-08-30 07:48:12 . 2013-03-14 00:28:20 49376 ----a-w- C:\Windows\system32\drivers\aswRvrt.sys
2013-08-30 07:48:12 . 2012-03-22 02:04:38 61680 ----a-w- C:\Windows\system32\drivers\aswRdr2.sys
2013-08-30 07:48:12 . 2011-12-07 23:34:51 770344 ----a-w- C:\Windows\system32\drivers\aswSnx.sys
2013-08-30 07:48:11 . 2012-11-13 01:08:44 21576 ----a-w- C:\Windows\system32\drivers\aswKbd.sys
2013-08-30 07:48:11 . 2011-12-07 23:34:57 29816 ----a-w- C:\Windows\system32\drivers\aswFsBlk.sys
2013-08-30 07:48:11 . 2011-12-07 23:34:45 66336 ----a-w- C:\Windows\system32\drivers\aswMonFlt.sys
2013-08-30 07:47:40 . 2011-12-07 23:33:48 41664 ----a-w- C:\Windows\avastSS.scr
2013-08-30 07:47:32 . 2011-12-07 23:33:47 229648 ----a-w- C:\Windows\system32\aswBoot.exe
2013-08-20 01:04:46 . 2011-04-01 02:54:31 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2013-08-20 01:03:35 . 2011-04-01 02:54:00 2876528 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2013-08-20 01:01:09 . 2011-04-01 02:53:33 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2013-08-20 01:01:01 . 2011-03-31 23:45:08 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2013-08-07 09:22:04 . 2011-03-19 00:00:52 238872 ------w- C:\Windows\system32\MpSigStub.exe
2013-07-25 08:57:27 . 2013-08-19 01:07:50 1620992 ----a-w- C:\Windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01 . 2013-08-19 01:04:10 2048 ----a-w- C:\Windows\system32\tzres.dll
2013-07-11 21:58:18 . 2011-05-04 06:17:29 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2013-07-11 21:56:55 . 2011-04-13 04:42:33 2876528 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2013-07-11 21:52:45 . 2011-04-13 04:42:02 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2013-07-11 21:52:20 . 2011-05-04 05:33:10 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2013-07-09 05:03:34 . 2013-08-19 01:10:28 3913664 ----a-w- C:\Windows\system32\ntoskrnl.exe
2013-07-09 05:03:34 . 2013-08-19 01:10:24 3968960 ----a-w- C:\Windows\system32\ntkrnlpa.exe
2013-07-09 04:53:46 . 2013-08-19 01:10:22 1289096 ----a-w- C:\Windows\system32\ntdll.dll
2013-07-09 04:52:10 . 2013-08-19 01:09:37 175104 ----a-w- C:\Windows\system32\wintrust.dll
2013-07-09 04:50:42 . 2013-08-19 01:09:48 652800 ----a-w- C:\Windows\system32\rpcrt4.dll
2013-07-09 04:46:31 . 2013-08-19 01:09:38 1166848 ----a-w- C:\Windows\system32\crypt32.dll
2013-07-09 04:46:31 . 2013-08-19 01:09:34 140288 ----a-w- C:\Windows\system32\cryptsvc.dll
2013-07-09 04:46:31 . 2013-08-19 01:09:29 103936 ----a-w- C:\Windows\system32\cryptnet.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47:20 121968 ----a-w- C:\Program Files\AVAST Software\Avast\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedItupFree"="C:\Program Files\SpeedItup Free\speeditupfree.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2009-09-23 23:30:48 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2009-09-23 23:30:48 173592]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2009-09-23 23:30:48 150552]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2013-08-30 07:47:34 4858968]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 21:06:36 958576]
"pcreg"="C:\Program Files\wrapper_inst\service.exe" [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 00:02:18 113024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54:14 551296 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Users^dell630^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Socialbox.lnk]
path=C:\Users\dell630\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Socialbox.lnk
backup=C:\Windows\pss\Socialbox.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2013-01-31 15:11:58 542632 ----a-w- C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06:36 958576 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2010-08-19 21:23:10 3069192 ----a-w- C:\Program Files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-09-06 12:39:58 5703920 ----a-w- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2011-07-11 21:47:06 74752 ----a-w- C:\Program Files\Winamp\winampa.exe

R3 dc3d;MS Hardware Device Detection Driver (USB);C:\Windows\system32\DRIVERS\dc3d.sys [2013-03-25 19:41:44 65200]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2013-03-25 00:13:33 2152152]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-08-18 20:25:12 15232]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys [2010-11-20 10:21:14 15872]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 22:13:45 207360]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 22:13:46 980992]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 22:13:45 661504]
R3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 10:24:41 52224]
R3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;C:\Windows\system32\drivers\rdvgkmd.sys [x]
S0 aswKbd;aswKbd; [x]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S0 gfibto;gfibto;C:\Windows\system32\drivers\gfibto.sys [2013-03-17 01:18:12 13560]
S0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys [2011-08-18 20:25:12 64512]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 16:27:02 12880]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 21:55:22 67664]
S1 SBRE;SBRE;C:\Windows\system32\drivers\SBREdrv.sys [2012-07-02 20:52:45 101720]
S2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [2012-09-25 13:49:36 116608]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;C:\Windows\system32\drivers\aswMonFlt.sys [2013-08-30 07:48:11 66336]
S2 pcregservice;pcregservice Service;C:\Program Files\wrapper_inst\file_to_run.exe [2013-09-22 20:24:49 31344]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\netw5v32.sys [2009-07-13 22:02:51 4231168]

Contents of the 'Scheduled Tasks' folder

2013-10-06 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 14:39:15 . 2013-09-22 03:38:44]

2013-10-06 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2013-09-22 20:59:55 . 2013-09-22 20:59:35]

2013-10-06 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2013-09-22 20:59:55 . 2013-09-22 20:59:35]

 

I tried to run SystemLook, but when I click on the "Look" button I always get an error message: "Script Required".

 

The files SaltarSmart, Babylon Toolbar, Browsersafeguard, and Blubster Toolbar have been uninstalled.

 

 

 

 

attach.txt

dds.txt

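The ComboFix log above is read by hand in the replies: the helper looks for autostart entries (Run keys, services) that launch from directories created around the date the toolbars appeared, such as wrapper_inst, and for entries ComboFix lists with [bU] instead of a file timestamp and size. As an added example, not part of this thread and not ComboFix's own code, the Python script below does that correlation over an excerpt of the posted log. The excerpt is a constructed subset of the log lines above, the cut-off date is an assumption taken from the replies, and the script flags the missing-timestamp marker without claiming what [bU] means.

```python
import re
from datetime import date

# Constructed excerpt of the ComboFix log posted in this thread: a few
# "Files Created" lines, Run-key entries and service lines. Not the full log.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2013-09-06 to 2013-10-06 )))))))))))))))))))))))))))))))

2013-10-05 04:24:35 . 2013-10-05 04:24:35 -------- d-----w- C:\Program Files\Twitter
2013-09-22 20:24:41 . 2013-10-01 01:03:08 -------- d-----w- C:\Program Files\wrapper_inst
2013-09-22 20:03:24 . 2013-07-04 07:12:00 632656 ----a-w- C:\Windows\system32\msvcr80.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedItupFree"="C:\Program Files\SpeedItup Free\speeditupfree.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2013-08-30 07:47:34 4858968]
"pcreg"="C:\Program Files\wrapper_inst\service.exe" [bU]

S2 pcregservice;pcregservice Service;C:\Program Files\wrapper_inst\file_to_run.exe [2013-09-22 20:24:49 31344]
S3 netw5v32;Intel Wireless WiFi Link 5000 Series Adapter Driver;C:\Windows\system32\DRIVERS\netw5v32.sys [2009-07-13 22:02:51 4231168]
"""

# "Files Created" lines: created-stamp . modified-stamp size-or-dashes attrs path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d \. \d{4}-\d{2}-\d{2} \d\d:\d\d:\d\d \S+ (\S+) (.+)$")
# Run-key entries: "Name"="path" [timestamp size]  or  "Name"="path" [bU]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[([^\]]*)\]$')
# Service/driver lines: S2 name;display name;path [timestamp size]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$")
# Bracket ComboFix prints for a file it could stat: "YYYY-MM-DD HH:MM:SS size"
STAT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d\d:\d\d:\d\d \d+$")


def new_directories(log_text, since):
    """Directories whose creation date is on or after `since` (ISO date string)."""
    cutoff = date.fromisoformat(since)
    dirs = []
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created, attrs, path = m.groups()
        # attrs starting with 'd' marks a directory in ComboFix's listing
        if attrs.startswith("d") and date.fromisoformat(created) >= cutoff:
            dirs.append(path)
    return dirs


def autostarts(log_text):
    """Every Run-key entry and service/driver line as (kind, name, path, stat)."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            name, path, stat = m.groups()
            found.append(("run", name, path, stat))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, path, stat = m.groups()
            found.append(("service", name, path, stat))
    return found


def under(path, directory):
    """Case-insensitive 'path lives inside directory' test for Windows paths."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def triage(log_text, since):
    """Autostart entries worth a closer look, with the reason(s) for each."""
    fresh = new_directories(log_text, since)
    flagged = []
    for kind, name, path, stat in autostarts(log_text):
        reasons = []
        hits = [d for d in fresh if under(path, d)]
        if hits:
            reasons.append("launches from directory created since %s: %s" % (since, hits[0]))
        if not STAT_RE.match(stat):
            reasons.append("no file timestamp/size recorded (ComboFix printed [%s])" % stat)
        if reasons:
            flagged.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # 2013-09-22 is the day the user says the toolbars and wrapper_inst appeared.
    for entry in triage(COMBOFIX_LOG, "2013-09-22"):
        print("%-8s %-15s %s" % (entry["kind"], entry["name"], entry["path"]))
        for reason in entry["reasons"]:
            print("         - " + reason)
```

Run against the excerpt with the 2013-09-22 cut-off it flags SpeedItupFree (no timestamp), pcreg (inside wrapper_inst and no timestamp) and the pcregservice service (inside wrapper_inst), and leaves the avast Run entry and the Intel driver alone; the Run-entry and service regexes work on the full log as posted, and the cut-off can be moved to narrow or widen the window.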

1. It is very difficult to clean the computer when you install new bad programs during the cleaning.

2013-10-05 04:24:35 -------- d-----w- c:\program files\Twitter
2013-10-05 04:03:22 -------- d-----w- c:\program files\SaveValet
2013-10-05 04:03:11 -------- d-----w- c:\program files\Optimizer Pro
2013-10-05 04:02:26 -------- d-----w- c:\programdata\DSearchLink

http://www.systemlookup.com/CLSID/74685-SaveValetIE_32_dll_SaveValetIE_64_dll.html

Uninstall SaveValet.

 

Don't install more programs if you want any more help from me. An infected computer shouldn't be used for any other purpose than cleaning.

 

2. Regarding SystemLook: Did you copy the lines inside the box and paste them into SystemLook as I wrote?

3. Please, follow the description on http://www.bleepingcomputer.com/combofix/how-to-use-combofix carefully to save ComboFix on the desktop, and not in the Downloads folder, before running ComboFix.


Due to lack of feedback, this topic has been closed.

 

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

 

Thank You !
