
Cloud AV


23 replies to this topic

#1 MisanthropeKitty

Posted 26 November 2011 - 08:04 PM

Cloud AV has taken over the computer. All attempts to be rid of it have not worked. I even reset the computer to the last backup date and it returned after I rebooted the computer.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_26
Run by LISA at 19:02:13 on 2011-11-26
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1013.119 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\Cloud AV 2012v121.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Users\LISA\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\LISA\Downloads\123.com.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=15119&l=dis
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Acer Tour Reminder]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CgRZqhYXwUeOtP8234A] c:\windows\system32\Cloud AV 2012v121.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [NSSInstallation] c:\program files\divx\symantec\scstubinstaller.exe /runonce
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\windows\temp\ixp000.tmp\"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{05DBC8C6-5315-4E99-AA36-CB889E98D544} : DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{FFE10D9B-8650-4A77-9B7E-EF2E9AB76E29} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: eNetHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\5w3qzlru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&q=
FF - component: c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\5w3qzlru.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\5w3qzlru.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\5w3qzlru.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\5w3qzlru.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - component: c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\5w3qzlru.default\extensions\engine@conduit.com\components\FFExternalAlert.dll
FF - component: c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\5w3qzlru.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScope.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 1fdf6c7b-8727-4eb7-99d3-f6ffa7d9ce4c
FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-5 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-5 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-5 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-5 66616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-9-3 179712]
S4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-9-3 50688]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-10-14 266240]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2011-11-26 22:15:44 -------- dc----w- c:\users\lisa\appdata\roaming\x5sWJ7dELgZhXkV
2011-11-26 22:15:44 -------- dc----w- c:\users\lisa\appdata\roaming\aP0ycS1iv3n4m
2011-11-26 21:46:01 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-26 21:45:13 -------- dc----w- c:\users\lisa\appdata\roaming\grlOBtxP0c1v3n
2011-11-26 21:45:12 -------- dc----w- c:\users\lisa\appdata\roaming\GibonmH6WE
2011-11-26 21:43:45 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9c90ddc9-d616-47b8-83f9-b97bb2df511d}\offreg.dll
2011-11-26 21:40:30 -------- dc----w- c:\users\lisa\appdata\roaming\RG4aQH6sW7E9Tq
2011-11-26 21:40:29 -------- dc----w- c:\users\lisa\appdata\roaming\qTXqjYCekrOt
2011-11-26 20:21:11 -------- dc----w- c:\users\lisa\appdata\roaming\OxSp5Jd89T
2011-11-26 20:21:08 -------- dc----w- c:\users\lisa\appdata\roaming\G9jIxSnHfgYIlP1
2011-11-26 20:12:17 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 20:12:16 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-26 18:36:18 -------- dc----w- c:\users\lisa\appdata\roaming\A3pnG4aQHsKfLgZ
2011-11-26 18:36:13 2789376 -c--a-w- c:\windows\system32\Cloud AV 2012v121.exe
2011-11-26 18:15:45 -------- dc----w- c:\users\lisa\appdata\roaming\B1ivD2onFHQ7E
2011-11-26 18:15:44 -------- dc----w- c:\users\lisa\appdata\roaming\WRZqhYXwkVlBz0c
2011-11-26 16:15:13 -------- dc----w- c:\users\lisa\appdata\roaming\Avira
2011-11-26 16:09:55 -------- dc----w- c:\users\lisa\appdata\roaming\EA0uvSibFpGaHdK
2011-11-26 16:09:54 -------- dc----w- c:\users\lisa\appdata\roaming\ufRL9hTXqUeIrOy
2011-11-26 15:56:33 2789376 -c--a-w- c:\users\lisa\appdata\roaming\java.exe
2011-11-26 08:52:42 -------- dc----w- c:\users\lisa\appdata\roaming\PVVVrllOBtxPyc1
2011-11-26 08:52:41 -------- dc----w- c:\users\lisa\appdata\roaming\LL99ggTZqjYCkIr
2011-11-26 08:52:27 -------- dc----w- c:\users\lisa\appdata\roaming\iL88ggTZqhYCkUr
2011-11-26 08:52:21 -------- dc----w- c:\users\lisa\appdata\roaming\NCCCekkIVrzNtA
2011-11-26 08:52:21 -------- dc----w- c:\users\lisa\appdata\roaming\gNNNyyxA0uvSib3
2011-11-25 07:28:54 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9c90ddc9-d616-47b8-83f9-b97bb2df511d}\mpengine.dll
2011-11-24 02:29:40 -------- dc----r- c:\program files\Skype
2011-11-14 14:27:26 4335776 -c--a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
.
==================== Find3M ====================
.
.
============= FINISH: 19:04:37.42 ===============
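
The report above shows a recognisable persistence pattern: directories with generated names under AppData\Roaming, an autorun value with a generated name pointing at an executable dropped into System32, a second copy of that executable (same 2789376-byte size) saved as java.exe in Roaming, and executables started from Downloads and Temp. The following Python script is an added example (not part of this thread and not DDS or ComboFix code) that runs those checks as simple heuristics over DDS-style lines; the rule names, the thresholds, and the embedded sample are the example's own, with the sample lines copied from the report above.

```python
"""Triage heuristics for DDS-style report lines (added example, not part of the thread)."""
import re
from collections import Counter

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_DDS = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\Cloud AV 2012v121.exe
C:\Users\LISA\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\LISA\Downloads\123.com.exe
uRun: [Acer Tour Reminder]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [CgRZqhYXwUeOtP8234A] c:\windows\system32\Cloud AV 2012v121.exe
AppInit_DLLs: eNetHook.dll
2011-11-26 22:15:44 -------- dc----w- c:\users\lisa\appdata\roaming\x5sWJ7dELgZhXkV
2011-11-26 16:15:13 -------- dc----w- c:\users\lisa\appdata\roaming\Avira
2011-11-26 15:56:33 2789376 -c--a-w- c:\users\lisa\appdata\roaming\java.exe
2011-11-26 18:36:13 2789376 -c--a-w- c:\windows\system32\Cloud AV 2012v121.exe
2011-11-26 20:12:16 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
"""

RUN_RE = re.compile(r"^[mu]Run(?:Once)?: \[([^\]]+)\]\s*(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(\S.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\d+|-+)\s+(\S+)\s+(.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")

# Directories a standard user can write to; system binaries do not live here.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")

# Heuristic thresholds, tuned on the names seen in this thread (assumptions of this example).
MIN_RANDOM_LEN = 9
CLASS_SWITCH_RATIO = 0.4


def looks_random(name: str) -> bool:
    """Generated names like x5sWJ7dELgZhXkV flip between lower/upper/digit far more
    often per character than product names like AppleMobileDeviceService."""
    if len(name) < MIN_RANDOM_LEN or not name.isalnum():
        return False

    def cls(c: str) -> str:
        return "d" if c.isdigit() else ("u" if c.isupper() else "l")

    switches = sum(1 for a, b in zip(name, name[1:]) if cls(a) != cls(b))
    return switches / len(name) >= CLASS_SWITCH_RATIO


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(report: str) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for the suspicious patterns in a DDS-style report."""
    findings: list[tuple[str, str]] = []
    exe_sizes: dict[int, list[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            key, target = m.groups()
            if looks_random(key):             # autorun value name nobody would type
                findings.append(("random-run-key", f"{key} -> {target}"))
        elif m := APPINIT_RE.match(line):      # DLL loaded into every user32 process
            findings.append(("appinit-dll", m.group(1)))
        elif m := CREATED_RE.match(line):
            size, attrs, path = m.groups()
            leaf = path.rsplit("\\", 1)[-1]
            if attrs.startswith("d") and "\\appdata\\roaming\\" in path.lower() and looks_random(leaf):
                findings.append(("random-roaming-dir", path))
            if path.lower().endswith(".exe"):
                if in_user_writable(path):
                    findings.append(("exe-in-user-writable", path))
                if size.isdigit():             # remember sizes to spot dropped copies
                    exe_sizes.setdefault(int(size), []).append(path)
        elif PROCESS_RE.match(line):
            exe = line.split(" -k ")[0]        # strip the svchost service-group argument
            if exe.lower().endswith(".exe") and in_user_writable(exe):
                findings.append(("process-from-user-writable", exe))
    for size, paths in exe_sizes.items():
        if len(paths) > 1:                     # same dropper written to two places
            findings.append(("same-size-exe-copies", f"{size} bytes: " + " | ".join(paths)))
    return findings


def rule_counts(report: str) -> Counter:
    """How many findings each rule produced; handy for a quick summary."""
    return Counter(rule for rule, _ in triage(report))


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:28} {detail}")
```

The name heuristic is deliberately coarse (it will miss short generated names such as rvvvSS2ob) and is meant to rank lines for a human reviewer, not to replace one.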


#2 gringo_pr

  • Malware Response Team

Posted 27 November 2011 - 11:52 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 MisanthropeKitty


Posted 28 November 2011 - 10:58 AM

It looks like this got rid of it. *fingers crossed* Here is the log file:

ComboFix 11-11-28.02 - LISA 11/28/2011 10:32:39.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1013.329 [GMT -5:00]
Running from: c:\users\LISA\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\LISA\008.jpg
c:\users\LISA\021a.jpg
c:\users\LISA\022a.jpg
c:\users\LISA\AppData\Roaming\B1ivD2onFHQ7E
c:\users\LISA\AppData\Roaming\B1ivD2onFHQ7E\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\BbbFF33pmG5QJ
c:\users\LISA\AppData\Roaming\BbbFF33pmG5QJ\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\CG5aQH6dW7R9TqY
c:\users\LISA\AppData\Roaming\CG5aQH6dW7R9TqY\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\Cloud AV 2012.exe
c:\users\LISA\AppData\Roaming\EA0uvSibFpGaHdK
c:\users\LISA\AppData\Roaming\EA0uvSibFpGaHdK\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\grlOBtxP0c1v3n
c:\users\LISA\AppData\Roaming\grlOBtxP0c1v3n\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\java.exe
c:\users\LISA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012
c:\users\LISA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk
c:\users\LISA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Uninstall Cloud AV 2012.lnk
c:\users\LISA\AppData\Roaming\PVVVrllOBtxPyc1
c:\users\LISA\AppData\Roaming\PVVVrllOBtxPyc1\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\RG4aQH6sW7E9Tq
c:\users\LISA\AppData\Roaming\RG4aQH6sW7E9Tq\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\TFF33pmGG5QJ
c:\users\LISA\AppData\Roaming\TFF33pmGG5QJ\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\TXwkUVelOtPyAiD
c:\users\LISA\AppData\Roaming\TXwkUVelOtPyAiD\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\x5sWJ7dELgZhXkV
c:\users\LISA\AppData\Roaming\x5sWJ7dELgZhXkV\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\xvD2mG5sJdKfZhX
c:\users\LISA\AppData\Roaming\xvD2mG5sJdKfZhX\Cloud AV 2012.ico
c:\users\LISA\Desktop\Cloud AV 2012.lnk
c:\windows\system32\Cloud AV 2012v121.exe
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 15:45 . 2011-11-28 15:45 -------- dc----w- c:\users\Default\AppData\Local\temp
2011-11-28 15:22 . 2011-11-28 15:22 -------- dc----w- c:\users\LISA\AppData\Roaming\jsWJ7dEL8R
2011-11-28 15:20 . 2011-11-28 15:20 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C90DDC9-D616-47B8-83F9-B97BB2DF511D}\offreg.dll
2011-11-27 20:01 . 2011-11-27 20:01 -------- dc----w- c:\users\LISA\AppData\Roaming\SzONyxA0uSiFp
2011-11-27 02:31 . 2011-11-27 02:31 -------- dc----w- c:\users\LISA\AppData\Roaming\EEK8gRZ9hX
2011-11-27 02:31 . 2011-11-27 02:31 -------- dc----w- c:\users\LISA\AppData\Roaming\vcA1ivD2oFpHs
2011-11-27 02:25 . 2011-11-27 02:25 -------- dc----w- c:\users\LISA\AppData\Roaming\tlllIBBrzPNxAuv
2011-11-27 02:24 . 2011-11-27 02:24 -------- dc----w- c:\users\LISA\AppData\Roaming\rvvvSS2ob
2011-11-27 00:24 . 2011-11-27 00:24 -------- dc----w- c:\users\LISA\AppData\Roaming\B9hYXwjUVlBzNc1
2011-11-26 22:15 . 2011-11-26 22:15 -------- dc----w- c:\users\LISA\AppData\Roaming\aP0ycS1iv3n4m
2011-11-26 21:46 . 2011-11-26 21:46 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-26 21:45 . 2011-11-26 21:45 -------- dc----w- c:\users\LISA\AppData\Roaming\GibonmH6WE
2011-11-26 21:40 . 2011-11-26 21:40 -------- dc----w- c:\users\LISA\AppData\Roaming\qTXqjYCekrOt
2011-11-26 20:21 . 2011-11-26 20:21 -------- dc----w- c:\users\LISA\AppData\Roaming\OxSp5Jd89T
2011-11-26 20:21 . 2011-11-26 20:21 -------- dc----w- c:\users\LISA\AppData\Roaming\G9jIxSnHfgYIlP1
2011-11-26 20:12 . 2011-08-31 22:00 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 20:12 . 2011-11-26 20:12 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-26 18:36 . 2011-11-26 18:36 -------- dc----w- c:\users\LISA\AppData\Roaming\A3pnG4aQHsKfLgZ
2011-11-26 18:15 . 2011-11-26 18:15 -------- dc----w- c:\users\LISA\AppData\Roaming\WRZqhYXwkVlBz0c
2011-11-26 16:15 . 2011-11-26 16:15 -------- dc----w- c:\users\LISA\AppData\Roaming\Avira
2011-11-26 16:09 . 2011-11-26 16:09 -------- dc----w- c:\users\LISA\AppData\Roaming\ufRL9hTXqUeIrOy
2011-11-26 08:52 . 2011-11-26 08:52 -------- dc----w- c:\users\LISA\AppData\Roaming\LL99ggTZqjYCkIr
2011-11-26 08:52 . 2011-11-26 08:52 -------- dc----w- c:\users\LISA\AppData\Roaming\iL88ggTZqhYCkUr
2011-11-26 08:52 . 2011-11-26 08:52 -------- dc----w- c:\users\LISA\AppData\Roaming\NCCCekkIVrzNtA
2011-11-26 08:52 . 2011-11-26 08:52 -------- dc----w- c:\users\LISA\AppData\Roaming\gNNNyyxA0uvSib3
2011-11-25 07:28 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C90DDC9-D616-47B8-83F9-B97BB2DF511D}\mpengine.dll
2011-11-24 02:29 . 2011-11-24 02:30 -------- dc----r- c:\program files\Skype
2011-11-14 14:27 . 2011-11-14 14:27 4335776 -c--a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 23:15 . 2011-06-20 16:32 134104 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-08-19 16:45 790304 -c--a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\program files\DivX\Symantec\scstubinstaller.exe" [2010-03-08 497016]
"wextract_cleanup0"="c:\windows\system32\advpack.dll" [2008-01-19 128000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 -c--a-w- c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-03-08 11:38 40048 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2007-04-25 23:33 457216 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-02 22:06 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-02 22:07 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-11-22 01:09 842584 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-07-16 05:51 768520 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-02 22:07 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-06-15 08:45 1826816 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2008-01-29 21:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
R4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-10-14 266240]
R4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2849844]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-21 c:\windows\Tasks\Install_NSS.job
- c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]
.
2011-11-28 c:\windows\Tasks\User_Feed_Synchronization-{24DEB9BC-C21E-45F1-B4A0-D618ED58325F}.job
- c:\windows\system32\msfeedssync.exe [2008-06-06 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15119&l=dis
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\users\LISA\AppData\Roaming\Mozilla\Firefox\Profiles\5w3qzlru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 1fdf6c7b-8727-4eb7-99d3-f6ffa7d9ce4c
FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-CgRZqhYXwUeOtP8234A - c:\windows\system32\Cloud AV 2012v121.exe
MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
MSConfigStartUp-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
MSConfigStartUp-SetPanel - c:\acer\APanel\APanel.cmd
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-28 10:46
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\eNetHook.dll
.
- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\eNetHook.dll
.
Completion time: 2011-11-28 10:55:06
ComboFix-quarantined-files.txt 2011-11-28 15:55
.
Pre-Run: 3,978,440,704 bytes free
Post-Run: 4,774,273,024 bytes free
.
- - End Of File - - FC1250FC4C0BFD0D6705D7F9B0371F90

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2011 - 11:34 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

Folder::
c:\program files\Yontoo Layers Runtime
c:\users\LISA\AppData\Roaming\jsWJ7dEL8R
c:\users\LISA\AppData\Roaming\SzONyxA0uSiFp
c:\users\LISA\AppData\Roaming\EEK8gRZ9hX
c:\users\LISA\AppData\Roaming\vcA1ivD2oFpHs
c:\users\LISA\AppData\Roaming\tlllIBBrzPNxAuv
c:\users\LISA\AppData\Roaming\rvvvSS2ob
c:\users\LISA\AppData\Roaming\B9hYXwjUVlBzNc1
c:\users\LISA\AppData\Roaming\aP0ycS1iv3n4m
c:\users\LISA\AppData\Roaming\GibonmH6WE
c:\users\LISA\AppData\Roaming\qTXqjYCekrOt
c:\users\LISA\AppData\Roaming\OxSp5Jd89T
c:\users\LISA\AppData\Roaming\G9jIxSnHfgYIlP1
c:\users\LISA\AppData\Roaming\A3pnG4aQHsKfLgZ
c:\users\LISA\AppData\Roaming\WRZqhYXwkVlBz0c
c:\users\LISA\AppData\Roaming\Avira
c:\users\LISA\AppData\Roaming\ufRL9hTXqUeIrOy
c:\users\LISA\AppData\Roaming\LL99ggTZqjYCkIr
c:\users\LISA\AppData\Roaming\iL88ggTZqhYCkUr
c:\users\LISA\AppData\Roaming\NCCCekkIVrzNtA
c:\users\LISA\AppData\Roaming\gNNNyyxA0uvSib3

DDS::
uStart Page = hxxp://www.ask.com?o=15119&l=dis

Firefox::
FF - ProfilePath - c:\users\LISA\AppData\Roaming\Mozilla\Firefox\Profiles\5w3qzlru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
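The CFScript above targets a Run value and a set of AppData\Roaming folders that the helper picked out by their machine-generated names. As an added example (not from the thread, the helper or ComboFix), here is a small Python triage script that applies that same heuristic to the three line formats seen in this thread's logs; the sample lines are constructed from those formats, and looks_random, triage and the thresholds are the example's own choices.

```python
"""Heuristic triage of autorun and AppData\\Roaming entries in ComboFix/DDS logs.

Added example, not from the thread or the ComboFix project. It recognises the
line shapes seen in this thread (DDS orphan lines, ComboFix REGEDIT4 Run values,
bare AppData\\Roaming folder paths) and flags names that look machine-generated.
It is a triage aid only; an analyst still confirms each hit against the file.
"""
import re

VOWELS = set("aeiouAEIOU")

# DDS 'ORPHANS REMOVED' style:  HKLM-Run-<name> - <path>
ORPHAN_RE = re.compile(r"^(HK(?:LM|CU))-Run-(.+?) - (.+)$")
# ComboFix 'Reg Loading Points' style:  "<name>"="<path>" [date size]
REGVAL_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# A folder directly under a user's AppData\Roaming (trailing backslash optional)
ROAMING_RE = re.compile(r"^c:\\users\\[^\\]+\\AppData\\Roaming\\([^\\]+)\\?$", re.IGNORECASE)
# A digit (or run of digits) wedged between two letters, e.g. jsWJ7dEL8R
INTERLEAVED_DIGIT_RE = re.compile(r"[A-Za-z]\d+[A-Za-z]")


def looks_random(name: str) -> bool:
    """True when a name shows traits of a generated string (heuristic).

    Any one signal is enough: a letter repeated three or more times in a row,
    upper/lower case flipping on at least half of the adjacent letter pairs,
    or digits between letters in a mixed-case name with few vowels.
    Multi-word names (containing whitespace) and short names are never flagged.
    """
    if any(ch.isspace() for ch in name):
        return False
    letters = "".join(ch for ch in name if ch.isalpha())
    if len(letters) < 6:
        return False
    if re.search(r"(.)\1\1", letters):
        return True
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    if flips / (len(letters) - 1) >= 0.5:
        return True
    mixed_case = letters.lower() != letters and letters.upper() != letters
    vowel_ratio = sum(1 for ch in letters if ch in VOWELS) / len(letters)
    return bool(mixed_case and INTERLEAVED_DIGIT_RE.search(name) and vowel_ratio <= 0.35)


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (kind, name, detail) for every log entry whose name looks generated."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m:
            hive, name, path = m.groups()
            if looks_random(name):
                hits.append((f"{hive}-Run", name, path))
            continue
        m = REGVAL_RE.match(line)
        if m:
            name, path = m.groups()
            if looks_random(name):
                hits.append(("Run", name, path))
            continue
        m = ROAMING_RE.match(line)
        if m and looks_random(m.group(1)):
            hits.append(("Roaming", m.group(1), line))
    return hits


# Constructed sample in the formats seen in this thread's logs (not a real log).
SAMPLE_LOG = r"""
HKLM-Run-CgRZqhYXwUeOtP8234A - c:\windows\system32\Cloud AV 2012v121.exe
HKCU-Run-Acer Tour Reminder - (no file)
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
c:\users\LISA\AppData\Roaming\jsWJ7dEL8R
c:\users\LISA\AppData\Roaming\GibonmH6WE
c:\users\LISA\AppData\Roaming\tlllIBBrzPNxAuv
c:\users\LISA\AppData\Roaming\Avira
c:\users\LISA\AppData\Roaming\Mozilla\Firefox\Profiles\5w3qzlru.default\
"""

if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:8} {name:22} {detail}")
```

Legitimate acronym-style names (RtHDVCpl, WMPNSCFG) and the nested Firefox profile path are not flagged, while the four generated names are; anything the script flags still needs the file on disk checked before it goes into a CFScript.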

#5 MisanthropeKitty
  • Topic Starter

  • Members
  • 12 posts

Posted 28 November 2011 - 12:53 PM

ComboFix 11-11-28.02 - LISA 11/28/2011 12:22:16.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1013.474 [GMT -5:00]
Running from: c:\users\LISA\Desktop\ComboFix.exe
Command switches used :: c:\users\LISA\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Yontoo Layers Runtime
c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
c:\users\LISA\AppData\Roaming\A3pnG4aQHsKfLgZ
c:\users\LISA\AppData\Roaming\aP0ycS1iv3n4m
c:\users\LISA\AppData\Roaming\Avira
c:\users\LISA\AppData\Roaming\B9hYXwjUVlBzNc1
c:\users\LISA\AppData\Roaming\EEK8gRZ9hX
c:\users\LISA\AppData\Roaming\EEK8gRZ9hX\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\G9jIxSnHfgYIlP1
c:\users\LISA\AppData\Roaming\GibonmH6WE
c:\users\LISA\AppData\Roaming\gNNNyyxA0uvSib3
c:\users\LISA\AppData\Roaming\iL88ggTZqhYCkUr
c:\users\LISA\AppData\Roaming\jsWJ7dEL8R
c:\users\LISA\AppData\Roaming\LL99ggTZqjYCkIr
c:\users\LISA\AppData\Roaming\NCCCekkIVrzNtA
c:\users\LISA\AppData\Roaming\NCCCekkIVrzNtA\Cloud AV 2012v121.exe
c:\users\LISA\AppData\Roaming\OxSp5Jd89T
c:\users\LISA\AppData\Roaming\OxSp5Jd89T\Cloud AV 2012.ico
c:\users\LISA\AppData\Roaming\qTXqjYCekrOt
c:\users\LISA\AppData\Roaming\rvvvSS2ob
c:\users\LISA\AppData\Roaming\SzONyxA0uSiFp
c:\users\LISA\AppData\Roaming\tlllIBBrzPNxAuv
c:\users\LISA\AppData\Roaming\ufRL9hTXqUeIrOy
c:\users\LISA\AppData\Roaming\vcA1ivD2oFpHs
c:\users\LISA\AppData\Roaming\WRZqhYXwkVlBz0c
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 17:33 . 2011-11-28 17:33 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C90DDC9-D616-47B8-83F9-B97BB2DF511D}\offreg.dll
2011-11-28 17:31 . 2011-11-28 17:42 -------- dc----w- c:\users\LISA\AppData\Local\temp
2011-11-26 21:46 . 2011-11-26 21:46 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-26 20:12 . 2011-08-31 22:00 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 20:12 . 2011-11-26 20:12 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-25 07:28 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C90DDC9-D616-47B8-83F9-B97BB2DF511D}\mpengine.dll
2011-11-24 02:29 . 2011-11-24 02:30 -------- dc----r- c:\program files\Skype
2011-11-14 14:27 . 2011-11-14 14:27 4335776 -c--a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 23:15 . 2011-06-20 16:32 134104 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 -c--a-w- c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-03-08 11:38 40048 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2007-04-25 23:33 457216 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-02 22:06 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-02 22:07 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-11-22 01:09 842584 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-07-16 05:51 768520 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-02 22:07 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-06-15 08:45 1826816 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2008-01-29 21:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
R4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-10-14 266240]
R4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2849844]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-28 c:\windows\Tasks\Install_NSS.job
- c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]
.
2011-11-28 c:\windows\Tasks\User_Feed_Synchronization-{24DEB9BC-C21E-45F1-B4A0-D618ED58325F}.job
- c:\windows\system32\msfeedssync.exe [2008-06-06 07:33]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\users\LISA\AppData\Roaming\Mozilla\Firefox\Profiles\5w3qzlru.default\
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 1fdf6c7b-8727-4eb7-99d3-f6ffa7d9ce4c
FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\RtHDVCpl.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\Apntex.exe
c:\users\LISA\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-28 12:51:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-28 17:49
ComboFix2.txt 2011-11-28 15:55
.
Pre-Run: 4,606,877,696 bytes free
Post-Run: 4,547,805,184 bytes free
.
- - End Of File - - 85791262896BFBB3DDEBF37B787BD708

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2011 - 01:14 PM

Hello


Now is a good time to check things out and make sure everything is good.


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.1.0

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

TFC (Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#7 MisanthropeKitty
  • Topic Starter

  • Members
  • 12 posts

Posted 29 November 2011 - 11:00 AM

I turned on the computer today and loaded Windows, and the first thing I noticed was that my mouse wouldn't move. Then a blue screen came up and said something about kernel_stack_inpage_error.

Then the computer restarted and now I am on a black page that says No bootable device -- Insert boot disk and press any key

I'm not sure I even have a boot disk!

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 November 2011 - 11:12 AM

Hello


That sounds like the hard drive failed - let's see if we can see it with this.


I need you to make a bootable usb and to make a screenshot for me - follow the instructions below to do this

How to create a bootable Puppy USB Drive

  • Download and save a copy of the latest Puppy ISO file
  • Download and save a copy of Unetbootin for Windows.
  • Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
  • Launch Unetbootin ....
  • Ensure that Disk Image is selected.
  • Using the browse button ... browse to and select the Puppy ISO file.
  • Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive.
  • Click OK
Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

Next

You need to change the boot order of the computer to boot from a USB drive ....

  • Read HERE for instructions how to do this.

Now boot into Puppylinux

when you get to the desktop Click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them)

Next - Launch GParted which is found at Menu > System > GParted partition manager,
Click to select All Drives then click Okay
I need you to take a screenshot of the window that opens up - to do this follow these instructions

To take a screenshot in Puppy ....

With the GParted window open ...

  • Click menu > Graphic > mtPaint-snapshot screen capture
  • A small window will open ....

    • Click Capture Now
    • Click OK
  • The mtPaint program will open ....
    • Click File > Save
    • Double click on ../
    • Double click on mnt/
    • Double click on sdb1/
    • Set File Format to JPEG
    • Enter screenshot1 into the text box
    • Click OK

This will save a file screenshot1.jpeg to the USB drive; paste or attach this to your next post.

Next

  • Click menu > shutdown > power off computer
  • If prompted to save the session click on No

Puppy will now close down.

Remove the USB and save it - we will use it again - boot back into Windows and send me the screen capture.

gringo

#9 MisanthropeKitty
  • Topic Starter

  • Members
  • 12 posts

Posted 29 November 2011 - 11:19 AM

Thanks for the fast reply. I have a new laptop coming in the mail and I will have to wait until then to do this as I have no other computer (on phone now). Will that be ok?

#10 MisanthropeKitty
  • Topic Starter

  • Members
  • 12 posts

Posted 29 November 2011 - 11:30 AM

Well, I may have been a bit hasty... I turned the computer off and, at my 4-year-old's insistence to show him the computer was broke, I turned it back on and Windows booted normally and it is working now. That was quite odd.

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 November 2011 - 11:40 AM

hello


that is very odd and I don't like it.


1st, back up any photos or documents that cannot be replaced - do this now.


2nd, after you have saved anything you want to keep safe, go to this page and run SeaTools for Windows - http://www.seagate.com/www/en-us/support/downloads/seatools


gringo

#12 MisanthropeKitty
  • Topic Starter

  • Members
  • 12 posts

Posted 29 November 2011 - 12:18 PM

I have downloaded SeaTools, what would you like me to do? Modify or Repair? I am guessing Repair but I will wait for your word.

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 November 2011 - 01:05 PM

I want you to run it and let me know if you get any fails.



gringo

#14 MisanthropeKitty
  • Topic Starter

  • Members
  • 12 posts

Posted 29 November 2011 - 04:15 PM

I left SeaTools running and came back to find the computer off. I rebooted it and got a screen saying that Windows had errors and failed to load; did I want to start Windows normally or start Windows repair? I went to Windows repair and went through their process, where it said it was attempting to repair damages. It restarted the computer and Windows loaded normally. It did not give me any kind of log as to what exactly it repaired.

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 November 2011 - 06:44 PM

OK, go back to post 6 and give me those reports.


gringo