Windows 7 Forums


Windows 7: HELP - Windows Defender cannot remove Trojan: JS/Redirector.JA


07 Dec 2012   #1

Vista Ultimate 64 and Windows-7 both are 64 Bit
 
 
HELP - Windows Defender cannot remove Trojan: JS/Redirector.JA

I run Windows-7 with Microsoft Security Essentials(MSE), both are current on Updates.

MSE indicated that I had not run a Scan in some time and the Icon turned Orange.

I ran Quick Scan and the Icon remained Orange after the Quick Scan completed.

I then ran a Full Scan and the Icon turned Green when the Scan Completed.

I was suspicious and ran a Full Malwarebytes Scan which found nothing.

I was about to call it a day but decided to run Windows Defender Offline overnight.

Defender found Trojan: JS/Redirector.JA. Severe

I selected the Remove Option and Defender started to do something.

After about seven or eight minutes Defender reported:

Remove - Error Encountered 0x800700de

The File Type being saved or retrieved has been blocked.

Windows Defender could not apply the action you selected.

I am at a loss as to how to proceed. MSE and the Windows Defender take +-Five Hours to complete on my System. I would like to Remove this Trojan but have no idea where to begin. Can the Forum make any suggestions?



07 Dec 2012   #2

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 

First, is there any chance you can do a system restore? If so, roll the system back 2 or preferably 3 points past the point of infection. (Some viruses embed themselves in the 1st restore point).

You can also try running Malwarebytes in Safe Mode.

Did you make the WDO disk on the infected computer? If so, WDO's integrity may have been compromised. Try making the disk on a clean PC & then run it on your system. And make sure your net connection is shut off when you run it.

Second, if that doesn't work, you could try one of the following tools:

Norton Power Eraser

Quote:
Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully. If you accidentally remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.

SuperAntiSpyware.

If these fail, it might be a good idea to delete Java from your system & then run another scan to see if this can ferret out the infection.

Quote:
Trojan:JS/Redirector.JA’s evil purpose is to compromise your security programs and steal your confidential data then send it to the internet hackers. Remove Trojan:JS/Redirector.JA as soon as possible once detected to ensure the safety of your system. Once installed, Trojan:JS/Redirector.JA will be configured to start automatically when you start Windows.
Quote:
Trojan:JS/Redirector.JA is a trojan, written in highly obfuscated JavaScript, that redirects users to websites that promote a male enhancement product.
07 Dec 2012   #3
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
***A guide and tutorial on "How to use Combofix" can be found here:
ComboFix: A guide and tutorial on using ComboFix

IF CF won't run:
During the download (before saving or running it), rename Combofix.exe to sVchost.exe


08 Dec 2012   #4

Vista Ultimate 64 and Windows-7 both are 64 Bit
 
 
ComboFix.txt

ComboFix 12-12-07.01 - Mike 12/08/2012 0:12.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3061.1306 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1354896677.bdinstall.bin
c:\programdata\1354909018.bdinstall.bin
c:\users\Camille\WINDOWS
c:\users\Charmaine\WINDOWS
c:\users\Chloe\WINDOWS
c:\users\Heather\WINDOWS
c:\users\Jennifer\WINDOWS
c:\users\Michelle\WINDOWS
c:\users\Mike\WINDOWS
c:\users\Simone\WINDOWS
c:\users\Terry\WINDOWS
c:\users\Tim\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-11-08 to 2012-12-08 )))))))))))))))))))))))))))))))
.
.
2012-12-08 00:37 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ADFFC7BA-22C5-42CB-9871-55FEC4F62F99}\mpengine.dll
2012-12-07 16:17 . 2012-12-07 16:17 -------- d-----w- c:\programdata\BitDefender
2012-12-07 16:16 . 2012-12-07 16:16 -------- d-----w- c:\programdata\BDLogging
2012-12-07 16:12 . 2012-12-07 16:12 -------- d-----w- c:\users\Mike\AppData\Roaming\QuickScan
2012-12-07 16:11 . 2012-12-07 19:43 -------- d-----w- c:\program files\Auslogics Software
2012-12-07 16:10 . 2012-12-07 19:41 -------- d-----w- c:\program files\Common Files\Auslogics Software
2012-12-07 16:09 . 2012-12-07 16:09 -------- d-----w- c:\program files (x86)\Common Files\Bitdefender
2012-12-07 02:45 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-28 23:29 . 2012-11-28 23:29 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FC1AE5D1-B926-4597-85BE-EC7CD64EC9CA}\gapaengine.dll
2012-11-28 14:18 . 2012-11-28 14:18 -------- d-----w- c:\programdata\Citrix
2012-11-28 14:18 . 2012-11-28 14:18 -------- d-----w- c:\program files (x86)\Common Files\Citrix
2012-11-22 06:14 . 2012-11-22 13:09 -------- d-----w- c:\users\Michelle\AppData\Local\Microsoft Games
2012-11-21 13:31 . 2012-12-02 05:59 -------- d-----w- c:\users\Bianca
2012-11-13 19:32 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-13 19:32 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-13 19:32 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-13 19:32 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-13 19:23 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-13 19:23 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-13 19:23 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-13 19:23 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-13 19:23 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-13 19:23 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-13 19:23 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-13 19:17 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-11-13 19:17 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-11-13 19:17 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2012-11-13 19:17 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2012-11-11 14:57 . 2012-11-11 14:57 -------- d-----w- c:\program files\Easy Duplicate Finder 4
2012-11-11 14:57 . 2012-11-11 14:57 -------- d-----w- c:\programdata\Ask
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-13 19:24 . 2011-02-11 23:03 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-11-09 17:48 . 2012-04-03 21:24 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-09 17:48 . 2011-05-17 22:04 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-10-16 08:38 . 2012-11-27 22:33 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-11-27 22:33 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-11-27 22:33 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-09-29 02:32 . 2012-09-29 02:32 2177688 ----a-w- c:\windows\system32\coin92.dll
2012-09-27 21:31 . 2011-03-26 01:27 972192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-25 03:16 . 2012-11-01 14:33 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-21 00:11 . 2012-08-31 00:22 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-09-21 00:00 . 2012-08-31 00:22 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-09-20 12:30 . 2012-09-20 12:30 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-09-20 12:24 . 2011-12-24 01:48 4278384 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-09-20 12:12 . 2011-12-24 01:48 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-09-20 12:12 . 2012-09-20 12:12 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-09-19 13:11 . 2012-09-19 13:23 2605400 ----a-w- c:\windows\system32\WavesGUILib.dll
2012-09-19 13:11 . 2012-09-19 13:23 1361336 ----a-w- c:\windows\system32\tosade.dll
2012-09-19 13:11 . 2012-09-19 13:23 65944 ----a-w- c:\windows\system32\tepeqapo64.dll
2012-09-19 13:11 . 2012-09-19 13:23 836544 ----a-w- c:\windows\system32\tadefxapo264.dll
2012-09-19 13:11 . 2012-09-19 13:23 518896 ----a-w- c:\windows\system32\SRSTSX64.dll
2012-09-19 13:11 . 2012-09-19 13:23 211184 ----a-w- c:\windows\system32\SRSTSH64.dll
2012-09-19 13:11 . 2012-09-19 13:23 198896 ----a-w- c:\windows\system32\SRSHP64.dll
2012-09-19 13:11 . 2012-09-19 13:23 155888 ----a-w- c:\windows\system32\SRSWOW64.dll
2012-09-19 13:11 . 2012-09-19 13:23 148416 ----a-w- c:\windows\system32\tadefxapo.dll
2012-09-19 13:11 . 2012-09-19 13:22 220776 ----a-w- c:\windows\system32\SFSS_APO.dll
2012-09-19 13:11 . 2012-09-19 13:22 81248 ----a-w- c:\windows\system32\SFCOM64.dll
2012-09-19 13:11 . 2012-09-19 13:22 78688 ----a-w- c:\windows\system32\SFAPO64.dll
2012-09-19 13:11 . 2012-09-19 13:22 74064 ----a-w- c:\windows\SysWow64\SFCOM.dll
2012-09-19 13:11 . 2012-09-19 13:22 221024 ----a-w- c:\windows\system32\SFNHK64.dll
2012-09-19 13:11 . 2012-09-19 13:22 2674320 ----a-w- c:\windows\system32\RtPgEx64.dll
2012-09-19 13:11 . 2012-09-19 13:22 1560168 ----a-w- c:\windows\system32\RTSnMg64.cpl
2012-09-19 13:11 . 2012-09-19 13:22 4065296 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2012-09-19 13:11 . 2012-09-19 13:22 331880 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2012-09-19 13:11 . 2012-09-19 13:22 149608 ----a-w- c:\windows\system32\RtkCfg64.dll
2012-09-19 13:11 . 2012-09-19 13:22 14952 ----a-w- c:\windows\system32\RtkCoLDR64.dll
2012-09-19 13:11 . 2012-09-19 13:22 3615888 ----a-w- c:\windows\system32\RtkAPO64.dll
2012-09-19 13:11 . 2012-09-19 13:22 869520 ----a-w- c:\windows\system32\RtkApi64.dll
2012-09-19 13:11 . 2012-09-19 13:22 375128 ----a-w- c:\windows\system32\RTEEP64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 78680 ----a-w- c:\windows\system32\RTEEG64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 204120 ----a-w- c:\windows\system32\RTEED64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 101208 ----a-w- c:\windows\system32\RTEEL64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 5096448 ----a-w- c:\windows\system32\RCoRes64.dat
2012-09-19 13:11 . 2012-09-19 13:22 310104 ----a-w- c:\windows\system32\RP3DHT64.dll
2012-09-19 13:11 . 2012-09-19 13:22 310104 ----a-w- c:\windows\system32\RP3DAA64.dll
2012-09-19 13:11 . 2012-09-19 13:22 1262696 ----a-w- c:\windows\system32\RTCOM64.dll
2012-09-19 13:11 . 2012-09-19 13:22 105616 ----a-w- c:\windows\system32\RCoInstII64.dll
2012-09-19 13:11 . 2012-09-19 13:22 7163744 ----a-w- c:\windows\system32\R4EEP64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 74592 ----a-w- c:\windows\system32\R4EEG64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 433504 ----a-w- c:\windows\system32\R4EED64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 141152 ----a-w- c:\windows\system32\R4EEL64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 123744 ----a-w- c:\windows\system32\R4EEA64A.dll
2012-09-19 13:11 . 2012-09-19 13:22 396632 ----a-w- c:\windows\system32\MaxxVolumeSDAPO.dll
2012-09-19 13:11 . 2012-09-19 13:22 1345368 ----a-w- c:\windows\system32\MaxxAudioRealtek264.dll
2012-09-19 13:11 . 2012-09-19 13:22 8363864 ----a-w- c:\windows\system32\MaxxAudioRealtek.dll
2012-09-19 13:11 . 2012-09-19 13:22 2131288 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2012-09-19 13:11 . 2012-09-19 13:22 341336 ----a-w- c:\windows\system32\MaxxAudioAPO30.dll
2012-09-19 13:11 . 2012-09-19 13:22 318808 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2012-09-19 13:11 . 2012-09-19 13:22 1015640 ----a-w- c:\windows\system32\MaxxAudioAPOShell64.dll
2012-09-19 13:11 . 2012-09-19 13:22 603984 ----a-w- c:\windows\system32\KAAPORT64.dll
2012-09-19 13:11 . 2012-09-19 13:22 693352 ----a-w- c:\windows\system32\DTSVoiceClarityDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 2533952 ----a-w- c:\windows\system32\FMAPO64.dll
2012-09-19 13:11 . 2012-09-19 13:22 537456 ----a-w- c:\windows\system32\DTSU2PLFX64.dll
2012-09-19 13:11 . 2012-09-19 13:22 524656 ----a-w- c:\windows\system32\DTSU2PGFX64.dll
2012-09-19 13:11 . 2012-09-19 13:22 449392 ----a-w- c:\windows\system32\DTSU2PREC64.dll
2012-09-19 13:11 . 2012-09-19 13:22 712296 ----a-w- c:\windows\system32\DTSSymmetryDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 1756264 ----a-w- c:\windows\system32\DTSS2SpeakerDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 1568360 ----a-w- c:\windows\system32\DTSS2HeadphoneDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 491112 ----a-w- c:\windows\system32\DTSNeoPCDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 432744 ----a-w- c:\windows\system32\DTSLimiterDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 728680 ----a-w- c:\windows\system32\DTSBassEnhancementDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 428648 ----a-w- c:\windows\system32\DTSGainCompensatorDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 242792 ----a-w- c:\windows\system32\DTSLFXAPO64.dll
2012-09-19 13:11 . 2012-09-19 13:22 242792 ----a-w- c:\windows\system32\DTSGFXAPO64.dll
2012-09-19 13:11 . 2012-09-19 13:22 241768 ----a-w- c:\windows\system32\DTSGFXAPONS64.dll
2012-09-19 13:11 . 2012-09-19 13:22 1486952 ----a-w- c:\windows\system32\DTSBoostDLL64.dll
2012-09-19 13:11 . 2012-09-19 13:22 202336 ----a-w- c:\windows\system32\AERTAC64.dll
2012-09-19 13:11 . 2012-09-19 13:22 108640 ----a-w- c:\windows\system32\AERTAR64.dll
2012-09-19 13:10 . 2011-02-15 13:35 1706640 ----a-w- c:\windows\RtlExUpd.dll
2012-09-19 13:06 . 2012-03-29 20:59 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2012-09-14 19:19 . 2012-10-09 17:07 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-14 18:28 . 2012-10-09 17:07 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-07-27 380088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 281088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-06-10 15360]
R3 DisplayLinkUsbPort;DisplayLink USB Device; [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-12 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-04-25 93272]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 203776]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-03-30 151656]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-09-21 21992]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-11-09 189608]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-06-25 52320]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2007-05-11 70424]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-01-19 20:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:48]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 363544]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-27 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-27 2004584]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-09-19 12503184]
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: {{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - c:\program files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
DPF: {10000000-1000-1000-1000-100000000000} - hxxp://cdn.betteradvertising.com/ghostery/addons/ie/WebInstall/ghostery.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Wow6432Node-HKLM-Run-CitrixReceiver - c:\programdata\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk
SafeBoot-14263120.sys
Toolbar-10 - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"=hex:51,66,7a,6c,4c,1d,38,12,0b,7b,fa,
d3,bd,df,8a,04,e3,c6,66,eb,19,09,08,fc
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7}"=hex:51,66,7a,6c,4c,1d,38,12,b4,b5,6d,
27,d8,71,bc,08,f5,77,ea,41,b0,9a,cd,c3
"{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}"=hex:51,66,7a,6c,4c,1d,38,12,5a,50,79,
6b,db,36,f5,08,fe,94,c8,01,ef,d2,7d,fb
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
"{CCB69577-088B-4004-9ED8-FF5BCC83A039}"=hex:51,66,7a,6c,4c,1d,38,12,19,96,a5,
c8,b9,46,6a,05,e1,ce,bc,1b,c9,dd,e4,2d
"{D3D233D5-9F6D-436C-B6C7-E63F77503B30}"=hex:51,66,7a,6c,4c,1d,38,12,bb,30,c1,
d7,5f,d1,02,06,c9,d1,a5,7f,72,0e,7f,24
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d0,68,83,83,d1,56,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,6c,67,a3,4f,76,aa,4e,88,74,44,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,6c,67,a3,4f,76,aa,4e,88,74,44,\
.
[HKEY_USERS\S-1-5-21-934717694-3192348872-3920661462-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-934717694-3192348872-3920661462-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-934717694-3192348872-3920661462-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe ,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe ,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\0a\05\07\12\18\0e?"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-08 00:25:40
ComboFix-quarantined-files.txt 2012-12-08 05:25
.
Pre-Run: 1,141,041,008,640 bytes free
Post-Run: 1,142,415,417,344 bytes free
.
- - End Of File - - DC4E422AC4A648D39895D9785F52C960
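
Added example (not part of the thread and not ComboFix's own code): a small Python triage pass over the autostart sections of a ComboFix log laid out like the one posted above, pulling out Run values, `AppInit_DLLs` and service lines for review. The sample lines are constructed from that log's layout, `ExampleUpdater` is an invented entry, and the trusted-directory list is an assumed heuristic for ordering review, not a verdict on any file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the "Reg Loading Points" section above.
# "ExampleUpdater" is invented for illustration; the other lines follow the log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"ExampleUpdater"="c:\users\Example\AppData\Roaming\upd.exe" [2012-12-01 4096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 DisplayLinkUsbPort;DisplayLink USB Device; [x]
'''

# Assumption: directories a standard user normally cannot write to.
# progra~1 / progra~2 are the usual 8.3 short names for the Program Files folders.
TRUSTED_ROOTS = (
    'c:\\windows\\',
    'c:\\program files\\',
    'c:\\program files (x86)\\',
    'c:\\progra~1\\',
    'c:\\progra~2\\',
)

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$'
)
TRAILER_RE = re.compile(r'\s*\[[^\]]*\]\s*$')   # "[date size]" suffix on values
RUN_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce')


@dataclass
class Entry:
    kind: str            # 'run', 'appinit' or 'service'
    name: str
    path: str
    notes: list = field(default_factory=list)


def parse_autostarts(log_text):
    """Extract Run values, AppInit_DLLs and service lines from log text."""
    entries = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()      # remember which key the values belong to
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m.group('name')
            data = TRAILER_RE.sub('', m.group('data')).strip().strip('"')
            if key.endswith(RUN_SUFFIXES):
                entries.append(Entry('run', name, data))
            elif name.lower() == 'appinit_dlls' and data:
                entries.append(Entry('appinit', name, data))
            continue                      # other registry values are not autostarts
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry('service', m.group('name'), m.group('path').strip()))
    return entries


def triage(entries):
    """Annotate entries worth a manual look and return only those."""
    for e in entries:
        if not e.path:
            e.notes.append('no image path in log')
        elif not e.path.lower().startswith(TRUSTED_ROOTS):
            e.notes.append('path outside Windows/Program Files')
        if e.kind == 'appinit':
            e.notes.append('AppInit DLL: loaded into every process that loads user32.dll')
    return [e for e in entries if e.notes]


if __name__ == '__main__':
    for entry in triage(parse_autostarts(SAMPLE_LOG)):
        print(f'{entry.kind:8} {entry.name:20} {entry.path or "-"}')
        for note in entry.notes:
            print(f'         - {note}')
```
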
09 Dec 2012   #5
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Please download TFC by Old Timer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next, download AdWareCleaner (AdwCleaner Download) to your desktop.
1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
2. Click on Delete button.
3. Confirm each time with OK.
4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


More instructions to follow after you've done the above.
09 Dec 2012   #6

Vista Ultimate 64 and Windows-7 both are 64 Bit
 
 
AdwCleaner

# AdwCleaner v2.011 - Logfile created 12/09/2012 at 14:08:11
# Updated 02/12/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Mike - SEVENPRO64
# Boot Mode : Normal
# Running from : C:\Users\Mike\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\Mike\AppData\Local\Conduit
Folder Deleted : C:\Users\Mike\AppData\LocalLow\Conduit
***** [Registry] *****
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC99A798-FD3D-4AB4-969E-6071612524F9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16455
[OK] Registry is clean.
*************************
AdwCleaner[S1].txt - [3120 octets] - [09/12/2012 14:08:11]
########## EOF - C:\AdwCleaner[S1].txt - [3180 octets] ##########
10 Dec 2012   #7
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

How is your computer running now?
11 Dec 2012   #8

Vista Ultimate 64 and Windows-7 both are 64 Bit
 
 

It appears to be running normally, as it did before the infection.

I would like to rerun the Windows Defender Offline once more.

Can I rerun it again at this time, without disturbing what you have been able to correct?

Best regards,

Mike Lynch
11 Dec 2012   #9
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Sure!
12 Dec 2012   #10

Vista Ultimate 64 and Windows-7 both are 64 Bit
 
 

It ran to completion without any errors / trojans!

Thank you so much for your help.

Best regards,

Mike Lynch