Hi, when I search for something on Google and click on the results, they are redirected to some other sites. This is happening on my IE9, and Mozilla also. I have Windows 7. Please help.

Hi,
It might be a virus infection. To remove the infection completely, follow the procedure below step by step:
1. Delete Temporary Internet Files, Cookies, Cache & History of all the browsers present in your system.
2. Check the internet settings of your browser for any unwanted proxy settings. If one is there, remove it & set it to 'Automatically Detect Settings'. It might be as below - IP Address - 127.0.0.1 Port No - 80
3. Check if unnecessary DNS IPs are present in 'Local Area Connection Properties'.
4. Open a command prompt & run the below command - ipconfig /flushdns
5. Now download TDSSKiller from the link below & follow the instructions:
http://support.kaspersky.com/downlo...
http://support.kaspersky.com/viruse...
Hope it will help you. Find more info at my blog.
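
Steps 2 to 4 of the reply above can be checked from a script instead of dialog by dialog. The following is an added example, not part of the original post; the function names are hypothetical, and it assumes Windows PowerShell run as the affected user so that the HKCU proxy values are that user's.

```powershell
# Added example, not from the thread. Read-only: it reports, it changes nothing.
# Written for Windows PowerShell as shipped with Windows 7.

function Test-ProxyValue {
    # Step 2: report an enabled manual proxy or a proxy auto-config script.
    param([int]$ProxyEnable, [string]$ProxyServer, [string]$AutoConfigURL)
    if ($ProxyEnable -eq 1 -and $ProxyServer) {
        if ($ProxyServer -match '(^|[=;/])\s*(127\.\d+\.\d+\.\d+|localhost|\[::1\])(:|;|$)') {
            "proxy enabled and pointing at this machine: $ProxyServer"
        } else {
            "proxy enabled: $ProxyServer"
        }
    }
    if ($AutoConfigURL) { "proxy auto-config script set: $AutoConfigURL" }
}

function Test-HostsText {
    # Report every active hosts line other than a loopback entry for localhost.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ($line -replace '#.*$', '').Trim()
        if (-not $entry) { continue }
        $fields = @($entry -split '\s+')
        $isLoopback = ($fields[0] -eq '127.0.0.1') -or ($fields[0] -eq '::1')
        $otherNames = @($fields | Select-Object -Skip 1 | Where-Object { $_ -ne 'localhost' })
        if (-not $isLoopback -or $otherNames.Count -gt 0) { "hosts entry to review: $entry" }
    }
}

function Get-StaticDnsSetting {
    # Step 3: NameServer holds manually set DNS servers, DhcpNameServer the
    # ones handed out by DHCP. A NameServer nobody configured needs explaining.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in Get-ChildItem -Path $base) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.NameServer) {
            "static DNS on $($key.PSChildName): $($p.NameServer) (DHCP offered: $($p.DhcpNameServer))"
        }
    }
}

function Get-RedirectTriageReport {
    # Collect the live values and run all three checks.
    $inet  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hosts = Get-Content -Path (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    @(Test-ProxyValue -ProxyEnable $inet.ProxyEnable -ProxyServer $inet.ProxyServer -AutoConfigURL $inet.AutoConfigURL) +
    @(Test-HostsText -Lines $hosts) +
    @(Get-StaticDnsSetting)
}

# Constructed samples: the proxy value quoted in step 2, and a hosts file
# with one extra mapping (203.0.113.10 is a documentation address).
Test-ProxyValue -ProxyEnable 1 -ProxyServer '127.0.0.1:80'
Test-HostsText -Lines @('# sample hosts file', '127.0.0.1 localhost', '203.0.113.10 www.google.com')

# On the affected machine:
Get-RedirectTriageReport
```

An empty report only rules out these three settings; as the rest of the thread shows, a redirect can persist with all of them clean.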

Hi AmThreat, thanks for such prompt help. I have tried all the solutions suggested above, but the problem didn't go. In fact, before posting this problem, I had already run Malwarebytes Anti-Malware, Trojan Remover, ComboFix. MBAM and Trojan Remover both found some infected files and removed them. If you want, I can post their logs. But the problem still didn't go, though those infected files, I guess, are no more in my system, as when I tried MBAM again it didn't find anything. Also TDSSKiller didn't find any infected file.

chirag8, Windows 7 has some unique characteristics that may not have been picked up by the scans already run.
Please run the following tool, it will give information to work with:
Download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...
Save it to your Desktop
Right-click the dds file, and select: Run as Administrator
When done, DDS opens two logs:
-DDS.txt
-Attach.txt
Save both reports to your Desktop.
Since these reports are large, please go to the Uploading website:
http://uploading.com/files/upload/
In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the DDS.txt, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)
Please copy the 'Download link'.
Do the same uploading for the Attach.txt.
Please copy the 'Download link', for each report, and provide them in your reply.
Thanks!
~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals

Hi aaflac44, thanks for providing your help. I have uploaded the files; below are the links:
DDS.txt
http://uploading.com/files/b62219a4...
attach.txt
http://uploading.com/files/9m2f2982...
Thanks

chirag8, Thanks for providing the reports.
Will take a look at them to check for a redirection cause, and will get back with you tomorrow.
Was rather busy today.
In the meantime, please disable your AntiVirus program and any AntiSpyware programs while performing the following scan. It will preclude conflicts, and will speed up scan time.
However, don't go surfing while your protection is disabled! Once we are done running some programs, you can re-enable protection.
Now, run an ESET Online Scanner
Since you are using Windows Seven to perform this scan, go to the 'Start' button, look for the browser icon, right-click it, and select: 'Run as administrator'.
In the browser address bar, copy paste the following:
http://www.eset.com/us/online-scanner
Press the 'ESET Online Scanner' button
- In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
- Allow the ActiveX to download, and click: 'Install'
http://www.eset.com/us/online-scann...
- In the next screen, make sure the option Remove found threats is unchecked, and press the Start button again.
- ESET downloads its updates, installs, and begins scanning your computer.
- When the scan is done, press: 'List of found threats'
- Press 'Export to text file...', and save the file to your desktop as: ESET Scan.
- Press the 'Back' button.
- Press: Finish
Please provide the contents of the 'ESET Scan' report in your reply.

Hi aaflac44, below are the ESET scan file contents:
C:\Users\Chirag\AppData\Local\Google\Chrome\User Data\Default\Default\cglmhekaidjdlclhnhbccdhodaafcdnh\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Chirag\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Chirag\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\cglmhekaidjdlclhnhbccdhodaafcdnh\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Chirag\AppData\Roaming\Mozilla\Firefox\Profiles\x88x7j10.default\extensions\{08eaae9a-a93d-4c69-9e3a-2f6bc31c8196}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Chirag\AppData\Roaming\Mozilla\Firefox\Profiles\x88x7j10.default\extensions\{cfb04ea8-b37e-4982-af4a-d15b3d305707}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Chirag\Downloads\cnet_wordweb6_exe.exe a variant of Win32/InstallCore.C application
C:\Users\Chirag\Downloads\cnet_wrar401_exe.exe a variant of Win32/InstallCore.C application
C:\Users\Chirag\Downloads\registrybooster.exe Win32/RegistryBooster application
Thanks

chirag8, Run ESET once again as per the instructions in Post #5; however, this time make sure the option Remove found threats is checked, and press the Start button.
Let the program get rid of the entries it found.

Hi aaflac44, I have cleaned the problems it found, but the problem hasn't gone yet.
Thanks

chirag8, We need to dig deeper...
Please download SystemLook from one of the links below:
http://jpshortstuff.247Fixes.com/Sy...
http://images.malwareremoval.com/jp...
Save the file to the Desktop
- Double-click SystemLook.exe to run it.
- Copy the following into the open textfield:
:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /sub
:filefind
consrv.dll
winsrv.dll
- Click the Look button to start the scan.
- When finished, a Notepad window opens with the results of the scan.
Please post the SystemLook.txt in your reply.
Also, do the following:
Click the Start globe, type System in the Start Search box
In the list that shows above, under Control Panel, click: System
The operating system is displayed as follows:
System Type > System: '64-bit Operating System'
System Type > System: '32-bit Operating System'
Which one is displaying? 32-bit, or, 64-bit?
Thanks!

Hi aaflac44, below are the results of SystemLook
SystemLook 30.07.11 by jpshortstuff
Log created at 00:28 on 08/09/2011 by Chirag
Administrator - Elevation successful
========== reg ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Debug"=""
@="mnmsrvc"
"Kmode"="\SystemRoot\System32\win32k.sys"
"Optional"="Posix"
"Posix"="%SystemRoot%\system32\psxss.exe"
"Required"="Debug Windows"
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
========== filefind ==========
Searching for "consrv.dll"
No files found.
Searching for "winsrv.dll"
C:\Windows\System32\winsrv.dll --a---- 214528 bytes [12:37 23/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll --a---- 214016 bytes [23:38 13/07/2009] [01:41 14/07/2009] 457B44AB6D502E55F64A867D4F35C76C
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16723_none_12b26ed5b5d7569a\winsrv.dll --a---- 214016 bytes [11:26 26/04/2011] [06:16 21/12/2010] B200DECA2186858595A97FBE63E896CC
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll --a---- 214528 bytes [12:37 23/08/2011] [05:26 16/07/2011] 0CB6EBF4B461A6043353C570BD72A1E1
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20864_none_1311cc3acf147f7f\winsrv.dll --a---- 214016 bytes [11:26 26/04/2011] [07:15 22/12/2010] 571543B93AE0319185970848024C9E04
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20995_none_12f25ea6cf2be9d0\winsrv.dll --a---- 214528 bytes [12:37 23/08/2011] [05:26 24/06/2011] 6D408ABD60A995A2DAB4BAAE38BCA04F
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll --a---- 214016 bytes [13:42 24/08/2011] [13:27 20/11/2010] E0406AEF04B088D1C49FC78D0546F689
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17527_none_149ccd03b2fa27e2\winsrv.dll --a---- 214016 bytes [11:26 26/04/2011] [11:42 17/12/2010] 15822E7206C7A0A893395CB07A63C7E1
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17641_none_14812d55b30fc4e1\winsrv.dll --a---- 214528 bytes [12:37 23/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21624_none_152368f0cc1a7ba7\winsrv.dll --a---- 214016 bytes [11:26 26/04/2011] [08:52 18/12/2010] A199CC08A13EEB667412423F712FE817
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21756_none_1504fba6cc30ff4f\winsrv.dll --a---- 214528 bytes [12:37 23/08/2011] [05:27 24/06/2011] C13D05A015346DED3D722BE285814495
-= EOF =-
and my operating system is 64 bit.
Thanks.
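
The SystemLook query in this exchange dumps the SubSystems key and searches for consrv.dll alongside winsrv.dll. As an added example (not from the thread and not SystemLook's own code), the script below lists the ServerDll modules named in the "Windows" value and flags any that do not appear in the clean log posted above; the function names and the baseline list are assumptions.

```powershell
# Added example, not from the thread. The baseline is the set of ServerDll
# modules in the log posted above; treat it as an assumption on other builds.
$BaselineModules = @('basesrv', 'winsrv', 'sxssrv')
$SubSystemsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

function Get-ServerDllEntry {
    # Each entry has the form ServerDll=<module>[:<init routine>],<index>
    param([Parameter(Mandatory = $true)][string]$WindowsValue)
    $pattern = 'ServerDll=(?<module>[^:,\s]+)(?::(?<init>[^,\s]+))?,(?<index>\d+)'
    $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    foreach ($m in [regex]::Matches($WindowsValue, $pattern, $options)) {
        New-Object PSObject -Property @{
            Module = $m.Groups['module'].Value
            Init   = $m.Groups['init'].Value
            Index  = [int]$m.Groups['index'].Value
        }
    }
}

function Test-SubSystemsValue {
    # Returns one line per finding; no output means nothing was flagged.
    param([Parameter(Mandatory = $true)][string]$WindowsValue,
          [string[]]$Baseline = $BaselineModules)
    if ($WindowsValue -notmatch '^%SystemRoot%\\system32\\csrss\.exe\s') {
        'host image is not %SystemRoot%\system32\csrss.exe'
    }
    foreach ($e in (Get-ServerDllEntry -WindowsValue $WindowsValue)) {
        if ($Baseline -notcontains $e.Module.ToLower()) {
            "unexpected ServerDll module: $($e.Module) (init '$($e.Init)', index $($e.Index))"
        }
    }
}

function Get-ServerDllFile {
    # The file side of the check: where each named module resolves on disk.
    param([Parameter(Mandatory = $true)][string]$WindowsValue)
    $modules = Get-ServerDllEntry -WindowsValue $WindowsValue |
        ForEach-Object { $_.Module.ToLower() } | Sort-Object -Unique
    foreach ($name in $modules) {
        $path = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $name)
        if (Test-Path -Path $path) { Get-Item -Path $path | Select-Object FullName, Length, LastWriteTime }
        else { "not found on disk: $path" }
    }
}

function Get-LiveSubSystemsValue {
    # Read the raw REG_EXPAND_SZ so %SystemRoot% is compared unexpanded.
    $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    (Get-Item -Path $SubSystemsKey).GetValue('Windows', $null, $opt)
}

# The value from the SystemLook log above (no findings expected).
$fromLog = '%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16'
Test-SubSystemsValue -WindowsValue $fromLog

# Constructed for illustration: the same value with one module name replaced
# by the consrv name that the query searched for.
$constructed = $fromLog -replace 'winsrv:ConServerDllInitialization', 'consrv:ConServerDllInitialization'
Test-SubSystemsValue -WindowsValue $constructed

# On the machine being examined (elevated prompt):
$live = Get-LiveSubSystemsValue
Test-SubSystemsValue -WindowsValue $live
Get-ServerDllFile -WindowsValue $live
```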

If you have ComboFix (CF) already on your Desktop, please remove it! We'll download an updated version. It has been updated to deal with the ZeroAccess Rootkit.
ComboFix download:
http://download.bleepingcomputer.co...
Save ComboFix.exe to your Desktop!!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of CF.
Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through these links:
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/sec...
Windows 7 - Right-click on ComboFix.exe and select: Run as Administrator
Follow the prompts.
Click on 'Yes', to continue scanning for malware.
When finished, CF produces a report.
Since this report can be quite large, please go to the 'Uploading' website:
http://uploading.com/files/upload/
In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'
You will see the following:
"Your file has been uploaded successfully: (Name and size of the file)"
Please copy the 'Download link', and provide it in your reply.
Notes:
1. Do not mouse-click the ComboFix window while it is running. This action may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Hi aaflac44, Thanks for bearing with me so much. Below is the link to the ComboFix report.
http://uploading.com/files/337a25dd...
Though it showed me some reading exception error two times.

chirag8, Please download aswMBR.exe and save it to your Desktop:
http://public.avast.com/~gmerek/asw...
Right-click aswMBR.exe and select: Run as Administrator
Click 'Scan'
Upon completion of the scan, click 'Save log' and save it to your Desktop.
Please post the log in your reply for review.
Note - Please do NOT attempt to fix anything!!
You will also notice another file created on the Desktop. It is named MBR.dat. Please save the file to the C:\ drive for now.
Thanks

Hi,
below is the log
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-09 11:50:32
-----------------------------
11:50:32.443 OS Version: Windows x64 6.1.7601 Service Pack 1
11:50:32.443 Number of processors: 4 586 0x2A07
11:50:32.443 ComputerName: CHIRAG-PC UserName: Chirag
11:50:36.250 Initialize success
11:50:39.904 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:50:39.905 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
11:50:39.940 Disk 0 MBR read successfully
11:50:39.945 Disk 0 MBR scan
11:50:39.950 Disk 0 Windows 7 default MBR code
11:50:39.958 Service scanning
11:50:41.113 Modules scanning
11:50:41.121 Disk 0 trace - called modules:
11:50:41.130 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
11:50:41.133 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800787b060]
11:50:41.135 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80058e2270]
11:50:41.138 5 ACPI.sys[fffff88000f987a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80058e8050]
11:50:41.140 Scan finished successfully
11:50:47.044 Disk 0 MBR has been saved successfully to "C:\Users\Chirag\Desktop\MBR.dat"
11:50:47.051 The log file has been saved successfully to "C:\Users\Chirag\Desktop\aswMBR.txt"
Thanks

Please download GooredFix from one of the locations below and save it to your Desktop:
Download Mirror #1
http://jpshortstuff.247fixes.com/Go...
Download Mirror #2
http://downloads.securitycadets.com...
Ensure all Firefox windows are closed.
To run the tool, right-click and select: 'Run As Administrator'
When prompted to run the scan, click: 'Yes'.
It doesn't take long to run.
Once it is finished, please post the GooredFix log.
After running the last ComboFix and GooredFix, are you still getting redirected?

Hi aaflac44, below is the report of GooredFix
GooredFix by jpshortstuff (03.07.10.1)
Log created at 16:06 on 09/09/2011 (Chirag)
Firefox version 6.0.2 (en-US)
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:19 05/09/2011]
C:\Users\Chirag\Application Data\Mozilla\Firefox\Profiles\x88x7j10.default\extensions\
{e001c731-5e37-4538-a5cb-8168736a2360} [00:22 06/09/2011]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"msntoolbar@msn.com"="C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox" [05:31 23/06/2011]
"{27182e60-b5f3-411c-b545-b44205977502}"="C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\" [05:31 23/06/2011]
"{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}"="C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\" [05:31 23/06/2011]
-=E.O.F=-
and I checked the problem and now I guess I am not getting redirected :) Thanks a lot for your help. I didn't have any other option than to format my system if you didn't help. I thank you again. Highly appreciate it.
Thanks.

chirag8, Thanks for the kind words. I enjoy solving malware problems, although sometimes they get rather hairy!
GooredFix reported legitimate entries. :-)
Bear with me a little longer so we can do a couple of maintenance tasks:
Please download TFC (Temporary File Cleaner):
http://oldtimer.geekstogo.com/TFC.exe
Save to your Desktop.
Save any work in progress!! TFC closes open applications, and removes unsaved work!
Right-click TFC.exe and select: 'Run as Administrator'
If prompted, click 'Yes' to reboot.
Now, download Security Check:
http://screen317.changelog.fr/Secur...
Save it to the Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions (in the black box.)
When done, a Notepad document opens automatically: checkup.txt
Please post the contents of checkup.txt in your reply.

Hi aaflac44, sorry for the late reply. Below is the content of the checkup.txt file
Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 22
Adobe Flash Player
Adobe Reader X (10.1.0) MUI
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````
I already installed Malwarebytes Anti-Malware. It still keeps showing that it has blocked access to some sites as they were potentially malicious, and this is happening when I am searching for something on Google and open a result. That means the problem is still there; MBAM just does not let that site open. :(
Thanks

chirag8, Please uninstall/remove Malwarebytes' Anti-Malware, and install an updated version.
Download Malwarebytes' Anti-Malware:
http://www.bleepingcomputer.com/dow...
Save it to your Desktop.
Make sure you are connected to the Internet.
Right-click on mbam-setup.exe and select: ‘Run as Administrator’
When the installation begins, follow the prompts and do not make changes to the settings.
When the installation is finished, leave both of these checked:
-Update Malwarebytes' Anti-Malware
-Launch Malwarebytes' Anti-Malware
Then click Finish
MBAM automatically starts, and you are asked to update the program.
If an update is found, the program automatically updates. Press the 'OK' button to close the box and continue.
On the Scanner tab:
Select the Perform Full Scan option.
Then, click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
When the scan is finished, a message appears "The scan completed successfully. Click 'Show Results' to display all entries found".
Click 'OK' to close the message, and continue with the removal process.
Back at the main Scanner screen:
Click on Show Results button to see a list of any malware found.
Make sure everything is checked, and click Remove Selected
When removal is completed, a log report opens in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab.
Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer. Please do so immediately. Failure to reboot prevents MBAM from removing the malware.
Please copy/paste the contents of the MBAM report in your reply, and exit MBAM.
Thanks!

Hi aaflac44, below is the log
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7697
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
9/12/2011 12:28:51 AM
mbam-log-2011-09-12 (00-28-51).txt
Scan type: Full scan (C:\|D:\|F:\|Q:\|)
Objects scanned: 362576
Time elapsed: 1 hour(s), 3 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Thanks

Please download MiniToolBox: http://download.bleepingcomputer.co...
Save it to your Desktop and run it.
Checkmark the following boxes:
- Flush DNS
- Report IE Proxy Settings
- Report FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
Click Go and post the Result.txt in your reply.
(A copy of Result.txt is saved in the same directory where the tool is run.)
Thanks!

Hi aaflac44, below is the content of Result.txt
MiniToolBox by Farbar
Ran by Chirag (administrator) on 12-09-2011 at 19:27:08
Windows 7 Home Premium Service Pack 1 (X64)
***************************************************************************
========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
"network.proxy.type", 0
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
reset
set global
popd
# End of IPv4 configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : Chirag-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) WiMAX 6150
Physical Address. . . . . . . . . : 64-D4-DA-58-68-4A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : AC-72-89-06-FF-FF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : AC-72-89-06-FF-FF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 1030
Physical Address. . . . . . . . . : AC-72-89-06-FF-FE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::84d9:ca39:220e:426b%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, September 12, 2011 2:20:54 PM
Lease Expires . . . . . . . . . . : Tuesday, September 13, 2011 2:20:54 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 380400265
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-94-83-0E-78-2B-CB-F6-88-05
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 78-2B-CB-F6-88-05
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : AC-72-89-07-00-02
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 12:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:20e8:3f28:9d4b:d8ec(Preferred)
Link-local IPv6 Address . . . . . : fe80::20e8:3f28:9d4b:d8ec%19(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{582C4A22-E37D-4557-86F8-BA3DAB7CDEE1}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{E27EBE66-EE13-42AE-A956-08E062856C3C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{D4A06EA3-D6D6-4679-9FEF-5FEB9A2322A5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{40705107-B835-4A04-A60D-1E816FF37C70}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{261424E1-BAE8-48B3-AF52-4C9A22ACB735}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{7B066336-7FDB-4237-BE04-5F0A7AE0422D}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1
Name: google.com
Addresses: 74.125.73.103
74.125.73.104
74.125.73.105
74.125.73.106
74.125.73.147
74.125.73.99
Pinging google.com [74.125.73.147] with 32 bytes of data:
Reply from 74.125.73.147: bytes=32 time=69ms TTL=53
Reply from 74.125.73.147: bytes=32 time=78ms TTL=53
Ping statistics for 74.125.73.147:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 69ms, Maximum = 78ms, Average = 73ms
Server: UnKnown
Address: 192.168.1.1
Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65
Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=86ms TTL=56
Reply from 98.137.149.56: bytes=32 time=264ms TTL=56
Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 86ms, Maximum = 264ms, Average = 175ms
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
===========================================================================
Interface List
17...64 d4 da 58 68 4a ......Intel(R) Centrino(R) WiMAX 6150
16...ac 72 89 06 ff ff ......Microsoft Virtual WiFi Miniport Adapter #2
15...ac 72 89 06 ff ff ......Microsoft Virtual WiFi Miniport Adapter
14...ac 72 89 06 ff fe ......Intel(R) Centrino(R) Wireless-N 1030
12...78 2b cb f6 88 05 ......Realtek PCIe FE Family Controller
11...ac 72 89 07 00 02 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
19...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.3 286
192.168.1.3 255.255.255.255 On-link 192.168.1.3 286
192.168.1.255 255.255.255.255 On-link 192.168.1.3 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.3 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.3 286
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
19 58 ::/0 On-link
1 306 ::1/128 On-link
19 58 2001::/32 On-link
19 306 2001:0:4137:9e76:20e8:3f28:9d4b:d8ec/128
On-link
14 286 fe80::/64 On-link
19 306 fe80::/64 On-link
19 306 fe80::20e8:3f28:9d4b:d8ec/128
On-link
14 286 fe80::84d9:ca39:220e:426b/128
On-link
1 306 ff00::/8 On-link
19 306 ff00::/8 On-link
14 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 06 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 09 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 09 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
**** End of log ****
Thanks
chirag8, Does MBAM give a name for that website it blocks access to, as it is potentially malicious according to MBAM?
Also, please double-click SystemLook.exe to run it again.
Copy the following into the open textfield:
:reg
HKEY_CLASSES_ROOT\.fsharproj
:filefind
.fsharproj
Click the 'Look' button to start the scan.
When finished, a Notepad window opens with the results of the scan.
Please post the SystemLook.txt in your reply.
~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals
Hi aaflac44, it shows the IP address of the site it blocks. Also below is the result of SystemLook.txt
SystemLook 30.07.11 by jpshortstuff
Log created at 22:19 on 12/09/2011 by Chirag
Administrator - Elevation successful
========== reg ==========
[HKEY_CLASSES_ROOT\.fsharproj]
(Unable to open key - key not found)
========== filefind ==========
Searching for ".fsharproj"
No files found.
-= EOF =-
Thanks
chirag8, Double-click my name above yours (in blue), and then, double click it again to get the Personal Message window.
Then, please send the IP address that MBAM is reporting.
Do not post the IP address here, where it is visible. If it is malicious, we do not want someone using it for the wrong purposes.
Thanks.
chirag8 The IP address provided belongs to Oversee.net, and it has a large group of domains.
My understanding of the problem is that a Malwarebytes' Anti Malware Window pops up saying "Successfully blocked access to a potentially malicious website:"
The set of numbers that changes may include: 208.87.33.151, 208.87.32.69 and 208.73.210.48.
Does the notification also state: "Type: outgoing"?
If so, this notification means that an IP address has been blocked, but does not necessarily mean you are infected. It means a program on your computer (e.g. your browser, IM program, P2P program, etc.) tried accessing a malicious IP address. The IM program or P2P program are good candidates for culprits.
Need to look at a MBAM Registry setting.
Please double-click SystemLook.exe to run it again.
Copy the following into the open textfield:
:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware
Click the 'Look' button to start the scan.
When finished, a Notepad window opens with the results of the scan.
Please post the SystemLook.txt in your reply.
Hi aaflac44, The address I provided you was just one IP address. Below is the list of all blocks which MBAM has blocked:
00:44:34 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 62270, Process: firefox.exe)
01:44:34 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 50940, Process: firefox.exe)
02:07:10 Chirag IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 51381, Process: firefox.exe)
02:07:10 Chirag IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 51383, Process: firefox.exe)
02:07:10 Chirag IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 51385, Process: firefox.exe)
02:07:10 Chirag IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 51387, Process: firefox.exe)
02:10:23 Chirag IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 51566, Process: firefox.exe)
02:44:29 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 52158, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 53277, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 53279, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 53281, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 53283, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 53290, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 53291, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 64.111.196.121 (Type: outgoing, Port: 53297, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 64.111.196.121 (Type: outgoing, Port: 53299, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 64.111.196.121 (Type: outgoing, Port: 53301, Process: firefox.exe)
11:10:47 Chirag IP-BLOCK 64.111.196.121 (Type: outgoing, Port: 53303, Process: firefox.exe)
11:11:27 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 53386, Process: firefox.exe)
15:56:06 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 62980, Process: firefox.exe)
16:56:04 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 63171, Process: firefox.exe)
17:56:01 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 63430, Process: firefox.exe)
18:56:07 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 64221, Process: firefox.exe)
19:56:02 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 49371, Process: firefox.exe)
20:56:07 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 51090, Process: firefox.exe)
21:56:05 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 52834, Process: firefox.exe)
22:56:06 Chirag IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 53610, Process: firefox.exe)
23:39:50 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 54632, Process: firefox.exe)
23:39:50 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 54634, Process: firefox.exe)
23:39:50 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 54636, Process: firefox.exe)
23:39:50 Chirag IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 54638, Process: firefox.exe)
and the SystemLook.txt content is below
SystemLook 30.07.11 by jpshortstuff
Log created at 23:37 on 14/09/2011 by Chirag
Administrator - Elevation successful
========== reg ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware]
"InstallPath"="C:\Program Files (x86)\Malwarebytes' Anti-Malware"
"dbdate"="9/11/2011"
"dbversion"="7697"
"programversion"="1.51.1.1800"
"advancedheuristics"= 0x0000000001 (1)
"downloadprogram"= 0x0000000001 (1)
"hidereg"= 0x0000000000 (0)
"detectp2p"= 0x0000000000 (0)
"detectpum"= 0x0000000001 (1)
"detectpup"= 0x0000000002 (2)
"updatewarn"= 0x0000000001 (1)
"updatewarndays"= 0x0000000007 (7)
"useproxy"= 0x0000000000 (0)
"useauthentication"= 0x0000000000 (0)
"startipdisabled"= 0x0000000000 (0)
"notifyinstallprogram"= 0x0000000001 (1)
"trialended"= 0x0000000000 (0)
"SchedulerQueue"="6148, 30174095, 1986592880, 1, 23 | 30175939, 2066899055"
"scanreboot"= 0x0000000000 (0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware\UUID]
-= EOF =-
Thanks
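Added example, not part of the thread and not Malwarebytes code: one way to summarise IP-BLOCK lines in the format posted above, grouping outgoing blocks by process and destination and separating same-second bursts from blocks that recur at a steady interval. The sample lines use constructed documentation addresses; the 300-second tolerance and the assumption that all lines come from a single day's log (the lines carry no date) are choices made for this example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in the IP-BLOCK line format (documentation addresses).
SAMPLE = """\
09:56:06 User IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 62980, Process: firefox.exe)
10:56:04 User IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 63171, Process: firefox.exe)
11:10:47 User IP-BLOCK 198.51.100.7 (Type: outgoing, Port: 53277, Process: firefox.exe)
11:10:47 User IP-BLOCK 198.51.100.7 (Type: outgoing, Port: 53279, Process: firefox.exe)
11:56:01 User IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 63430, Process: firefox.exe)
12:56:07 User IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 64221, Process: firefox.exe)
this line is not a block entry and is skipped
"""

LINE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\s+(\S+)\s+IP-BLOCK\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type: (\w+), Port: (\d+), Process: ([^)]+)\)$")

def parse(text):
    """Yield (seconds_since_midnight, ip, direction, process) per block line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            h, mi, s = (int(x) for x in m.group(1, 2, 3))
            yield h * 3600 + mi * 60 + s, m.group(5), m.group(6), m.group(8).lower()

def summarise(text, tolerance=300):
    """Group outgoing blocks by (process, ip) and label the timing pattern."""
    groups = defaultdict(list)
    for t, ip, direction, proc in parse(text):
        if direction == "outgoing":
            groups[(proc, ip)].append(t)
    report = {}
    for key, times in groups.items():
        events = sorted(set(times))      # same-second hits are one event
        gaps = [b - a for a, b in zip(events, events[1:])]
        if len(events) == 1:
            pattern = "burst" if len(times) > 1 else "single"
        elif len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            pattern = "periodic"         # steady interval suggests a timer
        else:
            pattern = "irregular"
        report[key] = {"blocks": len(times), "events": len(events), "pattern": pattern,
                       "median_gap": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

A "periodic" group points at something in the named process making requests on a timer rather than in response to a page load, which narrows where to look (extensions, plugins, update checks) before running further scans.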
Have not been able to see where those outgoing requests are coming from, so let's get more detail, and run the following: Download OTL:
http://oldtimer.geekstogo.com/OTL.exe
Save to the Desktop
Windows 7/Vista - Right-click the icon and select: Run as Administrator
XP - Double click on the icon to run the program.
Make sure all other windows are closed and let it run uninterrupted.
Select All Users
Under the Custom Scan box, copy/paste the following:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
Click the Quick Scan button, and do not change any settings.
The scan won't take long.
When the scan completes, it opens two notepad reports: OTL.Txt and Extras.Txt.
These are saved in the same location as OTL.
Please upload both logs, and provide their link in your reply.
Hi aaflac44, My McAfee antivirus, I guess, is detecting this program as a trojan. Do I need to disable my antivirus before I run this scan?
Thanks
Either do that, or set McAfee to allow it. Disabling McAfee would be best, though. Then there will be no conflict with OTL.
BTW, the moderator (Justin Weber) reset the Best Answer/Solved issue for you.
Hi aaflac44,
Below are the links to the files:
http://uploading.com/files/m31dcbbb...
http://uploading.com/files/5619a611...
Thanks
chirag8, Please download and install an updated copy of FireFox:
http://www.mozilla.org/en-US/firefo...
Next, go back to Post #11, and follow its instructions to remove ComboFix, get a new copy, run it, and upload its results.
Last, open Malwarebytes' Anti-Malware (MBAM) once again, make sure you update it, perform a full scan, and post its results.
After doing all of the above, use FireFox and do some web surfing, as you normally do.
Post back on whether you are still getting blocks from MBAM.
Hi,
Below is the link for the ComboFix report:
http://uploading.com/files/448fbeb8...
and below is MBAM result
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7743
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
9/18/2011 12:22:50 PM
mbam-log-2011-09-18 (12-22-50).txt
Scan type: Full scan (C:\|D:\|F:\|Q:\|)
Objects scanned: 343747
Time elapsed: 33 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I just did some searching on Firefox and I didn't see that problem. Thanks a lot for your help.
It's been a great help. Maybe I will disturb you again when I see this problem :)
Thanks
Excellent job, chirag8! There was something in the outdated Mozilla FireFox that apparently kept "calling home".
If you select a post as Best Answer, this topic will be marked as Solved.
Safe surfing, and Good Luck!!
