Hello,
I have this malware hxxp://fla15.maxexp.com/tag1.html that keeps popping up. It started a few days ago. Until yesterday, it only happened once or twice a day. Now it literally happens every two clicks. I think it showed up at least a hundred times today. >:(
I did the following, as suggested in another topic:
Here are the results:
17:42:30.0407 1940 ============================================================
17:42:30.0407 1940 Scan finished
17:42:30.0407 1940 ============================================================
17:42:30.0438 3412 Detected object count: 4
17:42:30.0438 3412 Actual detected object count: 4
17:43:21.0965 3412 ANIWConnService ( UnsignedFile.Multi.Generic ) - skipped by user
17:43:21.0965 3412 ANIWConnService ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:43:21.0965 3412 Hotkey ( UnsignedFile.Multi.Generic ) - skipped by user
17:43:21.0965 3412 Hotkey ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:43:21.0981 3412 TestHandler ( UnsignedFile.Multi.Generic ) - skipped by user
17:43:21.0981 3412 TestHandler ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:43:21.0981 3412 WisLMSvc ( UnsignedFile.Multi.Generic ) - skipped by user
17:43:21.0981 3412 WisLMSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:43:31.0559 1540 Deinitialize success
Can someone help me, please?
EDIT: I forgot I was supposed to attach the log, here it is.
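An added example, not part of either post in this thread: a PowerShell script that reproduces the kind of check behind the UnsignedFile.Multi.Generic verdicts in the log above, by reading each service's ImagePath from the registry, normalising it and testing the file's Authenticode signature. The function names and the handling of the quoted, \??\-prefixed and relative ImagePath forms are my own assumptions; it assumes an elevated PowerShell 3.0 or later session on the machine being examined.

```powershell
# Added example, not code from the thread: list services whose binary is missing or
# carries no valid Authenticode signature, the heuristic behind "UnsignedFile" verdicts.
# Assumptions: elevated PowerShell 3.0+ on the machine being examined; function names are mine.

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # ImagePath comes in several shapes: "C:\x\y.exe" -arg, \??\C:\x\y.sys,
    # \SystemRoot\system32\drivers\y.sys, system32\drivers\y.sys, %SystemRoot%\...
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^"([^"]+)"') { return $Matches[1] }                    # quoted path, arguments follow
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }  # unquoted, stop at the extension
    return ($p -split ' ')[0]
}

function Get-UnsignedServiceBinary {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }   # service groups/filters without a binary
        $bin = Get-ServiceBinaryPath $props.ImagePath
        # relative forms such as system32\drivers\foo.sys are relative to the Windows directory
        if (-not [IO.Path]::IsPathRooted($bin)) { $bin = Join-Path $env:SystemRoot $bin }
        if (-not (Test-Path -LiteralPath $bin)) {
            [PSCustomObject]@{ Service = $svc.PSChildName; Path = $bin; Status = 'FileMissing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $bin
        if ($sig.Status -ne 'Valid') {
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            # Status is NotSigned, HashMismatch, UnknownError, ... anything but Valid
            [PSCustomObject]@{ Service = $svc.PSChildName; Path = $bin; Status = $sig.Status; Signer = $signer }
        }
    }
}

Get-UnsignedServiceBinary | Sort-Object Service | Format-Table -AutoSize
```

On Vista and 7 many Microsoft binaries are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports them as NotSigned; the rows worth a second look are third-party paths outside the Windows directory, such as the four services TDSSKiller listed. The script only reports. Deciding whether an unsigned service is benign still means looking at the file itself (publisher, install date, file hash) before removing anything.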
Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and, since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
Run OTL.exe
- Copy/paste the following text, written inside the code box, into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE - HKLM\..\URLSearchHook: {08d495ab-a86c-47b0-82ef-da87bf92f730} - SOFTWARE\Classes\CLSID\{08d495ab-a86c-47b0-82ef-da87bf92f730}\InprocServer32 File not found
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-637377415-51184105-838349931-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?FORM=IEFM1&q={searchTerms}
FF - prefs.js..extensions.enabledItems: {08d495ab-a86c-47b0-82ef-da87bf92f730}:3.3.3.2
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: ClickPotatoLite@ClickPotatoLite.com:10.0.668.0
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
[2011/08/07 13.58.34 | 000,000,000 | ---D | M] (Messenger Plus Live Italy Community Toolbar) -- C:\Users\Federico\AppData\Roaming\mozilla\Firefox\Profiles\skkjpaj2.default\extensions\{08d495ab-a86c-47b0-82ef-da87bf92f730}(90)
[2011/03/22 20.49.16 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Federico\AppData\Roaming\mozilla\Firefox\Profiles\skkjpaj2.default\extensions\engine@conduit.com
O2 - BHO: (Messenger Plus Live Italy Toolbar) - {08d495ab-a86c-47b0-82ef-da87bf92f730} - C:\Program Files\Messenger_Plus_Live_Italy\tbMess.dll File not found
O3 - HKLM\..\Toolbar: (Messenger Plus Live Italy Toolbar) - {08d495ab-a86c-47b0-82ef-da87bf92f730} - C:\Program Files\Messenger_Plus_Live_Italy\tbMess.dll File not found
O3 - HKU\S-1-5-21-637377415-51184105-838349931-1000\..\Toolbar\WebBrowser: (Messenger Plus Live Italy Toolbar) - {08D495AB-A86C-47B0-82EF-DA87BF92F730} - C:\Program Files\Messenger_Plus_Live_Italy\tbMess.dll File not found
O15 - HKU\S-1-5-21-637377415-51184105-838349931-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-637377415-51184105-838349931-1000\..Trusted Ranges: GD ([http] in Local intranet)
O33 - MountPoints2\{c3e5889d-aad1-11de-a87c-000ae4cdbc4d}\Shell\AutoRun\command - "" = F:\StartPortableApps.exe
[2012/04/11 01.01.08 | 000,131,072 | ---- | M] () -- C:\Users\Federico\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/14 23.25.05 | 000,000,000 | ---D | M] -- C:\Users\Federico\AppData\Roaming\GetRightToGo
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered and reboot when it is done
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
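An added example, not part of the reply above and not OTL's own code: a PowerShell script that walks the same persistence points the fix script targets (O2 BHOs, O3 toolbars and URLSearchHooks, SearchScopes, O33 MountPoints2 AutoRun commands and Firefox profile extensions), resolves each CLSID to its InprocServer32 DLL and reports whether that file still exists, which is what OTL's "File not found" means. The key lists and function names are my own; it assumes PowerShell 3.0 or later run as the affected user, and it also checks Wow6432Node keys, which a 32-bit install does not have.

```powershell
# Added example, not from the reply and not OTL's code: enumerate the IE/Explorer/Firefox
# persistence points the fix script above edits and show whether each backing file still exists.
# Assumptions: PowerShell 3.0+, run as the affected user; key lists and function names are mine.

function Resolve-ClsidServer {
    param([string]$Clsid)
    # A BHO, toolbar or search hook is registered only by CLSID; the DLL lives under
    # Classes\CLSID\{..}\InprocServer32. Per-user registrations shadow machine-wide ones.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($base in 'Software\Classes\CLSID', 'Software\Classes\Wow6432Node\CLSID') {
            $key = "$hive\$base\$Clsid\InprocServer32"
            if (Test-Path -LiteralPath $key) {
                $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
                if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            }
        }
    }
    return $null
}

function Get-FileStatus {
    param([string]$Path)
    if (-not $Path) { return 'NoServerRegistered' }   # CLSID referenced but never registered
    if (Test-Path -LiteralPath $Path) { return 'Present' }
    return 'FileNotFound'                             # what OTL prints as "File not found"
}

function New-Entry($Type, $Id, $Target, $Status) {
    [PSCustomObject]@{ Type = $Type; Id = $Id; Target = $Target; Status = $Status }
}

function Get-BrowserPersistence {
    $guid = '^\{[0-9A-Fa-f-]{36}\}$'
    # O2: Browser Helper Objects, one subkey per CLSID
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                   'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        foreach ($bho in Get-ChildItem -LiteralPath $k) {
            $dll = Resolve-ClsidServer $bho.PSChildName
            New-Entry 'O2 BHO' $bho.PSChildName $dll (Get-FileStatus $dll)
        }
    }
    foreach ($hive in 'HKLM:', 'HKCU:') {
        # O3 toolbars and URLSearchHooks: the CLSIDs are value names, not subkeys
        foreach ($sub in 'Toolbar', 'URLSearchHooks') {
            $k = "$hive\Software\Microsoft\Internet Explorer\$sub"
            if (-not (Test-Path -LiteralPath $k)) { continue }
            foreach ($name in (Get-Item -LiteralPath $k).GetValueNames()) {
                if ($name -notmatch $guid) { continue }
                $dll = Resolve-ClsidServer $name
                New-Entry "O3 $sub ($hive)" $name $dll (Get-FileStatus $dll)
            }
        }
        # SearchScopes: the URL is what a hijacker swaps, so report it for review
        $k = "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
        if (Test-Path -LiteralPath $k) {
            foreach ($scope in Get-ChildItem -LiteralPath $k) {
                $url = (Get-ItemProperty -LiteralPath $scope.PSPath).URL
                New-Entry "SearchScope ($hive)" $scope.PSChildName $url 'Review'
            }
        }
    }
    # O33: MountPoints2 AutoRun commands, what Explorer runs when the volume is opened
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path -LiteralPath $mp) {
        foreach ($vol in Get-ChildItem -LiteralPath $mp) {
            $cmdKey = Join-Path $vol.PSPath 'Shell\AutoRun\command'
            if (Test-Path -LiteralPath $cmdKey) {
                $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
                New-Entry 'O33 AutoRun' $vol.PSChildName $cmd 'Review'
            }
        }
    }
    # FF: extensions installed in each Firefox profile (the prefs.js enabledItems lines)
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profiles) {
        foreach ($prof in Get-ChildItem -LiteralPath $profiles -Directory) {
            $ext = Join-Path $prof.FullName 'extensions'
            if (-not (Test-Path -LiteralPath $ext)) { continue }
            foreach ($e in Get-ChildItem -LiteralPath $ext) {
                New-Entry 'FF extension' $e.Name $e.FullName 'Review'
            }
        }
    }
}

Get-BrowserPersistence | Format-Table -AutoSize -Wrap
```

Rows with Status FileNotFound are dangling COM registrations: the DLL is gone but IE still tries to load it on every start, which is the state of the tbMess.dll entries in the fix script. Rows marked Review need a human decision: a SearchScope URL pointing somewhere other than the engine the user chose, or an AutoRun command on a removable drive, is a hijack indicator rather than an error. Take the ERUNT backup described above before deleting anything.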