Avast 7 logs show first found on Jul 19 on desktop. Did not realize issue until yesterday when researched name after it reappeared several times. I ran the three programs in the log listing. Malwarebytes did not find anything on the quick run, reran in full mode and it found a file that has been around a long time before the infection that may have had some adware in it. Removed it as requested by Malwarebytes. Recently bought a Dell laptop and am using an older Dell desktop. Added a wireless router to my system for the laptop and a visit from relatives using Apple products for a week. I had put the same file removed on the laptop earlier. Only the desktop has shown the infection data files. Avast has found nothing on the laptop. Malwarebytes has found the same file there and I removed it yesterday. The OTL file was run on the laptop before the desktop but without the script, just in fast scan for both computers. I noticed my error just now. I also ran the aswMBR program last night on the desktop. Because the laptop had been first used on an open hotspot in the condo I was visiting when bought, I was concerned it was the source of the infection. I ran ComboFix on it yesterday, which did not find any trojans, but did remove parts of DAP software and fixed a problem preventing Spybot from fully immunizing the 32-bit Internet Explorer due to Kaspersky Anti-Virus being installed and removed from it. The program stopped internet connection due to incomplete installation which did not work with Windows firewall. I did not find the way to fix the firewall due to menu options open at the time. Found right menu options now, but have not reinstalled since only one year use anyway. I plan to attach the first OTL results and then run second time with script and post to this thread. The laptop is in a Win7 home network and shared files and folders with the desktop. Do you want an OTL of the laptop as well? Both have Avast 7 installed.
Hi, what is the file that Avast is reporting?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = https://search.blekko.com/ws/?source=5a76da41&tbp=rbox&toolbarid=searchcom_001&u=20120406ADE54559BC269A237CAC1C2D&q={searchTerms}
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
File name: c:\Users\White\AppData\Local\searchcom_001\data\120719034059-f.list, repeats with new date code when found again. Last clean full scan was Jul 5. Boot time scans do not find it. Your script will be done as third time listed OTL txt.
OK, that is part of the Blekko toolbar/search engine, I removed what I could find of it … So let's take this last bit out
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Files
ipconfig /flushdns /c
c:\Users\White\AppData\Local\searchcom_001
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
I just deleted the searchcom_001 path and contents. Hopefully that will not be a problem with the new script. Did that after running OTL. Scanned the folders first with Avast and it did not find any problems, although there were over 200 files in folder. None however with the f-list extension, but other list extensions. I did not remember installing searchcom intentionally. A lot of the host lists had sites I have not tried to visit either from the early OTL scans.
Another maybe unrelated issue. A few months back my keyboard and mouse (USB) stopped working about 3 to 5 seconds into boot and start again about 10 seconds later. The system frequently beeps with a message about them being gone during boot.
Here are the results after the second fix run.
Is this a laptop or desktop?
All this has been on the older desktop. Do you want to see the laptop data?
Not unless the laptop has problems
"A few months back my keyboard and mouse (USB) stopped working about 3 to 5 seconds into boot and start again about 10 seconds later. The system frequently beeps with a message about them being gone during boot."
Change USB ports and see if that cures it
Have 6 USB ports on desktop. Two are expanded with powered USB port expanders with 4 ports on each. I have tried moving keyboard and mouse to front USB ports which are normally not used, and both rear ports that have expanders on them. None seem to make a difference. One of the expanders has LEDs for active connections, and all lights on connections on it go off with this problem. Power light is not changing.
I believe this is a software problem.
I have not yet found the problem on the laptop, but will be checking for related search items soon.
I only see the same hosts issue on the laptop. I did not find an installed searchcom_001 location. I have attached the OTL files.
On the USB issue, I have tried checking that the USB devices are checked for boot operations on device manager. They were.
"One of the expanders has leds for active connections, and all lights on connections on it go off with this problem. Power light is not changing."
Based upon this I would lean to a hardware problem, the power fluctuations on the extender may be affecting your motherboard
The laptop looks OK
Thanks for the check on the laptop and USB suggestions.
However, my last Avast scan came up with two locations for the infected data file for the virus. One was the remade searchcom_001 location, and another was in c:\Users\White\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FWQFBOHR\120729160120-f[1].zip|>120729160120-f.list . So far nothing has found the real virus location. Will ComboFix do anything for this?
Thanks,
John
It is a sledgehammer to crack a nut, but…
The temp IE files should be emptied when you close down the browser; do you know how to set that up?
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
I ran a new copy of ComboFix as directed. I have attached the log file. After restarting all virus protection programs have come here. I found virus file on searchcom_001 location after running fix. Deleted file and it was replaced within a minute, although the file shows 0 size. Deleted a second time. Will check it again later.
All I need to do now is try and determine where it is being created from
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
Folder::
c:\users\White\AppData\Local\searchcom_001
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
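One way to look for what keeps recreating the folder, as an added example that is not part of the original thread or any of the tools used in it: the PowerShell function below lists autostart entries (Run keys, Browser Helper Objects, services, startup commands, scheduled tasks) whose command line mentions a marker string. The marker `searchcom` comes from the folder name above; the function names `New-Hit` and `Find-AutostartReference` are hypothetical, and the scheduled-task column names assume an English-language Windows.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# 'searchcom' is the folder-name marker from this thread; everything else is generic.
function New-Hit($Source, $Name, $Command) {
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Command = $Command }
}

function Find-AutostartReference {
    param([string]$Marker = 'searchcom')
    $pattern = [regex]::Escape($Marker)

    # 1. Run / RunOnce values: machine (64- and 32-bit views) and current user.
    foreach ($hive in 'HKLM:\Software', 'HKLM:\Software\Wow6432Node', 'HKCU:\Software') {
        foreach ($leaf in 'Run', 'RunOnce') {
            $key = "$hive\Microsoft\Windows\CurrentVersion\$leaf"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($valueName in $item.GetValueNames()) {
                $data = [string]$item.GetValue($valueName)
                if ("$valueName $data" -match $pattern) { New-Hit $key $valueName $data }
            }
        }
    }

    # 2. Browser Helper Objects: resolve each CLSID to the DLL it loads. An entry
    #    with no registered DLL is what OTL prints as "No CLSID value found".
    foreach ($view in 'Software', 'Software\Wow6432Node') {
        $bhoRoot = "HKLM:\$view\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (-not (Test-Path -LiteralPath $bhoRoot)) { continue }
        foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
            $server = "HKLM:\$view\Classes\CLSID\$($bho.PSChildName)\InprocServer32"
            $dll = '(no DLL registered)'
            if (Test-Path -LiteralPath $server) { $dll = [string](Get-Item -LiteralPath $server).GetValue('') }
            if ($dll -match $pattern -or $dll -eq '(no DLL registered)') { New-Hit 'BHO' ($bho.PSChildName) $dll }
        }
    }

    # 3. Services and startup commands as WMI reports them.
    Get-WmiObject Win32_Service | Where-Object { $_.PathName -match $pattern } |
        ForEach-Object { New-Hit 'Service' ($_.Name) ($_.PathName) }
    Get-WmiObject Win32_StartupCommand | Where-Object { $_.Command -match $pattern } |
        ForEach-Object { New-Hit "Startup ($($_.Location))" ($_.Name) ($_.Command) }

    # 4. Scheduled tasks. Column names are those of an English-language Windows (assumption).
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match $pattern } |
        ForEach-Object { New-Hit 'Scheduled task' ($_.TaskName) ($_.'Task To Run') }
}

Find-AutostartReference -Marker 'searchcom' | Format-Table Source, Name, Command -AutoSize -Wrap
```

An empty result only rules out these launch points; a component loaded inside the browser or another running program can still recreate the folder without any autostart entry that names it.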
I did some roaming with regedit last night. Found left over references to Enigma Software Group SpyHunter, which I had run and uninstalled. Files were left on the computer for that program, but none looked like active programs. However, ComboFix log noted a running process from SpyHunter. There is also an anti-phishing program installed that I forgot about. I assume the list of bad web sites under P3P ZoneMap Domains are from Spybot immunization. I noticed several file extensions that bothered me, called: .zfsendtotarget, .z96, and .lst. Is it ok to run updated Spybot immunizations? I will hope to hear from you soon.
I bought a new USB powered expander to try switching for each of the old ones to see if it changes the boot problem. However, it seems that problem would stop access to safe boot options, so might be virus created.
thanks
.zfsendtotarget, .z96, and .lst are all related to the Windows zip function
As you are using USB keyboard and mouse, are they set to active in the BIOS?
Searchcom_001 path recreated since run. File there but zero bits long. Here is the run log.
Thanks,