
Trojan: mydomainadvisor.com


Trojan: mydomainadvisor.com

Post by orangered on Thu Apr 26, 2012 5:37 pm

Hello!

My notebook (Windows Vista Home Premium) seems to have caught the "mydomainadvisor" virus/trojan. It (occasionally, without any recognisable system) redirects to a fake search page from almost any website I want to visit - and I suppose that's only the obvious part of what it does.

I've scanned my computer with SUPERAntiSpyware and deleted everything it listed as suspicious, then I rebooted and did the same with Malwarebytes (logs below).

Now I'm unsure what to do next. Any help would be very much appreciated! (Since I'm neither a computer expert nor a native speaker of English, I'd be grateful for the simplest possible instructions.) Thank you for your attention!

***********
SUPERAntiSpyware Scan Log

Generated 04/26/2012 at 03:14 PM

Application Version : 5.0.1136

Core Rules Database Version : 8514
Trace Rules Database Version: 6326

Scan type : Quick Scan
Total Scan Time : 00:08:36

Operating System Information
Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
UAC Off - Administrator

Memory items scanned : 781
Memory threats detected : 0
Registry items scanned : 15748
Registry threats detected : 0
File items scanned : 10810
File threats detected : 104

Adware.Tracking Cookie

***********
Malwarebytes (sorry it's in German - the very last bit says "successfully deleted and isolated"):

Malwarebytes Anti-Malware 1.61.0.1400

Datenbank Version: v2012.04.26.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
[MyName] :: VISTA-PC [Administrator]

26.04.2012 15:21:10
mbam-log-2012-04-26 (15-21-10).txt

Art des Suchlaufs: Vollständiger Suchlauf
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 440496
Laufzeit: 2 Stunde(n), 33 Minute(n), 35 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\[MyName]\AppData\Local\TempDIR\BetterInstaller.exe (PUP.BundleInstaller.Somoto)

-> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)


Re: Trojan: mydomainadvisor.com

Post by Superdave on Thu Apr 26, 2012 6:03 pm

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

You may want to consider [You must be registered and logged in to see this link.] to protect against viruses and other threats.
Additionally, purchasing an effective antivirus program is a good idea. This will protect your identity and your computer against all types of viruses and other malware. [You must be registered and logged in to see this link.]
*****************************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
********************************************************
Download Combofix from any of the links below, and save it to your DESKTOP.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.

You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Re: Trojan: mydomainadvisor.com

Post by orangered on Thu Apr 26, 2012 9:02 pm

Hello Dave!

Thank you for your quick response! I did what you told me to, and here are the results:

Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Avira Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
Java(TM) 6 Update 30
Java(TM) 6 Update 6
Java version out of date!
Adobe Flash Player 11.1.102.62
Adobe Reader X (10.1.3)
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Windows Defender MSASCui.exe
``````````End of Log````````````


********************************************

ComboFix 12-04-26.01 - [MyName] 26.04.2012 22:32:37.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.1915.1140 [GMT 2]
ausgeführt von:: c:\users\[MyName]\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\[MyName]\AppData\Local\lame_enc.dll
c:\users\[MyName]\AppData\Local\no23xwrapper.dll
c:\users\[MyName]\AppData\Local\ogg.dll
c:\users\[MyName]\AppData\Local\TempDIR
c:\users\[MyName]\AppData\Local\vorbis.dll
c:\users\[MyName]\AppData\Local\vorbisenc.dll
c:\users\[MyName]\AppData\Local\vorbisfile.dll
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-03-26 bis 2012-04-26 ))))))))))))))))))))))))))))))
.
.
2012-04-26 20:43 . 2012-04-26 20:44 -------- d-----w- c:\users\[MyName]\AppData\Local\temp
2012-04-26 20:43 . 2012-04-26 20:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-26 13:12 . 2012-04-26 13:12 -------- d-----w- c:\users\[MyName]\AppData\Local\blekkotb
2012-04-26 13:01 . 2012-04-26 13:01 -------- d-----w- c:\users\[MyName]\AppData\Roaming\SUPERAntiSpyware.com
2012-04-26 13:00 . 2012-04-26 13:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-26 13:00 . 2012-04-26 13:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-26 11:55 . 2012-04-26 13:18 -------- d-----w- c:\program files\Common Files\PC Tools
2012-04-26 11:54 . 2012-04-26 11:54 -------- d-----w- c:\users\[MyName]\AppData\Roaming\TestApp
2012-04-26 11:54 . 2012-04-26 11:54 -------- d-----w- c:\programdata\PC Tools
2012-04-26 11:53 . 2012-04-26 11:53 -------- d-----w- c:\users\[MyName]\AppData\Roaming\Malwarebytes
2012-04-26 11:53 . 2012-04-26 11:53 -------- d-----w- c:\programdata\Malwarebytes
2012-04-26 11:53 . 2012-04-26 11:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-26 11:53 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-24 22:15 . 2012-04-24 22:15 -------- d-----w- c:\program files\No23 Recorder
2012-04-24 09:33 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{53AC2A45-E7FA-4944-A5FC-48DF49C39D7F}\mpengine.dll
2012-04-11 13:43 . 2012-04-11 13:43 -------- d-----w- c:\program files\Kml Builder
2012-04-11 13:37 . 2012-04-11 13:43 -------- d-----w- c:\users\[MyName]\AppData\Local\NorthGates_Systems
2012-04-11 13:37 . 2012-04-11 13:43 -------- d-----w- c:\programdata\NorthGates Systems
2012-04-11 13:37 . 2012-04-11 13:43 -------- d-----w- c:\users\[MyName]\AppData\Roaming\NorthGates Systems
2012-04-11 13:36 . 2012-04-11 13:37 -------- d-----w- c:\program files\KML Editor
2012-04-11 13:36 . 2012-04-11 13:36 -------- d-----w- c:\program files\Common Files\KML Editor
2012-04-11 13:27 . 2012-04-26 12:04 -------- d-----w- c:\program files\KML Generator
2012-04-11 08:59 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-03-28 20:56 . 2012-03-28 20:56 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-28 08:04 . 2012-01-30 21:16 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 09:33 . 2012-02-23 09:33 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-02-23 09:33 . 2012-02-23 09:33 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-02-23 09:33 . 2012-02-23 09:33 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-23 09:33 . 2012-02-23 09:33 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-02-23 09:33 . 2012-02-23 09:33 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-23 09:33 . 2012-02-23 09:33 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-02-23 09:33 . 2012-02-23 09:33 367104 ----a-w- c:\windows\system32\html.iec
2012-02-23 09:33 . 2012-02-23 09:33 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-02-23 09:33 . 2012-02-23 09:33 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-23 09:33 . 2012-02-23 09:33 152064 ----a-w- c:\windows\system32\wextract.exe
2012-02-23 09:33 . 2012-02-23 09:33 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-02-23 09:33 . 2012-02-23 09:33 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-02-23 09:33 . 2012-02-23 09:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-02-23 09:33 . 2012-02-23 09:33 11776 ----a-w- c:\windows\system32\mshta.exe
2012-02-23 09:33 . 2012-02-23 09:33 101888 ----a-w- c:\windows\system32\admparse.dll
2012-02-23 09:33 . 2012-02-23 09:33 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-02-23 09:33 . 2012-02-23 09:33 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-02-23 08:18 . 2012-01-30 22:31 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 10:08 . 2012-01-30 21:05 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-15 10:01 . 2012-02-15 10:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 10:01 . 2012-02-15 10:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-14 15:45 . 2012-03-14 09:47 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 09:47 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12 . 2012-03-14 09:47 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47 . 2012-03-14 09:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44 . 2012-03-14 09:47 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-02 15:16 . 2012-03-14 09:47 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 19:51 . 2012-01-31 19:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-31 11:57 . 2012-01-31 11:57 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-01-31 11:57 . 2012-01-31 11:57 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-01-30 18:55 . 2012-01-30 18:55 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-01-30 18:55 . 2012-01-30 18:55 315392 ----a-w- c:\windows\HideWin.exe
2012-03-13 04:38 . 2012-04-02 08:36 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\[MyName]\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\[MyName]\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\[MyName]\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\[MyName]\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 103824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-12-15 258512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-01-31 296056]
.
c:\users\[MyName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\[MyName]\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2012-2-6 6144]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-20 20:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
2007-03-01 05:01 180736 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATICAE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2011-11-05 11:17 980368 ----a-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
2008-05-28 11:40 20480 ----a-w- c:\program files\Google\Google EULA\GoogleEULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 03:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-10-13 10:45 19550344 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-01-31 11:57 296056 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2008-01-11 02:07 574864 ----a-w- c:\program files\TOSHIBA\Registration\ToshibaRegistration.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-11 13:44]
.
2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-11 13:44]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\[MyName]\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\[MyName]\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\[MyName]\AppData\Roaming\Mozilla\Firefox\Profiles\03ap52no.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
HKLM-Run-Freecorder FLV Service - c:\program files\Freecorder\FLVSrvc.exe
MSConfigStartUp-Freecorder FLV Service - c:\program files\Freecorder\FLVSrvc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-04-26 22:43
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????F?E?i??P?u?x?u???u???u??
.
Scanne versteckte Dateien...
.
.
c:\users\[MyName]\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 1
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2012-04-26 22:53:50
ComboFix-quarantined-files.txt 2012-04-26 20:53
.
Vor Suchlauf: 8 Verzeichnis(se), 38.739.218.432 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 39.279.972.352 Bytes frei
.
- - End Of File - - D6C55925F94D28172A2E7A6F62154386


***************************************

Is it potentially dangerous to reboot my computer now? Should I leave it on all night?


Last edited by orangered on Thu Apr 26, 2012 10:08 pm; edited 1 time in total


Re: Trojan: mydomainadvisor.com

Post by orangered on Thu Apr 26, 2012 9:07 pm

Also, may I re-enable my virus scanner now?


Re: Trojan: mydomainadvisor.com

Post by Superdave on Fri Apr 27, 2012 5:23 pm

orangered wrote: Also, may I re-enable my virus scanner now?
Yes.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First [You must be registered and logged in to see this link.]

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the [You must be registered and logged in to see this link.].

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download [You must be registered and logged in to see this link.] and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.

Additional Note: [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
****************************************************
Let's run a few more scans to see what turns up.

Please download [You must be registered and logged in to see this link.] (511KB) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


Re: Trojan: mydomainadvisor.com

Post by orangered on Fri Apr 27, 2012 5:52 pm

Before starting the scan, I was asked: "Would you like to download latest Avast! virus definitions?" - I clicked no - should I have clicked yes and downloaded it?
Here's the scan log without it:

***************************

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-27 19:46:07
-----------------------------
19:46:07.952 OS Version: Windows 6.0.6002 Service Pack 2
19:46:07.952 Number of processors: 2 586 0xF0D
19:46:07.952 ComputerName: VISTA-PC UserName: [MyName]
19:46:11.181 Initialize success
19:47:53.318 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:47:53.318 Disk 0 Vendor: TOSHIBA_ LV01 Size: 238475MB BusType: 3
19:47:53.349 Disk 0 MBR read successfully
19:47:53.349 Disk 0 MBR scan
19:47:53.349 Disk 0 Windows VISTA default MBR code
19:47:53.365 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
19:47:53.396 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 119000 MB offset 3074048
19:47:53.427 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 117973 MB offset 246786048
19:47:53.427 Disk 0 scanning sectors +488394752
19:47:53.521 Disk 0 scanning C:\Windows\system32\drivers
19:48:03.848 Service scanning
19:48:27.576 Modules scanning
19:48:43.113 Disk 0 trace - called modules:
19:48:43.145 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:48:43.659 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x859e8620]
19:48:43.659 3 CLASSPNP.SYS[879138b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x83fa4028]
19:48:43.675 Scan finished successfully
19:49:20.553 Disk 0 MBR has been saved successfully to "C:\Users\[MyName]\Desktop\MBR.dat"
19:49:20.585 The log file has been saved successfully to "C:\Users\[MyName]\Desktop\aswMBR.txt"


Re: Trojan: mydomainadvisor.com

Post by Superdave on Fri Apr 27, 2012 10:19 pm

orangered wrote: "Would you like to download latest Avast! virus definitions?" - I clicked no - should I have clicked yes and downloaded it?
Yes, it's part of the scanner, but that's OK; I got what I wanted.
Is your computer working any better?


SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Re: Trojan: mydomainadvisor.com

Post by orangered on Sat Apr 28, 2012 8:49 am

[You must be registered and logged in to see this link.] wrote:Is your computer working any better?

Difficult to say. It actually worked okay, except that I once had trouble booting, and when using the internet, I kept being redirected to that "mydomainadvisor" site. That hasn't happened for a while now, but it happened irregularly before, so I'm not entirely sure it has stopped...

Here comes the new log:


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 8DE00000
Module End: 8DECE000
Hidden: Yes

Module Name: \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: AF1AE000
Module End: AF1B0000
Hidden: Yes

Module Name: \??\C:\Users\[MyName]\AppData\Local\Temp\catchme.sys
Service Name: catchme
Module Base: AF1B0000
Module End: AF1B8000
Hidden: Yes

Module Name: \??\C:\Users\[MyName]\AppData\Local\Temp\aswMBR.sys
Service Name: aswMBR
Module Base: AF1BF000
Module End: AF1CB000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateSection
Address: 89AACBCE
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwRequestWaitReplyPort
Address: 89AACBD8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 89AACBD3
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSecurityObject
Address: 89AACBDD
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSystemDebugControl
Address: 89AACBE2
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 89AACB6F
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\01 ? ?G??? ????? ???? (deleted 4a4fbe50-3b95ef-ae896d26).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\02 ?? G????? (deleted 4a4fbe70-349c26-1504bff4).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\05 ???S ??? ??S??? ?? ???????S (deleted 4a4fbee6-382e93-6b48e89c).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\06 F??FO (deleted 4a4fbf08-3613a1-d2de69c6).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\07 ?????O??? (deleted 4a4fbf34-470a84-6c205970).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\09 ?? ??G??S ??? ???????? ??? (deleted 4a4fbf80-366fa1-5557e3da).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-01 ??? ß?ad?? st? ????? (deleted 4aae28fd-3fb95c-077c7f25).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-02 ?e??e ?p?? ?s???a (deleted 4aae2916-45dece-0cac0841).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-03 S??µa ????? (deleted 4aae293c-7355ac-a218b416).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-04 ?? ?a???a????? (deleted 4aae294d-37cece-259366b3).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-05 ????ts?a t?? s????µ?? (deleted 4aae2966-57a7e4-33a37f6a).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-06 ???t?se ???ta (deleted 4aae2978-41ad4c-ee35f634).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-07 ?a ??a?? (deleted 4aae298d-52c6c3-e08b1ce5).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-08 ??ß (deleted 4aae29a3-5976f8-f2b8bbe4).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-09 G????? t?? p??te? µ?? st? µ???? (deleted 4aae29b3-4256d7-8f51e5ff).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-10 ??t?? µ???? (deleted 4aae29c6-5a09dc-e38c7648).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-11 ??d??µ? (deleted 4aae29d6-462426-c1ab3fb9).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-12 ?????? t?? ??add???? (deleted 4aae29e4-43f31b-20dfc563).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-13 Tessa?????? (deleted 4aae29ef-34cf82-73662465).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-14 ? p???t?? Nagel (deleted 4aae29fc-413d30-dae5dfa0).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\1-15 ?????a (deleted 4aae2a09-4287bb-327c44b9).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\10 ? ?????S (deleted 4a4fbfa4-393bd1-84e7a4c5).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\11 ??? ????? ? ??S?? (deleted 4a4fbfc8-3b95ee-561403d2).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\12 ?? ??T???? ??? ?G??? (deleted 4a4fbfee-408538-547613bb).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\13 ????? ??? ??S?? (deleted 4a4fc012-38801e-2a7ce119).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\14 ???S ???S???????S (deleted 4a4fc03c-4359af-b4600e87).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\17 ??O???? (deleted 4a4fc0be-547d5c-b4726139).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\18 ??? S? T??????? (deleted 4a4fc0e8-470c9b-490ee3d8).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-01 ?a??s???sµa (deleted 4aae2abb-5673cd-6314d124).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-02 ?? ?p???e? ????? (deleted 4aae2acf-39e372-ef7d6add).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-03 ?a???ts?? ?a? ? ??st?? (deleted 4aae2ae7-485fc8-d8a8da88).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-04 G??a p???? µ?? (deleted 4aae2af8-3797bd-c921dc1c).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-05 ?????p??? (deleted 4aae2b12-59423b-4fd8775f).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-06 ????te? a??pe? (deleted 4aae2b28-51cffc-c5671401).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-07 ????e? ?a? ?????? (deleted 4aae2b3e-555802-76dd0862).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-08 ?ts? ?? a????? se pe??µ??? (deleted 4aae2b51-49879b-32b11c6c).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-09 St?? ????? t?? 2000 (deleted 4aae2b61-436447-55a4886a).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-10 ??µata (deleted 4aae2b72-4d7fce-f48b18b0).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-11 ?a s????? t?? ???ta? (deleted 4aae2b7f-39f5e3-a0c22f80).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-12 ???ase ??p??a ?a? f????se t' ?? (deleted 4aae2cee-43be22-68673217).mp3
Status: Hidden

Object: C:\Users\[MyName]\Dropbox\.dropbox.cache\2012-04-24\2-13 ??????d? t?? d?s??? (deleted 4aae304b-44c326-087719c0).mp3
Status: Hidden

Object: C:\Users\[MyName]\Pictures\[FolderName1]\[FolderName2]\?? ???a??? ??a?µa 2008 - µe d????. ?e???te?
Status: Hidden

Object: C:\Users\[MyName]\Searches\Documents\[FolderName3]\[FolderName4]\[FolderName5]\[FolderName6]\[FolderName7]\[FolderName8]\[FileName1]
Status: Hidden

Object: C:\Users\[MyName]\Searches\Documents\[FolderName3]\[FolderName4]\[FolderName5]\[FolderName6]\[FolderName7]\[FolderName8]\[FileName2]
Status: Hidden

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied


Re: Trojan: mydomainadvisor.com

Post by Superdave on Sat Apr 28, 2012 7:08 pm

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Re: Trojan: mydomainadvisor.com

Post by orangered on Sun Apr 29, 2012 9:33 am

It feels horrible to post so much extra information about myself... Anyway, here it is:

*******************

C:\Program Files\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application

C:\Users\[MyName]\Desktop\Einordnen\Setup Files\PDFCreator-1_2_3_setup.exe Win32/Toolbar.Widgi application

*******************

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=1f28f428f1cd084cb649e6b7e642d500
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-29 01:51:27
# local_time=2012-04-29 03:51:27 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1792 16777215 100 0 7700511 7700511 0 0
# compatibility_mode=5892 16776573 100 100 140599 173187179 0 0
# compatibility_mode=8192 67108863 100 0 582 582 0 0
# scanned=220986
# found=2
# cleaned=0
# scan_time=9834
C:\Program Files\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
C:\Users\[MyName]\Desktop\Einordnen\Setup Files\PDFCreator-1_2_3_setup.exe Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I

*******************

The "pdfforge Toolbar" is interesting: I've never heard of it before and certainly haven't installed it on purpose, but it must have come with PDFCreator (which I've been using for a long time and which never caused any trouble as far as I know). A quick search showed me that other people are having trouble with it as well. Could that be (one of) my problem(s)?
(I have never used that toolbar, and I can't find it under "add-ons". I use Firefox 11.0.)


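Superdave reads the two "unable to clean" lines off this log by eye. As an added example (not code from the thread or from ESET), here is a small Python parser for the log format orangered posted: it splits the `# key=value` header from the detection lines, recovers the space-containing paths that the forum flattened, and cross-checks the `found`/`cleaned` counters against the lines so the unresolved items stand out. The sample log is constructed to match the posted one; the path and hash values are placeholders.

```python
"""Parser for the ESET Online Scanner log format posted in this thread.
Added example, not code from the forum or from ESET: it reads the '# key=value'
header and the detection lines, then lists what the scanner could not clean.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample shaped like the log posted above; paths and hash are placeholders.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# found=2
# cleaned=0
C:\Program Files\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
C:\Users\[MyName]\Desktop\Einordnen\Setup Files\PDFCreator-1_2_3_setup.exe Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
"""

HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")
ACTION_RE = re.compile(r"\(([^()]*)\)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Detection:
    path: str
    threat: str
    action: Optional[str]     # text in the trailing parentheses, e.g. "unable to clean"
    file_hash: Optional[str]  # 32-hex column; all zeros in the posted log
    flag: Optional[str]       # trailing one-letter column

    @property
    def unresolved(self) -> bool:
        """True when ESET reported that it could not clean the object."""
        return self.action is not None and "unable to clean" in self.action


@dataclass
class EsetReport:
    meta: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def unresolved(self) -> list:
        return [d for d in self.detections if d.unresolved]


def parse_detection(line: str) -> Optional[Detection]:
    """Split one detection line. The forum flattened ESET's tab columns to spaces, so the
    path is recovered from the fact that a Windows path never contains '/' while an ESET
    threat name ('Win32/...') always does."""
    tokens = line.split()
    if not tokens or not DRIVE_RE.match(tokens[0]):
        return None
    split = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if split is None:
        return None
    path, rest = " ".join(tokens[:split]), tokens[split:]
    file_hash = flag = None
    if len(rest) >= 3 and HASH_RE.match(rest[-2]):
        file_hash, flag, rest = rest[-2], rest[-1], rest[:-2]
    threat, action = " ".join(rest), None
    m = ACTION_RE.search(threat)
    if m:
        action, threat = m.group(1), threat[: m.start()].rstrip()
    return Detection(path, threat, action, file_hash, flag)


def parse_log(text: str) -> EsetReport:
    report = EsetReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:  # repeated keys (compatibility_mode) are joined into one string
                report.meta[key] = f"{report.meta[key]}; {value}" if key in report.meta else value
            continue
        det = parse_detection(line)
        if det is not None:
            report.detections.append(det)
    return report


def review(report: EsetReport) -> list:
    """Cross-check the header counters against the detection lines and flag what a
    helper would want to look at before declaring the machine clean."""
    notes = []
    found, cleaned = int(report.meta.get("found", 0)), int(report.meta.get("cleaned", 0))
    if found != len(report.detections):
        notes.append(f"header says found={found} but {len(report.detections)} detection lines parsed")
    if report.meta.get("remove_checked") == "false":
        notes.append("'Remove found threats' was not ticked: the scanner only reported")
    for d in report.unresolved():
        notes.append(f"not cleaned: {d.path} [{d.threat}]")
    if found and cleaned == 0 and not report.unresolved():
        notes.append("cleaned=0 but no 'unable to clean' lines: read the log by hand")
    return notes
```

Running `review(parse_log(SAMPLE_LOG))` on the sample yields three notes: the scanner was in report-only mode, plus one "not cleaned" line per flagged file.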
Re: Trojan: mydomainadvisor.com

Post by Superdave on Sun Apr 29, 2012 6:23 pm

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First [You must be registered and logged in to see this link.]

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the [You must be registered and logged in to see this link.].

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download [You must be registered and logged in to see this link.] and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.

Additional Note: [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
***************************************************
Please download: [You must be registered and logged in to see this link.] to your Desktop.

  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  • Accept the license agreement.
  • Click the Open the Misc Tools section button.
  • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop.
    Copy and paste this file in your next reply.


Re: Trojan: mydomainadvisor.com

Post by orangered on Sun Apr 29, 2012 7:01 pm

I thought I had already updated Java - what did I do wrong?

I'll be doing the HijackThis scan in a moment.

Didn't any of those scans tell you anything helpful yet?


Re: Trojan: mydomainadvisor.com

Post by orangered on Sun Apr 29, 2012 7:06 pm

This is what HijackThis found:

Adobe Flash Player 11 Plugin
Adobe Flash Player ActiveX
Adobe Reader X (10.1.3) - Deutsch
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Avira Free Antivirus
Bonjour
CD/DVD Drive Acoustic Silencer
Cisco Systems VPN Client 5.0.07.0410
DVD MovieFactory for TOSHIBA
EndNote X5
EPSON Scan
EPSON-Drucker-Software
Eraser 6.0.9.2343
ESET Online Scanner v3
FLVPlayer4Free Free FLV Player 4.6.0.0
Free M4a to MP3 Converter 7.0
Free Studio version 5.3.3
Free WMA to MP3 Converter 1.16
GIMP 2.6.11
Google Earth Plug-in
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
IrfanView (remove only)
iTunes
Java(TM) 6 Update 31
Java(TM) 6 Update 6
Kml Builder
KML Editor
LibreOffice 3.3
Malwarebytes Anti-Malware Version 1.61.0.1400
Microsoft .NET Framework 3.5 Language Pack SP1 - deu
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile DEU Language Pack
Microsoft .NET Framework 4 Client Profile DEU Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended
Microsoft Entertainment Pack: The Puzzle Collection
Microsoft Office PowerPoint Viewer 2007 (German)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Works
Mozilla Firefox 11.0 (x86 de)
Mp3tag v2.49b
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
No23 Recorder
PDFCreator
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
Realtek USB 2.0 Card Reader
Realtek WiFi Protected Setup Library
RealUpgrade 1.1
ResearchSoft Direct Export Helper
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Windows Media Encoder (KB2447961)
Skype™ 5.5
SUPERAntiSpyware
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA Benutzerhandbücher
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
TOSHIBA Supervisor Password
Toshiba TEMPRO
TOSHIBA Value Added Package
TRDCReminder
TRORDCLauncher
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VLC media player 1.1.11
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series


Re: Trojan: mydomainadvisor.com

Post by Superdave on Sun Apr 29, 2012 10:28 pm

orangered wrote: I thought I had already updated Java - what did I do wrong?
Sorry, my error.
orangered wrote: Didn't any of those scans tell you anything helpful yet?
All that's left are those two items in ESET that were not removed.

You can uninstall Java(TM) 6 Update 6. No longer needed.

Copy and paste the text in the code box below into Notepad.
Code:

@echo off
rem Both paths contain spaces, so they must be quoted or del sees each as several arguments.
rem /q suppresses the "Are you sure?" prompt that del asks when it is given a whole folder.
del /q "C:\Program Files\PDFCreator\Toolbar"
del /q "C:\Users\[MyName]\Desktop\Einordnen\Setup Files\PDFCreator-1_2_3_setup.exe"
exit

Then click File > Save as
Save to the Desktop as blackpudding.bat
And Save as type: All Files.

Double-click on blackpudding.bat to run it.

Please run ESET again after doing the above and post the log.


Re: Trojan: mydomainadvisor.com

Post by orangered on Mon Apr 30, 2012 12:35 pm

Hmmm... It seems like I haven't been very successful, although I followed your instructions... ESET still found the same two "threats":

********************

C:\Program Files\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application
C:\Users\[MyName]\Desktop\Einordnen\Setup Files\PDFCreator-1_2_3_setup.exe Win32/Toolbar.Widgi application

(Unfortunately, no new file was saved automatically in the ESET folder.)

********************

PDFCreator seems "broken", however. It is still displayed as one of my printers (because that's what it's supposed to do: pretend to be a printer), but doesn't work any more.
(Do you by any chance know any (free) software that works similarly? I used to like PDFCreator a lot, before it started to install dubious toolbars.)

By the way, my browser is behaving very well now. Is it possible that we have fixed the issues (although I have no idea what might have done it)?


Re: Trojan: mydomainadvisor.com

Post by Superdave on Mon Apr 30, 2012 7:01 pm

orangered wrote: PDFCreator seems "broken",
Why not reinstall it?

Save these instructions so you can have access to them while in Safe Mode.

Please click [You must be registered and logged in to see this link.] to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on Next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors
  • My Computer
  • Also any other (removable) drives that you may have

Leave the rest of the settings as they appear by default.
  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware section of the report (it will be at the very top, under Detected) in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


Re: Trojan: mydomainadvisor.com

Post by orangered on Tue May 01, 2012 6:37 pm

[You must be registered and logged in to see this link.] wrote: Why not reinstall it?
Because it looks like it won't come without that unnecessary and annoying toolbar.

My Kaspersky log refuses to open (which I've never seen before with a notepad file) but I suppose that doesn't matter much because it didn't find anything it didn't like.


Re: Trojan: mydomainadvisor.com

Post by orangered on Tue May 01, 2012 6:39 pm

(Just for your information, the Kaspersky tool seems to have changed its appearance a bit, because some of the buttons to click weren't in the place you described them. Not that it mattered, I found everything I needed, but I thought you might want to know for the future.)


Re: Trojan: mydomainadvisor.com

Post by orangered on Tue May 01, 2012 10:04 pm

Oh no, I seem to have missed you today... Are we done scanning now? (Can you hear the hopeful tone?)

I've got another question: What do you advise me to do with all those programs I have installed over the past few days? Keep all of them, uninstall some of them (like ComboFix, maybe)?


Re: Trojan: mydomainadvisor.com

Post by Superdave on Tue May 01, 2012 10:23 pm

orangered wrote: Because it looks like it won't come without that unnecessary and annoying toolbar.
Usually when a toolbar comes with a program you have the option of installing or not installing it. I would suggest re-installing PDF Creator. As for the tools, we'll do some cleanup and if anything is left over you can uninstall them. I would suggest you keep SAS and MBAM. Update them and run them on a regular basis.


To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall
    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide system files and folders, and reset System Restore.

*********************************************
Clean out your temporary internet files and temp files.

Download [You must be registered and logged in to see this link.] to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
**********************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) [You must be registered and logged in to see this link.] (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) [You must be registered and logged in to see this link.]
3) [You must be registered and logged in to see this link.]
4) [You must be registered and logged in to see this link.]

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
***************************************************************
Use the [You must be registered and logged in to see this link.] to check for out of date software.

  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

----------

Go to [You must be registered and logged in to see this link.] and get all critical updates.

----------

I suggest using [You must be registered and logged in to see this link.]. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

[You must be registered and logged in to see this link.] - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* [You must be registered and logged in to see this link.] from Spyware and Malware
* If you don't know what ActiveX controls are, see [You must be registered and logged in to see this link.]

Protect yourself against spyware using the Immunize feature in [You must be registered and logged in to see this link.] Guide: [You must be registered and logged in to see this link.] to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. [You must be registered and logged in to see this link.]

Check out [You must be registered and logged in to see this link.] for tips and free tools to help keep you safe in the future.

Also see [You must be registered and logged in to see this link.] for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!


Re: Trojan: mydomainadvisor.com

Post by orangered on Thu May 03, 2012 9:52 am

Whatever it was that got rid of my problems in the end, you definitely helped me a lot! I think it's absolutely amazing that people like you dedicate their time and energy to this! Thank you very much!


Re: Trojan: mydomainadvisor.com

Post by Superdave on Thu May 03, 2012 7:17 pm

You're welcome. Stay safe.
