
BunnySlave
[Resolved] Browser Hijacked... Avira & MBAM ineffective....
« on: November 10, 2015, 07:53:22 PM »
Greetings,

Unable to clear my sister's machine (again)...
DDS logs herein...
Looking forward to working with experts again... :b
Thanx...

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer:   BrowserJavaVersion: 11.31.2
Run by Cathy at 19:40:54 on 2015-11-10
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2047.1158 [GMT -6:00]
.
AV: Avira Antivirus *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Antivirus *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe
C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\GWX\GWX.exe
C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mStart Page = about:blank
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [Advanced SystemCare 8] "C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe" /auto
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [IObit Malware Fighter] "C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe" /autostart
dRun: [Advanced SystemCare 8] "C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe" /Auto
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_31-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_31-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{37AF2796-50F3-4F84-AB40-1EAFD05F7C29} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{9045BA95-9DAD-403E-846F-B53F55515667} : NameServer = 192.168.2.1
TCP: Interfaces\{9045BA95-9DAD-403E-846F-B53F55515667} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {A6EADE66-0000-0000-484E-7E8A45000000} - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll",CreateReaderUserSettings
x64-Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
x64-Run: [RTHDVCPL] "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\90cfdm9g.default-1425000905695\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Stamps.com Web Postage Plug-in\npsdcwc.dll
FF - plugin: C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\90cfdm9g.default-1425000905695\extensions\coralietab@mozdev.org\plugins\npCoralIETab.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1215155.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\System32\drivers\SmartDefragDriver.sys [2015-11-10 21184]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2014-4-15 28600]
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [2015-1-9 26528]
R2 AdvancedSystemCareService8;Advanced SystemCare Service 8;C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe [2015-1-9 821024]
R2 AntiVirMailService;Avira Mail Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [2014-4-15 932912]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2014-4-15 461672]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2014-4-15 461672]
R2 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [2014-4-15 1147720]
R2 Apple Mobile Device Service;Apple Mobile Device Service;C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2015-10-7 77104]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2014-4-15 163544]
R2 avnetflt;avnetflt;C:\Windows\System32\drivers\avnetflt.sys [2014-4-15 74952]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 IMFservice;IMF Service;C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [2015-3-20 882464]
R2 TeamViewer;TeamViewer 10;C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [2015-3-7 5436176]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-4-16 25816]
R3 RegFilter;RegFilter;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\RegFilter.sys [2015-11-9 34848]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2014-4-11 124088]
S2 LiveUpdateSvc;LiveUpdate;C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2014-1-24 2909472]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-4-16 1135416]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-10-13 114688]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-4-16 63704]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-4-20 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-5-6 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-4-20 30208]
S3 UrlFilter;UrlFilter;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\UrlFilter.sys [2015-11-9 23016]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2015-6-10 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-4-15 1255736]
S4 FileMonitor;FileMonitor;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [2015-11-9 23048]
.
=============== Created Last 30 ================
.
2015-11-10 21:45:45   388096   ----a-r-   C:\Users\Cathy\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2015-11-10 21:45:45   --------   d-----w-   C:\Program Files (x86)\Trend Micro
2015-11-10 21:03:33   --------   d-----w-   C:\Program Files\HitmanPro
2015-11-10 21:00:06   --------   d-----w-   C:\ProgramData\HitmanPro
2015-11-10 13:35:39   15416   ----a-w-   C:\Windows\System32\drivers\ASACPI.sys
2015-11-10 13:30:43   45416   ----a-w-   C:\Windows\System32\drivers\point64.sys
2015-11-10 13:30:43   1721576   ----a-w-   C:\Windows\System32\wdfcoinstaller01009.dll
2015-11-10 13:21:54   --------   d-----w-   C:\Windows\System32\DAX2
2015-11-10 13:21:43   --------   d-----w-   C:\Windows\SysWow64\RTCOM
2015-11-10 13:21:43   --------   d-----w-   C:\Program Files\Realtek
2015-11-10 12:44:48   7639952   ----a-w-   C:\Windows\System32\nvopencl.dll
2015-11-10 12:35:22   128288   ----a-w-   C:\Windows\SysWow64\IObitSmartDefragExtension.dll
2015-11-10 12:35:19   21184   ----a-w-   C:\Windows\System32\drivers\SmartDefragDriver.sys
2015-11-10 05:30:46   3210240   ----a-w-   C:\Windows\System32\win32k.sys
2015-11-05 00:54:44   --------   d-----w-   C:\Users\Cathy\AppData\Local\CEF
2015-11-04 20:14:25   --------   d-----w-   C:\Program Files\iPod
2015-11-04 20:14:24   --------   d-----w-   C:\Program Files\iTunes
2015-11-04 20:11:38   --------   d-----w-   C:\Program Files\Bonjour
2015-11-04 20:10:21   159744   ----a-w-   C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2015-11-04 20:10:21   159744   ----a-w-   C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2015-11-04 20:10:21   159744   ----a-w-   C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2015-11-04 20:10:21   159744   ----a-w-   C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2015-11-04 20:10:21   159744   ----a-w-   C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2015-10-17 17:11:48   766464   ----a-w-   C:\Windows\System32\generaltel.dll
2015-10-17 17:11:48   73216   ----a-w-   C:\Windows\System32\acmigration.dll
2015-10-17 17:11:48   700416   ----a-w-   C:\Windows\System32\invagent.dll
2015-10-17 17:11:48   503808   ----a-w-   C:\Windows\System32\devinv.dll
2015-10-17 17:11:48   25432   ----a-w-   C:\Windows\System32\CompatTelRunner.exe
2015-10-17 17:11:48   1291264   ----a-w-   C:\Windows\System32\appraiser.dll
2015-10-17 17:11:48   1163776   ----a-w-   C:\Windows\System32\aeinv.dll
2015-10-13 18:36:59   968704   ----a-w-   C:\Windows\System32\MsSpellCheckingFacility.exe
2015-10-13 18:35:22   616360   ----a-w-   C:\Windows\System32\winresume.efi
2015-10-13 18:35:21   692672   ----a-w-   C:\Windows\System32\winload.efi
2015-10-13 18:35:18   63488   ----a-w-   C:\Windows\System32\setbcdlocale.dll
2015-10-13 18:35:18   61440   ----a-w-   C:\Windows\System32\drivers\appid.sys
2015-10-13 18:35:18   59392   ----a-w-   C:\Windows\System32\appidapi.dll
2015-10-13 18:35:18   50688   ----a-w-   C:\Windows\SysWow64\appidapi.dll
2015-10-13 18:35:18   32768   ----a-w-   C:\Windows\System32\appidsvc.dll
2015-10-13 18:35:18   17920   ----a-w-   C:\Windows\System32\appidcertstorecheck.exe
2015-10-13 18:35:18   147456   ----a-w-   C:\Windows\System32\appidpolicyconverter.exe
.
==================== Find3M  ====================
.
2015-11-10 20:08:10   780488   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2015-11-10 20:08:10   142536   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-11-10 19:20:53   192216   ----a-w-   C:\Windows\System32\drivers\MBAMSwissArmy.sys
2015-11-10 12:44:48   6295288   ----a-w-   C:\Windows\SysWow64\nvopencl.dll
2015-10-20 18:42:14   98816   ----a-w-   C:\Windows\System32\wudriver.dll
2015-10-20 18:42:14   3168768   ----a-w-   C:\Windows\System32\wucltux.dll
2015-10-20 18:42:14   192512   ----a-w-   C:\Windows\System32\wuwebv.dll
2015-10-20 18:41:36   91136   ----a-w-   C:\Windows\System32\WinSetupUI.dll
2015-10-20 18:41:25   12288   ----a-w-   C:\Windows\System32\wu.upgrade.ps.dll
2015-10-20 18:41:22   37888   ----a-w-   C:\Windows\System32\wuapp.exe
2015-10-20 17:46:02   93696   ----a-w-   C:\Windows\SysWow64\wudriver.dll
2015-10-20 17:46:02   174080   ----a-w-   C:\Windows\SysWow64\wuwebv.dll
2015-10-20 17:45:08   35328   ----a-w-   C:\Windows\SysWow64\wuapp.exe
2015-10-05 15:50:18   63704   ----a-w-   C:\Windows\System32\drivers\mwac.sys
2015-10-05 15:50:10   109272   ----a-w-   C:\Windows\System32\drivers\mbamchameleon.sys
2015-10-05 15:50:06   25816   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2015-09-29 03:16:51   5569472   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2015-09-29 03:13:50   1730496   ----a-w-   C:\Windows\System32\ntdll.dll
2015-09-29 03:11:19   362496   ----a-w-   C:\Windows\System32\wow64win.dll
2015-09-29 03:11:19   243712   ----a-w-   C:\Windows\System32\wow64.dll
2015-09-29 03:11:19   215040   ----a-w-   C:\Windows\System32\winsrv.dll
2015-09-29 03:11:19   13312   ----a-w-   C:\Windows\System32\wow64cpu.dll
2015-09-29 03:11:06   210944   ----a-w-   C:\Windows\System32\wdigest.dll
2015-09-29 03:11:03   86528   ----a-w-   C:\Windows\System32\TSpkg.dll
2015-09-29 03:11:01   503808   ----a-w-   C:\Windows\System32\srcore.dll
2015-09-29 03:11:01   50176   ----a-w-   C:\Windows\System32\srclient.dll
2015-09-29 03:10:59   1216512   ----a-w-   C:\Windows\System32\rpcrt4.dll
2015-09-29 03:10:56   16384   ----a-w-   C:\Windows\System32\ntvdm64.dll
2015-09-29 03:10:55   315392   ----a-w-   C:\Windows\System32\msv1_0.dll
2015-09-29 03:10:53   729088   ----a-w-   C:\Windows\System32\kerberos.dll
2015-09-29 03:10:53   424960   ----a-w-   C:\Windows\System32\KernelBase.dll
2015-09-29 03:10:47   44032   ----a-w-   C:\Windows\System32\cryptbase.dll
2015-09-29 03:10:47   43520   ----a-w-   C:\Windows\System32\csrsrv.dll
2015-09-29 03:10:47   22016   ----a-w-   C:\Windows\System32\credssp.dll
2015-09-29 03:10:30   112640   ----a-w-   C:\Windows\System32\smss.exe
2015-09-29 03:10:25   296960   ----a-w-   C:\Windows\System32\rstrui.exe
2015-09-29 03:09:59   338432   ----a-w-   C:\Windows\System32\conhost.exe
2015-09-29 03:09:53   64000   ----a-w-   C:\Windows\System32\auditpol.exe
2015-09-29 03:05:56   60416   ----a-w-   C:\Windows\System32\msobjs.dll
2015-09-29 03:05:36   146432   ----a-w-   C:\Windows\System32\msaudite.dll
2015-09-29 03:05:01   3990976   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2015-09-29 03:05:01   3936192   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2015-09-29 03:02:09   1311768   ----a-w-   C:\Windows\SysWow64\ntdll.dll
2015-09-29 02:59:20   172032   ----a-w-   C:\Windows\SysWow64\wdigest.dll
2015-09-29 02:59:17   65536   ----a-w-   C:\Windows\SysWow64\TSpkg.dll
2015-09-29 02:59:16   43008   ----a-w-   C:\Windows\SysWow64\srclient.dll
2015-09-29 02:59:10   14336   ----a-w-   C:\Windows\SysWow64\ntvdm64.dll
2015-09-29 02:59:08   259584   ----a-w-   C:\Windows\SysWow64\msv1_0.dll
2015-09-29 02:59:04   552960   ----a-w-   C:\Windows\SysWow64\kerberos.dll
2015-09-29 02:58:57   36864   ----a-w-   C:\Windows\SysWow64\cryptbase.dll
2015-09-29 02:58:57   17408   ----a-w-   C:\Windows\SysWow64\credssp.dll
2015-09-29 02:58:52   44032   ----a-w-   C:\Windows\apppatch\acwow64.dll
2015-09-29 02:58:36   25600   ----a-w-   C:\Windows\SysWow64\setup16.exe
2015-09-29 02:58:05   50176   ----a-w-   C:\Windows\SysWow64\auditpol.exe
2015-09-29 02:57:53   665088   ----a-w-   C:\Windows\SysWow64\rpcrt4.dll
2015-09-29 02:57:53   5120   ----a-w-   C:\Windows\SysWow64\wow32.dll
2015-09-29 02:57:52   274944   ----a-w-   C:\Windows\SysWow64\KernelBase.dll
2015-09-29 02:53:44   60416   ----a-w-   C:\Windows\SysWow64\msobjs.dll
2015-09-29 02:53:28   146432   ----a-w-   C:\Windows\SysWow64\msaudite.dll
2015-09-29 01:50:29   159232   ----a-w-   C:\Windows\System32\drivers\mrxsmb.sys
2015-09-29 01:49:43   290816   ----a-w-   C:\Windows\System32\drivers\mrxsmb10.sys
2015-09-29 01:49:31   129024   ----a-w-   C:\Windows\System32\drivers\mrxsmb20.sys
2015-09-29 01:43:29   7680   ----a-w-   C:\Windows\SysWow64\instnm.exe
2015-09-29 01:43:27   2048   ----a-w-   C:\Windows\SysWow64\user.exe
2015-09-29 01:40:57   6144   ---ha-w-   C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2015-09-29 01:40:57   4608   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2015-09-29 01:40:57   3584   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2015-09-29 01:40:57   3072   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2015-09-24 22:47:55   74952   ----a-w-   C:\Windows\System32\drivers\avnetflt.sys
2015-09-24 22:47:55   163544   ----a-w-   C:\Windows\System32\drivers\avgntflt.sys
2015-09-22 02:07:33   39936   ----a-w-   C:\Windows\System32\drivers\tssecsrv.sys
2015-09-22 02:07:33   22528   ----a-w-   C:\Windows\System32\icaapi.dll
2015-09-16 04:36:53   2724864   ----a-w-   C:\Windows\System32\mshtml.tlb
2015-09-16 04:36:43   4096   ----a-w-   C:\Windows\System32\ieetwcollectorres.dll
2015-09-16 04:22:21   66560   ----a-w-   C:\Windows\System32\iesetup.dll
2015-09-16 04:21:39   48640   ----a-w-   C:\Windows\System32\ieetwproxystub.dll
2015-09-16 04:21:33   417792   ----a-w-   C:\Windows\System32\html.iec
2015-09-16 04:21:27   585728   ----a-w-   C:\Windows\System32\vbscript.dll
2015-09-16 04:21:17   88064   ----a-w-   C:\Windows\System32\MshtmlDac.dll
2015-09-16 04:09:30   5990912   ----a-w-   C:\Windows\System32\jscript9.dll
2015-09-16 04:08:40   114688   ----a-w-   C:\Windows\System32\ieetwcollector.exe
2015-09-16 04:08:38   144384   ----a-w-   C:\Windows\System32\ieUnatt.exe
2015-09-16 04:08:23   814080   ----a-w-   C:\Windows\System32\jscript9diag.dll
2015-09-16 03:50:29   77824   ----a-w-   C:\Windows\System32\JavaScriptCollectionAgent.dll
2015-09-16 03:45:19   2724864   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2015-09-16 03:33:26   504832   ----a-w-   C:\Windows\SysWow64\vbscript.dll
2015-09-16 03:33:07   62464   ----a-w-   C:\Windows\SysWow64\iesetup.dll
2015-09-16 03:32:33   47616   ----a-w-   C:\Windows\SysWow64\ieetwproxystub.dll
2015-09-16 03:32:24   341504   ----a-w-   C:\Windows\SysWow64\html.iec
2015-09-16 03:31:57   64000   ----a-w-   C:\Windows\SysWow64\MshtmlDac.dll
2015-09-16 03:28:33   1359360   ----a-w-   C:\Windows\System32\mshtmlmedia.dll
2015-09-16 03:26:47   2126336   ----a-w-   C:\Windows\System32\inetcpl.cpl
2015-09-16 03:23:01   115712   ----a-w-   C:\Windows\SysWow64\ieUnatt.exe
2015-09-16 03:22:43   620032   ----a-w-   C:\Windows\SysWow64\jscript9diag.dll
2015-09-16 03:11:12   2487808   ----a-w-   C:\Windows\System32\wininet.dll
2015-09-16 03:10:46   60416   ----a-w-   C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2015-09-16 03:05:51   4527616   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2015-09-16 02:55:49   1155072   ----a-w-   C:\Windows\SysWow64\mshtmlmedia.dll
2015-09-16 02:55:45   2052608   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2015-09-16 02:37:26   2011136   ----a-w-   C:\Windows\SysWow64\wininet.dll
.
============= FINISH: 19:41:29.88 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/15/2014 8:24:30 PM
System Uptime: 11/10/2015 6:21:25 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | M2N68-AM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ | AM2 | 2300/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 373 GiB total, 290.081 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: zgjhmzj2mxm4bgj
Device ID: ROOT\LEGACY_ZGJHMZJ2MXM4BGJ\0000
Manufacturer:
Name: zgjhmzj2mxm4bgj
PNP Device ID: ROOT\LEGACY_ZGJHMZJ2MXM4BGJ\0000
Service: zgjhmzj2mxm4bgj
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
4500_G510af_Help
4500G510af
4500G510af_Software_Min
64 Bit HP CIO Components Installer
Adobe Acrobat Reader DC
Adobe AIR
Adobe Flash Player 19 ActiveX
Adobe Flash Player 19 NPAPI
Adobe Refresh Manager
Adobe Shockwave Player 12.1
Advanced SystemCare 8
Apple Application Support (32-bit)
Apple Application Support (64-bit)
Apple Mobile Device Support
Apple Software Update
ASUSUpdate
Avira Antivirus
Bonjour
BufferChm
CutePDF Writer 2.8
Destinations
DeviceDiscovery
DocMgr
DocProc
Driver Booster 3.0
Fax
Google Drive
Google Earth
Google Update Helper
GPBaseService2
HiJackThis
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510a-f
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
HPProductAssistant
HPSSupply
IObit Malware Fighter 3
IObit Uninstaller
iTunes
Java 7 Update 72
Java 8 Update 31
Java Auto Updater
Malwarebytes Anti-Malware version 2.2.0.1024
MarketResearch
Microsoft .NET Framework 4.5.2
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox 42.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Control Panel 309.08
NVIDIA Install Application
NVIDIA Update 1.10.8
NVIDIA Update Components
OCR Software by I.R.I.S. 13.0
OpenOffice.org 3.3
QuickTime 7
Realtek 8136 8168 8169 Ethernet Driver
Realtek High Definition Audio Driver
Scan
Shop for HP Supplies
Smart Defrag 4
SmartWebPrinting
SolutionCenter
SpywareBlaster 5.2
Stamps.com Web Postage Plug-in
Status
Surfing Protection
swMSM
TeamViewer 10
Toolbox
TrayApp
WebReg
WinZip
.
==== Event Viewer Messages From Past Week ========
.
11/9/2015 9:09:33 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
11/9/2015 9:09:05 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
11/9/2015 9:09:05 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
11/9/2015 9:08:53 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AsIO AsUpIO avipbb avkmgr DfsC discache HWiNFO32 mwiynzm4ndy1yjz NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf zgjhmzj2mxm4bgj
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
11/9/2015 9:08:53 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
11/9/2015 6:38:29 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service lltdsvc with arguments "" in order to run the server: {5BF9AA75-D7FF-4AEE-AA2C-96810586456D}
11/9/2015 6:36:51 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
11/9/2015 6:36:38 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AsIO AsUpIO avipbb avkmgr discache HWiNFO32 mwiynzm4ndy1yjz spldr Wanarpv6 zgjhmzj2mxm4bgj
11/9/2015 6:35:27 PM, Error: Service Control Manager [7043]  - The Diagnostics Tracking Service service did not shut down properly after receiving a preshutdown control.
11/9/2015 6:34:02 PM, Error: volmgr [46]  - Crash dump initialization failed!
11/9/2015 5:48:53 PM, Error: Microsoft-Windows-WHEA-Logger [18]  - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Internal Unclassified Error Processor ID: 1 The details view of this entry contains further information.
11/9/2015 5:48:53 PM, Error: Microsoft-Windows-WHEA-Logger [18]  - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Cache Hierarchy Error Processor ID: 1 The details view of this entry contains further information.
11/9/2015 11:35:15 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  mwiynzm4ndy1yjz zgjhmzj2mxm4bgj
11/9/2015 11:22:18 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:  An instance of the service is already running.
11/9/2015 11:21:49 PM, Error: Service Control Manager [7034]  - The Advanced SystemCare Service 8 service terminated unexpectedly.  It has done this 2 time(s).
11/6/2015 8:07:07 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xfffff8a001f51fc0, 0x0000000000000000, 0xfffff880039b06f3, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 110615-37346-01.
11/10/2015 6:24:44 PM, Error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
11/10/2015 6:24:44 PM, Error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
11/10/2015 6:22:42 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  zgjhmzj2mxm4bgj
11/10/2015 5:33:22 PM, Error: Microsoft-Windows-WHEA-Logger [18]  - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Unknown Error Processor ID: 1 The details view of this entry contains further information.
11/10/2015 3:29:36 PM, Error: Service Control Manager [7031]  - The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
11/10/2015 3:24:30 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
11/10/2015 3:18:38 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {0B5A2C52-3EB9-470A-96E2-6C6D4570E40F}
11/10/2015 3:18:31 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
11/10/2015 3:08:00 PM, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
11/10/2015 3:07:43 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
11/10/2015 3:07:43 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
11/10/2015 3:07:32 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11/10/2015 3:07:32 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
11/10/2015 3:07:30 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/10/2015 3:07:25 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11/10/2015 3:06:00 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AsIO AsUpIO avipbb avkmgr discache HWiNFO32 spldr Wanarpv6 zgjhmzj2mxm4bgj
11/10/2015 12:52:09 PM, Error: Microsoft-Windows-WHEA-Logger [18]  - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Bus/Interconnect Error Processor ID: 1 The details view of this entry contains further information.
11/10/2015 1:12:44 PM, Error: Service Control Manager [7031]  - The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/10/2015 1:12:43 PM, Error: Service Control Manager [7034]  - The iPod Service service terminated unexpectedly.  It has done this 1 time(s).
11/10/2015 1:12:42 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/10/2015 1:12:39 PM, Error: Service Control Manager [7034]  - The IMF Service service terminated unexpectedly.  It has done this 1 time(s).
11/10/2015 1:12:39 PM, Error: Service Control Manager [7034]  - The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).
11/10/2015 1:12:39 PM, Error: Service Control Manager [7034]  - The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).
11/10/2015 1:12:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/10/2015 1:12:38 PM, Error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/10/2015 1:12:37 PM, Error: Service Control Manager [7034]  - The NVIDIA Display Driver Service service terminated unexpectedly.  It has done this 1 time(s).
11/10/2015 1:12:37 PM, Error: Service Control Manager [7034]  - The Advanced SystemCare Service 8 service terminated unexpectedly.  It has done this 1 time(s).
.
==== End Of File ===========================

« Last Edit: November 10, 2015, 08:58:10 PM by Hoov »

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27043
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #1 on: November 10, 2015, 08:57:52 PM »
I believe I helped you the last time, so I will skip the preliminaries unless you need me to go over them again.

From the partial Event Viewer logs, it does look like there are all kinds of problems here. But can you tell me what is going on with the computer while I look over the above logs? Also, can you get me a copy of the Event Viewer logs using the instructions below?

I need you to go to the Administrative Tools in Vista / Windows 7. They are in the Control Panel. Open the Admin Tools, then open the Event Viewer. Over on the left hand side, expand the Windows category and then click on System. Then up at the top click on Action and then click on Save Events As, type in system as the file name, make sure file type EVTX is selected, and then navigate so it will save the file to your desktop, then click Save. Over on the left hand side, click on Application. Then up at the top click on Action and then click on Save Events As, type in application as the file name, make sure file type EVTX is selected, and then navigate so it will save the file to your desktop, then click Save. Zip them both up into a single zip file and post them back here in your next reply as attachments.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!
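A command-line equivalent of the Event Viewer export described in the post above, added here as an example and not part of Hoov's instructions or of any tool in the thread: it writes system.evtx and application.evtx to the Desktop with wevtutil and zips them. The 7-day time window is my assumption about what a helper usually needs; a windowed export is far smaller than a full log, which matters when an attachment limit is small, and setting it to 0 exports everything. Compress-Archive needs PowerShell 5.0 or later; on an older machine, zip the two files from Explorer instead. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Exports the System and Application logs
# to the Desktop as EVTX (same result as Event Viewer > Action > Save Events As)
# and zips them. Run from an elevated PowerShell prompt.

$desktop = [Environment]::GetFolderPath('Desktop')
$days    = 7    # assumption: the last 7 days is enough; set to 0 to export everything

# XPath filter understood by wevtutil's /q: option; timediff() returns milliseconds
$query = if ($days -gt 0) {
    "*[System[TimeCreated[timediff(@SystemTime) <= $($days * 86400000)]]]"
} else {
    '*'
}

$exported = foreach ($log in 'System', 'Application') {
    $out = Join-Path $desktop ($log.ToLower() + '.evtx')
    # epl = export-log; /ow:true overwrites a file left from an earlier attempt
    wevtutil epl $log $out "/q:$query" /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil could not export the $log log" }
    $out
}

$zip = Join-Path $desktop 'eventlogs.zip'
Compress-Archive -Path $exported -DestinationPath $zip -Force   # PowerShell 5.0+

# Show what is about to be uploaded, with sizes in MB
Get-Item ($exported + $zip) |
    Select-Object Name, @{ Name = 'MB'; Expression = { [math]::Round($_.Length / 1MB, 2) } } |
    Format-Table -AutoSize
```

The EVTX files produced this way open in Event Viewer on the helper's machine exactly like the ones saved through the GUI, so the person reviewing them loses nothing by the shortcut.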

Offline BunnySlave

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #2 on: November 10, 2015, 09:54:17 PM »
Sir Hoov,
Both files zip to 4.5Mb.
Individually to 896Kb and 3.5Mb...
Together or separate, they are all too big and bounced....
Please advise on alternates...
Thanx

Offline Hoov

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #3 on: November 10, 2015, 10:31:54 PM »
I have sent you a PM with a link where you can get me the log files.

Offline Hoov

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #4 on: November 11, 2015, 12:53:35 PM »
Can you tell me the symptoms of the computer?

Offline BunnySlave

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #5 on: November 11, 2015, 01:44:08 PM »
Sir Hoov,
By the time I hear about issues, it is usually very dysfunctional.

The browsers have a redirect appended on the execution line that re-inserts itself if corrected.
A simple clean/scan does not remove this.  The complaint was difficulty accessing the internet consistently, which may have been a function of redirecting and/or the built-in LAN failing.  A LAN card is now installed, and I am trying to clear the browser(s) of the hijack...
This machine is protected by Avira Security Suite and Firefox script blockers...

Sorry I do not have more.  The logs may be able to tell you more than I, or the owner of the PC....
Hope this helps in your considerations....
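The symptom BunnySlave describes above, a redirect appended to the browser's execution line that comes back after being removed, is consistent with a tampered shortcut: the .lnk file's Arguments field carries a URL, so the browser opens it on every launch no matter what the homepage setting says. The script below is an added example (mine, not from the thread or from any of the tools Hoov lists) that walks the usual shortcut locations, resolves each browser shortcut and flags any with a URL or web file in its Arguments. It is read-only and runs on PowerShell 2.0 and later; the browser executable names and the folders searched are my assumptions about a typical Windows 7 layout.

```powershell
# Added example, not from the thread. Lists browser shortcuts (.lnk) in the
# common locations and flags any whose Arguments field carries a URL, the
# symptom described in the post above. Read-only. PowerShell 2.0 and later.

$shell    = New-Object -ComObject WScript.Shell
$browsers = 'firefox.exe', 'chrome.exe', 'iexplore.exe', 'opera.exe'

# Per-user and all-users Desktop and Start Menu, plus Quick Launch, which also
# holds the shortcuts pinned to the taskbar (assumed Windows 7 layout)
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { Test-Path $_ }

$report = Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        if ($browsers -contains $exe) {
            New-Object PSObject -Property @{
                Shortcut   = $_.FullName
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                # a clean browser shortcut has an empty Arguments field; a URL,
                # a bare domain or a local .html/.url file there is the red flag
                Suspicious = [bool]($lnk.Arguments -match 'https?://|www\.|\.(url|html?)\b')
            }
        }
    }

$report | Sort-Object Suspicious -Descending |
    Select-Object Suspicious, Arguments, Shortcut |
    Format-Table -AutoSize -Wrap

# Clearing a flagged shortcut is one line (left commented out on purpose):
#   $lnk = $shell.CreateShortcut('C:\path\to\Firefox.lnk'); $lnk.Arguments = ''; $lnk.Save()
```

Clearing the Arguments field fixes the shortcut itself; a shortcut that is re-written after being cleared means something else on the machine is still running, which is what the scanning tools requested later in the thread are for.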

Offline Hoov

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #6 on: November 11, 2015, 01:57:40 PM »
Please follow these steps:

1. Download AdwCleaner by Xplode onto your Desktop.
  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • Please be patient as this can take a while to complete.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt.
2. Download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
3. Please download RogueKiller and save it to the desktop.
  • Close all windows and browsers.
  • Double click on RogueKiller.exe to run the tool.
  • Press the Scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please post it in your next reply.


Offline BunnySlave

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #7 on: November 11, 2015, 04:33:38 PM »
# AdwCleaner v5.019 - Logfile created 11/11/2015 at 14:40:57
# Updated 08/11/2015 by Xplode
# Database : 2015-11-09.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Cathy - CATHY-PC
# Running from : C:\System Components\Scan PC\Download\adwcleaner_5.019.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S10].txt - [603 bytes] ##########


==============================================================================


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Home Premium x64
Ran by Cathy on Wed 11/11/2015 at 15:13:39.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully deleted: [Service] zgjhmzj2mxm4bgj [Reboot required]



~~~ Tasks

Successfully deleted: [Task] C:\Windows\system32\tasks\Driver Booster Scheduler
Successfully deleted: [Task] C:\Windows\system32\tasks\Driver Booster SkipUAC (Cathy)
Successfully deleted: [Task] C:\Windows\system32\tasks\Driver Booster SkipUAC (SYSTEM)
Successfully deleted: [Task] C:\Windows\system32\tasks\SmartDefrag4_Startup
Successfully deleted: [Task] C:\Windows\system32\tasks\Uninstaller_SkipUac_Administrator
Successfully deleted: [Task] C:\Windows\system32\tasks\Uninstaller_SkipUac_Cathy



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] C:\Program Files (x86)\iobit\driver booster
Successfully deleted: [Folder] C:\ProgramData\iobit\driver booster
Successfully deleted: [Folder] C:\ProgramData\productdata
Successfully deleted: [Folder] C:\Users\Cathy\AppData\Roaming\iobit\driver booster
Successfully deleted: [Folder] C:\Users\Cathy\AppData\Roaming\productdata



~~~ FireFox

Successfully deleted: [Folder] C:\Users\Cathy\AppData\Roaming\mozilla\firefox\profiles\90cfdm9g.default-1425000905695\extensions\iobitascsurfingprotection@iobit.com
Successfully deleted the following from C:\Users\Cathy\AppData\Roaming\mozilla\firefox\profiles\90cfdm9g.default-1425000905695\prefs.js

user_pref(extensions.xpiState, {\app-profile\:{\coralietab@mozdev.org\:{\d\:\C:\\\\Users\\\\Cathy\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\90cfdm9g
Emptied folder: C:\Users\Cathy\AppData\Roaming\mozilla\firefox\profiles\90cfdm9g.default-1425000905695\minidumps [1 files]



~~~ Chrome


[C:\Users\Cathy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Cathy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Cathy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Cathy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/11/2015 at 15:18:06.13
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


=================================================================================

RogueKiller V10.11.5.0 [Nov  9 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cathy [Administrator]
Started from : C:\Users\Cathy\Desktop\RogueKiller.exe
Mode : Scan -- Date : 11/11/2015 15:37:23

Processes : 0

Registry : 2
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2996338038-1004654043-2043957801-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2996338038-1004654043-2043957801-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

Tasks : 0

Files : 3
[PUP][Folder] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF} -> Found
[PUP][Folder] C:\ProgramData\{3C5CBD7B-3D1D-411E-96C2-513FFCA84D2D} -> Found
[PUP][Folder] C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} -> Found

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000036b])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] b7bd23ecc85301caedf590895eb6d321
[BSP] 188192e2939dcc6e5fdc4b7443e957b8 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 381452 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Offline Hoov

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #8 on: November 11, 2015, 06:51:30 PM »
Uninstall anything from IObit. I have not been too impressed with their products, and they have a bit of a shady past. Not sure it is contributing to the problem, but some of it is being marked as malware, so go ahead and remove it all.

Also run RogueKiller again and click the Scan button. This time when it is done, go through the tabs and check everything that is listed and then click the Delete button.

Post the resulting log.

Now start up Malwarebytes' Anti-Malware and update it and then run a threat scan. If it finds anything, go ahead and fix it and then post the resulting log. If it finds nothing, post that log instead.

Offline BunnySlave

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #9 on: November 11, 2015, 10:56:48 PM »
Sir Hoov,

Attached are the logs from the last run.
I noticed it removed Firefox Adblock, NoScript and IE Tab...
I have used these for years, and thought they did a great deal for security (not IE Tab).  Mostly the reason I use/recommend Firefox.  Could you enlighten me on browser security and add-ons?  I thought this machine was reasonably secure.  Any speculation on this infection that you could share?

-------------------------------------------------------------------------------------------
RogueKiller V10.11.5.0 [Nov  9 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cathy [Administrator]
Started from : C:\Users\Cathy\Desktop\RogueKiller.exe
Mode : Delete -- Date : 11/11/2015 21:58:38

Processes : 0

Registry : 2
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2996338038-1004654043-2043957801-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2996338038-1004654043-2043957801-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)

Tasks : 0

Files : 3
[PUP][Folder] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF} -> Deleted
[PUP][File] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF}\instance.dat -> Deleted
[PUP][File] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF}\mia.dll -> Deleted
[PUP][File] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF}\stamps.com.plugin.dat -> Deleted
[PUP][File] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF}\stamps.com.plugin.exe -> Deleted
[PUP][File] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF}\stamps.com.plugin.msi -> Deleted
[PUP][File] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF}\stamps.com.plugin.par -> Deleted
[PUP][File] C:\ProgramData\{365C1C9F-0E26-4EC6-ACFD-F9BF88B767BF}\stamps.com.plugin.res -> Deleted
[PUP][Folder] C:\ProgramData\{3C5CBD7B-3D1D-411E-96C2-513FFCA84D2D} -> Deleted
[PUP][Folder] C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} -> Deleted

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000036b])

Web browsers : 4
[FIREFX:Addon] 90cfdm9g.default-1425000905695 : IE Tab + (FF 8+, 7, 6, 5, 4, 3.6, 3.5, SeaMonkey) [coralietab@mozdev.org] -> Deleted
[FIREFX:Addon] 90cfdm9g.default-1425000905695 : NoScript Security Suite [{73a6fe31-595d-460b-a920-fcc0f8843232}] -> Deleted
[FIREFX:Addon] 90cfdm9g.default-1425000905695 : Adblock Plus [{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}] -> Deleted
[FIREFX:Addon] 90cfdm9g.default-1425000905695 : HP Smart Web Printing [smartwebprinting@hp.com] -> Deleted

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] b7bd23ecc85301caedf590895eb6d321
[BSP] 188192e2939dcc6e5fdc4b7443e957b8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 381452 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

==============================================================================

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/11/2015
Scan Time: 10:02 PM
Logfile: MalwarebytesReport111115.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.10.07
Rootkit Database: v2015.11.04.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Cathy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 466946
Time Elapsed: 22 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Offline Hoov

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #10 on: November 11, 2015, 11:11:30 PM »
As far as what you are using, it is fine if that is what you are used to. They may have gotten removed because there was an issue with them. Once we get the system cleaned up, you can reinstall them.

How is the system running now?

Offline BunnySlave

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #11 on: November 11, 2015, 11:54:26 PM »
After I cleaned up and rebooted the machine, I double clicked on the Firefox browser; it still opens "hxxp://www-search.info/?src=us". When I clicked on the homepage button, it goes to "Google.com" (which is what it is supposed to be) and it can still go to any website. Then I opened IE, and it opens "Google.com".
It looks like there is no problem for IE, but Firefox still has a problem. What next?

P.s. I did uninstall all ioBit software.
« Last Edit: November 12, 2015, 06:56:18 PM by Hoov »

Offline Hoov

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #12 on: November 12, 2015, 06:58:38 PM »
Firefox starting on that page is no big deal; it is easily changed. Open up Firefox and click on the three lines on the right side (some people are calling it a hamburger button). Now click on Options. On the left side make sure that General is selected. Now in the homepage area, type in the web address of whatever page you want, or you can go to the page in another tab and then come back to the Options tab and click the Use Current Pages button.


1. Download and scan with CCleaner.
When you get to the website, there is a dark grey box on the left side with two tabs along the top. Inside this dark grey box is a light grey box. Below that light grey box is where the download links are. The pay amount is for paid support.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
3. Then select the items you wish to clean up.
In the Windows tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.

Now please save a new set of Event Viewer logs using the instructions from before and upload them to the same link as before.

Other than the browsers, how is the computer running? Is Windows working OK, and does the computer shut down and start up normally?


Offline BunnySlave

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #13 on: November 12, 2015, 09:11:53 PM »
Sir Hoov,

The event logs are uploaded for your review.
The Firefox browser still redirects, regardless of what the homepage is set to (many times); each time the browser is re-opened, it redirects twice, ending up on some search page... "hxxp://www-search.info/?src=us"....
IE appears to be OK, and the machine appears to be restarting/shutting down properly.

Offline Hoov

Re: [In Progress] Browser Hijacked... Avira & MBAM ineffective....
« Reply #14 on: November 12, 2015, 10:32:35 PM »
Sorry, I misunderstood what you meant.
Please download Extension List Dumper and install it. It is a Firefox extension.

Restart Firefox and then go to the add-ons list. There should now be a button in the upper right corner labeled Dump List. Click it. Make sure all the checkboxes are checked, and that the first drop down menu reads All and the second drop down list says HTML.

Now click the Save button and save it to your desktop. Zip the file up and attach it to your next post.

Open CCleaner and scroll down to the bottom of the System options in the left panel. Place a mark in the box next to Windows Error Reporting, then run the analyze scan and, once that is done, click the Run Cleaner button. Once it has cleaned your system again, go back and uncheck that box.

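BunnySlave reports Firefox opening the same search page however the homepage is set, and Hoov asks for the add-on list. Both answers live in the Firefox profile folder, and the script below is an added example (mine, not from the thread and not what Extension List Dumper produces) that reads them directly and changes nothing: the startup and search prefs from prefs.js, any user.js (a file Firefox re-applies on every start, so a homepage changed in the Options panel never sticks while it exists), and the add-on inventory from extensions.json. Assumptions: PowerShell 3.0 or later (for ConvertFrom-Json and -Directory), the standard profile location under %APPDATA%, the extensions.json layout of Firefox 40 and later, and my choice of which pref names are worth watching.

```powershell
# Added example, not from the thread. Read-only look at every Firefox profile:
# startup/search prefs, a user.js override file if one exists, and the add-on
# inventory from extensions.json (Firefox 40+ layout). Needs PowerShell 3.0+.

$profilesRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
# prefs that decide what Firefox opens at start and where searches go (my selection)
$watch = 'browser.startup.homepage', 'browser.startup.page', 'browser.newtab.url',
         'keyword.URL', 'browser.search.defaultenginename', 'browser.search.selectedEngine'

function Get-FirefoxPrefs($file) {
    # prefs.js and user.js lines have the form: user_pref("name", value);
    Get-Content $file | ForEach-Object {
        if ($_ -match '^user_pref\("([^"]+)",\s*(.+)\);\s*$') {
            New-Object PSObject -Property @{ Name = $matches[1]; Value = $matches[2] }
        }
    }
}

foreach ($profile in Get-ChildItem $profilesRoot -Directory) {
    "`n=== Profile: $($profile.Name) ==="

    $userJs = Join-Path $profile.FullName 'user.js'
    if (Test-Path $userJs) {
        # user.js is re-applied on every start and overrides the Options panel,
        # which is exactly the behaviour of a homepage that refuses to stay changed
        "user.js PRESENT - every pref below is forced on each start:"
        Get-FirefoxPrefs $userJs | Format-Table Name, Value -AutoSize
    } else {
        "user.js: not present (good)"
    }

    $prefsJs = Join-Path $profile.FullName 'prefs.js'
    if (Test-Path $prefsJs) {
        "prefs.js startup/search settings:"
        Get-FirefoxPrefs $prefsJs | Where-Object { $watch -contains $_.Name } |
            Format-Table Name, Value -AutoSize
    }

    $extJson = Join-Path $profile.FullName 'extensions.json'
    if (Test-Path $extJson) {
        "Installed add-ons:"
        (Get-Content $extJson -Raw | ConvertFrom-Json).addons |
            Select-Object id, @{ Name = 'name'; Expression = { $_.defaultLocale.name } },
                          type, active, userDisabled, location |
            Format-Table -AutoSize
    } else {
        "extensions.json not found (older profiles keep the add-on list in extensions.sqlite)"
    }
}
```

Compare the add-on ids against what the user actually installed; the id and the displayed name are separate fields, and an unfamiliar id with a familiar-looking name is worth a closer look. A startup URL sitting in user.js rather than prefs.js explains the "homepage won't stay set" symptom on its own.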