Could you please check my Laptop

Malware virus

This topic is locked
21 replies to this topic

#1 Mr Angry
Advanced Member (Full Member, 114 posts)

Posted 05 May 2013 - 02:33 PM

Hi

Could you please check the following to see if everything looks ok. Call it a type of M.O.T.

I attach firstly a scan from Malwarebytes Anti-Malware and secondly from HijackThis -

Malwarebytes Anti-Malware

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.05.05.05
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Tony123 :: TONYW [administrator]
 
05/05/2013 17:38:47
mbam-log-2013-05-05 (17-38-47).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 380651
Time elapsed: 2 hour(s), 5 minute(s), 40 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:47:49, on 05/05/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Video Web Camera\traybar.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Video Web Camera\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Users\Tony123\AppData\Local\Google\Update\1.3.21.145\GoogleCrashHandler.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.pack...&d=0709&m=dotma
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.pack...&d=0709&m=dotma
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MSN & Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ÿþ1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Video Web Camera\traybar.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\Windows\TEMP\E_S9920.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Tony123\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Musicmatch Jukebox.lnk = C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjb.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O13 - Gopher Prefix: 
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira Mail Protection (AntiVirMailService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
 
--
End of file - 10561 bytes
 
Await your reply

Mr Angry (aka Lord23sutch - aka Tony)

EDIT: Please read the Instructions http://www.spywarein...showtopic=79038 and post logs...  You are using an obsolete copy of HijackThis and we need the DDS and SecurityCheck logs as well...  Our helpers need details to review in order to help...


Edited by Budfred, 05 May 2013 - 03:04 PM.



#2 TheJoker
Forum Deity (Boot Camp Mod, 14,477 posts)

Posted 05 May 2013 - 08:41 PM

Hi Mr Angry, and Welcome Back.

As Budfred already said in your post above, please post the logs from DDS and Security Check.

Also, why did you want the system checked, were you experiencing a specific problem? If you were, please describe the problem, as that info would be useful as well.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#3 Mr Angry
Advanced Member (Full Member, 114 posts)

Posted 08 May 2013 - 08:09 PM

Thanks for replying. Here are all the logs.

HIJACKTHIS 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 02:27:21, on 09/05/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
CHROME: 26.0.1410.64
 
Boot mode: Normal
 
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Users\Tony123\AppData\Local\Google\Update\1.3.21.145\GoogleCrashHandler.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\Desktop\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.pack...&d=0709&m=dotma
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.pack...&d=0709&m=dotma
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MSN & Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ÿþ1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\Windows\TEMP\E_S9920.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Tony123\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Musicmatch Jukebox.lnk = C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjb.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira Mail Protection (AntiVirMailService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
 
--
End of file - 9819 bytes
 

DDS

DDS (Ver_2012-11-20.01) - NTFS_x86 

Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.21.2
Run by Tony123 at 2:32:05 on 2013-05-09
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.1790.897 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\Tony123\AppData\Local\Google\Update\1.3.21.145\GoogleCrashHandler.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\system32\UI0Detect.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tony123\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=2&o=vp32&d=0709&m=dotma
mDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=2&o=vp32&d=0709&m=dotma
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus DX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_S9920.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [Google Update] "c:\users\tony123\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [MtdAcq] c:\program files\creative\shared files\media sniffer\MtdAcq.exe /s
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\tony123\appdata\roaming\micros~1\windows\startm~1\programs\startup\musicm~1.lnk - c:\program files\musicmatch\musicmatch jukebox\mmjb.exe
StartupFolder: c:\users\tony123\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{4B81CF83-58A5-4842-80CC-79A3DBB2FB42} : DHCPNameServer = 88.82.13.60 88.82.13.60
TCP: Interfaces\{6909B29E-FDB0-43AE-B3C4-C105CAA98BC5} : DHCPNameServer = 88.82.13.44 88.82.13.44
TCP: Interfaces\{CAF4E00B-4449-4D84-AD6D-9F36A3EC8398} : DHCPNameServer = 194.168.4.100 194.168.8.100
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - c:\windows\system32\ezUPBHook.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-17 37352]
R1 RapportCerberus_50414;RapportCerberus_50414;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_50414.sys [2013-2-21 316984]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-2-13 102680]
R2 AntiVirMailService;Avira Mail Protection;c:\program files\avira\antivir desktop\avmailc.exe [2012-12-17 371768]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-12-17 86752]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-12-17 110816]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2012-12-17 562744]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-17 84744]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-2-13 1124184]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-4-15 3289208]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2013-2-12 93072]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2012-5-3 55448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-3-1 161384]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-12-3 112128]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-31 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2009-9-9 66560]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2009-9-9 107520]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2009-9-9 8064]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-12-3 100736]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-2-13 102008]
S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-2-13 173880]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\WordPad.exe="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-05-06 21:49:00 -------- d-----w- c:\users\tony123\appdata\local\{3D24D873-128D-424E-8346-4C3C09C1070E}
2013-05-05 16:35:27 -------- d-----w- c:\programdata\Malwarebytes
2013-04-30 00:07:01 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-21 03:06:09 -------- d-----w- c:\users\tony123\appdata\roaming\FreeTorentPlayer
2013-04-15 14:27:41 -------- d-----w- C:\components
2013-04-10 06:05:47 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 06:05:45 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-04-10 06:05:42 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 06:05:36 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 06:05:35 64000 ----a-w- c:\windows\system32\smss.exe
2013-04-10 06:05:35 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 06:05:35 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 06:05:29 2049024 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M  ====================
.
2013-05-02 15:32:23 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 15:32:23 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-25 13:13:39 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-03-25 13:13:39 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-03-07 20:32:15 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-07 20:32:15 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-22 03:46:00 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 03:38:00 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 03:37:50 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 03:34:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 03:34:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 03:31:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-13 09:19:12 102008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-02-12 01:57:27 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
============= FINISH:  2:33:25.84 ===============
 

 

Results of screen317's Security Check version 0.99.63  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
Avira Desktop   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Out of date HijackThis  installed! 
 SpywareBlaster 5.0    
 Spybot - Search & Destroy 
 HijackThis 2.0.2    
 Java™ 6 Update 35  
 Java 7 Update 21  
 Adobe Flash Player 11.6.602.180  
 Adobe Reader 9 Adobe Reader out of Date! 
 Adobe Reader 10.1.6 Adobe Reader out of Date!  
 Google Chrome 26.0.1410.43  
 Google Chrome 26.0.1410.64  
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1 % 
````````````````````End of Log`````````````````````` 
 

 

I've already sent you the Malwarebytes' Anti-Malware log

 

Thanks

 

 




#4 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,477 posts

Posted 09 May 2013 - 06:40 PM

Could you please check the following to see if everything looks ok. Call it a type of M.O.T.

 

Did you simply want a check, or was there some reason you suspected something, or were experiencing some questionable activity such as pop-ups or redirects?

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
Please don't forget this step to disable teatimer.
 

Please download Malwarebytes Anti-Rootkit here.
 

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

 

 

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please post the two logs from MBAR, the log from AdwCleaner, the log from Farbar Service Scanner, note any errors encountered, and let me know if you were experiencing any suspect activity or simply wanted a check.

 


Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#5 Mr Angry

Mr Angry

    Advanced Member

  • Full Member
  • PipPipPip
  • 114 posts

Posted 09 May 2013 - 08:13 PM

Thank you for all the work you have done. Yes, all I want is a check.

 

Regarding all the steps you asked me to go through, I WILL reply as soon as possible, but I'm going away till Mon 20 May and will try to reply before then, though I'm not confident of that. Hope you can be patient.

 

 

Tony




#6 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,477 posts

Posted 09 May 2013 - 08:17 PM

That won't be a problem.




#7 Mr Angry

Mr Angry

    Advanced Member

  • Full Member
  • PipPipPip
  • 114 posts

Posted 10 May 2013 - 09:04 PM

Hey, I found time!!

 

Here are the logs.  

 

Malwarebytes  Log 1

 

 

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org
 
Database version: v2013.05.11.01
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Tony123 :: TONYW [administrator]
 
11/05/2013 02:39:28
mbar-log-2013-05-11 (02-39-28).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 28755
Time elapsed: 23 minute(s), 9 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 4
c:\windows\$ntuninstallkb30504$\2697779172 (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb30504$\2697779172\l (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb30504$\2697779172\u (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb30504$\2931768806 (Backdoor.0Access) -> Delete on reboot.
 
Files Detected: 1
c:\windows\$ntuninstallkb30504$\2697779172\desktop.ini (Backdoor.0Access) -> Delete on reboot.
 
(end)
 
Malwarebytes  Log 2
 
Malwarebytes Anti-Rootkit BETA 1.05.0.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.0.6002 Windows Vista Service Pack 2 x86
 
Account is Administrative
 
Internet Explorer version: 9.0.8112.16421
 
Java version: 1.6.0_35
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.197000 GHz
Memory total: 1876619264, free: 1025552384
 
------------ Kernel report ------------
     05/11/2013 02:15:30
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\AtiPcie.sys
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\amdk8.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\Rtlh86.sys
\SystemRoot\system32\DRIVERS\athr.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\DKbFltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_50414.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\ssmdrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\avkmgr.sys
\SystemRoot\system32\DRIVERS\avipbb.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\avgntflt.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff880d6218
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff870835e8
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.05.11.01
Downloaded database version: v2013.05.07.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff880d6218, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff881d9d18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff880d6218, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff870874e8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff870835e8, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffffffae56e1b0, 0xffffffff880d6218, 0xffffffff87806a20
Lower DeviceData: 0xffffffffae47deb0, 0xffffffff870835e8, 0xffffffff82582138
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 12F66377
 
Partition information:
 
    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 20971520
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 20973568  Numsec = 291604480
    Partition file system is NTFS
    Partition is bootable
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 160041885696 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-312561808-312581808)...
Done!
Performing system, memory and registry scan...
Read File: File "c:\windows\$ntuninstallkb30504$\2697779172\desktop.ini" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb30504$\2697779172 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb30504$\2697779172\desktop.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb30504$\2697779172\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb30504$\2697779172\u --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb30504$\2931768806 --> [Backdoor.0Access]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Executing an action fixdamage.exe...
Success!
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.0.6002 Windows Vista Service Pack 2 x86
 
Account is Administrative
 
Internet Explorer version: 9.0.8112.16421
 
Java version: 1.6.0_35
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.197000 GHz
Memory total: 1876619264, free: 1168310272
 
Removal queue found; removal started
Removing c:\windows\$ntuninstallkb30504$\2697779172...
Directory c:\windows\$ntuninstallkb30504$\2697779172 postponed for removal
Removing c:\windows\$ntuninstallkb30504$\2697779172\desktop.ini...
Removing c:\windows\$ntuninstallkb30504$\2697779172\l...
Removing c:\windows\$ntuninstallkb30504$\2697779172\u...
Removing c:\windows\$ntuninstallkb30504$\2931768806...
Directory c:\windows\$ntuninstallkb30504$\2697779172 deleted successfully
Removal finished
=======================================
 

 

Adwcleaner Log

 

# AdwCleaner v2.300 - Logfile created 05/11/2013 at 03:19:21

# Updated 28/04/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Tony123 - TONYW
# Boot Mode : Normal
# Running from : C:\Users\Tony123\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\END
File Deleted : C:\Program Files\Mozilla FireFox\Components\AskSearch.js
Folder Deleted : C:\Program Files\Windows Searchqu Toolbar
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Tony123\AppData\LocalLow\AGI
Folder Deleted : C:\Users\Tony123\AppData\LocalLow\Bandoo
Folder Deleted : C:\Users\Tony123\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Tony123\AppData\Roaming\Bandoo
Folder Deleted : C:\Users\Tony123\AppData\Roaming\dvdvideosoftiehelpers
Folder Deleted : C:\Users\Tony123\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\Tony123\AppData\Roaming\SpeedMaxPc
Folder Deleted : C:\Users\Tony123\AppData\Roaming\yourfiledownloader
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\59ed8d8b13aee46
Key Deleted : HKCU\Software\AGI
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2101}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\SearchCore for Browsers
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\SpeedMaxPC
Key Deleted : HKCU\Software\Surf Canyon
Key Deleted : HKLM\SOFTWARE\59ed8d8b13aee46
Key Deleted : HKLM\Software\AGI
Key Deleted : HKLM\Software\Bandoo
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A7DDCBDE-5C86-415C-8A37-763AE183E7E4}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BandooCore.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WMHelper.DLL
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.BandooCore
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.BandooCore.1
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.ResourcesMngr
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.ResourcesMngr.1
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.SettingsMngr
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.SettingsMngr.1
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.StatisticMngr
Key Deleted : HKLM\SOFTWARE\Classes\BandooCore.StatisticMngr.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{27BF8F8D-58B8-D41C-F913-B7EEB57EF6F6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06DE5702-44CF-4B79-B4EF-3DDF653358F5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B37B4BA6-334E-72C1-B57E-6AFE8F8A5AF3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B77AD4AC-C1C2-B293-7737-71E13A11FFEA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E773F2CF-5E6E-FF2B-81A1-AC581A26B2B2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4E1D-BDD0-1E9C9B7799CC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7F000001-DB8E-F89C-2FEC-49BF726F8C12}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87A0B80B-5BA7-4CB0-9553-105D68777D60}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4FDE-B055-AE7B0F4CF080}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2101}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6087829B-114F-42A1-A72B-B4AEDCEA4E5B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Software
Key Deleted : HKLM\Software\SpeedMaxPC
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Deleted : HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16476
 
[OK] Registry is clean.
 
-\\ Google Chrome v26.0.1410.64
 
File : C:\Users\Tony123\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [7220 octets] - [11/05/2013 03:19:21]
 
########## EOF - C:\AdwCleaner[S1].txt - [7280 octets] ##########
 

Farbar Log

 

 

Farbar Service Scanner Version: 14-04-2013
Ran by Tony123 (administrator) on 11-05-2013 at 03:47:50
Running from "C:\Users\Tony123\Desktop"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-13 17:53] - [2013-01-04 12:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4
 
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

 

 

Please let me know. Btw how do I get email notification when there's a post for me ?

 

Thanks

 

 

Tony
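The Farbar Service Scanner log above carries three findings that need reading rather than pasting: WinDefend is stopped while its service configuration is intact, the DisableAntiSpyware policy value is set to 1 (which switches Windows Defender off by policy; some antivirus installers also set it when they take over Defender's role, so correlate it with the installed AV before calling it tampering), and tcpip.sys is listed with its hash but without the "MD5 is legit" verdict, which only means the hash was not in the scanner's known-good list; a hotfix build it does not know looks exactly the same, so that line is a prompt to verify the file, not a finding. The script below is an added example written for this page, not FSS code and not anything posted in the thread; it pulls exactly those three kinds of finding out of an FSS log. SAMPLE_LOG is constructed to match the format of the log above, and the function names are this example's own.

```python
"""Triage a Farbar Service Scanner (FSS) log.

Added example written for this page; not FSS code. SAMPLE_LOG is
constructed to match the FSS output format, the function names are ours.
"""
import re

SAMPLE_LOG = r"""
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-13 17:53] - [2013-01-04 12:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4

C:\Windows\system32\svchost.exe => MD5 is legit
"""

HEADER_RE = re.compile(r"^(?P<title>[A-Za-z ]+):$")
STOPPED_RE = re.compile(r"^(?P<svc>\w+) Service is not running")
CONFIG_RE = re.compile(r"^The (?P<what>start type|ImagePath|ServiceDll) of (?P<svc>\w+) service is (?P<state>.+)\.$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)$')
# A File Check line either ends in "=> <verdict>" or is a bare path whose
# details (timestamps, size, vendor, MD5) follow on the next line.
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?: => (?P<verdict>.+))?$")
MD5_RE = re.compile(r"(?P<md5>[0-9A-Fa-f]{32})\s*$")


def parse_fss(text):
    """Return stopped services, altered service config, non-zero disable
    policies and files the scanner could not match against its hash list."""
    found = {"stopped": [], "config": [], "policies": [], "unverified": []}
    section, key, pending = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:       # blank or header underline
            continue
        if m := STOPPED_RE.match(line):
            found["stopped"].append(m.group("svc"))
        elif m := CONFIG_RE.match(line):
            if m.group("state") != "OK":         # ImagePath/ServiceDll changed
                found["config"].append((m.group("svc"), m.group("what"), m.group("state")))
        elif m := KEY_RE.match(line):
            key = m.group("key")                 # policy values follow their key
        elif (m := POLICY_RE.match(line)) and key:
            if int(m.group("value")) != 0:
                found["policies"].append((key, m.group("name"), int(m.group("value"))))
        elif m := HEADER_RE.match(line):
            section, key, pending = m.group("title"), None, None
        elif section == "File Check":
            if pending:                          # detail line for a bare path
                h = MD5_RE.search(line)
                found["unverified"].append((pending, h.group("md5").upper() if h else None))
                pending = None
            elif (m := FILE_RE.match(line)) and m.group("verdict") is None:
                pending = m.group("path")        # no "MD5 is legit" verdict
    return found


def triage(text):
    """Human-readable action list; unmatched hashes are flagged for
    verification, not declared malicious."""
    f = parse_fss(text)
    notes = [f"{s}: service is stopped" for s in f["stopped"]]
    notes += [f"{s}: {w} is {st} (service configuration altered)" for s, w, st in f["config"]]
    notes += [f"{n}={v} under {k}: component disabled by policy" for k, n, v in f["policies"]]
    notes += [f"{p}: MD5 {h} not in the scanner's known-good list; verify against a trusted copy"
              for p, h in f["unverified"]]
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

Run it against a saved FSS.txt by replacing SAMPLE_LOG with the file's contents; anything in "config" (an ImagePath or ServiceDll that is not OK) is the one result that points at deliberate tampering on its own.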




#8 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,477 posts

Posted 10 May 2013 - 09:53 PM

Btw how do I get email notification when there's a post for me ?

There's a "Follow this topic" button near the upper right of the page of your topic. Just click it. Be careful to NOT subscribe to a forum or you will receive an e-mail every time anyone posts in that forum.
 

You had a nasty rootkit (ZeroAccess) that MBAR found and removed.

 

 

Download RogueKiller (by tigzy) and save it to your desktop

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad

 

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:
http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).
Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**
**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the log at C:\ComboFix.txt in your next reply.

 

You have an outdated and vulnerable version of Java installed along with the current version.
Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 7.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, click the "Accept License Agreement" button.
  • Download the file for Windows x86 Offline (jre-7u21-windows-i586.exe) and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all versions of Java.
    • Java™ 6 Update 35
    • Java 7 Update 21

    • Any other version listed 
  • Then from your Desktop double-click on the new version you downloaded and install it.

 

Your version of Adobe Acrobat Reader is outdated and vulnerable. Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
Adobe Reader 9

Adobe Reader 10

Then go to http://www.adobe.com and download and install the current version. When you download it, be careful to UNcheck any optional toolbar installation unless you really want the toolbar.

 

 

Please post the log from ComboFix, the log from RogueKiller, and note any errors encountered.


Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#9 Mr Angry

Mr Angry

    Advanced Member

  • Full Member
  • PipPipPip
  • 114 posts

Posted 14 May 2013 - 02:30 AM

Thanks

 

Logs from RogueKiller and ComboFix enclosed.

 

Old versions of Java and Adobe Acrobat uninstalled and newest versions installed.

 

Look forward to hearing from you

 

 

Tony

 

 

ROGUE  KILLER

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Tony123 [Admin rights]
Mode : Scan -- Date : 05/14/2013 07:28:18
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][SUSP PATH] expressburnShakeIcon : C:\Users\Tony123\AppData\Local\Temp\n2s.exe -shakeicon [x] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[75] : NtCreateSection @ 0x8546AFA5 -> HOOKED (Unknown @ 0x8C86D9FE)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x853F9349 -> HOOKED (Unknown @ 0x8C86D9D6)
SSDT[165] : NtLoadDriver @ 0x853A4E12 -> HOOKED (Unknown @ 0x8C86D9DB)
SSDT[197] : NtOpenSection @ 0x8544A794 -> HOOKED (Unknown @ 0x8C86D9D1)
SSDT[276] : NtRequestWaitReplyPort @ 0x8547D142 -> HOOKED (Unknown @ 0x8C86DA08)
SSDT[289] : NtSetContextThread @ 0x854CC25F -> HOOKED (Unknown @ 0x8C86DA03)
SSDT[314] : NtSetSecurityObject @ 0x853F9027 -> HOOKED (Unknown @ 0x8C86DA0D)
SSDT[317] : NtSetSystemInformation @ 0x8541FF18 -> HOOKED (Unknown @ 0x8C86D9E0)
SSDT[332] : NtSystemDebugControl @ 0x85431EF1 -> HOOKED (Unknown @ 0x8C86DA12)
SSDT[334] : NtTerminateProcess @ 0x8542A173 -> HOOKED (Unknown @ 0x8C86D99F)
SSDT[358] : NtWriteVirtualMemory @ 0x85446A2F -> HOOKED (Unknown @ 0x8C86D99A)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8C86DA26)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8C86DA2B)
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
ÿþ1
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST9160310AS ATA Device +++++
--- User ---
[MBR] 23820e8ac6fe7f2f2933e4b2cafa7c02
[BSP] ac09585a1616f26edca7152c68a692c4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20973568 | Size: 142385 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[1]_S_05142013_02d0728.txt >>
RKreport[1]_S_05142013_02d0728.txt
 
 
 

COMBOFIX

 

ComboFix 13-05-12.01 - Tony123 14/05/2013   8:04.1.1 - x86

Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.1790.1060 [GMT 1:00]
Running from: c:\users\Tony123\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB30504$
c:\windows\system32\DEBUG.log
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-14 to 2013-05-14  )))))))))))))))))))))))))))))))
.
.
2013-05-13 00:27 . 2013-05-13 00:27 -------- d-----w- c:\users\Tony123\AppData\Roaming\Dropbox
2013-05-13 00:22 . 2013-05-13 00:22 -------- d-----w- c:\program files\Common Files\Java
2013-05-13 00:20 . 2013-05-13 00:19 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-13 00:19 . 2013-05-13 00:19 -------- d-----w- c:\program files\Java
2013-05-11 04:16 . 2013-05-11 04:16 -------- d-----w- c:\users\Tony123\AppData\Local\APN
2013-05-05 16:35 . 2013-05-05 16:35 -------- d-----w- c:\programdata\Malwarebytes
2013-04-30 00:01 . 2013-04-30 00:01 -------- d-----w- c:\programdata\McAfee
2013-04-21 03:06 . 2013-04-21 03:12 -------- d-----w- c:\users\Tony123\AppData\Roaming\FreeTorentPlayer
2013-04-15 14:27 . 2013-04-15 14:27 -------- d-----w- C:\components
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-13 00:19 . 2012-06-16 11:43 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-13 00:19 . 2010-05-01 05:49 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-09 19:34 . 2011-08-16 03:29 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 15:32 . 2012-05-03 20:48 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-02 15:32 . 2011-11-07 05:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-25 13:13 . 2012-12-17 09:13 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-03-25 13:13 . 2012-12-17 09:13 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-03-25 13:13 . 2012-12-17 09:13 135136 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-03-11 13:25 . 2013-04-10 06:05 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25 . 2013-04-10 06:05 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45 . 2013-04-10 06:05 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:28 . 2013-04-10 06:05 64000 ----a-w- c:\windows\system32\smss.exe
2013-03-08 03:53 . 2013-04-10 06:05 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 03:52 . 2013-04-10 06:05 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-03-05 01:40 . 2013-04-10 06:05 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-03-03 19:07 . 2013-04-10 06:05 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-02-22 03:46 . 2013-04-10 08:15 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 03:38 . 2013-04-10 08:15 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 03:37 . 2013-04-10 08:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 03:34 . 2013-04-10 08:15 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 03:34 . 2013-04-10 08:15 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 03:31 . 2013-04-10 08:15 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-13 09:19 . 2013-02-13 09:19 102008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2013-03-22 248208]
"MtdAcq"="c:\program files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-16 118862]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-05-06 345312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\users\Tony123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Musicmatch Jukebox.lnk - c:\program files\Musicmatch\Musicmatch Jukebox\mmjb.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Tony123\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-03 15:32]
.
2013-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 13:51]
.
2013-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 13:51]
.
2013-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3462403146-3643634387-288131805-1001Core.job
- c:\users\Tony123\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-07 04:02]
.
2013-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3462403146-3643634387-288131805-1001UA.job
- c:\users\Tony123\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-07 04:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.avira.com/?l=dis&o=APN10267&gct=hp&dc=EU&locale=en_GB
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=2&o=vp32&d=0709&m=dotma
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 10.1.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-14 08:39
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Avira\AntiVir Desktop\avmailc.exe
c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE
c:\program files\Trusteer\Rapport\bin\RapportService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-05-14  08:48:55 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-14 07:48
.
Pre-Run: 60,505,071,616 bytes free
Post-Run: 60,358,811,648 bytes free
.
- - End Of File - - 85BAE431B093DD76861CE0C585940338
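Two parts of the RogueKiller report above deserve a closer look than "FOUND". The [TASK][SUSP PATH] entry is flagged because its target, n2s.exe, lives in the user's AppData\Local\Temp; a scheduled task whose executable sits in a temp directory is worth removing on sight, which is what the helper asks for next. The [HJ SMENU] and [HJ DESK] lines are Start menu and desktop icon visibility settings, not malware, and are left alone. The SSDT hooks are all attributed to "Unknown", but every hook target lies within 150 bytes of the others (0x8C86D99A to 0x8C86DA2B), so they come from one kernel module; on a 32-bit Vista box running Avira and Trusteer Rapport (both visible in the ComboFix log) that module is far more likely to be one of those security drivers than a remnant of the ZeroAccess MBAR removed, but the report cannot tell you which, so resolve the owning driver before acting. The script below is an added example written for this page, not RogueKiller code and not anything posted in the thread; it parses report lines in this format, classifies each autostart target by where its executable lives, and clusters the hook addresses. SAMPLE_REPORT is constructed to match the format above (the second entry is invented for the example), and the function names are this example's own.

```python
"""Triage a RogueKiller scan report: where autostart targets live, and whether
the SSDT hooks come from one module or many.

Added example written for this page; not RogueKiller code. SAMPLE_REPORT is
constructed to match the report format, the function names are ours.
"""
import re

SAMPLE_REPORT = r"""
[TASK][SUSP PATH] expressburnShakeIcon : C:\Users\Tony123\AppData\Local\Temp\n2s.exe -shakeicon [x] -> FOUND
[RUN][SUSP PATH] Updater : C:\Users\Public\svc.exe /quiet -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

SSDT[75] : NtCreateSection @ 0x8546AFA5 -> HOOKED (Unknown @ 0x8C86D9FE)
SSDT[165] : NtLoadDriver @ 0x853A4E12 -> HOOKED (Unknown @ 0x8C86D9DB)
SSDT[358] : NtWriteVirtualMemory @ 0x85446A2F -> HOOKED (Unknown @ 0x8C86D99A)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8C86DA26)
"""

# [KIND][FLAG] name : target -> STATUS   (FLAG is optional)
ENTRY_RE = re.compile(
    r"^\[(?P<kind>[A-Z ]+)\](?:\[(?P<flag>[A-Z ]+)\])? (?P<name>.+?) : (?P<target>.+?) -> (?P<status>[A-Z ]+)$")
# First executable path in a command line; paths may contain spaces.
EXE_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?=\s|$)", re.IGNORECASE)
# SSDT[n] : Func @ 0xORIG -> HOOKED (Owner @ 0xHOOK)   (S_SSDT lines have no @ 0xORIG)
HOOK_RE = re.compile(
    r"^(?P<table>S?_?SSDT)\[(?P<idx>\d+)\] : (?P<func>\w+)(?: @ 0x[0-9A-Fa-f]+)? -> HOOKED "
    r"\((?P<who>[^@]+)@ 0x(?P<addr>[0-9A-Fa-f]+)\)$")

# Locations any standard user can write to; an autostart pointing here is
# a removal candidate regardless of what the scanner's own flag says.
USER_WRITABLE = (
    ("\\appdata\\local\\temp\\", "user temp directory"),
    ("\\windows\\temp\\", "system temp directory"),
    ("\\users\\public\\", "Public profile, writable by every user"),
    ("\\$recycle.bin\\", "Recycle Bin"),
)


def path_risk(path):
    """Reason string when the executable lives somewhere user-writable, else None."""
    p = path.lower()
    for needle, why in USER_WRITABLE:
        if needle in p:
            return why
    return None


def parse_entries(report):
    """Registry/task entries with the executable path and its location risk."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        x = EXE_RE.search(e["target"])
        e["exe"] = x.group("path") if x else None
        e["risk"] = path_risk(e["exe"]) if e["exe"] else None
        entries.append(e)
    return entries


def parse_hooks(report):
    """(table, function, owner, hook address) for every HOOKED line."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append((m.group("table"), m.group("func"), m.group("who").strip(), int(m.group("addr"), 16)))
    return hooks


def hook_clusters(hooks, span=0x1000):
    """Group hook targets within `span` bytes of each other. One driver's hook
    stubs sit together in its image, so one tight cluster means one module."""
    clusters = []
    for addr in sorted(h[3] for h in hooks):
        if clusters and addr - clusters[-1][1] <= span:
            clusters[-1][1] = addr
        else:
            clusters.append([addr, addr])
    return [(lo, hi) for lo, hi in clusters]


def triage(report):
    notes = []
    for e in parse_entries(report):
        if e["risk"]:
            notes.append(f'{e["kind"]} "{e["name"]}" runs {e["exe"]} from the {e["risk"]}: remove')
        elif e["kind"].startswith("HJ "):
            notes.append(f'{e["kind"]} {e["name"]}: shell preference, not malware; reset only if unwanted')
    hooks = parse_hooks(report)
    if hooks:
        clusters = hook_clusters(hooks)
        notes.append(f"{len(hooks)} SSDT hooks from {len(clusters)} module(s) "
                     f"at {', '.join(f'0x{lo:08X}-0x{hi:08X}' for lo, hi in clusters)}; "
                     "resolve the owning driver before treating them as malicious")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_REPORT):
        print(note)
```

The cluster check is deliberately conservative: it tells you how many modules are hooking, not which ones. Mapping a hook address to a driver needs a live view of loaded module ranges, which a kernel debugger or a GMER-style tool gives and a text report does not.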



#10 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,477 posts

Posted 14 May 2013 - 06:37 PM

Please re-run RogueKiller and click Scan.
Please put a check mark next to following entries only (uncheck the other entries), then click Delete.

 

[TASK][SUSP PATH] expressburnShakeIcon : C:\Users\Tony123\AppData\Local\Temp\n2s.exe -shakeicon [x] -> FOUND

 

Save a copy of the report and post it in your next reply.

 

Please run a scan with Kaspersky Rescue Disk.

Read all these directions before proceeding.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. Using a CD/DVD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Summarizing:

  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

 

Please post the log from Kaspersky's Rescue Disk, the log from RogueKiller, and note any errors encountered.




#11 Mr Angry

Mr Angry

    Advanced Member

  • Full Member
  • PipPipPip
  • 114 posts

Posted 16 May 2013 - 04:42 PM

Hi "The Joker"

 

I have read over all you've written and have looked at the pages you have linked to and basically I do understand what is required but I found actually doing the processes on the computers not to be the same as described on your post.

 

I am not criticising your great work. I am asking if the steps can be simplified - treat me as a "dummy" (hey I heard that !!!  lol)

 

Thanks

 

Mr Angry (aka Tony)




#12 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,477 posts

Posted 16 May 2013 - 09:39 PM

There really are that many steps. The difference that I see is that to accept the license agreement, you need to press 1 rather than A, and the scan does take a while, as can updating the database before you scan.




#13 Mr Angry

Mr Angry

    Advanced Member

  • Full Member
  • PipPipPip
  • 114 posts

Posted 20 May 2013 - 07:08 PM

Here's the rogue killer log

 

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Tony123 [Admin rights]
Mode : Remove -- Date : 05/18/2013 13:14:59
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] expressburnShakeIcon : C:\Users\Tony123\AppData\Local\Temp\n2s.exe -shakeicon [x] -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> NOT SELECTED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> NOT SELECTED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[75] : NtCreateSection @ 0x85468FA5 -> HOOKED (Unknown @ 0x8AF30D0E)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x853F7349 -> HOOKED (Unknown @ 0x8AF30CE6)
SSDT[165] : NtLoadDriver @ 0x853A2E12 -> HOOKED (Unknown @ 0x8AF30CEB)
SSDT[197] : NtOpenSection @ 0x85448794 -> HOOKED (Unknown @ 0x8AF30CE1)
SSDT[276] : NtRequestWaitReplyPort @ 0x8547B142 -> HOOKED (Unknown @ 0x8AF30D18)
SSDT[289] : NtSetContextThread @ 0x854CA25F -> HOOKED (Unknown @ 0x8AF30D13)
SSDT[314] : NtSetSecurityObject @ 0x853F7027 -> HOOKED (Unknown @ 0x8AF30D1D)
SSDT[317] : NtSetSystemInformation @ 0x8541DF18 -> HOOKED (Unknown @ 0x8AF30CF0)
SSDT[332] : NtSystemDebugControl @ 0x8542FEF1 -> HOOKED (Unknown @ 0x8AF30D22)
SSDT[334] : NtTerminateProcess @ 0x85428173 -> HOOKED (Unknown @ 0x8AF30CAF)
SSDT[358] : NtWriteVirtualMemory @ 0x85444A2F -> HOOKED (Unknown @ 0x8AF30CAA)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8AF30D36)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8AF30D3B)
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
ÿþ1
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST9160310AS ATA Device +++++
--- User ---
[MBR] 23820e8ac6fe7f2f2933e4b2cafa7c02
[BSP] ac09585a1616f26edca7152c68a692c4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20973568 | Size: 142385 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_05182013_02d1314.txt >>
RKreport[1]_S_05182013_02d1309.txt ; RKreport[2]_D_05182013_02d1314.txt
 
 
Re the Kaspersky log I'm afraid my "bad" laptop fans are knackered and before the scan is completed the laptop shuts down. I've attempted this 6 times to the same effect.  

 

Any further action ?

 

 

Tony




#14 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,477 posts

Posted 22 May 2013 - 06:37 PM

The best solution to that I can come up with would be to raise the laptop up off the surface it's sitting on, something narrow under both sides, and direct a household fan at the laptop, ensuring there is air from the fan circulating both over the top, and underneath the case. With that happening, I think it would be likely that the same would happen with any thorough scan regardless of the antivirus vendor.




#15 Mr Angry

Mr Angry

    Advanced Member

  • Full Member
  • PipPipPip
  • 114 posts

Posted 24 May 2013 - 05:19 PM

Hi and thanks. Thanks for all your great work but I'm going to stop this now.   It's proving too much like hard work.  Please now close this post

 

 

Tony




#16 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,477 posts

Posted 24 May 2013 - 06:03 PM

There is some cleanup that needs to be done.

Go to start > run and copy and paste the next command in the field:
ComboFix /uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, implement some cleanup procedures, and reset System Restore points.

Then you can delete the programs you downloaded and logs they produced:
Malwarebytes Anti-Rootkit
AdwCleaner
Farbar Service Scanner
RogueKiller

To help keep malware off your system:

  • Keep Windows updated at Windows Update or Microsoft Update.
  • Keep your other applications updated, there are vulnerabilities that rely on exploits through other programs like Java, Microsoft Office, Adobe Reader, Flash, and others.
  • Run a program like Secunia Online Software Inspector or FileHippo Update Checker to see what programs need to be updated.
  • Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.
  • Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.
  • Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
  • Don't click on links received in instant message programs.
  • In place of Internet Explorer, browse with Firefox with the NoScript and AdBlock Plus add-ons.
  • A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at http://www.mvps.org/...p2002/hosts.htm
  • A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacools...m/products.html
  • I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://www.spywarein...showtopic=60955

 

 

 


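Both RogueKiller reports above dump a HOSTS file that is page after page of 127.0.0.1 lines; that is what the MVPS HOSTS file recommended in this post looks like (every known ad or malware domain sinkholed to loopback), not a hijack, which is why the helper never asked for it to be touched. The "ÿþ" at the head of that dump is the UTF-16 byte-order mark (bytes FF FE) shown as Latin-1, so the file is stored as UTF-16 and a reader that assumes ASCII sees garbage from the first line. The script below is an added example written for this page, not MVPS code and not anything posted in the thread; it loads a HOSTS file BOM-aware and separates benign blocklist lines from the two patterns that do matter: a protected domain (Windows Update, AV vendors) pointed at loopback, which is how malware cuts a victim off from updates and signatures, and any name sent to a non-local address. The PROTECTED_SUFFIXES watchlist, the function names and SAMPLE_HOSTS are this example's own constructions.

```python
"""Audit a Windows HOSTS file: MVPS-style blocklist lines versus hijacks.

Added example written for this page; not part of the MVPS HOSTS file or any
tool named in the thread. Watchlist, sample and function names are ours.
"""
import ipaddress

# Constructed sample: MVPS-style blocklist lines plus two hostile ones.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 1000gratisproben.com
127.0.0.1 update.microsoft.com
198.51.100.7 www.example-bank.test
"""

SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
# Domains that should never be sinkholed on a healthy machine (constructed
# watchlist; extend it with your own update and AV vendors).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avira.com",
                      "malwarebytes.org", "kaspersky.com")


def decode_hosts(data: bytes) -> str:
    """Decode a HOSTS file honouring a UTF-16 BOM (the FF FE that RogueKiller
    showed as 'ÿþ'); otherwise treat it as UTF-8 with or without BOM."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")      # codec consumes the BOM, picks the byte order
    return data.decode("utf-8-sig")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; one line may map several names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                      # malformed line, not an address
        for host in parts[1:]:
            yield ip, host.lower()


def classify(ip, host):
    """system | blocklist | sabotage | local | redirect"""
    if host == "localhost" or host.endswith(".localdomain"):
        return "system"
    if ip in SINKHOLE:
        if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
            return "sabotage"             # updates/AV vendor cut off
        return "blocklist"                # ad/malware domain sinkholed: benign
    if any(ip in net for net in LAN_NETS):
        return "local"                    # LAN name, usually hand-added
    return "redirect"                     # name sent elsewhere: classic hijack


def audit(text):
    """Counts for benign classes, full (ip, host) lists for the two bad ones."""
    report = {"system": 0, "blocklist": 0, "local": 0, "sabotage": [], "redirect": []}
    for ip, host in parse_hosts(text):
        kind = classify(ip, host)
        if kind in ("sabotage", "redirect"):
            report[kind].append((str(ip), host))
        else:
            report[kind] += 1
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS))
```

Against a real file, call audit(decode_hosts(open(path, "rb").read())); thousands of "blocklist" hits with empty "sabotage" and "redirect" lists is the signature of an installed MVPS file, and anything in those two lists is what to show the helper.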


#17 Mr Angry

Mr Angry

    Advanced Member

  • Full Member
  • PipPipPip
  • 114 posts

Posted 25 May 2013 - 10:32 PM

I've managed to get a Kaspersky Rescue Disk 10 Report. Here it is -

 

Objects Scan: completed 8 days ago   (events: 2, objects: 761, time: 00:03:12)
5/18/13 4:07 AM Task completed
5/18/13 4:03 AM Task started
Objects Scan: malfunction    (events: 1, objects: 0, time: Unknown)
5/18/13 4:07 AM Task started
Objects Scan: malfunction    (events: 1, objects: 0, time: Unknown)
5/18/13 11:40 AM Task started
Objects Scan: completed 6 days ago   (events: 2, objects: 761, time: 00:03:00)
5/20/13 2:26 AM Task completed
5/20/13 2:23 AM Task started
Objects Scan: completed 5 days ago   (events: 16, objects: 1174215, time: 06:05:52)
5/20/13 8:33 AM Task completed
5/20/13 6:52 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/20/13 6:52 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/20/13 6:52 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/program/TomTom_application_for_Car_and_Motor_Navigation-3/9.510.2-2039.CAB-navcore-LE.cab Read error
5/20/13 6:52 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/program/TomTom_application_for_Car_and_Motor_Navigation-3/9.510.2-2039.CAB-navcore-LE.cab/data.chk Read error
5/20/13 6:29 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/20/13 6:29 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/20/13 5:47 AM Processing error C:/ProgramData/NokiaInstallerCache/ProductCache/{D5878294-C113-43c5-A24F-FC333C52015A}/Installer.exe/UPX/Packages/VC90_x86_v2/Setup/VC90_x86_v2.msi Read error
5/20/13 5:47 AM Processing error C:/ProgramData/NokiaInstallerCache/ProductCache/{D5878294-C113-43c5-A24F-FC333C52015A}/Installer.exe/UPX/Packages/VC90_x86_v2/Setup/VC90_x86_v2.msi/VC90_x86.cab Read error
5/20/13 4:29 AM Processing error C:/Program Files/TomTom/HOME/Download/temp/a2da536e53936f29e5e410ceb1033925.tmp Read error
5/20/13 4:29 AM Processing error C:/Program Files/TomTom/TomTom/HOME/Download/temp/a2da536e53936f29e5e410ceb1033925.tmp Read error
5/20/13 4:28 AM Processing error C:/Program Files/TomTom/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/20/13 4:01 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/20/13 4:01 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/20/13 3:36 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/20/13 2:27 AM Task started
Objects Scan: malfunction    (events: 1, objects: 0, time: Unknown)
5/20/13 12:24 PM Task started
Objects Scan: malfunction    (events: 1, objects: 0, time: Unknown)
5/20/13 4:22 PM Task started
Objects Scan: malfunction    (events: 1, objects: 0, time: Unknown)
5/20/13 5:16 PM Task started
Objects Scan: completed 4 minutes ago   (events: 17, objects: 1172896, time: 05:58:39)
5/26/13 4:28 AM Task completed
5/26/13 2:49 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/26/13 2:49 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/26/13 2:27 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/26/13 2:27 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/26/13 1:46 AM Processing error C:/ProgramData/NokiaInstallerCache/ProductCache/{D5878294-C113-43c5-A24F-FC333C52015A}/Installer.exe/UPX/Packages/VC90_x86_v2/Setup/VC90_x86_v2.msi Read error
5/26/13 1:46 AM Processing error C:/ProgramData/NokiaInstallerCache/ProductCache/{D5878294-C113-43c5-A24F-FC333C52015A}/Installer.exe/UPX/Packages/VC90_x86_v2/Setup/VC90_x86_v2.msi/VC90_x86.cab Read error
5/26/13 12:30 AM Processing error C:/Program Files/TomTom/HOME/Download/temp/a2da536e53936f29e5e410ceb1033925.tmp Read error
5/26/13 12:30 AM Processing error C:/Program Files/TomTom/TomTom/HOME/Download/temp/a2da536e53936f29e5e410ceb1033925.tmp Read error
5/26/13 12:30 AM Processing error C:/Program Files/PC Connectivity Solution/WUDFUpdate_01009.dll/data0001.res Read error
5/26/13 12:30 AM Processing error C:/Program Files/PC Connectivity Solution/WUDFUpdate_01009.dll/data0001.res/Windows6.0-KB970159-x86.cab Read error
5/26/13 12:29 AM Processing error C:/Program Files/TomTom/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/26/13 12:01 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/26/13 12:01 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/25/13 11:38 PM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/25/13 11:38 PM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/temp/6c9015851fccd5545b18ac294dcb2ee6.tmp Read error
5/25/13 10:29 PM Task started

In my post #13 of 21 May I sent the second RogueKiller log.

Before I take action on your latest post #16 of 25 May, please let me know what you think.

Tony




#18 TheJoker (Forum Deity, Boot Camp Mod, 14,477 posts)

Posted 26 May 2013 - 08:32 AM

You had a lot of read errors on that scan. You need to check your hard disk for errors. Please follow the directions here to check for and fix disk errors:
http://windows.micro...disk-for-errors

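The reasoning in the reply above (many read errors, the same files failing again and again, so check the disk) can be applied to the report mechanically. This is an added example, not code from the thread or from Kaspersky: it parses the line layout of the Kaspersky Rescue Disk 10 report posted in #17 (a constructed excerpt of that report is embedded), groups events under the scan they belong to, and flags paths that fail in more than one completed scan. The field names, the threshold of 5 read errors and the archive-member heuristic are my own assumptions.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Kaspersky Rescue Disk 10 report posted above (not the full log).
SAMPLE_REPORT = """\
Objects Scan: completed 5 days ago   (events: 16, objects: 1174215, time: 06:05:52)
5/20/13 6:52 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/20/13 5:47 AM Processing error C:/ProgramData/NokiaInstallerCache/ProductCache/{D5878294-C113-43c5-A24F-FC333C52015A}/Installer.exe/UPX/Packages/VC90_x86_v2/Setup/VC90_x86_v2.msi Read error
Objects Scan: malfunction    (events: 1, objects: 0, time: Unknown)
5/20/13 12:24 PM Task started
Objects Scan: completed 4 minutes ago   (events: 17, objects: 1172896, time: 05:58:39)
5/26/13 2:49 AM Processing error C:/Users/Tony123/Documents/TomTom/HOME/Download/complete/map/Europe_-_Western_Zone/Europe_West.zip Read error
5/26/13 12:30 AM Processing error C:/Program Files/PC Connectivity Solution/WUDFUpdate_01009.dll/data0001.res Read error
"""

# One "Objects Scan:" header starts each task; the event lines that follow belong to that task.
HEADER_RE = re.compile(r"^Objects Scan: (\w+).*\(events: (\d+), objects: (\d+)")
ERROR_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+ [AP]M) Processing error (.+?) (\w+ error)$")
# A "/" after an archive-like extension means the scanner was reading a member inside a container.
ARCHIVE_MEMBER_RE = re.compile(r"\.(zip|cab|msi|exe|dll|res)/", re.IGNORECASE)

def parse_report(text):
    """Group the report into scans: status, counters and the processing errors logged under each."""
    scans = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            scans.append({"status": m.group(1), "events": int(m.group(2)), "objects": int(m.group(3)), "errors": []})
            continue
        m = ERROR_RE.match(line)
        if m and scans:  # (timestamp, path, kind); "Task started/completed" lines are ignored
            scans[-1]["errors"].append((m.group(1), m.group(2), m.group(3)))
    return scans

def triage(scans, threshold=5):
    """Malfunctioning tasks, read-error volume, paths failing in more than one completed scan."""
    completed = [s for s in scans if s["status"] == "completed"]
    failed_paths = [{p for _, p, k in s["errors"] if k == "Read error"} for s in completed]
    per_path = Counter(p for paths in failed_paths for p in paths)  # number of scans each path failed in
    read_errors = sum(1 for s in completed for _, _, k in s["errors"] if k == "Read error")
    recurring = sorted(p for p, n in per_path.items() if n > 1)
    return {
        "completed_scans": len(completed),
        "malfunctions": sum(1 for s in scans if s["status"] == "malfunction"),
        "read_errors": read_errors,
        "recurring_paths": recurring,
        # Members of an archive may fail because the container could not be unpacked, not because of the disk.
        "archive_members": sorted(p for p in per_path if ARCHIVE_MEMBER_RE.search(p)),
        "recommend_disk_check": bool(recurring) or read_errors >= threshold,
    }
```

A path that keeps failing across scans and is not inside an archive (the map .zip here) is the strongest disk-side signal; the disk check the reply recommends is what settles it either way.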


#19 Mr Angry (Advanced Member, 114 posts)

Posted 28 May 2013 - 11:48 AM

Have done the disk check and repair. Report looks good. What now? Back to your post #16 of 25 May 2013?

Tony




#20 TheJoker (Forum Deity, Boot Camp Mod, 14,477 posts)

Posted 28 May 2013 - 07:37 PM

Have done the disk check and repair. Report looks good.

Excellent.

What now? Back to your post #16 of 25 May 2013?

Yes, but I'd make one more recommendation, particularly with the failing fan(s).

Do you back up your system? You may want to consider a good backup program that supports system recovery like Paragon Software's Backup & Recovery 2012 Free or Macrium Reflect Free Edition. Both are available in 32- and 64-bit versions, and both support system recovery through use of a bootable recovery CD. And remember, a backup program is only useful if you use it regularly.

Do you consider your problem resolved?



#21 Mr Angry (Advanced Member, 114 posts)

Posted 30 May 2013 - 10:47 AM

Hi & thanks. I've done all you've asked and have uninstalled/deleted previously installed/used programs. The problem appears resolved.

Case closed.

Thank you

Tony




#22 TheJoker (Forum Deity, Boot Camp Mod, 14,477 posts)

Posted 30 May 2013 - 06:32 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
