Topic: [Resolved] Redirected searches, unexpected shutdowns, and Internet locked

Greetings! ... and THANK YOU for being available to assist with this! Below is the DDS log, as requested. I originally pasted in the ATTACH log as well, but it exceeded the maximum characters allowed in a message. Please let me know if I should attach it in another post.


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 1.6.0_30
Run by ashley 2 at 19:25:26 on 2012-02-10
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.2047.1276 [GMT -5:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k WerSvcGroup
============== Pseudo HJT Report ===============
uStart Page = hxxp://
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wia6eb~1\toolbar\SearchquDx.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wia6eb~1\toolbar\SearchquDx.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [1726765432] c:\users\ashley~1\appdata\local\temp\tmph7047515151046104399.tmp
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DATAMNGR] c:\progra~1\wia6eb~1\datamngr\DATAMN~1.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start ***Edited out long random character string for AVG uninstall survey - Hoov*** &"prod=90"&"ver=10.0.1416
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
StartupFolder: c:\users\ashley~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\zooskm~1.lnk - c:\users\ashley 2\appdata\local\temp\ZooskMessenger.exe
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {108D3206-846A-4A93-BACB-F0572D043ED7} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
TCP: DhcpNameServer =
TCP: Interfaces\{4CE58C08-AF77-4064-89A0-46596F7EA748} : DhcpNameServer =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\wia6eb~1\datamngr\datamngr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\ashley 2\appdata\roaming\mozilla\firefox\profiles\tyclpdf5.default\
FF - prefs.js: - hxxp://{searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20100920223427232&tb_oid=26-09-2010&tb_mrud=26-09-2010
FF - prefs.js: - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://
FF - prefs.js: keyword.URL - hxxp://
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 53535
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe -service --> c:\windows\system32\dldncoms.exe -service [?]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-8-15 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-8-17 137472]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2005-4-24 13225]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-13 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2011-5-13 114280]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-1 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
=============== Created Last 30 ================
2012-02-08 05:55:58   56200   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{9379c69b-8fd4-424b-8574-e9c850ad123f}\offreg.dll
2012-02-08 05:13:44   6557240   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{9379c69b-8fd4-424b-8574-e9c850ad123f}\mpengine.dll
2012-02-08 04:50:56   --------   d-----w-   c:\users\ashley 2\appdata\roaming\Malwarebytes
2012-02-08 04:50:48   --------   d-----w-   c:\programdata\Malwarebytes
2012-02-08 04:50:47   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-02-08 04:50:47   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-01-30 00:23:00   703824   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{4112d6b4-df4d-4eea-bad9-c5d0c00b7564}\gapaengine.dll
2012-01-30 00:19:09   --------   d-----w-   c:\program files\Microsoft Security Client
2012-01-30 00:19:00   240008   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-01-29 18:08:16   115   ----a-w-   c:\users\ashley 2\appdata\roaming\microsoft\de26\bl121009_64.bat
2012-01-29 18:07:56   --------   d-----w-   c:\users\ashley 2\appdata\local\{D0745F0C-52AF-4736-81BE-24079C26F7A4}
2012-01-29 18:07:51   --------   d-----w-   c:\users\ashley 2\appdata\local\{D355934F-4F00-40E8-B415-84773B584813}
2012-01-29 18:05:40   282112   ----a-w-   c:\users\ashley 2\appdata\roaming\microsoft\de26\40A7.exe
2012-01-28 00:39:53   --------   d-----w-   c:\users\ashley 2\2012-01-27
2012-01-27 21:10:22   115   ----a-w-   c:\users\ashley 2\appdata\roaming\microsoft\de26\bl270536_64.bat
2012-01-27 21:07:30   --------   d-----w-   c:\users\ashley 2\appdata\local\{D35A241C-517A-4A2D-98B4-F062F9148FEF}
2012-01-27 21:07:25   --------   d-----w-   c:\users\ashley 2\appdata\local\{A2EF0012-2392-44FC-8BEA-71E156BC6DC3}
2012-01-27 01:11:25   --------   d-----w-   c:\users\ashley 2\appdata\local\{4C91B96B-A05B-44D7-A99C-5E3D6298044E}
2012-01-27 01:11:14   --------   d-----w-   c:\users\ashley 2\appdata\local\{EC42DFA3-6370-4370-B480-0127CA09F38C}
2012-01-24 22:39:35   --------   d-----w-   c:\program files\C5978
2012-01-24 22:38:59   --------   d-----w-   c:\program files\LP
2012-01-23 23:30:31   --------   d-----w-   c:\users\ashley 2\appdata\local\{B1B92751-F928-42E6-9960-0D184960FC27}
2012-01-23 23:30:18   --------   d-----w-   c:\users\ashley 2\appdata\local\{CE12F178-F037-4F68-853D-AF0F5E43EF29}
2012-01-22 22:13:38   --------   d-----w-   c:\users\ashley 2\appdata\roaming\C5978
2012-01-22 22:13:07   --------   d-----w-   c:\users\ashley 2\appdata\roaming\66EC5
2012-01-22 22:12:50   --------   d-----w-   c:\users\ashley 2\appdata\local\SanctionedMedia
2012-01-22 20:49:35   --------   d-----w-   c:\users\ashley 2\appdata\local\{C52EC8B4-AE2D-4085-910B-2534E700CFCA}
2012-01-22 20:49:23   --------   d-----w-   c:\users\ashley 2\appdata\local\{33426785-7873-43BF-B055-282FAF605362}
2012-01-22 03:23:34   --------   d-----w-   c:\users\ashley 2\appdata\local\{8A683156-85F2-4855-BEC0-D5656323EED8}
2012-01-22 03:23:23   --------   d-----w-   c:\users\ashley 2\appdata\local\{818A8DCC-0F33-4DB6-AEFD-BF16D54984C4}
2012-01-21 02:55:47   --------   d-----w-   c:\users\ashley 2\appdata\local\{0A926ED6-7861-4B08-A916-BD10463D5CD4}
2012-01-21 02:55:36   --------   d-----w-   c:\users\ashley 2\appdata\local\{C0150E78-5A54-4404-84A0-A49F41877DF7}
2012-01-16 22:44:31   --------   d-----w-   c:\users\ashley 2\appdata\local\{88EEFE78-9489-4AAB-A7A2-E488D5111A23}
2012-01-16 10:44:02   --------   d-----w-   c:\users\ashley 2\appdata\local\{A93ED7E9-D41A-4AA1-9234-D92AE365E814}
2012-01-16 10:43:51   --------   d-----w-   c:\users\ashley 2\appdata\local\{A18E3D9E-EDAF-48F7-88F5-5DC384FCE969}
2012-01-15 18:40:44   --------   d-----w-   c:\users\ashley 2\appdata\local\{7BE3A5DB-FD15-4D10-9551-D9D8D69EA9D1}
2012-01-15 18:40:33   --------   d-----w-   c:\users\ashley 2\appdata\local\{A69EBABF-3BA2-4A59-90AE-26BAAEB96104}
2012-01-13 01:43:57   --------   d-----w-   c:\users\ashley 2\2012-01-12
2012-01-13 01:04:36   --------   d-----w-   c:\users\ashley 2\appdata\local\{13D01E1B-9206-458A-8EF6-2D6A46216EF4}
2012-01-12 02:47:55   --------   d-----w-   c:\users\ashley 2\appdata\local\{ED6A870B-8E56-4EE1-8A65-D90C6E899B2C}
==================== Find3M  ====================
2011-12-21 23:31:38   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
============= FINISH: 19:26:01.10 ===============

Hello and welcome.

I go by Bear, and I will be helping you with your problem. I understand that having malware on your system is disruptive, annoying and can even be frightening.  I also understand the urgency of getting your computer functioning again.  Working as a team, you and I will be able to confront this problem and hopefully bring it to a successful conclusion.  But you need to do a few things to help me understand your situation.

First, tell me everything and anything that you have already tried to fix this problem. 

Second, tell me the symptoms of infection that you are seeing on your computer and when you first noticed them.  If the symptoms were progressive, let me know that.

Third, please only use one forum to help resolve your problem. Posting on more than one forum or trying other things in between our procedures will confuse and lengthen the process and may even make a positive solution impossible.

Fourth, please follow my instructions exactly.   If you cannot follow them or don't understand something, let me know immediately and do NOTHING until you hear from me.  If for any reason you have deviated from my instructions, PLEASE let me know at once.

Fifth, understand that malware gets into your computer system very easily but can be very, very difficult to remove.  It could take a while and we may have to try several processes to fix the problem.  So please "keep the faith".   I will do all I can to get your computer operating properly, and if I can't fix it we have many very bright individuals here who will help us.

Sixth, do not send anything to me as an attachment unless I specifically ask for it.  Please copy and paste all of your responses to me by replying to my post on this forum.  If the response is too long (the forum has size limits), please send it in portions, sequentially.

Seventh, let me know of any software you have running that encrypts your hard drive, such as Windows BitLocker or any others.

Eighth, if your PC is set to automatically update, DISABLE this function and do not update until we have disinfected your PC.

And lastly, before we do anything else, please back up your data, if possible on external media such as DVDs, CDs, memory sticks or external hard drives.

I will analyze your data and post instructions back to you. 

Please paste the Attach.txt into a new message.  I will analyze your data when I have it.

Good to meet you Bear, and thanks for taking this on!

Just to let you know, it isn't my computer that's infected, but my niece's. Currently, it cannot connect to the internet so I'll be working back and forth with flash drives. I *was* thinking of hooking up a wireless adapter to connect. What do you think?

As for what I saw, I saw a search redirected, and as I was trying to see if she had a virus I experienced the computer just shut down all by itself. The first thing I did was uninstall McAfee and installed Microsoft Security Essentials. Then I downloaded Malwarebytes and installed it from my flash drive to her PC, and ran it.

After Malwarebytes ran (asking me to restart so it could finish the cleaning), that's when internet connectivity was shut off.

The computer has a system level password (?). When you turn the computer on, Windows does not load until you type in a password. (This was to keep her brother from using the computer.)

I've attached the other log as requested.


Hi Eddie

I would strongly recommend you NOT connect Ashley's PC to yours using a wireless network.  Initially you can download all the files you need to run on her machine on your clean machine.  Then transfer them using a memory stick.  Be careful not to load anything from her machine onto your machine or you might infect yours as well.  MSE is a good security suite, but unfortunately the log file is very hard to get, so we can't tell what it did.  I would like to see the mbam-log-(date) log file of the scan you ran on Ashley's machine.  We'll get your internet connectivity back as fast as we can to make the process easier.

Bear ... the Malwarebytes log is below. For MSE, I took screenshots of a few of the bugs it deleted, pasted them into a Word doc and made a PDF. Would you like to see that PDF? Or just the screenshots?


Malwarebytes Anti-Malware

Database version: v2012.01.13.04

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
ashley 2 :: ADRIANA-PC [administrator]

2/7/2012 11:51:18 PM
mbam-log-2012-02-07 (23-51-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223523
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winupd (Trojan.Agent) -> Data: \\?\globalroot\Device\HarddiskVolume2\Users\ASHLEY~1\AppData\Local\Temp:winupd.exe -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http= -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
C:\Users\ashley 2\AppData\Local\Temp\acxnomrwes.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\rsamewncxo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\cxeorsnwam.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\jucheck.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Users\cici\AppData\Local\Temp\SE6B61.tmp.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\Guest\AppData\Local\Temp\SE76A0.tmp.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Windows\Temp\5728.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\notepad.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Windows\Temp\fka0.34756627945260565.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\msnmsgr.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
C:\Users\Guest\AppData\Roaming\firefox.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\ashley 2\AppData\Local\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.

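An added illustration that is not part of the thread: the DDS "Pseudo HJT Report" and Firefox sections in the first post, and the PUM.Bad.Proxy entry in the Malwarebytes log above, point at the two things a first-pass triage of such a log should surface: autorun entries whose target lives in a user-writable folder (Temp, AppData, the system profile), a globally injected AppInit DLL, and a browser proxy that was switched on without the user's knowledge. The Python below is example code written for this page, not part of DDS or Malwarebytes; the function names `triage` and `target_path` and the path-based rules are my own assumptions, and the input is a handful of lines copied (abbreviated) from the DDS log posted above.

```python
import re
from typing import Dict, List, Tuple

# Input: lines copied (abbreviated) from the DDS "Pseudo HJT Report" and
# Firefox sections posted in this thread, embedded here so the script runs offline.
SAMPLE_REPORT = r'''
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [1726765432] c:\users\ashley~1\appdata\local\temp\tmph7047515151046104399.tmp
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [DATAMNGR] c:\progra~1\wia6eb~1\datamngr\DATAMN~1.EXE
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
StartupFolder: c:\users\ashley~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\zooskm~1.lnk - c:\users\ashley 2\appdata\local\temp\ZooskMessenger.exe
AppInit_DLLs: c:\progra~1\wia6eb~1\datamngr\datamngr.dll
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 53535
FF - prefs.js: network.proxy.type - 1
'''

# DDS line prefixes that describe something started automatically at logon/boot.
AUTORUN_PREFIXES = ("uRun:", "mRun:", "dRun:", "mRunOnce:", "StartupFolder:")

# Folders an unprivileged user (or malware running as that user) can write to.
# Legitimate autoruns almost never point here; the ones in this log all did.
USER_WRITABLE = ("\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\config\\systemprofile\\")

# A Windows path ending in one of the file types DDS reports on a single line.
PATH_RE = re.compile(r'[a-z]:\\[^"\n]*?\.(?:exe|dll|tmp|lnk|bat|cpl|sys)\b', re.I)

# "FF - prefs.js: <pref> - <value>"; the value may be blank, as for network.proxy.http.
PREF_RE = re.compile(r'^FF - prefs\.js: (\S+) -\s*(.*)$')


def target_path(line: str) -> str:
    """Return the last file path on an autorun line, lower-cased.

    For StartupFolder entries DDS prints the .lnk first and the real target
    after " - ", so the last path is the one that actually executes.
    """
    paths = PATH_RE.findall(line)
    return paths[-1].lower() if paths else ""


def triage(report: str) -> List[Tuple[str, str]]:
    """Scan a DDS-style report and return (category, detail) findings in line order."""
    findings: List[Tuple[str, str]] = []
    prefs: Dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(AUTORUN_PREFIXES):
            path = target_path(line)
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(("autorun-from-user-writable-dir", line))
            elif path.endswith(".tmp"):
                # A .tmp file registered as an autorun is suspicious wherever it lives.
                findings.append(("autorun-of-tmp-file", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # A non-empty AppInit_DLLs value is loaded into every process that uses user32.
            findings.append(("appinit-dll-injected-into-every-process", line))
        else:
            m = PREF_RE.match(line)
            if m:
                prefs[m.group(1)] = m.group(2).strip()
    # network.proxy.type 1 means "manual proxy configuration" in Firefox; combined
    # with an empty host and an odd port it matches the PUM.Bad.Proxy hit in the MBAM log.
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http") or "<blank>"
        port = prefs.get("network.proxy.http_port", "?")
        findings.append(("firefox-manual-proxy", f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:42} {detail}")
```

Run on the sample it reports the three autoruns that execute from Temp or the system profile, the Searchqu AppInit DLL, and a manual Firefox proxy of `<blank>:53535`; the unremarkable Intel and Messenger entries pass. The rules are deliberately location-based rather than name-based, which is why a file that borrows a legitimate name (the `notepad.exe`, `explorer.exe` and `iexplore.exe` copies in Temp that Malwarebytes removed above) would still be caught.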

Hi Eddie

The screen shots would be fine.  Seems we have quite a bit of work to do, so let's get started.

1. On Ashley's PC please go to start/control panel/add or remove programs and completely uninstall the following programs:
Windows Searchqu Toolbar

2.  On your PC please download the following files and save them to your memory stick:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: Combofix use

Link 1
Link 2
Link 3

Download OTL from any of the following links and save to your Desktop.


3.  Now copy each of these programs onto Ashley's desktop.

4.  Now quit all running programs.  Double click RogueKiller.exe to run it.  For Vista/Seven, right click and select run as administrator, for XP simply run RogueKiller.exe.   When prompted, type 1 and hit Enter.
An RKreport.txt should appear on your desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.

Please read carefully and follow these steps:
Close all open browsers.

5.  Disable all of your Anti-Virus and Anti-Spyware programs.  If you need help to disable them, go to Disable Anti Malware; be sure to re-enable them before posting your reply.

6.  Double click combofix.exe.  For XP, if ComboFix offers to install a Recovery Console, you must permit it to do so. It is very dangerous to permit ComboFix to run unless the Recovery Console is installed.

7.  Copy the code in the code box below.  Then click Start/Run and paste it into the input box.  Click OK.

Code:

cmd /k netsh winsock reset

Now reboot.

When finished, it will produce a report for you at C:\ComboFix.txt.

Please always check to be sure Word Wrap is NOT turned on in any Notepad files you post.  This is done by opening the Notepad file and clicking on Format to be sure Word Wrap is not checked.

Note:  This site has size limits on posts.  Please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
Let me know how your computer is operating
Let me know if you can connect to the internet
If you have any questions or problems, let me know that as well

Hi Eddie

It's working for me.  Try the link again.

Hi Eddie

My bad!  Use this address:  RogueKiller.  Just click on the hyperlink.

Howdy Bear ... update:

I ran RogueKiller three times. It kept getting stuck on the MBR scan. I changed the name to winlogon and it kept getting stuck in the same place. I ran the scan with "Scan MBR" (or whatever) unchecked to be able to get a log.

I then ran combofix. It was warning me about AVG scanners. AVG is not really installed, not in the program list anyway. I did a search for AVG, deleted everything that showed up, rebooted, ran combofix, and this time it went straight through. Combofix discovered a rootkit, and "asked me" to let it reboot the computer.

... that was 40 minutes ago, and the screen still says "shutting down."

I probably won't be able to get back to it until Wednesday after work. Please let me know how I should proceed.


Hi Eddie

Please post the logs.

Hi Eddie

You will have to do a hard shutdown.  Also try running RK in safe mode.

Hi Eddie

If CF did not leave a log, you will need to rename it to explorer.exe and run it again.
