Keep seeing pop ups for windows services stopped working etc


  • This topic is locked
12 replies to this topic

#1 Stephenmozza


Posted 26 January 2013 - 08:56 AM

Hi guys,

Thanks in advance for any help you could give.

As well as pop-ups saying "Host process for windows not working", I'm getting another one saying "Deniece Ericka Chiyin has stopped working" (spelling might be off).

I have had a reboot / crash problem recently as well, which I had to resolve with a system restore, and another crash today.

I cannot turn Windows Firewall on due to an "unidentified problem: windows cannot display windows firewall setting" error, which pops up when I click turn on firewall.

Any advice much appreciated and I will answer any questions you have.

Apologies if I haven't given enough information.

Logs attached

Regards

Stephen

Edited by Stephenmozza, 26 January 2013 - 09:13 AM.



#2 CatByte

  • Malware Response Team

Posted 26 January 2013 - 06:49 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Edited by CatByte, 07 February 2013 - 05:34 PM.

Microsoft MVP - 2010, 2011, 2012, 2013

#3 Stephenmozza


Posted 27 January 2013 - 09:34 AM

Thanks for helping me Cat.

My computer is now locked by the pceu virus / trojan.

The log from frst is below

Let me know what I should do

Thanks

Stephen


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-01-2013 02 (ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 27-01-2013 14:07:21
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [x]
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [x]
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [x]
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [457216 2007-04-25] (HiTRUST)
HKLM\...\Run: [Acer Tour] [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40048 2007-03-08] (Adobe Systems Incorporated)
HKLM\...\Run: [PLFSetL] C:\Windows\PLFSetL.exe [94208 2007-07-05] (sonix)
HKLM\...\Run: [SetPanel] C:\Acer\APanel\APanel.cmd [x]
HKLM\...\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe" [1286144 2007-06-11] (CyberLink)
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [752136 2007-06-27] (Dritek System Inc.)
HKLM\...\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [206952 2007-05-24] (CyberLink Corp.)
HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [174872 2007-03-21] (Intel Corporation)
HKLM\...\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe [57344 2006-11-05] (Acer Inc.)
HKLM\...\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe [151552 2007-05-22] (Acer Inc.)
HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [86016 2007-07-25] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [8470528 2007-07-25] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [81920 2007-07-25] (NVIDIA Corporation)
HKLM\...\Run: [UIExec] "C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe" [132608 2009-07-16] ()
HKLM\...\Run: [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [3521424 2012-03-30] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [nhsfpi] "C:\Windows\System32\rundll32.exe" ,get_tRNS [44544 2006-11-02] (Microsoft Corporation)
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [384800 2012-10-16] (Avira Operations GmbH & Co. KG)
HKU\Default\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [27432 2007-04-26] ()
HKU\Default User\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [27432 2007-04-26] ()
HKU\Stephen\...\Run: [Acer Tour Reminder] [x]
HKU\Stephen\...\Run: [KiesHelper] C:\Program Files\Samsung\Kies\KiesHelper.exe /s [954256 2012-03-30] (Samsung)
HKU\Stephen\...\Run: [KiesPDLR] C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21392 2012-03-30] ()
HKU\Stephen\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Stephen\...\Run: [nhsfpi] "C:\Windows\System32\rundll32.exe" ,get_tRNS [44544 2006-11-02] (Microsoft Corporation)
HKU\Stephen\...\Run: [EPSON Stylus DX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\Windows\TEMP\E_SEDB8.tmp" /EF "HKCU" [182272 2007-04-11] (SEIKO EPSON CORPORATION)
HKU\Stephen\...\Run: [wlMAB] C:\Users\Stephen\AppData\Roaming\HqrOU.exe [250368 2012-10-27] (Janette Dena Agatha)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$22f5016a7768110321777e62b23e0fa5\n. ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
AppInit_DLLs: eNetHook.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
ShortcutTarget: Empowering Technology Launcher.lnk -> C:\Acer\Empowering Technology\eAPLauncher.exe (Acer Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Launcher.lnk
ShortcutTarget: Launcher.lnk -> C:\Program Files\InternetEverywhere\Launcher.exe (TODO: <Company name>)
Startup: C:\Users\Stephen\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Stephen\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [84256 2012-10-16] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [108320 2012-10-16] (Avira Operations GmbH & Co. KG)
2 eDataSecurity Service; "C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [457512 2007-04-25] (HiTRSUT)
2 eLockService; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [24576 2007-03-14] (Acer Inc.)
2 eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [135168 2007-05-22] (Acer Inc.)
2 eSettingsService; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [24576 2007-05-10] ()
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [107008 2006-11-24] ()
2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [266343 2007-01-23] ()
2 UI Assistant Service; C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [241664 2009-07-16] ()
2 WMIService; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [167936 2007-09-14] (acer)
2 WTGService; C:\Program Files\InternetEverywhere\WTGService.exe [308688 2009-09-09] ()
2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

==================== Drivers (Whitelisted) ====================

2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83792 2012-09-13] (Avira Operations GmbH & Co. KG)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [133824 2012-10-04] (Avira Operations GmbH & Co. KG)
1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36552 2012-09-24] (Avira Operations GmbH & Co. KG)
1 DritekPortIO; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)
3 GTUHSBUS; C:\Windows\System32\DRIVERS\gtuhsbus.sys [66560 2012-03-25] (Option N.V.)
3 GTUHSNDISIPXP; C:\Windows\System32\DRIVERS\gtuhs51.sys [107520 2012-03-25] (Option N.V.)
3 GTUHSSER; C:\Windows\System32\DRIVERS\gtuhsser.sys [8064 2012-03-25] (Option N.V.)
2 int15; \??\C:\Windows\system32\drivers\int15.sys [76584 2007-03-02] ()
2 pj93h; C:\Users\Stephen\AppData\Roaming\dahz.bat [89 2012-09-26] ()
0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [20776 2007-04-25] (HiTRUST)
0 PSDNServ; C:\Windows\System32\drivers\PSDNServ.sys [16680 2007-04-25] (HiTRUST)
0 psdvdisk; C:\Windows\System32\drivers\psdvdisk.sys [60712 2007-04-25] (HiTRUST)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1749376 2007-08-02] ()
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2012-08-27] (Avira GmbH)
2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [13560 2006-11-02] (Cyberlink Corp.)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
1 fmtggfeu; \??\C:\Windows\system32\drivers\fmtggfeu.sys [x]
3 igfx; C:\Windows\System32\DRIVERS\igdkmd32.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 itkqcsml; \??\C:\Windows\system32\drivers\itkqcsml.sys [x]
1 lqgcjwio; \??\C:\Windows\system32\drivers\lqgcjwio.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-27 14:07 - 2013-01-27 14:07 - 00000000 ____D C:\FRST
2013-01-27 05:56 - 2013-01-27 05:56 - 00000000 ____D C:\Users\Stephen\Documents\OneNote Notebooks
2013-01-27 05:49 - 2006-10-30 16:10 - 00120992 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\EpPicPrt.dll
2013-01-27 05:49 - 2006-10-30 16:10 - 00071840 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\EPPicMgr.dll
2013-01-27 05:49 - 2006-10-30 16:10 - 00000097 ____A C:\Windows\System32\PICSDK.ini
2013-01-27 05:49 - 2006-10-19 16:10 - 00501912 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\PICSDK2.dll
2013-01-27 05:49 - 2006-10-19 16:10 - 00108704 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\PICEntry.dll
2013-01-27 05:49 - 2006-10-19 16:10 - 00080024 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\PICSDK.dll
2013-01-27 05:49 - 2005-05-31 16:20 - 00111932 ____A C:\Windows\System32\EPPICPrinterDB.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00031053 ____A C:\Windows\System32\EPPICPattern131.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00027417 ____A C:\Windows\System32\EPPICPattern121.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00026154 ____A C:\Windows\System32\EPPICPattern1.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00024903 ____A C:\Windows\System32\EPPICPattern3.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00021390 ____A C:\Windows\System32\EPPICPattern5.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00020148 ____A C:\Windows\System32\EPPICPattern2.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00013732 ____A C:\Windows\System32\EPPICLocal_EN.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00011811 ____A C:\Windows\System32\EPPICPattern4.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00006442 ____A C:\Windows\System32\EPPICLocal_IT.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00006347 ____A C:\Windows\System32\EPPICLocal_PT.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00006347 ____A C:\Windows\System32\EPPICLocal_BP.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00006335 ____A C:\Windows\System32\EPPICLocal_GE.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00006195 ____A C:\Windows\System32\EPPICLocal_FR.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00006195 ____A C:\Windows\System32\EPPICLocal_CF.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00006122 ____A C:\Windows\System32\EPPICLocal_DU.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00006103 ____A C:\Windows\System32\EPPICLocal_ES.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00005817 ____A C:\Windows\System32\EPPICLocal_KO.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00005436 ____A C:\Windows\System32\EPPICLocal_SC.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00004943 ____A C:\Windows\System32\EPPICPattern6.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00002889 ____A C:\Windows\System32\EPPICLocal_RU.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00002426 ____A C:\Windows\System32\EPPICLocal_TC.cfg
2013-01-27 05:49 - 2004-03-02 22:10 - 00001146 ____A C:\Windows\System32\EPPICPresetData_DU.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001139 ____A C:\Windows\System32\EPPICPresetData_PT.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001139 ____A C:\Windows\System32\EPPICPresetData_BP.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001136 ____A C:\Windows\System32\EPPICPresetData_ES.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001129 ____A C:\Windows\System32\EPPICPresetData_FR.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001129 ____A C:\Windows\System32\EPPICPresetData_CF.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001120 ____A C:\Windows\System32\EPPICPresetData_IT.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001107 ____A C:\Windows\System32\EPPICPresetData_GE.dat
2013-01-27 05:49 - 2004-03-02 22:10 - 00001104 ____A C:\Windows\System32\EPPICPresetData_EN.dat
2013-01-27 05:48 - 2013-01-27 05:49 - 02719744 ____A C:\Users\Stephen\Downloads\epson318477eu.exe
2013-01-26 15:55 - 2013-01-26 15:55 - 00909518 ____A (Farbar) C:\Users\Stephen\Downloads\FRST.exe
2013-01-26 15:44 - 2013-01-27 05:44 - 95023320 ___AT C:\Users\All Users\0tbpw.pad
2013-01-26 15:44 - 2013-01-26 15:44 - 00003202 ____A C:\Users\All Users\0tbpw.js
2013-01-26 05:41 - 2013-01-26 05:44 - 00010142 ____A C:\Users\Stephen\Desktop\attach.txt
2013-01-26 05:41 - 2013-01-26 05:42 - 00011078 ____A C:\Users\Stephen\Desktop\dds.txt

==================== One Month Modified Files and Folders ========

2013-01-27 14:07 - 2013-01-27 14:07 - 00000000 ____D C:\FRST
2013-01-27 06:04 - 2006-11-02 05:01 - 00020844 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-27 06:04 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-27 06:04 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-27 06:03 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-27 05:56 - 2013-01-27 05:56 - 00000000 ____D C:\Users\Stephen\Documents\OneNote Notebooks
2013-01-27 05:55 - 2012-10-25 05:33 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-27 05:53 - 2006-11-02 02:33 - 00690786 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-27 05:49 - 2013-01-27 05:48 - 02719744 ____A C:\Users\Stephen\Downloads\epson318477eu.exe
2013-01-27 05:44 - 2013-01-26 15:44 - 95023320 ___AT C:\Users\All Users\0tbpw.pad
2013-01-27 05:44 - 2012-10-30 03:17 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-01-27 05:44 - 2012-03-27 21:58 - 00054527 ____A C:\Users\Stephen\AppData\Roaming\nvModes.001
2013-01-27 05:44 - 2012-03-25 14:17 - 01474933 ____A C:\Windows\WindowsUpdate.log
2013-01-27 05:42 - 2012-10-25 05:33 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-27 05:42 - 2012-08-28 21:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-27 05:41 - 2012-03-25 14:13 - 00143132 ____A C:\Windows\PFRO.log
2013-01-26 22:34 - 2006-11-02 02:22 - 35651584 ____A C:\Windows\System32\config\software_previous
2013-01-26 22:33 - 2012-04-23 15:13 - 00000000 ____D C:\Program Files\T-Mobile Mobile Broadband Manager
2013-01-26 22:33 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2013-01-26 22:33 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-01-26 22:33 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2013-01-26 22:30 - 2006-11-02 02:22 - 17825792 ____A C:\Windows\System32\config\system_previous
2013-01-26 22:29 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-01-26 22:29 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-01-26 22:27 - 2006-11-02 02:22 - 42467328 ____A C:\Windows\System32\config\components_previous
2013-01-26 22:25 - 2006-11-02 02:22 - 00524288 ____A C:\Windows\System32\config\default_previous
2013-01-26 16:20 - 2012-05-27 22:06 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-01-26 16:20 - 2012-03-25 13:53 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-01-26 15:59 - 2006-11-02 04:52 - 00051971 ____A C:\Windows\setupact.log
2013-01-26 15:55 - 2013-01-26 15:55 - 00909518 ____A (Farbar) C:\Users\Stephen\Downloads\FRST.exe
2013-01-26 15:44 - 2013-01-26 15:44 - 00003202 ____A C:\Users\All Users\0tbpw.js
2013-01-26 15:30 - 2012-03-27 13:27 - 00054527 ____A C:\Users\Stephen\AppData\Roaming\nvModes.dat
2013-01-26 09:06 - 2012-10-10 23:21 - 00000000 ____D C:\Windows\Minidump
2013-01-26 05:44 - 2013-01-26 05:41 - 00010142 ____A C:\Users\Stephen\Desktop\attach.txt
2013-01-26 05:42 - 2013-01-26 05:41 - 00011078 ____A C:\Users\Stephen\Desktop\dds.txt

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3593017929-1360062019-3519131131-1000\$22f5016a7768110321777e62b23e0fa5

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$22f5016a7768110321777e62b23e0fa5

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-11 07:09:43
Restore point made on: 2012-11-13 15:52:11
Restore point made on: 2012-11-21 04:47:37
Restore point made on: 2013-01-26 10:08:32

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 2045.39 MB
Available physical RAM: 1811.98 MB
Total Pagefile: 1977.21 MB
Available Pagefile: 1862.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB

==================== Partitions =============================

1 Drive c: (ACER) (Fixed) (Total:51.14 GB) (Free:7.84 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:111.79 GB) (Free:86.74 GB) NTFS
3 Drive e: (DATA) (Fixed) (Total:50.89 GB) (Free:42.01 GB) NTFS
5 Drive g: () (Removable) (Total:1 GB) (Free:0.99 GB) FAT
6 Drive x: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:0.6 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 923 KB
Disk 1 Online 112 GB 1528 KB
Disk 2 Online 1020 MB 0 B

Partitions of Disk 0:
===============

ACTIVE - Mark the selected basic partition as active.
ADD - Add a mirror to a simple volume.
ASSIGN - Assign a drive letter or mount point to the selected volume.
ATTRIBUTES - Manipulate volume attributes.
AUTOMOUNT - Enable and disable automatic mounting of basic volumes.
BREAK - Break a mirror set.
CLEAN - Clear the configuration information, or all information, off the
disk.
CONVERT - Convert between different disk formats.
CREATE - Create a volume or partition.
DELETE - Delete an object.
DETAIL - Provide details about an object.
EXIT - Exit DiskPart.
EXTEND - Extend a volume.
FILESYSTEMS - Display current and supported file systems on the volume.
FORMAT - Format the volume or partition.
GPT - Assign attributes to the selected GPT partition.
HELP - Display a list of commands.
IMPORT - Import a disk group.
INACTIVE - Mark the selected basic partition as inactive.
LIST - Display a list of objects.
ONLINE - Online a disk that is currently marked as offline.
REM - Does nothing. This is used to comment scripts.
REMOVE - Remove a drive letter or mount point assignment.
REPAIR - Repair a RAID-5 volume with a failed member.
RESCAN - Rescan the computer looking for disks and volumes.
RETAIN - Place a retained partition under a simple volume.
SELECT - Shift the focus to an object.
SETID - Change the partition type.
SHRINK - Reduce the size of the selected volume.

=========================================================

Partitions of Disk 1:
===============


Partitions of Disk 2:
===============


Last Boot: 2013-01-27 05:50

==================== End Of Log ============================

#4 CatByte

  • Malware Response Team

Posted 27 January 2013 - 09:54 AM

Please do the following:


Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
HKLM\...\Run: [nhsfpi] "C:\Windows\System32\rundll32.exe" ,get_tRNS [44544 2006-11-02] (Microsoft Corporation)
HKU\Stephen\...\Run: [nhsfpi] "C:\Windows\System32\rundll32.exe" ,get_tRNS [44544 2006-11-02] (Microsoft Corporation)
HKU\Stephen\...\Run: [wlMAB] C:\Users\Stephen\AppData\Roaming\HqrOU.exe [250368 2012-10-27] (Janette Dena Agatha)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$22f5016a7768110321777e62b23e0fa5\n. ATTENTION! ====> ZeroAccess
Startup: C:\Users\Stephen\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)
2 pj93h; C:\Users\Stephen\AppData\Roaming\dahz.bat [89 2012-09-26] ()
C:\Users\Stephen\AppData\Roaming\dahz.bat
C:\Users\Stephen\AppData\Roaming\HqrOU.exe
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
1 fmtggfeu; \??\C:\Windows\system32\drivers\fmtggfeu.sys [x]
3 igfx; C:\Windows\System32\DRIVERS\igdkmd32.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 itkqcsml; \??\C:\Windows\system32\drivers\itkqcsml.sys [x]
1 lqgcjwio; \??\C:\Windows\system32\drivers\lqgcjwio.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
C:\$Recycle.Bin\S-1-5-21-3593017929-1360062019-3519131131-1000\$22f5016a7768110321777e62b23e0fa5
C:\$Recycle.Bin\S-1-5-18\$22f5016a7768110321777e62b23e0fa5
C:\Windows\assembly\GAC\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.



NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 27 January 2013 - 09:54 AM.

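The triage a helper does by eye on the FRST log above, before writing a fixlist like the one in this post, written out as an added Python example (not part of this thread and not FRST's own code): it parses FRST's Run-key and driver/service line formats, applies the tells visible in this log (FRST's own ATTENTION marker, rundll32 launched with no DLL, executables started from AppData\Roaming, files with no publisher, drivers registered via a \??\ path whose file is gone) and lays the hits out in the start/end frame the Fix button expects. The sample lines are constructed from entries in this thread; stale [x] entries under system paths such as igfx are deliberately not flagged, since those are clean-up rather than infection, and Startup/ShortcutTarget lines are not parsed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in FRST's "Registry (Whitelisted)" and "Drivers (Whitelisted)"
# line formats, modelled on entries from the log posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [384800 2012-10-16] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [nhsfpi] "C:\Windows\System32\rundll32.exe" ,get_tRNS [44544 2006-11-02] (Microsoft Corporation)
HKU\Stephen\...\Run: [wlMAB] C:\Users\Stephen\AppData\Roaming\HqrOU.exe [250368 2012-10-27] (Janette Dena Agatha)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$22f5016a7768110321777e62b23e0fa5\n. ATTENTION! ====> ZeroAccess
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [133824 2012-10-04] (Avira Operations GmbH & Co. KG)
2 pj93h; C:\Users\Stephen\AppData\Roaming\dahz.bat [89 2012-09-26] ()
1 fmtggfeu; \??\C:\Windows\system32\drivers\fmtggfeu.sys [x]
3 igfx; C:\Windows\System32\DRIVERS\igdkmd32.sys [x]
"""

# "<hive>: [<name>] <command> [<size> <date>] (<signer>)"  or  "... [x]" when the file is missing
REG_RE = re.compile(r"^(?P<hive>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# "<start type> <service name>; <path> [<size> <date>] (<signer>)"  or  "... [x]"
DRV_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
# Trailing "[size date] (signer)" block; the signer is empty when the file has no version info
TRAIL_RE = re.compile(r"^(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$")


@dataclass
class Finding:
    kind: str        # "registry" or "driver"
    name: str        # value name or service name, as FRST prints it
    line: str        # the original log line, ready to be pasted into a fixlist
    reasons: list = field(default_factory=list)


def analyse(kind, name, rest, line):
    """Apply the tells a helper looks for to one parsed entry."""
    f = Finding(kind, name, line)
    if "ATTENTION!" in rest:           # FRST's own rootkit marker, e.g. "====> ZeroAccess"
        f.reasons.append("flagged by FRST itself")
        return f
    missing = rest.endswith("[x]")     # still registered, but the file no longer exists
    cmd, signer = rest, None
    m = TRAIL_RE.match(rest)
    if m:
        cmd, signer = m.group("cmd"), m.group("signer")
    if re.search(r'rundll32\.exe"?\s*,', cmd, re.IGNORECASE):
        f.reasons.append("rundll32 started with an empty DLL argument")
    if re.search(r"\\AppData\\Roaming\\[^\\]+\.(exe|bat|dll|scr)\b", cmd, re.IGNORECASE):
        f.reasons.append("executable launched from the user's AppData\\Roaming")
    if signer == "":
        f.reasons.append("no publisher in the file's version info")
    if kind == "driver" and missing and cmd.startswith("\\??\\"):
        f.reasons.append("driver registered via a \\??\\ path whose file is gone")
    return f


def triage(log_text):
    """Parse Run-key and driver/service lines; return only entries with at least one tell."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line)
        if m:
            f = analyse("registry", m.group("name"), m.group("rest"), line)
        else:
            m = DRV_RE.match(line)
            if not m:
                continue               # not a line format this example understands
            f = analyse("driver", m.group("name"), m.group("rest"), line)
        if f.reasons:
            findings.append(f)
    return findings


def suspicious_names(log_text):
    return [f.name for f in triage(log_text)]


def draft_fixlist(findings):
    """Lay the flagged lines out in the start/end frame FRST's Fix button expects,
    the same shape as the helper's fixlist in this thread. A human still reviews it."""
    return "\n".join(["start", *(f.line for f in findings), "end"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name:18} {'; '.join(f.reasons)}")
    print(draft_fixlist(triage(SAMPLE_LOG)))
```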

#5 Stephenmozza


Posted 27 January 2013 - 11:04 AM

Hi Cat,

Combofix log as below.

Firefox would not open on that computer after running combofix. Said "Illegal operation attempted on a registry key that has been marked for deletion"

Thanks

Stephen

ComboFix 13-01-27.03 - Stephen 27/01/2013 15:35:21.1.2 - x86
Running from: c:\users\Stephen\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\drv\Tuner\Yuan\Resources\_desktop.ini
c:\program files\DealPly
c:\program files\DealPly\DealPly.crx
c:\program files\DealPly\DealPly.xpi
c:\program files\DealPly\DealPlyIE.dll
c:\program files\DealPly\DealPlyUpdate.exe
c:\program files\DealPly\DealPlyUpdate.log
c:\program files\DealPly\DealPlyUpdateRun.exe
c:\program files\DealPly\icon.ico
c:\program files\DealPly\uninst.exe
c:\programdata\0tbpw.pad
c:\programdata\Roaming
c:\users\Stephen\AppData\Local\Temp\bd7c47bb-f5c0-417c-a180-ec348d87718a\CliSecureRT.dll
c:\users\Stephen\AppData\Local\Temp\wpbt0.dll
c:\users\Stephen\AppData\Roaming\k9plimgc.bat
E:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-27 to 2013-01-27 )))))))))))))))))))))))))))))))
.
.
2013-01-27 22:07 . 2013-01-27 23:21 -------- d-----w- C:\FRST
2013-01-27 13:49 . 2006-10-31 00:10 71840 ----a-w- c:\windows\system32\EPPicMgr.dll
2013-01-27 13:49 . 2006-10-31 00:10 120992 ----a-w- c:\windows\system32\EpPicPrt.dll
2013-01-27 13:49 . 2006-10-20 00:10 80024 ----a-w- c:\windows\system32\PICSDK.dll
2013-01-27 13:49 . 2006-10-20 00:10 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2013-01-27 13:49 . 2006-10-20 00:10 108704 ----a-w- c:\windows\system32\PICEntry.dll
2013-01-26 23:44 . 2013-01-26 23:44 3202 ----a-w- c:\programdata\0tbpw.js
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-27 00:20 . 2012-05-28 06:06 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-27 00:20 . 2012-03-25 21:53 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-30 11:17 . 2012-10-30 11:17 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2012-03-31 954256]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-03-31 21392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-25 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-25 8470528]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-25 81920]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 132608]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-03-31 3521424]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-10-16 384800]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
.
c:\users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-8 535336]
Launcher.lnk - c:\program files\InternetEverywhere\Launcher.exe [2012-3-25 472528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - BMLoad
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-27 13:54 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.56\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 00:20]
.
2013-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-25 13:32]
.
2013-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-25 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\o3qurq4k.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-IgfxTray - c:\windows\system32\igfxtray.exe
HKLM-Run-HotKeysCmds - c:\windows\system32\hkcmd.exe
HKLM-Run-Persistence - c:\windows\system32\igfxpers.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
AddRemove-DealPly - c:\program files\DealPly\uninst.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-27 15:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:af,6d,83,6c,d4,b2,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5020)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\InternetEverywhere\WTGService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\users\Stephen\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\avira\antivir desktop\avconfig.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-01-27 15:55:11 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-27 15:55
.
Pre-Run: 8,186,421,248 bytes free
Post-Run: 14,738,235,392 bytes free
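
Several entries in the "Reg Loading Points" section of the ComboFix log above weaken the machine's defences rather than indicate a specific infection: EnableLUA=0 (UAC switched off), AntiVirusOverride and FirewallOverride set to 1, DisableMonitoring set under Security Center, and an AppInit_DLLs entry that is loaded into every process. The script below is an added example for this thread, not code from ComboFix or from either participant; it parses those sections and flags such values, the table of which values count as suspect is this example's own assumption, and the sample log is constructed from the lines posted above.

```python
"""Flag weakened-security settings in a ComboFix 'Reg Loading Points' dump.

Added example for this thread; it is not code from ComboFix or from the
thread participants.  The table of suspect values below is this example's
own choice of what deserves review, and the sample log is constructed
from the lines posted above.
"""
import re

# (substring of the lower-cased key path, value name) -> (setting that
# weakens defences, explanation).  Assumption of this example.
SUSPECT_VALUES = {
    ("policies\\system", "EnableLUA"): ("0", "UAC disabled"),
    ("security center", "AntiVirusOverride"): ("1", "AV status reporting to Security Center overridden"),
    ("security center", "FirewallOverride"): ("1", "firewall status reporting to Security Center overridden"),
    ("security center\\monitoring", "DisableMonitoring"): ("1", "Security Center monitoring disabled"),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                  # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')  # "Name"=value


def normalise(raw):
    """Reduce a ComboFix-rendered value to a plain string.

    Handles 'dword:00000001', '0 (0x0)' and '"quoted path" [date size]'
    forms; anything else (e.g. an unquoted DLL path) is returned as-is.
    """
    raw = raw.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return str(int(m.group(1), 16))
    m = re.match(r"(-?\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return m.group(1)
    if raw.startswith('"'):
        return raw.split('"')[1]
    return raw


def find_weakened_settings(log_text):
    """Return (key, name, value, reason) for every suspect value in the log."""
    findings = []
    current_key = None
    for raw_line in log_text.splitlines():
        line = raw_line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or current_key is None:
            continue
        name, value = vm.group("name"), normalise(vm.group("raw"))
        # AppInit_DLLs are loaded into every process that links user32.dll,
        # so any non-empty entry is worth checking against a known-good list.
        if name.lower() == "appinit_dlls" and value:
            findings.append((current_key, name, value,
                             "AppInit_DLLs entry loaded into every process; verify the DLL"))
            continue
        for (key_part, vname), (bad, reason) in SUSPECT_VALUES.items():
            if (key_part in current_key.lower()
                    and vname.lower() == name.lower() and value == bad):
                findings.append((current_key, name, value, reason))
                break
    return findings


# Constructed sample: the relevant lines from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, value, reason in find_weakened_settings(SAMPLE_LOG):
        print(f"{reason}: [{key}] {name}={value}")
```

Run it against a full ComboFix log by reading the file into `find_weakened_settings`; unrelated Run entries and the "." separator lines are ignored.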

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,353 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:01 PM

Posted 27 January 2013 - 11:07 AM

Reboot again and that error will go away.

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


#7 Stephenmozza

Stephenmozza
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:01 PM

Posted 27 January 2013 - 04:23 PM

Hi Cat,

All the requested below.

Thanks once again

Stephen

JRT Log is



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.5.2 (01.26.2013:2)
OS: Windows Vista ™ Home Premium x86
Ran by Stephen on 27/01/2013 at 17:10:39.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-3593017929-1360062019-3519131131-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\escort.escortiepane
Successfully deleted: [Registry Key] hkey_classes_root\escort.escortiepane.1
Successfully deleted: [Registry Key] hkey_classes_root\esrv.babylonesrvc
Successfully deleted: [Registry Key] hkey_classes_root\esrv.babylonesrvc.1
Successfully deleted: [Registry Key] hkey_local_machine\software\babylon
Successfully deleted: [Registry Key] hkey_current_user\software\babylontoolbar
Successfully deleted: [Registry Key] hkey_local_machine\software\babylontoolbar
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escortapp.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escorteng.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escortlbr.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\esrv.exe
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\b
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylnapp.appcore
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylnapp.appcore.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\escort.escrtbtn.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{291bccc1-6890-484a-89d3-318c928dac1b}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{2eecd738-5844-4a99-b4b6-146bf802613b}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{2eecd738-5844-4a99-b4b6-146bf802613b}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{97f2ff5b-260c-4ccf-834a-2dda4e29e39e}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{b8276a94-891d-453c-9ff3-715c042a2575}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{e46c8196-b634-44a1-af6e-957c64278ab1}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ffb9adcb-8c79-4c29-81d3-74d46a93d370}



~~~ Files

Successfully deleted: [File] C:\Users\Stephen\AppData\Local\{AAA107F6-F60F-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul [Trojan:JS/Medfos.A]



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\babylon"
Successfully deleted: [Folder] "C:\Users\Stephen\AppData\Roaming\babylon"
Successfully deleted: [Folder] "C:\Users\Stephen\appdata\local\babylon"
Successfully deleted: [Folder] "C:\Users\Stephen\appdata\locallow\babylontoolbar"
Successfully deleted: [Folder] "C:\Program Files\babylontoolbar"
Successfully deleted: [Folder] C:\Users\Stephen\AppData\Local\{AAA107F6-F60F-11E1-8270-B8AC6F996F26} [Trojan:JS/Medfos.A]



~~~ FireFox

Successfully deleted: [File] C:\user.js
Successfully deleted: [File] "C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml"
Successfully deleted: [File] C:\Users\Stephen\AppData\Roaming\mozilla\firefox\profiles\o3qurq4k.default\user.js
Successfully deleted the following from C:\Users\Stephen\AppData\Roaming\mozilla\firefox\profiles\o3qurq4k.default\prefs.js

user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
user_pref("extensions.BabylonToolbar_i.babExt", "");
user_pref("extensions.BabylonToolbar_i.babTrack", "affID=101385");
user_pref("extensions.BabylonToolbar_i.hardId", "90e5896c00000000000000f1d000f1d0");
user_pref("extensions.BabylonToolbar_i.id", "90e5896c00000000000000f1d000f1d0");
user_pref("extensions.BabylonToolbar_i.instlDay", "15424");
user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
user_pref("extensions.BabylonToolbar_i.newTab", false);
user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1722:50:01");
user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Emptied folder: C:\Users\Stephen\AppData\Roaming\mozilla\firefox\profiles\o3qurq4k.default\minidumps [16 files]



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Stephen\appdata\local\Google\Chrome\User Data\Default\Extensions\gaiilaahiahdejapggenmdmafpmbipje
Successfully deleted: [Registry Key] hkey_current_user\software\google\chrome\extensions\gaiilaahiahdejapggenmdmafpmbipje
Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\gaiilaahiahdejapggenmdmafpmbipje



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 27/01/2013 at 17:14:26.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


ADW log was as below

# AdwCleaner v2.109 - Logfile created 01/27/2013 at 18:14:12
# Updated 26/01/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Stephen - STEPHEN-PC
# Boot Mode : Normal
# Running from : C:\Users\Stephen\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\DealPly
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BabylonToolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DealPly
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\Software\DealPly
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16450

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-GB)

File : C:\Users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\o3qurq4k.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.56

File : C:\Users\Stephen\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4174 octets] - [27/01/2013 18:14:12]

########## EOF - C:\AdwCleaner[S1].txt - [4234 octets] ##########

MBAM log as below

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.27.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Stephen :: STEPHEN-PC [administrator]

27/01/2013 18:23:04
mbam-log-2013-01-27 (18-23-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201397
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

And ESET scan log as below

C:\FRST\Quarantine\HqrOU.exe a variant of Win32/Injector.YRB trojan
C:\Program Files\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\ProgramData\0tbpw.js JS/Agent.NID trojan
C:\Qoobox\Quarantine\C\Program Files\DealPly\DealPlyIE.dll.vir a variant of Win32/DealPly.A application
C:\Qoobox\Quarantine\C\Users\Stephen\AppData\Local\Temp\wpbt0.dll.vir Win32/Reveton.N trojan
C:\Users\All Users\0tbpw.js JS/Agent.NID trojan
C:\Users\Stephen\Downloads\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask application
E:\camfrog_5.5.exe a variant of Win32/Bundled.Toolbar.Ask application
E:\fyzip-setup.exe Win32/DownloadAdmin.A.Gen application

#8 CatByte

Posted 27 January 2013 - 04:30 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\ProgramData\0tbpw.js 
C:\Users\All Users\0tbpw.js 
E:\camfrog_5.5.exe 
 
ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version XI)
Having the latest updates ensures there are no security vulnerabilities in your system.



Please advise how the computer is running now and if there are any outstanding issues.
The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#9 Stephenmozza

Posted 27 January 2013 - 05:28 PM

Hi Cat,

I'm not sure if I managed to turn off Avira enough as it was still popping up with queries re registry.

Log as below.

Computer seems a lot more stable without any worrying pop ups.

Cheers

Stephen

ComboFix 13-01-27.03 - Stephen 27/01/2013 21:42:19.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.1089 [GMT 0:00]
Running from: c:\users\Stephen\Desktop\ComboFix.exe
Command switches used :: c:\users\Stephen\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\0tbpw.js"
"c:\users\All Users\0tbpw.js"
"E:\camfrog_5.5.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\0tbpw.js
c:\users\All Users\0tbpw.js
c:\users\Stephen\AppData\Local\Temp\bd7c47bb-f5c0-417c-a180-ec348d87718a\CliSecureRT.dll
c:\windows\system32\muzapp.exe
E:\camfrog_5.5.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-27 to 2013-01-27 )))))))))))))))))))))))))))))))
.
.
2013-01-27 22:07 . 2013-01-27 23:21 -------- d-----w- C:\FRST
2013-01-27 21:50 . 2013-01-27 22:02 -------- d-----w- c:\users\Stephen\AppData\Local\temp
2013-01-27 21:50 . 2013-01-27 21:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-27 18:59 . 2013-01-27 18:59 -------- d-----w- c:\program files\ESET
2013-01-27 18:22 . 2013-01-27 18:22 -------- d-----w- c:\users\Stephen\AppData\Roaming\Malwarebytes
2013-01-27 18:21 . 2013-01-27 18:21 -------- d-----w- c:\programdata\Malwarebytes
2013-01-27 18:21 . 2013-01-27 18:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-27 18:21 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-27 17:10 . 2013-01-27 17:10 -------- d-----w- c:\windows\ERUNT
2013-01-27 17:10 . 2013-01-27 17:10 -------- d-----w- C:\JRT
2013-01-27 16:21 . 2013-01-15 02:49 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ECB8B3EE-CA91-4402-AFFF-18261F6F7C75}\mpengine.dll
2013-01-27 13:49 . 2006-10-31 00:10 71840 ----a-w- c:\windows\system32\EPPicMgr.dll
2013-01-27 13:49 . 2006-10-31 00:10 120992 ----a-w- c:\windows\system32\EpPicPrt.dll
2013-01-27 13:49 . 2006-10-20 00:10 80024 ----a-w- c:\windows\system32\PICSDK.dll
2013-01-27 13:49 . 2006-10-20 00:10 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2013-01-27 13:49 . 2006-10-20 00:10 108704 ----a-w- c:\windows\system32\PICEntry.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-27 16:19 . 2012-05-28 06:06 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-27 16:19 . 2012-03-25 21:53 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-30 11:17 . 2012-10-30 11:17 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2012-03-31 954256]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-03-31 21392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Acer Tour Reminder"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-25 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-25 8470528]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-25 81920]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 132608]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-03-31 3521424]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-10-16 384800]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
.
c:\users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-8 535336]
Launcher.lnk - c:\program files\InternetEverywhere\Launcher.exe [2012-3-25 472528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - BMLoad
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-27 13:54 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.56\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 16:19]
.
2013-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-25 13:32]
.
2013-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-25 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\o3qurq4k.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-27 22:02
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}"=hex:51,66,7a,6c,4c,1d,38,12,12,38,ad,
58,75,50,10,02,d8,cb,7a,2d,b5,19,2a,3d
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{2EECD738-5844-4A99-B4B6-146BF802613B}"=hex:51,66,7a,6c,4c,1d,38,12,56,d4,ff,
2a,76,16,f7,0f,cb,a0,57,2b,fd,5c,25,2f
"{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}"=hex:51,66,7a,6c,4c,1d,38,12,df,fa,b1,
87,90,4f,cb,0f,f8,c7,06,f6,bd,0e,1a,82
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}"=hex:51,66,7a,6c,4c,1d,38,12,49,4c,04,
a2,cd,51,b8,a4,d6,29,f9,08,a8,03,90,5c
"{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}"=hex:51,66,7a,6c,4c,1d,38,12,35,fc,e1,
93,3e,68,a1,09,fc,5c,6e,9a,4b,77,a7,8a
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:af,6d,83,6c,d4,b2,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,19,1f,95,1b,e8,8c,46,88,e1,f1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,19,1f,95,1b,e8,8c,46,88,e1,f1,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1156)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\InternetEverywhere\WTGService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\users\Stephen\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
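The ComboFix report above records, under "Reg Loading Points", the registry state left after the CFScript run requested in the previous post: UAC turned off (EnableLUA = 0), Security Center overrides and DisableMonitoring set to 1, and an AppInit_DLLs entry. As an added example that is not part of this thread or of ComboFix, the following Python script parses that REGEDIT4-style block of a ComboFix log and lists the settings a responder would want to review before declaring the machine clean. The sample input is an excerpt constructed from the log above; which settings count as findings, the expected Userinit path, and the function names `parse_reg_section` and `triage` are this example's own assumptions.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix report.

Added example for this thread; it is not part of ComboFix or of any post.
The sample input below is an excerpt constructed from the report posted
above. The set of settings treated as findings is this example's own choice.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[int, str]
Finding = Tuple[str, str, str]  # (registry key, value name, explanation)

# Constructed excerpt of the log above, in ComboFix's REGEDIT4-style layout.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")
DEC_HEX_RE = re.compile(r"^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$")
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # assumed default


def normalise(raw: str) -> Value:
    """Turn the textual value forms ComboFix prints into an int or a plain string."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group("hex"), 16)      # dword:00000001 -> 1
    m = DEC_HEX_RE.match(raw)
    if m:
        return int(m.group("dec"))          # 0 (0x0) -> 0
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]                    # "quoted string" -> quoted string
    return raw                              # bare path or anything else


def parse_reg_section(text: str) -> Dict[str, Dict[str, Value]]:
    """Map each lower-cased registry key to its {value name: value} entries."""
    entries: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":          # ComboFix separates keys with "."
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = normalise(m.group("raw"))
    return entries


def triage(entries: Dict[str, Dict[str, Value]]) -> List[Finding]:
    """Flag settings a responder should review; the selection is this example's."""
    findings: List[Finding] = []
    for key, values in entries.items():
        if key.endswith(r"\policies\system") and values.get("EnableLUA") == 0:
            findings.append((key, "EnableLUA", "UAC is turned off (EnableLUA=0)"))
        if key.endswith(r"\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append((key, name, "Security Center override is set to 1"))
        if r"\security center\monitoring" in key and values.get("DisableMonitoring") == 1:
            findings.append((key, "DisableMonitoring", "Security Center monitoring is disabled"))
        if key.endswith(r"\currentversion\windows") and values.get("AppInit_DLLs"):
            findings.append((key, "AppInit_DLLs",
                             f"DLL loaded into every GUI process: {values['AppInit_DLLs']}"))
        if key.endswith(r"\winlogon"):
            userinit = str(values.get("Userinit", "")).lower().rstrip(",")
            if userinit and userinit != EXPECTED_USERINIT:
                findings.append((key, "Userinit", f"unexpected Userinit: {userinit}"))
    return findings


if __name__ == "__main__":
    for key, name, why in triage(parse_reg_section(SAMPLE_LOG)):
        print(f"{name:<20} {why}\n    at {key}")
```

Run on the excerpt it reports five findings (EnableLUA, both Security Center overrides, DisableMonitoring and AppInit_DLLs) and stays silent on Userinit, which still points at the normal userinit.exe. The checks are deliberately conservative: they compare whole values rather than pattern-match on names, so a legitimate vendor hook in AppInit_DLLs is surfaced for a human to judge rather than auto-classified.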

#10 CatByte

Posted 27 January 2013 - 06:09 PM

We just have some housekeeping to do now.

Please do the following:


You can delete the DDS, JRT and the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.

[screenshot]


NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
  • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

#11 Stephenmozza

Posted 29 January 2013 - 04:50 AM

Hi Cat,


Sorry I was away from my computer yesterday.


I've followed all the instruction but have had further major crash issues. Not sure what to do.

I will be back at my computer in 24 hours and able to spend time on it.

Regards

Stephen

#12 CatByte

Posted 29 January 2013 - 09:12 PM

Oh dear, that's not good news.

Please describe in as much detail as possible what has happened.

This might not be malware related.

#13 CatByte

Posted 09 February 2013 - 07:28 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.