| Thread ID: 136395 | 2014-02-25 05:23:00 | URLs being misdirected | GrahamB (750) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1368664 | 2014-02-27 08:31:00 | I have checked and I still get a misdirection, although this time to another site. I had a look at Junk Removal and saw about a program called Scorpion Saver. I went through the check list and do not have it installed as a program, nor do I have it in Tools/Extensions on any of the three browsers [IE, Firefox and Chrome (default)]. I do recall having installed a download program like 1Click (not sure if it was that or something similar) suggested, I think, through YouTube, but I deleted it because it was too stupid for words! I wonder if I have a residual trace of this in the Registry? I took a screen dump of the Inspect Element screen for one of these events (from Chrome History). I have this saved as a PDF file (so no problems with contagion) if anyone knows enough to determine the problem from that source? If so I can email it to you, or attach it to a post? Again TFYOH | GrahamB (750) | ||
| 1368665 | 2014-02-27 08:43:00 | It won't be helping (Scorpion Saver), it's malware. Do you have Nod set up fully? If it's set fully it should have stopped it, unless any warning was ignored. Nod should have detected a PUP (but again it has to be set fully, otherwise it may not). Have a read of the following removal instructions: www.2-spyware.com and www.bleepingcomputer.com Make sure you run ALL the programs as instructed, don't skimp as it may fail. At the end of the article are the files and reg keys to manually check and remove if there. One thing about that article: DON'T run a quick scan, run the FULL. The quick scan will often miss lots. | wainuitech (129) | ||
| 1368666 | 2014-02-27 18:50:00 | One other thing to check: go into Control Panel / Internet Options / Connections / LAN Settings, and make sure there's no proxy server setting that has been added. | wainuitech (129) | ||
| 1368667 | 2014-02-28 10:14:00 | I'm sure it is not Scorpion Saver, but the problem still exists. I checked the Internet Options and there are no proxy server settings added. And yes, I'm sure ESET is working correctly. | GrahamB (750) | ||
| 1368668 | 2014-02-28 10:33:00 | So did you do a full scan with malwarebytes? | Speedy Gonzales (78) | ||
| 1368669 | 2014-02-28 10:58:00 | Try a scan with Hitman Pro | Agent_24 (57) | ||
| 1368670 | 2014-03-01 21:27:00 | Download ComboFix from any of the links below, and save it to your desktop. Link 1 (download.bleepingcomputer.com) Link 2 (subs.geekstogo.com) To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (www.pchelpforum.com) for a tutorial regarding how to do so if you are unsure. Close any open windows and double-click ComboFix.exe to run it. You will see the following image: [screenshot: img.photobucket.com] Click I Agree to start the program. ComboFix will then extract the necessary files and you will see this: [screenshot: img.photobucket.com] As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If you did not have it installed, you will see the prompt below. Choose YES. [screenshot: img.photobucket.com] Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: [screenshot: img.photobucket.com] Click on Yes, to continue scanning for malware. When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt). Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so. Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall. | Pancake (6359) | ||
| 1368671 | 2014-03-02 07:31:00 | Yes, I downloaded a WinZip program from Tucows AFTER the problem was discovered. It was an app to try to catch the culprit and was, in my opinion, a joke! | GrahamB (750) | ||
| 1368672 | 2014-03-02 07:35:00 | Hi Agent_24, I got notification of your reply and Pancake's at the same time. I have just tried ComboFix first. Will try Hitman Pro if ComboFix doesn't! TFYH | GrahamB (750) | ||
| 1368673 | 2014-03-02 07:52:00 | Hi Pancake, I have tried ComboFix. Had to shag around a bit to get rid of Spybot - deleted it eventually as I did not seem to be able to suspend it. I have attached here the ComboFix.txt file. I am about to reboot, and reset ESET, and then will check to see if the problem continues, and will come back. Will appreciate your comments/guidance. If it does continue then I will try Hitman Pro. See previous posting from Agent_24. - I am unable to upload the file, either as .txt or .pdf. System says invalid file. I hope I don't upset anyone by pasting the content below. If it does not come through, feel free to email me at graham(at)ariel.co.nz
************
ComboFix 14-02-24.02 - user 02/03/2014 19:34:19.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3839.2486 [GMT 13:00]
Running from: c:\users\user\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\user\g2mdlhlpx.exe
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-02-02 to 2014-03-02 )))))))))))))))))))))))))))))))
.
.
2014-03-02 06:39 . 2014-03-02 06:39 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-02 06:39 . 2014-03-02 06:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-03-02 06:39 . 2014-03-02 06:39 -------- d-----w- c:\users\Graham\AppData\Local\temp
2014-03-02 06:39 . 2014-03-02 06:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-25 09:58 . 2014-02-25 09:58 -------- d-----w- c:\windows\ERUNT
2014-02-25 07:43 . 2014-02-25 07:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-02-25 07:43 . 2013-04-04 01:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-02-25 07:09 . 2014-02-26 05:51 -------- d-----w- c:\users\user\AppData\Roaming\Nico Mak Computing
2014-02-16 06:41 . 2013-12-15 12:54 7760024 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7745776F-00A6-4098-8B88-8E9EFBDAFC01}\mpengine.dll
2014-02-16 06:40 . 2013-12-21 07:56 523776 ----a-w- c:\windows\system32\vbscript.dll
2014-02-16 06:35 . 2014-02-16 06:35 -------- d-----w- c:\windows\Migration
2014-02-16 06:19 . 2013-12-04 01:54 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-02-16 06:19 . 2013-12-04 01:54 572416 ----a-w- c:\windows\system32\RMActivate.exe
2014-02-16 06:19 . 2013-12-04 01:54 508928 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2014-02-16 06:19 . 2013-12-04 02:03 87040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2014-02-16 06:19 . 2013-12-04 02:03 87040 ----a-w- c:\windows\system32\secproc_ssp.dll
2014-02-16 06:19 . 2013-12-04 02:03 423936 ----a-w- c:\windows\system32\secproc_isv.dll
2014-02-16 06:19 . 2013-12-04 02:03 428032 ----a-w- c:\windows\system32\secproc.dll
2014-02-16 06:19 . 2013-12-04 02:02 390144 ----a-w- c:\windows\system32\msdrm.dll
2014-02-16 06:19 . 2013-12-04 01:54 510976 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2014-02-03 01:47 . 2014-02-03 02:29 -------- d-----w- C:\MT4-Master File Repository
2014-02-02 05:41 . 2014-02-02 05:45 -------- d-----w- c:\users\user\AppData\Roaming\DeepBurner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-21 08:16 . 2012-05-07 07:39 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-21 08:16 . 2012-02-27 21:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-19 09:29 . 2014-01-19 09:29 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-15 20:59 . 2012-02-20 21:57 231584 ------w- c:\windows\system32\MpSigStub.exe
2012-02-27 19:04 . 2012-02-27 19:04 36069 ----a-w- c:\program files\uninstall.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0001IDriveSyncExt4]
@="{A30768B3-9C38-4810-AAC3-422B73A0B25C}"
[HKEY_CLASSES_ROOT\CLSID\{A30768B3-9C38-4810-AAC3-422B73A0B25C}]
2013-11-20 13:04 1102904 ----a-w- c:\programdata\Application Data\IDriveSync\IDSyncIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\001IDriveSyncExt2]
@="{AE0642D6-F6D4-4443-9654-FE7252EDBC0C}"
[HKEY_CLASSES_ROOT\CLSID\{AE0642D6-F6D4-4443-9654-FE7252EDBC0C}]
2013-11-20 13:04 1102904 ----a-w- c:\programdata\Application Data\IDriveSync\IDSyncIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\001IDriveSyncExt3]
@="{B5C11BA5-C82C-4D1F-A0B0-3E161B3F9E47}"
[HKEY_CLASSES_ROOT\CLSID\{B5C11BA5-C82C-4D1F-A0B0-3E161B3F9E47}]
2013-11-20 13:04 1102904 ----a-w- c:\programdata\Application Data\IDriveSync\IDSyncIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\001IDriveSyncExt4]
@="{906E4756-73EC-4A58-A3B1-461B759D8F7B}"
[HKEY_CLASSES_ROOT\CLSID\{906E4756-73EC-4A58-A3B1-461B759D8F7B}]
2013-11-20 13:04 1102904 ----a-w- c:\programdata\Application Data\IDriveSync\IDSyncIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\001IDriveSyncExt5]
@="{5DF1669E-DBBC-4C36-918E-8E470774D7AF}"
[HKEY_CLASSES_ROOT\CLSID\{5DF1669E-DBBC-4C36-918E-8E470774D7AF}]
2013-11-20 13:04 1102904 ----a-w- c:\programdata\Application Data\IDriveSync\IDSyncIcon.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet 7610 series (NET)"="c:\program files\HP\HP Officejet 7610 series\Bin\ScanToPCActivationApp.exe" [2012-10-20 1877608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2013-09-11 5110672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-01 254336]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2010-01-11 226784]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Officejet 7610 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Officejet 7610 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN37Q2KG5N05SP;CONNECTION=NW;MONITOR=1; [2009-7-14 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Users^user^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ashampoo HDD-Control 2 Guard]
2012-07-29 20:48 3783592 ----a-w- c:\program files\Ashampoo\Ashampoo HDD Control 2\AHDDC2_Guard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CNAP2 Launcher]
2010-01-11 15:00 226784 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\CNAP2LAK.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-09-21 10:40 1681408 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe
.
R3 AsrCDDrv;AsrCDDrv;c:\windows\system32\Drivers\AsrCDDrv.sys [x]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athur.sys [2010-01-04 1500160]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 25112]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-04 1343400]
S1 AsrAppCharger;AsrAppCharger;c:\windows\system32\DRIVERS\AsrAppCharger.sys [2010-06-11 13832]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2013-09-17 188808]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2013-09-17 134248]
S2 AHDDC2;Ashampoo HDD Control 2 Service;c:\program files\Ashampoo\Ashampoo HDD Control 2\AHDDC2_Service.exe [2012-07-29 1518504]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-01-02 1363616]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-01-02 1748640]
S2 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo HDD Control 2\DfSdkS.exe [2009-08-24 406016]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2013-09-11 1337752]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2013-09-17 122376]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;c:\program files\Nitro\Reader 3\NitroPDFReaderDriverService3.exe [2013-03-26 196624]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-10-22 414496]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-17 450848]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 RTL8192cu;%RTL8192cu.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192cu.sys [2011-04-08 801896]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-09-17 1086976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-21 05:31 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 08:16]
.
2014-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cf2895296bfb27.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-27 21:23]
.
2014-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-27 21:23]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = localhost:8080
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\htfvuzuo.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
MSConfigStartUp-E72B1338A84FAC5B92E5F250E30E2E866E45CA98 - c:\users\user\AppData\Local\Google\Chrome\Application\chrome.exe
MSConfigStartUp-Google Update - c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
.
.
.
Completion time: 2014-03-02 19:41:23
ComboFix-quarantined-files.txt 2014-03-02 06:41
ComboFix2.txt 2013-10-31 00:28
.
Pre-Run: 23,605,440,512 bytes free
Post-Run: 23,573,401,600 bytes free
.
- - End Of File - - 387C07E61E1AB8F8AA786FB97657AE5B A36C5E4F47E84449FF07ED3517B43A31
****************
TFYH | GrahamB (750) | ||
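The "Supplementary Scan" section of the log pasted above records `uInternet Settings,ProxyServer = localhost:8080` for the current user, and the `policies\system` section shows `EnableLUA` and `PromptOnSecureDesktop` set to 0. Those are the settings wainuitech's earlier post told the poster to check by hand in Internet Options; a small triage script makes the same checks mechanically over the whole log, so a loopback proxy or a disabled UAC is not missed when a log is read in a hurry. The following Python script is an added example for this thread, not part of any post and not ComboFix's own tooling. It assumes the line shapes seen in the log above (`uInternet Settings,ProxyServer = ...`, `TCP: DhcpNameServer = ...`, and `"Name"= value (0xN)` policy lines) and runs over a constructed sample built from those lines rather than over the full log; the DNS check goes slightly beyond the thread by also flagging any DHCP-supplied name server that is not a private (RFC 1918) address.

```python
import ipaddress
import re

# Constructed sample, modelled on the policies\system and "Supplementary Scan"
# entries of the ComboFix log posted in this thread. Not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = localhost:8080
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
"""

# Line shapes as they appear in the pasted log (assumption: ComboFix keeps
# these formats stable across versions; only the three below are parsed).
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>\d+)')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)')
DNS_RE = re.compile(r'^TCP: DhcpNameServer\s*=\s*(?P<servers>.+)$')

# UAC policy values a default Windows 7 install ships with. Anything else
# means UAC has been weakened, whether by the owner or by something else.
UAC_EXPECTED = {"EnableLUA": 1, "PromptOnSecureDesktop": 1}


def triage(log_text):
    """Return a list of (finding, detail) tuples for the settings worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        # A per-user proxy is the classic way browser traffic gets redirected
        # without any browser extension being installed.
        m = PROXY_RE.match(line)
        if m:
            findings.append(("proxy_set", m.group("proxy")))
            continue

        # Name servers handed out by DHCP should be on the local network;
        # a public address here deserves a look at the router's settings.
        m = DNS_RE.match(line)
        if m:
            for server in m.group("servers").split():
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(("dns_unparseable", server))
                    continue
                if not addr.is_private:
                    findings.append(("dns_public", server))
            continue

        # UAC policy lines: compare against the expected defaults.
        m = POLICY_RE.match(line)
        if m and m.group("name") in UAC_EXPECTED:
            if int(m.group("value")) != UAC_EXPECTED[m.group("name")]:
                findings.append(("uac_weakened", m.group("name")))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding}: {detail}")
```

Run against the sample, the script reports the loopback proxy on port 8080 and the two weakened UAC values, and stays quiet about the 192.168.1.1 name server. To use it on a real log, read the file into `triage()` instead of `SAMPLE_LOG`; the regular expressions deliberately match only the three line shapes shown, so unrelated sections of the log are ignored.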