 edale join:2012-01-21 Seattle, WA | reply to edale
Re: [Adware] Win 7 laptop infected w/ backup ads, browser redire It almost seems like the bing search tool (in the box to the right of the url box) is corrupt. I was using that to bring me results for pdf exchange free download. |
|
 lilhurricaneCrunchin' For CuresPremium,Mod join:2003-01-11 Purple Zone kudos:56 Reviews:
·Comcast
| reply to edale
edale.. I'm going to ask you to please not post live links of a questionable nature, as they will be removed like the ones above.
We don't want any viewers clicking on them inadvertently.
Thanks for understanding. |
|
 edale join:2012-01-21 Seattle, WA | Sorry, inadvertent (ignorant actually) error on my part-- I did not realize it was a verified baddie. Now I know what not to do in the future, thanks!
Would it be better to list it as "b-a-d.u-r-l.c-o-m" (for example) or not at all? |
|
 lilhurricaneCrunchin' For CuresPremium,Mod join:2003-01-11 Purple Zone kudos:56 | ..any way you like - as long as it's not "clickable"  |
|
 edale join:2012-01-21 Seattle, WA | reply to edale
Refreshing this page (by clicking on the 2 of the [page : 1 2] at the right margin displayed a blank page-- url was www.google.(insert alphabet soup here). Deleted the tab and was able to refresh this page correctly, 2nd try. |
|
 edale join:2012-01-21 Seattle, WA
1 recommendation | reply to lilhurricane
Understood. |
|
 edale join:2012-01-21 Seattle, WA 1 edit | reply to TheJoker
Duplicate posting, removed. |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
said by TheJoker: You can delete the following file as it's corrupt: C:\Users\ROLLIEA\Downloads\DigitalEditing.pps
Deleted.
said by TheJoker: How is the system running now?
I attempted some more cleanup of unwanted programs via control panel/programs (uninstall). Some uninstalled correctly, others stubbornly did not. I went and deleted some of the unwanted folders from the Program files folder. Downloaded/installed PDF-XChange.
Also added AdBlock extension to FF.
Have not seen any of the numerous popups that were proliferating before.
System seems OK except for:
1. Oddball FF browser redirects
2. Prolonged windows shutdown screen. |
|
 TheJokerPremium,VIP,MVM join:2001-04-26 Charlottesville, VA kudos:5
1 recommendation | For uninstalling programs, you might want to try Revo Uninstaller at »www.revouninstaller.com/revo_uni···oad.html
Please run AdwCleaner again and post a new log.
Please also run MBAR, update it, and run a new scan and post both the logs. -- Proud ASAP member since 2005 Microsoft MVP/Consumer Security 2009-2010 |
|
 edale join:2012-01-21 Seattle, WA |
# AdwCleaner v2.300 - Logfile created 05/02/2013 at 08:20:58
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : ROLLIEA - ROLLIEA-PC
# Boot Mode : Normal
# Running from : C:\Users\ROLLIEA\Desktop\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKCU\Software\Softonic
***** [Internet Browsers] *****
-\\ Internet Explorer v10.0.9200.16537
[OK] Registry is clean.
-\\ Mozilla Firefox v20.0.1 (en-US)
File : C:\Users\ROLLIEA\AppData\Roaming\Mozilla\Firefox\Profiles\s2m5tjo3.default\prefs.js
[OK] File is clean.
-\\ Google Chrome v26.0.1410.64
File : C:\Users\ROLLIEA\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [1232 octets] - [30/04/2013 19:28:11]
AdwCleaner[R2].txt - [1292 octets] - [30/04/2013 20:13:39]
AdwCleaner[R3].txt - [977 octets] - [02/05/2013 08:20:58]
AdwCleaner[S1].txt - [33562 octets] - [29/04/2013 22:47:54]
AdwCleaner[S2].txt - [1358 octets] - [30/04/2013 20:16:32]
########## EOF - C:\AdwCleaner[R3].txt - [1157 octets] ########## |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
After Delete:
# AdwCleaner v2.300 - Logfile created 05/02/2013 at 08:22:48
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : ROLLIEA - ROLLIEA-PC
# Boot Mode : Normal
# Running from : C:\Users\ROLLIEA\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Deleted : HKCU\Software\Softonic
***** [Internet Browsers] *****
-\\ Internet Explorer v10.0.9200.16537
[OK] Registry is clean.
-\\ Mozilla Firefox v20.0.1 (en-US)
File : C:\Users\ROLLIEA\AppData\Roaming\Mozilla\Firefox\Profiles\s2m5tjo3.default\prefs.js
[OK] File is clean.
-\\ Google Chrome v26.0.1410.64
File : C:\Users\ROLLIEA\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [1232 octets] - [30/04/2013 19:28:11]
AdwCleaner[R2].txt - [1292 octets] - [30/04/2013 20:13:39]
AdwCleaner[R3].txt - [1226 octets] - [02/05/2013 08:20:58]
AdwCleaner[S1].txt - [33562 octets] - [29/04/2013 22:47:54]
AdwCleaner[S2].txt - [1358 octets] - [30/04/2013 20:16:32]
AdwCleaner[S3].txt - [1160 octets] - [02/05/2013 08:22:48]
########## EOF - C:\AdwCleaner[S3].txt - [1220 octets] ########## |
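The two AdwCleaner logs above differ only in the Option line (Search vs. Delete) and in whether the Softonic key reads Found or Deleted. The parser below, added here as an example and not something from the thread or from AdwCleaner, pulls that structure out of the v2.x log layout: the mode, each Found/Deleted item by section, and a per-browser verdict. The sample log is constructed; the EXAMPLE user path, the ExampleToolbar key and the Firefox pref line are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the AdwCleaner v2.x layout shown in this thread.  The
# EXAMPLE user path, the ExampleToolbar key and the Firefox pref line are made up.
SAMPLE_ADW_LOG = r"""
# AdwCleaner v2.300 - Logfile created 05/02/2013 at 08:20:58
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\EXAMPLE\AppData\Local\DownloadTerms

***** [Registry] *****

Key Found : HKCU\Software\Softonic
Key Deleted : HKCU\Software\ExampleToolbar

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\EXAMPLE\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "ExampleSearch");

*************************
"""

OPTION_RE = re.compile(r"^# Option \[(Search|Delete)\]")
SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
FINDING_RE = re.compile(r"^(Key|Value|File|Folder|Service) (Found|Deleted) : (.+)$")
BROWSER_RE = re.compile(r"^-\\\\ (.+?) v(\S+)")          # matches the literal "-\\ Name vX.Y" header
PREF_RE = re.compile(r"^(Found|Replaced|Deleted) : (.+)$")


@dataclass
class Finding:
    section: str
    kind: str      # Key, Value, File, Folder, Service
    status: str    # Found (search mode) or Deleted (delete mode)
    target: str


@dataclass
class AdwReport:
    mode: str = ""
    findings: list = field(default_factory=list)
    browsers: dict = field(default_factory=dict)   # "Mozilla Firefox 20.0.1" -> status lines


def parse_adwcleaner(text: str) -> AdwReport:
    report = AdwReport()
    section = browser = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := OPTION_RE.match(line):
            report.mode = m.group(1)
        elif m := SECTION_RE.match(line):
            section, browser = m.group(1), None
        elif section == "Internet Browsers":
            if m := BROWSER_RE.match(line):
                browser = f"{m.group(1)} {m.group(2)}"
                report.browsers[browser] = []
            elif browser and (line.startswith("[OK]") or PREF_RE.match(line)):
                report.browsers[browser].append(line)
        elif section and (m := FINDING_RE.match(line)):
            report.findings.append(Finding(section, *m.groups()))
    return report


def pending_cleanup(report: AdwReport) -> list:
    """Items only reported, not removed: a Search-mode log still needs a Delete run."""
    return [f for f in report.findings if f.status == "Found"]


def browsers_needing_attention(report: AdwReport) -> list:
    """Browsers whose block carries a Found/Replaced line and no '[OK] ... clean' verdict."""
    return sorted(name for name, lines in report.browsers.items()
                  if not any(l.startswith("[OK]") for l in lines))
```

Running `parse_adwcleaner` over an [R] (search) log and then over the matching [S] (delete) log and diffing `pending_cleanup` on each is a quick way to confirm that everything reported was actually removed, which is what the two logs in this thread show for the Softonic key.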
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Malwarebytes Anti-Rootkit BETA 1.05.0.1001 www.malwarebytes.org
Database version: v2013.05.02.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
ROLLIEA :: ROLLIEA-PC [administrator]
5/2/2013 8:39:10 AM
mbar-log-2013-05-02 (08-39-10).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28172
Time elapsed: 6 minute(s), 43 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 0 (No malicious items detected)
(end) |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Nothing found w/ updated MBAR scan.
BUT:
During posting the AdwCleaner log (after delete/reboot) FF took me to another google.com.(insert alphabet soup) page. Page was blank again. I clicked to update the current page, not open in a new tab, but the google.com.(insert alphabet soup) page displayed in a new tab, similar to the previous occurrences. |
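The redirect pages in this thread all have hosts that begin with google.com but continue with further labels, which is exactly the case a substring check on the URL gets wrong. The snippet below is an added example, not code from the thread; it contrasts that naive test with a host check that anchors on the registrable domain and a dot boundary. The sample URLs are constructed lookalikes, not real sites.

```python
from urllib.parse import urlsplit

# Constructed sample URLs in the shape the thread describes; the lookalike hosts are made up.
SAMPLES = {
    "https://www.google.com/search?q=pdf+exchange": "google.com",   # genuine
    "https://www.google.com.xyzq.example/": "google.com",           # lookalike: google.com is a prefix
    "https://google.com.abcd.example/?x=1": "google.com",           # lookalike without www
    "https://evilgoogle.com/": "google.com",                        # no dot boundary before google.com
    "https://www.bing.com/search?q=x": "bing.com",                  # genuine
}


def naive_check(url: str, domain: str) -> bool:
    """The intuitive but wrong test: the domain appears somewhere in the URL string."""
    return domain in url


def host_belongs_to(url: str, domain: str) -> bool:
    """Correct test: the parsed host is the domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def classify(url: str, domain: str) -> str:
    return "genuine" if host_belongs_to(url, domain) else "lookalike"


def audit(samples: dict = SAMPLES) -> dict:
    """Map each URL to (naive_result, correct_result) so the two checks can be compared."""
    return {u: (naive_check(u, d), host_belongs_to(u, d)) for u, d in samples.items()}
```

`urlsplit(...).hostname` also strips any userinfo and port, so `https://google.com@lookalike.example/` is classified by its real host rather than by the text before the `@`.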
|
 edale join:2012-01-21 Seattle, WA | Ctrl+clicking on another listing from a bing search displayed url (I put hyphens in-- don't nobody try to click this or otherwise try this page): b-i-n-g.i-e-b-z.c-o-m in the URL, page was blank. |
|
 TheJokerPremium,VIP,MVM join:2001-04-26 Charlottesville, VA kudos:5
1 recommendation | Please go to VirusTotal and submit the following files for a scan and post the detection results in your next reply:
c:\users\ROLLIEA\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
c:\users\ROLLIEA\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
c:\users\ROLLIEA\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
c:\users\ROLLIEA\AppData\Local\DownloadTerms\temp.dat
-- Proud ASAP member since 2005 Microsoft MVP/Consumer Security 2009-2010 |
|
 edale join:2012-01-21 Seattle, WA | I have the laptop with me at another location where there is wi-fi (public library, where it has connected easily before), but it is not able to connect to the wi-fi network here. Might have to wait until I get back to a hardwired connection. |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
First response by VirusTotal said: "This file was already analyzed by VirusTotal on 2013-04-02 13:03:40. Detection ratio 0/46. You can take a look at the last analysis or analyze it again right now."
I chose Reanalyze.
Response:
(the devil/angel meter had devil 1, angel 0.)
SHA256: deef30e052eaa8220a8c9868aa45cc3532d6b5a4b34e439421d55c6a4d207f21
File name: _IsIcoRes.exe
Detection ratio: 0 / 46
Analysis date: 2013-05-03 00:59:16 UTC ( 0 minutes ago )
(the following list had green checkmarks between the two columns)
Agnitum 20130502 AhnLab-V3 20130502 AntiVir 20130503 Antiy-AVL 20130502 Avast 20130503 AVG 20130502 BitDefender 20130503 ByteHero 20130430 CAT-QuickHeal 20130502 ClamAV 20130503 Commtouch 20130503 Comodo 20130503 DrWeb 20130503 Emsisoft 20130503 eSafe 20130501 ESET-NOD32 20130502 F-Prot 20130502 F-Secure 20130503 Fortinet 20130503 GData 20130503 Ikarus 20130503 Jiangmin 20130502 K7AntiVirus 20130502 K7GW 20130502 Kaspersky 20130503 Kingsoft 20130502 Malwarebytes 20130503 McAfee 20130503 McAfee-GW-Edition 20130502 Microsoft 20130503 MicroWorld-eScan 20130503 NANO-Antivirus 20130503 Norman 20130502 nProtect 20130502 Panda 20130502 PCTools 20130502 Sophos 20130503 SUPERAntiSpyware 20130503 Symantec 20130503 TheHacker 20130502 TotalDefense 20130502 TrendMicro 20130503 TrendMicro-HouseCall 20130503 VBA32 20130502 VIPRE 20130503 ViRobot 20130503 |
|
 edale join:2012-01-21 Seattle, WA | from the Additional info tab:
ssdeep
768:SMAyAdTmPJbgqcnDccThMsBmsmBaEX3bsvL7cxjKcL9d:SdU81cc9MmIFXya9d
TrID
Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (13.4%)
Generic Win/DOS Executable (4.1%)
DOS Executable Generic (4.1%)
PEiD packer identifier
Armadillo v1.71
ExifTool
SubsystemVersion.........: 4.0
InitializedDataSize......: 53248
ImageVersion.............: 0.0
ProductName..............: InstallShield
FileVersionNumber........: 12.0.0.58849
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: _IsIcoRes.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 12.0.58849
TimeStamp................: 2007:01:20 07:15:38+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: _IsIcoRes.exe
FileAccessDate...........: 2013:05:03 01:59:41+01:00
ProductVersion...........: 12.0
FileDescription..........: InstallShield
OSVersion................: 4.0
FileCreateDate...........: 2013:05:03 01:59:41+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright (C) 2006 Macrovision Corporation
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Macrovision Corporation
CodeSize.................: 16384
FileSubtype..............: 0
ProductVersionNumber.....: 12.0.0.0
EntryPoint...............: 0x1005
ObjectFileType...........: Executable application
Sigcheck
publisher................: Macrovision Corporation
product..................: InstallShield
internal name............: _IsIcoRes.exe
copyright................: Copyright (C) 2006 Macrovision Corporation
original name............: _IsIcoRes.exe
file version.............: 12.0.58849
description..............: InstallShield
Portable Executable structural information
Compilation timedatestamp.....: 2007-01-20 06:15:38
Target machine................: Intel 386 or later processors and compatible processors
Entry point address...........: 0x00001005
PE Sections...................:
Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             13742         16384     5.95     125d4361997b933c25cdfaa441c403f6
.rdata  20480            1952          4096      3.17     15e13969f0737bb4ec50592b029c02f2
.data   24576            10716         12288     0.36     9b57a8510b2e985a48115bbaee120bb5
.rsrc   36864            36676         36864     5.39     4ba0d276eb6299f76d3bfa93dc0a4dba
PE Imports....................:
[[KERNEL32.dll]] HeapFree, GetStdHandle, LCMapStringW, SetHandleCount, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, GetEnvironmentStringsW, GetVersionExA, GetModuleFileNameA, RtlUnwind, LoadLibraryA, FreeEnvironmentStringsA, GetStartupInfoA, GetEnvironmentStrings, GetCPInfo, UnhandledExceptionFilter, MultiByteToWideChar, FreeEnvironmentStringsW, GetCommandLineA, GetProcAddress, WideCharToMultiByte, GetStringTypeA, GetModuleHandleA, WriteFile, GetCurrentProcess, GetACP, HeapReAlloc, GetStringTypeW, TerminateProcess, GetEnvironmentVariableA, HeapCreate, VirtualFree, GetFileType, HeapAlloc, GetVersion, VirtualAlloc
PE Resources..................:
Resource type    Number of resources
RT_ICON          5
RT_GROUP_ICON    1
RT_VERSION       1
RT_MANIFEST      1
Resource language  Number of resources
NEUTRAL            7
ENGLISH US         1
Symantec Reputation    Suspicious.Insight
ClamAV PUA Engine      Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: »www.clamav.net/index.php?s=pua&lang=en .
First seen by VirusTotal 2012-04-05 03:16:23 UTC ( 1 year ago )
Last seen by VirusTotal 2013-05-03 00:59:16 UTC ( 6 minutes ago )
File names (max. 25)
SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
ARPPRODUCTICON.exe
00D8E06B0033AE2820C20131601FE50015D6202D.exe
ARPPRODUCTICON.exe
SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
A0019751.exe
file-4563098_exe
_IsIcoRes.exe |
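The "PE Sections" table in the VirusTotal report above lists, for each section, its virtual address and sizes, a Shannon entropy value and an MD5 of the raw bytes. The code below is an added example (not from the thread or from VirusTotal) that produces the same columns by walking the DOS header, PE signature, COFF header and section table with `struct`, and it adds the usual triage heuristic that a section near 8.0 bits/byte likely holds packed or encrypted data. Because no real binary is shipped with the example, `build_sample_image` assembles a constructed, non-executable PE-shaped blob with one uniformly distributed section and one zero-filled section.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 when all 256 byte values are equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return rows
    with the same columns as VirusTotal's 'PE Sections' listing."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)          # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # section headers follow the optional header
    rows = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return rows


def high_entropy_sections(rows: list, threshold: float = 7.0) -> list:
    """Triage heuristic: sections close to 8.0 bits/byte usually contain packed or encrypted data."""
    return [r["name"] for r in rows if r["entropy"] >= threshold]


def build_sample_image() -> bytes:
    """Constructed, non-executable PE-shaped blob for the demo: DOS stub, empty optional header,
    and two sections, one uniformly distributed and one all zeros."""
    text_raw = bytes(range(256)) * 2   # every byte value twice -> entropy exactly 8.0
    data_raw = b"\0" * 512             # constant -> entropy 0.0, like a zero-filled .data

    def section(name, vsize, vaddr, raw_size, raw_ptr):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # then relocation / line-number fields and Characteristics (all zero here)
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at 0x3C points to 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    headers = (b"PE\0\0" + coff
               + section(b".text", len(text_raw), 0x1000, len(text_raw), 0x200)
               + section(b".data", 0x1000, 0x2000, len(data_raw), 0x400))
    image = dos + headers
    image += b"\0" * (0x200 - len(image)) + text_raw + data_raw   # raw data starts at 0x200
    return image


if __name__ == "__main__":
    for row in parse_sections(build_sample_image()):
        print(row)
```

On the real file in this thread the .text entropy of 5.95 is ordinary compiled code, and the per-section MD5s are what let you confirm that three differently named files are byte-for-byte the same InstallShield stub without re-uploading each one.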
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Second file results:
(similar preamble about file already having been analysed)
(devil 1, angel 0)
SHA256: deef30e052eaa8220a8c9868aa45cc3532d6b5a4b34e439421d55c6a4d207f21
SHA1: 119c915604c4d8a5de3d7357dc2401fdddadbfd7
MD5: b9693ffe7ada752dbe588c0e004df4c4
File size: 72.0 KB ( 73728 bytes )
File name: _IsIcoRes.exe
File type: Win32 EXE
Detection ratio: 0 / 46
Analysis date: 2013-05-03 00:59:16 UTC ( 11 minutes ago )
Antivirus Result Update Agnitum 20130502 AhnLab-V3 20130502 AntiVir 20130503 Antiy-AVL 20130502 Avast 20130503 AVG 20130502 BitDefender 20130503 ByteHero 20130430 CAT-QuickHeal 20130502 ClamAV 20130503 Commtouch 20130503 Comodo 20130503 DrWeb 20130503 Emsisoft 20130503 eSafe 20130501 ESET-NOD32 20130502 F-Prot 20130502 F-Secure 20130503 Fortinet 20130503 GData 20130503 Ikarus 20130503 Jiangmin 20130502 K7AntiVirus 20130502 K7GW 20130502 Kaspersky 20130503 Kingsoft 20130502 Malwarebytes 20130503 McAfee 20130503 McAfee-GW-Edition 20130502 Microsoft 20130503 MicroWorld-eScan 20130503 NANO-Antivirus 20130503 Norman 20130502 nProtect 20130502 Panda 20130502 PCTools 20130502 Sophos 20130503 SUPERAntiSpyware 20130503 Symantec 20130503 TheHacker 20130502 TotalDefense 20130502 TrendMicro 20130503 TrendMicro-HouseCall 20130503 VBA32 20130502 VIPRE 20130503 ViRobot 20130503
from the additional info tab:
ssdeep
768:SMAyAdTmPJbgqcnDccThMsBmsmBaEX3bsvL7cxjKcL9d:SdU81cc9MmIFXya9d
TrID
Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (13.4%)
Generic Win/DOS Executable (4.1%)
DOS Executable Generic (4.1%)
PEiD packer identifier
Armadillo v1.71
ExifTool
SubsystemVersion.........: 4.0
InitializedDataSize......: 53248
ImageVersion.............: 0.0
ProductName..............: InstallShield
FileVersionNumber........: 12.0.0.58849
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: _IsIcoRes.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 12.0.58849
TimeStamp................: 2007:01:20 07:15:38+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: _IsIcoRes.exe
FileAccessDate...........: 2013:05:03 01:59:41+01:00
ProductVersion...........: 12.0
FileDescription..........: InstallShield
OSVersion................: 4.0
FileCreateDate...........: 2013:05:03 01:59:41+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright (C) 2006 Macrovision Corporation
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Macrovision Corporation
CodeSize.................: 16384
FileSubtype..............: 0
ProductVersionNumber.....: 12.0.0.0
EntryPoint...............: 0x1005
ObjectFileType...........: Executable application
Sigcheck
publisher................: Macrovision Corporation
product..................: InstallShield
internal name............: _IsIcoRes.exe
copyright................: Copyright (C) 2006 Macrovision Corporation
original name............: _IsIcoRes.exe
file version.............: 12.0.58849
description..............: InstallShield
Portable Executable structural information
Compilation timedatestamp.....: 2007-01-20 06:15:38
Target machine................: Intel 386 or later processors and compatible processors
Entry point address...........: 0x00001005
PE Sections...................:
Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             13742         16384     5.95     125d4361997b933c25cdfaa441c403f6
.rdata  20480            1952          4096      3.17     15e13969f0737bb4ec50592b029c02f2
.data   24576            10716         12288     0.36     9b57a8510b2e985a48115bbaee120bb5
.rsrc   36864            36676         36864     5.39     4ba0d276eb6299f76d3bfa93dc0a4dba
PE Imports....................:
[[KERNEL32.dll]] HeapFree, GetStdHandle, LCMapStringW, SetHandleCount, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, GetEnvironmentStringsW, GetVersionExA, GetModuleFileNameA, RtlUnwind, LoadLibraryA, FreeEnvironmentStringsA, GetStartupInfoA, GetEnvironmentStrings, GetCPInfo, UnhandledExceptionFilter, MultiByteToWideChar, FreeEnvironmentStringsW, GetCommandLineA, GetProcAddress, WideCharToMultiByte, GetStringTypeA, GetModuleHandleA, WriteFile, GetCurrentProcess, GetACP, HeapReAlloc, GetStringTypeW, TerminateProcess, GetEnvironmentVariableA, HeapCreate, VirtualFree, GetFileType, HeapAlloc, GetVersion, VirtualAlloc
PE Resources..................:
Resource type    Number of resources
RT_ICON          5
RT_GROUP_ICON    1
RT_VERSION       1
RT_MANIFEST      1
Resource language  Number of resources
NEUTRAL            7
ENGLISH US         1
Symantec Reputation    Suspicious.Insight
ClamAV PUA Engine      Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: »www.clamav.net/index.php?s=pua&lang=en .
First seen by VirusTotal 2012-04-05 03:16:23 UTC ( 1 year ago )
Last seen by VirusTotal 2013-05-03 00:59:16 UTC ( 12 minutes ago )
File names (max. 25)
SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
ARPPRODUCTICON.exe
00D8E06B0033AE2820C20131601FE50015D6202D.exe
ARPPRODUCTICON.exe
SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
A0019751.exe
file-4563098_exe
_IsIcoRes.exe |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Third file results:
similar preamble
devil 1, angel 0
SHA256: deef30e052eaa8220a8c9868aa45cc3532d6b5a4b34e439421d55c6a4d207f21
SHA1: 119c915604c4d8a5de3d7357dc2401fdddadbfd7
MD5: b9693ffe7ada752dbe588c0e004df4c4
File size: 72.0 KB ( 73728 bytes )
File name: _IsIcoRes.exe
File type: Win32 EXE
Detection ratio: 0 / 44
Analysis date: 2013-05-03 01:13:50 UTC ( 2 minutes ago )
Antivirus Result Update Agnitum 20130502 AhnLab-V3 20130502 AntiVir 20130503 Antiy-AVL 20130502 Avast 20130503 AVG 20130502 BitDefender 20130503 ByteHero 20130424 CAT-QuickHeal 20130502 ClamAV 20130503 Commtouch 20130503 Comodo 20130503 Emsisoft 20130503 eSafe 20130501 ESET-NOD32 20130502 F-Prot 20130502 F-Secure 20130503 Fortinet 20130503 GData 20130503 Ikarus 20130503 Jiangmin 20130502 K7AntiVirus 20130502 K7GW 20130502 Kaspersky 20130503 Kingsoft 20130502 Malwarebytes 20130503 McAfee 20130503 McAfee-GW-Edition 20130502 Microsoft 20130503 MicroWorld-eScan 20130503 NANO-Antivirus 20130503 Norman 20130502 nProtect 20130502 Panda 20130502 PCTools 20130503 Sophos 20130503 SUPERAntiSpyware 20130503 Symantec 20130503 TheHacker 20130502 TotalDefense 20130502 TrendMicro-HouseCall 20130503 VBA32 20130502 VIPRE 20130503 ViRobot 20130503
From the additional info tab:
ssdeep
768:SMAyAdTmPJbgqcnDccThMsBmsmBaEX3bsvL7cxjKcL9d:SdU81cc9MmIFXya9d
TrID
Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (13.4%)
Generic Win/DOS Executable (4.1%)
DOS Executable Generic (4.1%)
PEiD packer identifier
Armadillo v1.71
ExifTool
SubsystemVersion.........: 4.0
InitializedDataSize......: 53248
ImageVersion.............: 0.0
ProductName..............: InstallShield
FileVersionNumber........: 12.0.0.58849
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: _IsIcoRes.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 12.0.58849
TimeStamp................: 2007:01:20 06:15:38+00:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: _IsIcoRes.exe
FileAccessDate...........: 2013:05:03 02:14:48+01:00
ProductVersion...........: 12.0
FileDescription..........: InstallShield
OSVersion................: 4.0
FileCreateDate...........: 2013:05:03 02:14:48+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright (C) 2006 Macrovision Corporation
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Macrovision Corporation
CodeSize.................: 16384
FileSubtype..............: 0
ProductVersionNumber.....: 12.0.0.0
EntryPoint...............: 0x1005
ObjectFileType...........: Executable application
Sigcheck
publisher................: Macrovision Corporation
product..................: InstallShield
internal name............: _IsIcoRes.exe
copyright................: Copyright (C) 2006 Macrovision Corporation
original name............: _IsIcoRes.exe
file version.............: 12.0.58849
description..............: InstallShield
Portable Executable structural information
Compilation timedatestamp.....: 2007-01-20 06:15:38
Target machine................: Intel 386 or later processors and compatible processors
Entry point address...........: 0x00001005
PE Sections...................:
Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             13742         16384     5.95     125d4361997b933c25cdfaa441c403f6
.rdata  20480            1952          4096      3.17     15e13969f0737bb4ec50592b029c02f2
.data   24576            10716         12288     0.36     9b57a8510b2e985a48115bbaee120bb5
.rsrc   36864            36676         36864     5.39     4ba0d276eb6299f76d3bfa93dc0a4dba
PE Imports....................:
[[KERNEL32.dll]] HeapFree, GetStdHandle, LCMapStringW, SetHandleCount, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, GetEnvironmentStringsW, GetVersionExA, GetModuleFileNameA, RtlUnwind, LoadLibraryA, FreeEnvironmentStringsA, GetStartupInfoA, GetEnvironmentStrings, GetCPInfo, UnhandledExceptionFilter, MultiByteToWideChar, FreeEnvironmentStringsW, GetCommandLineA, GetProcAddress, WideCharToMultiByte, GetStringTypeA, GetModuleHandleA, WriteFile, GetCurrentProcess, GetACP, HeapReAlloc, GetStringTypeW, TerminateProcess, GetEnvironmentVariableA, HeapCreate, VirtualFree, GetFileType, HeapAlloc, GetVersion, VirtualAlloc
PE Resources..................:
Resource type    Number of resources
RT_ICON          5
RT_GROUP_ICON    1
RT_VERSION       1
RT_MANIFEST      1
Resource language  Number of resources
NEUTRAL            7
ENGLISH US         1
Symantec Reputation    Suspicious.Insight
ClamAV PUA Engine      Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: »www.clamav.net/index.php?s=pua&lang=en .
First seen by VirusTotal 2012-04-05 03:16:23 UTC ( 1 year ago )
Last seen by VirusTotal 2013-05-03 01:13:50 UTC ( 3 minutes ago )
File names (max. 25)
SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
ARPPRODUCTICON.exe
00D8E06B0033AE2820C20131601FE50015D6202D.exe
ARPPRODUCTICON.exe
SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
A0019751.exe
file-4563098_exe
_IsIcoRes.exe |
|
 edale join:2012-01-21 Seattle, WA 1 edit | reply to TheJoker
4th file:
Upload error temp.dat file not found Check the file name and try again.
Checking the HD via windows explorer, that folder, DownloadTerms, is empty, set for read only (files only). Folder options set to display hidden, system, executable, etc. |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Oh, I just noticed something. Were MSE and SAS supposed to be turned off for these scans?
Computer is behaving well, save for the continuing intermittent browser redirect (emerging pattern: sporadic opening of a bogus blank page in a new tab, when a new tab was not requested; URL along the lines of google.com.(alphabet soup)).
I will be away from the computer for approx. 4 hours. |
|
 TheJokerPremium,VIP,MVM join:2001-04-26 Charlottesville, VA kudos:5 1 edit
1 recommendation | Please run a scan with Kaspersky Rescue Disk. Read all these directions before proceeding. Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?
When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. A CD/DVD is best as there is no way anything can write on it after it is made. If the system you burn the disk on has Windows 7, you don't need an extra program, just follow these directions to burn the image to disk:
» windows.microsoft.com/en-us/wind···iso-file
» technet.microsoft.com/en-us/maga···080.aspx
Summarizing:
- Go to a clean PC.
- Download the .iso image file.
- Create a CD (or flash drive if you prefer).
- At the infected PC: put the disk in the drive and reboot.
Follow the directions here, but you will find some differences. Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?
Print the following directions:
Boot from Kaspersky Rescue Disk 10:
- Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
- Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
- Select the required interface language using the arrow-keys on your keyboard.
- Press the Enter key on the keyboard.
- In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
- Click Enter.
- Click '1' to accept the agreement.
- Select operating system from dropdown menu (select Windows whatever)
- Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
- Click My Update Center and update if any available
- Back to other tab and click Start Object Scan (this may take several hours)
- When scan has completed save a report:
-- On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
-- On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
-- On the upper right hand corner of the Detailed report window, click on the Save button.
-- After clicking Detailed Report and 'SAVE', a browse window opens.
-- Double-click on the \
-- Click 'disks'.
-- All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
-- Click on the Save button.
-- The report has been saved to the file.
- Remove the disk from the drive (or disconnect USB) and reboot normally.
Please post the log from Kaspersky Rescue Disk and note any errors encountered.
-- Proud ASAP member since 2005 Microsoft MVP/Consumer Security 2009-2010 |
|
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Sorry for the delay. Took a while to download the 303MB file. Then the laptop did not want to boot off the CD, no matter what the boot settings were. Now I'm in, and will post the report as soon as it finishes updating and scanning.
I have it set to scan:
Disk boot sectors
Hidden startup objects
C:
sda1
sda2 |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
said by TheJoker:
- When scan has completed save a report:
-- On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
-- On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
-- On the upper right hand corner of the Detailed report window, click on the Save button.
-- After clicking Detailed Report and 'SAVE', a browse window opens.
-- Double-click on the \
-- Click 'disks'.
-- All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
-- Click on the Save button.
-- The report has been saved to the file.
- Remove the disk from the drive (or disconnect USB) and reboot normally.
Please post the log from Kaspersky Rescue Disk and note any errors encountered.
I did this, saving a file I named "kav10.txt" which is nowhere to be found on the HD. I am gravely sorry about this.
From my memory, it did not find much, only one non-virus. It was listed as adware, in the FF roaming folder. When the alert box for it displayed, I set to delete it.
It found a dozen other similar items in the same location, but did not give option to delete those.
Again, sorry for the non-log. I spent a good bit of time searching for it.
Getting discouraged here. |
|
 TheJokerPremium,VIP,MVM join:2001-04-26 Charlottesville, VA kudos:5 | reply to edale
Can you tell what these folders are for from the contents?
c:\users\ROLLIEA\AppData\Local\Torch
c:\programdata\Datamngr
They were installed about the same time as Search Results Toolbar. If you right-click on the files in the folders, go to Properties, and the Details tab, there may be information on the Product Name or Copyright. -- Proud ASAP member since 2005 Microsoft MVP/Consumer Security 2009-2010 |
|
 edale join:2012-01-21 Seattle, WA 1 edit | Torch Directory contents. Here is the contents of the log.log file:
HKCR\.flv\shell\open\command:
HKCR\.flv: VafPlayer
Silent new installation: Get command line: /S /SetDefaultBrowser /AddShortcutsAndIconsToDesktop /extappid=352 /extsysid=406 /lang=en
1. HKCR\.torrent\shell\open\command:
2. HKCR\.torrent: OpenFreely
setDefaultBrowser=Yes
setDefaultTorrent=
Init, params /S /SetDefaultBrowser /AddShortcutsAndIconsToDesktop /extappid=352 /extsysid=406 /lang=en
lang=en
Init
Product version 23.0.0.3116
Old product version :
Setup Type: New
Is WinOs 64x: 1
Win Version: 6.1
Win locale: en-US
Application ID: 139
Application enviroment:
INSTDIR: C:\Users\ROLLIEA\AppData\Local\Torch
User's Folders:
Program Files: C:\Program Files (x86)
Current User Start Menu Path: C:\Users\ROLLIEA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Common Start Menu Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
AllUser Desktop: C:\Users\Public\Desktop
Current User Desktop: C:\Users\ROLLIEA\Desktop
Local AppData: C:\Users\ROLLIEA\AppData\Local
AppData: C:\Users\ROLLIEA\AppData\Roaming
Common AppData: C:\ProgramData
Sections
Main.GetFiles
MainTools.DownloadFiles
MainTools.DownloadFiles: filesUrl =
MainTools.DownloadFiles: filesList =
MainTools.DownloadFiles: filesLog =
MainTools.DownloadFiles: filesSize =
Section: filesPath: C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp
Section: used E:\Work\Torch\23.0.1271.97\Client\installation\scripts\external\Install.nsi
File /oname=C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\pack.exe E:\Work\Torch\23.0.1271.97\Client\installation\release\pack.exe
File /oname=C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\torchtorrent.exe E:\Work\Torch\23.0.1271.97\Client\installation\release\torchtorrent.exe
File /oname=C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\torchflvplayer.exe E:\Work\Torch\23.0.1271.97\Client\installation\release\torchflvplayer.exe
File /oname=C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\torchforchromeplugin.exe E:\Work\Torch\23.0.1271.97\Client\installation\release\torchforchromeplugin.exe
MainTools.UnpackFiles: C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\pack.exe
MainTools.UnpackFiles: C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp
MainTools.UnpackFiles: Result: 0
call MainTools.UnpackFiles C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\pack.exe to C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp
MainTools.ExecWait, Execute "C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\setup.exe" --install-archive="C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\chrome.packed.7z" --do-not-launch-chrome --do-not-create-shortcuts
installerResult from Software\Torch\Update\ClientState\{10EF5446-BED9-42A9-B5F4-60CC55926827}:
Install: Shortcut support:
Install: call ShortcutTools.AddShortcutToDesktop with isDesktopShortCut: Yes
ShortcutTools.AddShortcutToDesktop, CreateShortCut: C:\Users\ROLLIEA\Desktop\Torch.lnk for C:\Users\ROLLIEA\AppData\Local\Torch\Application\torch.exe
Install: call ShortcutTools.AddShortcutToQuickLaunch with isQuickLaunchShortCut: Yes
ShortcutTools.AddShortcutToQuickLaunch, CreateShortCut: C:\Users\ROLLIEA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Torch.lnk
Add Language en-US to HKCU Software\Torch\Update\ClientState\{10EF5446-BED9-42A9-B5F4-60CC55926827}
Add Language en-US to HKLM Software\Torch\Update\ClientState\{10EF5446-BED9-42A9-B5F4-60CC55926827}
Section: call MainTools.SaveSettings
Section: install signed uninstaller - C:\Users\ROLLIEA\AppData\Local\Torch\Uninstall.exe
CopyFiles /SILENT C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\Helper.dll C:\Users\ROLLIEA\AppData\Local\Torch\Helper.dll
Section: call StatsHelper.SendStats
StatsHelper.SendStats: service.torchbrowser.com and install_statistics.php?sysid=448&appid=139&clid={B448F36D-D543-4876-8ED1-21BD07033E40}&ln=en&osver=6.1&osl=en-US&pver=23.0.0.3116&iver=23.0.0.3116&ptype=n&itype=n&ch=0&ct=0&ostype=win64 &extsysid=406 &extappid=352
configBufferStr: 2013-04-22 false false false false
Section: call StatsHelper.SendMlstats
StatsHelper.SendMlstats: www.mlstat.com and /statistics/client/install.php?systemid=448&os=6.1&is64=1&ver=23.0.0.3116&type=New&appid=139&userHome=No&userToolbar=No &extsysid=406 &extappid=352
call XMLTools.ParseStatsFile
WriteFile xml to C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\config.xml
parse xml file with 101471448
Load Xml File: C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\config.xml
select: /initial_setup/sitime
getText: 2013-04-22
XMLSettings.ParseXMLSettingsFile
select /initial_setup/torch_master_se 101500824
select: /initial_setup/torch_master_se
getText: masterSE=
select /initial_setup/torch_replace_icons 101500880
select: /initial_setup/torch_replace_icons
getText: isIconsReplace=false
select /initial_setup/ServerWin 0
select /initial_setup/use_os 101500184
select: /initial_setup/use_os
getText: isUseOs=false
select /initial_setup/what_is_new_url 101500240
select: /initial_setup/what_is_new_url
getText: whatIsNewUrl=
select /initial_setup/disable_drop_to_s 101500296
select: /initial_setup/disable_drop_to_s
getText: disableDropToS=false
select /initial_setup/disable_music_portal 101500352
select: /initial_setup/disable_music_portal
getText: disableMusicPortal=false
call XMLTools.SaveStatsSettings
XMLSettings.SaveXMLSettings
Section: used E:\Work\Torch\23.0.1271.97\Client\installation\scripts\external\PostInstall.nsi
Install: call ShortcutTools.AddShortcutToTaskBar with isTaskBarShortCut: Yes
ShortcutTools.AddShortcutToTaskBar, InvokeShellVerb::DoIt C:\Users\ROLLIEA\Desktop Torch.lnk
----------------------------
------------------------------
Details listed Torch Browser by Torch Media Inc.
I think it is unwanted drive-by download/install adware; how do you recommend uninstalling it? |
|
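For anyone triaging a log like the one above, here is an added example (not the poster's or Torch Media's code) that pulls the remediation-relevant artifacts out of an NSIS-style installer log: registry keys touched, files dropped into the temp staging directory, shortcuts created, the vendor uninstaller path, the hosts that received install statistics, and the command-line switches that made the install silent. The embedded excerpt is constructed from lines of the posted log, with the long query strings trimmed.

```python
import re

# Constructed excerpt of the log.log posted above (lines copied from the post,
# long query strings trimmed). The parser below is an added example, not Torch code.
SAMPLE_LOG = r"""
Get command line: /S /SetDefaultBrowser /AddShortcutsAndIconsToDesktop /extappid=352 /extsysid=406 /lang=en
HKCR\.flv\shell\open\command:
1. HKCR\.torrent\shell\open\command:
File /oname=C:\Users\ROLLIEA\AppData\Local\Temp\nsh5716.tmp\nss57F2.tmp\pack.exe E:\Work\Torch\23.0.1271.97\Client\installation\release\pack.exe
ShortcutTools.AddShortcutToDesktop, CreateShortCut: C:\Users\ROLLIEA\Desktop\Torch.lnk for C:\Users\ROLLIEA\AppData\Local\Torch\Application\torch.exe
ShortcutTools.AddShortcutToQuickLaunch, CreateShortCut: C:\Users\ROLLIEA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Torch.lnk
Add Language en-US to HKCU Software\Torch\Update\ClientState\{10EF5446-BED9-42A9-B5F4-60CC55926827}
Section: install signed uninstaller - C:\Users\ROLLIEA\AppData\Local\Torch\Uninstall.exe
StatsHelper.SendStats: service.torchbrowser.com and install_statistics.php?sysid=448&appid=139
StatsHelper.SendMlstats: www.mlstat.com and /statistics/client/install.php?systemid=448&os=6.1
"""

# Switches that make the install silent or change user defaults without a
# prompt; all three appear in the posted log's "Get command line" entry.
RISKY_FLAGS = {"/S", "/SetDefaultBrowser", "/AddShortcutsAndIconsToDesktop"}

def triage(log_text):
    """Group remediation-relevant artifacts found in an NSIS-style installer log."""
    found = {k: [] for k in ("flags", "registry", "dropped", "shortcuts", "uninstaller", "telemetry")}
    for line in log_text.splitlines():
        m = re.search(r"Get command line: (.*)", line)
        if m:  # installer switches, e.g. /S for a silent install
            found["flags"].extend(m.group(1).split())
        for key in re.findall(r"HKCR\\\S+|HK(?:CU|LM) Software\\\S+", line):
            found["registry"].append(key.rstrip(":"))  # file associations, ClientState keys
        m = re.search(r"File /oname=(\S+)", line)
        if m:  # files extracted into the temp staging directory
            found["dropped"].append(m.group(1))
        m = re.search(r"CreateShortCut: (.+?\.lnk)", line)
        if m:  # desktop / Quick Launch shortcuts to remove
            found["shortcuts"].append(m.group(1))
        m = re.search(r"uninstaller - (\S+)", line)
        if m:  # the vendor uninstaller, the first thing to try for removal
            found["uninstaller"].append(m.group(1))
        m = re.search(r"StatsHelper\.Send\w+: (\S+) and (\S+)", line)
        if m:  # hosts that received install statistics (network indicators)
            host, path = m.groups()
            found["telemetry"].append(host + ("" if path.startswith("/") else "/") + path)
    return found

def silent_install_indicators(found):
    """Sorted list of the risky switches present: a quick 'was this silent?' check."""
    return sorted(RISKY_FLAGS & set(found["flags"]))
```

The registry keys and shortcut paths it returns are the places to check after running the uninstaller, and the telemetry hosts are what to look for in proxy or DNS logs.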
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Contents of Datamngr directory. Sample contents of one of these files: ... They are similar. No illuminating details for these files. |
|
 edale join:2012-01-21 Seattle, WA | reply to TheJoker
Still getting the sporadic unwanted browser new tab (google.com.[alphabet soup]). |
|