MSConfigStartUp-XSECVA - c:\users\gothalls\AppData\Roaming\xsecva\xsecva.exe

[HellHoundian]

TY i realized i had a virus for a few weeks started working on it today to save my 500 movies on my pc hehe. my wife downloaded the wrong file it was that nasty root kit virus changes ip redirects your browser.


Well what i posted in the title i found it before my antivirus did so TY for the tools to remove i posted the logs in case i missed something.

I tend to fix computers and build them so it was fun i try never to use system restore

[Kestrel13!]

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

Now do not stop, please continue on with the below instructions too!
v
V
V
V
READ & RUN ME FIRST. Malware Removal Guide

[HellHoundian]

OK the next 2 sets scans are now uploaded.

1) ! thing i have not solved yet if a random sound my pc makes for no reason like a usb being unpluged and pluged back in .

After all this is done i think i will upgrade to windows 7 i here it is faster ?

[Kestrel13!]

Continue on with the other instructions! (Look where I typed, "do not stop! continue on with the other instructions") I still need more logs from you.

Hmm, yes the usb sound happens for me too with my laptop, it's whenever I move the lid. Don't know what it is in your case however it probably aint malware. Attach the rest of the logs and what malware does exist we'll sort out.

[HellHoundian]

OK fixTDSS say's no back door sevc found. could not find logs for that scan just that 1 pop up.

more logs to come yet

[HellHoundian]

Well i posted logs i could find the last few scans removed more stuff.

My web browser no longer gets redirected since i started on day 1

is windows 7 less of a resorce hog than vista ?

I was considering upgrading depending if it's better resorce wise.

I know i had to go into SCVHOST shut down some widows programs cause used to much cpu on me.

i have a compacted form pc cooling not that good thinking i should buy an ATX cause put it in there and increase power supply get a good graphics card for gamming.maybe cpu and heat sink need new paste as well from all times i cleaned the system

[Kestrel13!]

You have not attached the correct logs. Check the instructions! It tells you what I need.

[HellHoundian]

just let me know what logs you need i'll do a new scan i'm not sure what logs you need atm

[Kestrel13!]

Logs from running:

• HitmanPro
• MGTools

[HellHoundian]

the other logs in a .XML format i had change it to a .txt format to upload it.

[Kestrel13!]

Quote:

the other logs in a .XML format i had change it to a .txt format to upload it.

It should have been zipped/compressed as the instructions say. Nevermind. I have seen it now.


STOPzilla! <--- Uninstall this

Now we need to use ComboFix by sUBs

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DirLook::
c:\windows\scoped_dir_25712_13704
File::
c:\windows\Tasks\ParetoLogic Registration3.job
c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe
Folder::
c:\program files\Common Files\ParetoLogic
Firefox::
FF - ProfilePath - c:\users\gothalls\AppData\Roaming\Mozilla\Firefox\Profiles\qtfwvxyu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3131886&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Vgrabber1 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?babsrc=HP_Prot
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3131886&SearchSource=2&q=
FF - user.js: extensions.searchya_i.hmpg - true
FF - user.js: extensions.searchya_i.hmpgUrl - hxxp://searchya.com/?chnl=ft-100&s=0&cr=1429807498&cd=2XzutAtN2Y1L1QzutDtDtC0DyBtB0AyB0BzztCtDzytAzzyByDtN0D0TzutBtDtCtBtDtBtCyB
FF - user.js: extensions.searchya_i.dfltSrch - true
FF - user.js: extensions.searchya_i.srchPrvdr - SearchYa!
FF - user.js: extensions.searchya_i.dnsErr - true
FF - user.js: extensions.searchya_i.newTab - true
FF - user.js: extensions.searchya_i.newTabUrl - hxxp://searchya.com/?chnl=ft-100&s=2&cr=1429807498&cd=2XzutAtN2Y1L1QzutDtDtC0DyBtB0AyB0BzztCtDzytAzzyByDtN0D0TzutBtDtCtBtDtBtCyB
FF - user.js: extensions.searchya_i.tlbrSrchUrl - hxxp://searchya.com/?chnl=ft-100&s=3&cr=1429807498&cd=2XzutAtN2Y1L1QzutDtDtC0DyBtB0AyB0BzztCtDzytAzzyByDtN0D0TzutBtDtCtBtDtBtCyB&q=
FF - user.js: extensions.searchya_i.id - 24a93875000000000000001644f3b1b5
FF - user.js: extensions.searchya_i.instlDay - 15387
FF - user.js: extensions.searchya_i.vrsn - 1.5.13.0
FF - user.js: extensions.searchya_i.vrsni - 1.5.13.0
FF - user.js: extensions.searchya_i.vrsnTs - 1.5.13.09:50
FF - user.js: extensions.searchya_i.prtnrId - ironsrc
FF - user.js: extensions.searchya_i.prdct - searchya
FF - user.js: extensions.searchya_i.aflt - foxtab
FF - user.js: extensions.searchya_i.smplGrp - none
FF - user.js: extensions.searchya_i.tlbrId - base
FF - user.js: extensions.searchya_i.instlRef - ft-100
FF - user.js: extensions.searchya_i.dfltLng - 
FF - user.js: extensions.searchya_i.excTlbr - false
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6PQsyzPQtt&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 24a93875000000000000001644f3b1b5
FF - user.js: extensions.incredibar_i.instlDay - 15426
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.144:39
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef - 
FF - user.js: extensions.incredibar_i.dfltLng - 
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id - 
FF - user.js: extensions.incredibar_i.upn2 - 6PQsyzPQtt
FF - user.js: extensions.incredibar_i.upn2n - 92542610706574667
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10606
FF - user.js: extensions.incredibar_i.ppd - 68%5F5
FF - user.js: extensions.BabylonToolbar_i.id - 24a93875000000000000001644f3b1b5
FF - user.js: extensions.BabylonToolbar_i.hardId - 24a93875000000000000001644f3b1b5
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15438
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1721:08
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110001
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!