backdoor trojan-browser hijacks and regenerates deleted files


  • This topic is locked
11 replies to this topic

#1 betteloop
  • Members
  • 11 posts
  • Gender:Female
  • Location:Phx. AZ

Posted 09 December 2011 - 05:40 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic430839.html ~ OB

Hello, the topic was moved from Am I Infected? and I was instructed to post the DDS, GMER and ark logs here:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19154
Run by Glenn at 14:23:20 on 2011-12-09
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2047.1095 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\Core Temp\Core Temp.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Glenn\Desktop\Defogger.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uWindow Title =
mWindow Title =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [TkBellExe] "c:\program files\real\update\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{54F3E1C3-16C3-40D1-BC01-C5D79BF53784} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
AppInit_DLLs: c:\windows\system32\FileMonitor32.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
Hosts: 217.23.4.166 www.google-analytics.com.
Hosts: 217.23.4.166 ad-emea.doubleclick.net.
Hosts: 217.23.4.166 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsla5677b10;MpKsla5677b10;c:\programdata\microsoft\microsoft antimalware\definition updates\{db114c45-f223-40ac-a195-9ad7896b9b91}\MpKsla5677b10.sys [2011-12-9 29904]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-5-28 21504]
R2 MotoHelper.exe;Motorola Helper;c:\program files\motorola\moto helper service\MotoHelper.exe [2010-9-14 6656]
R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-4-26 223088]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-26 2218600]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-4-7 378472]
R3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l260x86.sys [2011-5-26 28672]
R3 BTWAMPFL;btwampfl;c:\windows\system32\drivers\btwampfl.sys [2011-7-4 302120]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-7-4 33832]
R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2007-1-24 299776]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2007-1-24 149504]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2007-1-24 498176]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2007-1-24 23552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-30 136176]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2005-7-19 57744]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2005-7-19 8336]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2005-7-19 93328]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2005-7-19 73152]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-30 136176]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2011-4-4 20480]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
.
=============== File Associations ===============
.
.exe=ah
.
=============== Created Last 30 ================
.
2011-12-09 17:21:52 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db114c45-f223-40ac-a195-9ad7896b9b91}\MpKsla5677b10.sys
2011-12-09 17:21:50 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db114c45-f223-40ac-a195-9ad7896b9b91}\offreg.dll
2011-12-09 04:44:09 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db114c45-f223-40ac-a195-9ad7896b9b91}\mpengine.dll
2011-12-01 06:48:47 -------- d-----w- c:\program files\Browser Hijack Recover
2011-11-30 20:27:21 388096 ----a-r- c:\users\glenn\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-30 20:27:19 -------- d-----w- c:\program files\Trend Micro
2011-11-30 17:41:32 0 ---ha-w- c:\users\glenn\appdata\local\BIT5659.tmp
2011-11-22 03:22:28 -------- d-----w- c:\users\glenn\appdata\local\BVRP Software
2011-11-22 03:17:08 -------- d-----w- c:\program files\Motorola Phone Tools
.
==================== Find3M ====================
.
2011-11-25 21:33:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-20 21:02:55 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 14:23:52.02 ===============


Attached File  Attach.txt   21.24KB
Attached File  ark.txt   16.29KB


I sincerely hope I have posted correctly and look forward to any help you may be able to provide.

Thanx
betteloop

Edited by Orange Blossom, 10 December 2011 - 01:01 PM.
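Three lines in the DDS report above are the ones a responder reads first: the HOSTS entries that send www.google-analytics.com, ad-emea.doubleclick.net and www.statcounter.com to public addresses (a legitimate ad-blocking HOSTS file only ever points names at loopback or 0.0.0.0), the AppInit_DLLs value (a DLL that every user-mode process on the box will load), and ".exe=ah" under File Associations, where a stock install reads ".exe=exefile". The script below is an added example, not part of the original post or of the DDS tool; it parses those line shapes out of a DDS report and flags them. SAMPLE_DDS is a constructed input assembled from lines copied out of the log above, and the set of "stock" ProgIDs and local sink addresses are assumptions stated in the code.

```python
"""Triage of a DDS 'Pseudo HJT Report': HOSTS redirects, AppInit_DLLs and
hijacked handler ProgIDs for runnable extensions.  Added example; the sample
input is constructed from lines in the posted log."""
import re
from collections import defaultdict

# Constructed input: lines copied from the DDS log in the thread.
SAMPLE_DDS = r"""
uSearchAssistant = hxxp://www.google.com/ie
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
AppInit_DLLs: c:\windows\system32\FileMonitor32.dll
Hosts: 217.23.4.166 www.google-analytics.com.
Hosts: 217.23.4.166 ad-emea.doubleclick.net.
Hosts: 217.23.4.166 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
=============== File Associations ===============
.exe=ah
"""

# Stock handler ProgIDs for extensions that must stay runnable for a fix tool to launch.
STOCK_ASSOC = {".exe": "exefile", ".com": "comfile", ".bat": "batfile",
               ".cmd": "cmdfile", ".pif": "piffile", ".scr": "scrfile", ".reg": "regfile"}
# Addresses a legitimate blocking HOSTS file points names at; anything else is a redirect.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+?)\s*$", re.I)
ASSOC_RE = re.compile(r"^(\.[A-Za-z0-9]+)=(\S+)$")


def triage(text):
    """Return a dict with keys hosts_override [(host, [ips])], appinit_dll [path]
    and hijacked_assoc [(ext, actual_progid, expected_progid)]."""
    report = {"hosts_override": [], "appinit_dll": [], "hijacked_assoc": []}
    by_host = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            # DDS prints the name with a trailing dot; normalise it away.
            ip, host = m.group(1), m.group(2).rstrip(".").lower()
            by_host[host].add(ip)
        elif m := APPINIT_RE.match(line):
            report["appinit_dll"].append(m.group(1))
        elif m := ASSOC_RE.match(line):
            ext, progid = m.group(1).lower(), m.group(2)
            expected = STOCK_ASSOC.get(ext)
            if expected and progid.lower() != expected:
                report["hijacked_assoc"].append((ext, progid, expected))
    for host in sorted(by_host):
        redirected = sorted(by_host[host] - LOCAL_SINKS)
        if redirected:  # one name mapped to several non-local IPs is reported once
            report["hosts_override"].append((host, redirected))
    return report


def summarize(report):
    """One human-readable line per finding, for pasting into a reply."""
    out = []
    for host, ips in report["hosts_override"]:
        out.append(f"HOSTS redirects {host} to {', '.join(ips)}")
    for dll in report["appinit_dll"]:
        out.append(f"AppInit_DLLs loads {dll} into every user-mode process")
    for ext, actual, expected in report["hijacked_assoc"]:
        out.append(f"{ext} opens via ProgID '{actual}' instead of '{expected}'")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_DDS)):
        print(line)
```

Run against the sample it reports three redirected names, the FileMonitor32.dll AppInit entry and the .exe handler swap; a clean HOSTS file (loopback entries only) and ".exe=exefile" produce no findings.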



#2 betteloop
  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female
  • Location:Phx. AZ

Posted 09 December 2011 - 08:10 PM

Hello again, I don't know if this happens to correlate with the findings of the logs posted, but presently it seems I have no executable files... for instance, when I launched IE from Quick Launch it did not open; it asked what program I would like to use to open the application... Malwarebytes, Microsoft Word... The error code says: The file does not have a program associated with it for performing this action. Create an association in the Set Association control panel.

Prior to running the GMER and DDS etc. logs I had not encountered this error... I just thought I should add the information to the post.

#3 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 14 December 2011 - 08:49 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please download ExeFix.scr by Farbar and save it to a flashdrive or on the root of the system drive (usually C:).
  • Important: Boot your computer into the account that has trouble running exe files.
  • Run the tool.
  • The tool notifies you within a fraction of a second to reboot the computer; please do so.
  • Please tell me if you are now able to run programs.
Note: If the tool did not run you may change the extension to .com or .bat or .cmd or .pif
Also note that in order for the fix to work you need to be booted into the user account that has trouble running exe files.
Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log

Edited by RPMcMurphy, 14 December 2011 - 08:52 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
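The ExeFix step and the fallback of renaming the tool to .com, .bat, .cmd or .pif both rest on one fact about Windows: every runnable extension has its own handler chain under HKEY_CLASSES_ROOT (".exe" names a ProgID, and that ProgID's shell\open\command says how to launch the file), and the DDS log showed only .exe rerouted (".exe=ah"). A tool renamed to an extension whose chain is intact still launches, and the generic repair, independent of whatever ExeFix.scr does internally, is to put the stock ProgID and command back. The script below is an added example, not from the thread and not Farbar's tool; it models the relevant keys as a dict of default values, audits them, lists which extensions still work, and emits a .reg file for the broken ones. SNAPSHOT_HIJACKED is a constructed stand-in for the registry in which the "ah" handler's command is a placeholder, not a path taken from the thread; the stock ProgID/command pairs in STOCK are the Windows defaults and are the example's assumption.

```python
"""Audit and repair of per-extension handler chains under HKEY_CLASSES_ROOT.
Added example; the snapshot is a constructed model, not a real registry dump."""
import re

HKCR = "HKEY_CLASSES_ROOT"

# Stock Windows handler chains: extension -> (ProgID, default of ProgID\shell\open\command).
STOCK = {
    ".exe": ("exefile", '"%1" %*'),
    ".com": ("comfile", '"%1" %*'),
    ".bat": ("batfile", '"%1" %*'),
    ".cmd": ("cmdfile", '"%1" %*'),
    ".pif": ("piffile", '"%1" %*'),
    ".scr": ("scrfile", '"%1" /S'),
}

# Constructed snapshot: a stock box with only .exe rerouted, as the DDS log reported.
SNAPSHOT_HIJACKED = {f"{HKCR}\\{ext}": progid for ext, (progid, _) in STOCK.items()}
SNAPSHOT_HIJACKED.update({f"{HKCR}\\{progid}\\shell\\open\\command": cmd
                          for progid, cmd in STOCK.values()})
SNAPSHOT_HIJACKED[f"{HKCR}\\.exe"] = "ah"                                      # ".exe=ah" in the log
SNAPSHOT_HIJACKED[f"{HKCR}\\ah\\shell\\open\\command"] = '"<hijacker>" "%1" %*'  # placeholder, hypothetical


def audit(snapshot):
    """{ext: reason} for every runnable extension whose chain differs from stock."""
    bad = {}
    for ext, (progid, command) in STOCK.items():
        actual = snapshot.get(f"{HKCR}\\{ext}")
        if actual != progid:
            bad[ext] = f"ProgID is {actual!r}, expected {progid!r}"
            continue
        cmd = snapshot.get(f"{HKCR}\\{progid}\\shell\\open\\command")
        if cmd != command:
            bad[ext] = f"open command is {cmd!r}, expected {command!r}"
    return bad


def still_runnable(snapshot):
    """Extensions a fix tool can be renamed to and still launch normally."""
    broken = audit(snapshot)
    return [ext for ext in STOCK if ext not in broken]


def reg_escape(value):
    # .reg syntax escapes backslashes and double quotes inside string values.
    return value.replace("\\", "\\\\").replace('"', '\\"')


def repair_reg(broken):
    """Text of a .reg file that restores the stock chain for each broken extension."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for ext in broken:
        progid, command = STOCK[ext]
        lines += [f"[{HKCR}\\{ext}]", f'@="{progid}"', "",
                  f"[{HKCR}\\{progid}\\shell\\open\\command]", f'@="{reg_escape(command)}"', ""]
    return "\r\n".join(lines)


def apply_reg(snapshot, reg_text):
    """Apply our own .reg output to the dict model (default values only)."""
    fixed, key = dict(snapshot), None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            fixed[key] = re.sub(r"\\(.)", r"\1", line[3:-1])  # undo reg_escape
    return fixed


def snapshot_from_registry():
    """Windows only: read the same default values from the live registry."""
    import winreg
    snap = {}
    for ext in STOCK:
        try:
            progid = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ext)
            snap[f"{HKCR}\\{ext}"] = progid
            snap[f"{HKCR}\\{progid}\\shell\\open\\command"] = winreg.QueryValue(
                winreg.HKEY_CLASSES_ROOT, f"{progid}\\shell\\open\\command")
        except OSError:
            pass  # missing key: audit() will report the gap
    return snap


if __name__ == "__main__":
    broken = audit(SNAPSHOT_HIJACKED)
    print("broken:", broken)
    print("still runnable:", still_runnable(SNAPSHOT_HIJACKED))
    print(repair_reg(broken))
```

On the constructed snapshot only .exe is reported, .com/.bat/.cmd/.pif/.scr are still runnable (which is why a renamed fix tool launches), and importing the generated .reg text back into the model leaves nothing for audit() to report. On a live Windows box, audit(snapshot_from_registry()) gives the same view of the real keys.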


#4 betteloop
  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female
  • Location:Phx. AZ

Posted 15 December 2011 - 02:10 PM

Hi there... thank you for your assistance. I was unable to get the first program to run as directed... I thought I saw a few different screens come up, but I don't have a log or results to post... I apologize...

I did run ComboFix and here are those results:
ComboFix 11-12-15.02 - Glenn 12/15/2011 11:16:17.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2047.1090 [GMT -7:00]
Running from: C:\Users\Glenn\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\prefs.js
C:\Users\Glenn\Documents\~WRL3102.tmp
C:\Users\Glenn\ExeFix.scr
C:\Windows\$NtUninstallKB26028$
C:\Windows\$NtUninstallKB26028$\1355458567
C:\Windows\$NtUninstallKB26028$\1368077351\@
C:\Windows\$NtUninstallKB26028$\1368077351\bckfg.tmp
C:\Windows\$NtUninstallKB26028$\1368077351\cfg.ini
C:\Windows\$NtUninstallKB26028$\1368077351\Desktop.ini
C:\Windows\$NtUninstallKB26028$\1368077351\keywords
C:\Windows\$NtUninstallKB26028$\1368077351\kwrd.dll
C:\Windows\$NtUninstallKB26028$\1368077351\L\fomtmfeh
C:\Windows\$NtUninstallKB26028$\1368077351\lsflt7.ver
C:\Windows\$NtUninstallKB26028$\1368077351\U\00000001.@
C:\Windows\$NtUninstallKB26028$\1368077351\U\00000002.@
C:\Windows\$NtUninstallKB26028$\1368077351\U\00000004.@
C:\Windows\$NtUninstallKB26028$\1368077351\U\80000000.@
C:\Windows\$NtUninstallKB26028$\1368077351\U\80000004.@
C:\Windows\$NtUninstallKB26028$\1368077351\U\80000032.@
C:\Windows\system32\bszip.dll


((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))


2011-12-15 18:25:07 . 2011-12-15 18:25:07 -------- d-----w- C:\Users\UpdatusUser\AppData\Local\temp
2011-12-15 18:25:07 . 2011-12-15 18:25:07 -------- d-----w- C:\Users\Default\AppData\Local\temp
2011-12-15 18:13:23 . 2011-12-15 18:13:23 56200 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3C043D49-9CA1-4531-B801-949797CB9B5B}\offreg.dll
2011-12-15 01:45:53 . 2011-11-21 10:47:38 6823496 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3C043D49-9CA1-4531-B801-949797CB9B5B}\mpengine.dll
2011-12-13 19:05:57 . 2011-12-13 20:14:19 -------- d-----w- C:\Users\Glenn\AppData\Local\Smilebox
2011-12-13 19:05:31 . 2011-12-13 19:41:24 -------- d-----w- C:\Users\Glenn\AppData\Roaming\Smilebox
2011-12-13 17:50:17 . 2011-12-13 17:50:17 -------- d-----w- C:\Users\Glenn\Untitled
2011-12-07 00:26:40 . 2011-12-07 00:26:40 4448256 ----a-w- C:\Windows\system32\GPhotos.scr
2011-12-01 06:48:47 . 2011-12-01 06:49:02 -------- d-----w- C:\Program Files\Browser Hijack Recover
2011-11-30 20:27:21 . 2011-11-30 20:27:22 388096 ----a-r- C:\Users\Glenn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-30 20:27:19 . 2011-11-30 20:27:19 -------- d-----w- C:\Program Files\Trend Micro
2011-11-30 17:41:32 . 2011-11-30 17:41:32 0 ---ha-w- C:\Users\Glenn\AppData\Local\BIT5659.tmp
2011-11-22 03:22:28 . 2011-11-22 03:22:28 -------- d-----w- C:\Users\Glenn\AppData\Local\BVRP Software
2011-11-22 03:17:08 . 2011-11-22 03:18:04 -------- d-----w- C:\Program Files\Motorola Phone Tools
2011-11-22 03:16:34 . 2011-11-22 03:16:34 -------- d-----w- C:\Users\Glenn\AppData\Roaming\InstallShield
2011-11-22 03:13:06 . 2011-11-29 21:50:03 -------- d-----w- C:\Users\Glenn\AppData\Roaming\Nikon
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-11-25 21:33:07 . 2011-05-26 10:50:07 414368 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 10:47:38 . 2011-05-27 11:24:40 6823496 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-11 02:00:32 . 2011-10-11 02:01:11 703824 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E9FC8EE6-4225-4BD1-8327-592D5FD880A2}\gapaengine.dll
2011-09-20 21:02:55 . 2011-11-09 15:20:54 905088 ----a-w- C:\Windows\system32\drivers\tcpip.sys
2011-09-17 01:47:31 . 2011-09-17 01:47:31 652296 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-09-17 01:46:55 . 2011-09-17 01:46:55 749832 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-09-17 01:46:35 . 2011-09-17 01:46:35 416128 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 03:52:02 762000 ----a-r- C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 03:52:02 762000 ----a-r- C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmileboxTray"="C:\Users\Glenn\AppData\Roaming\Smilebox\SmileboxTray.exe" [2011-12-01 19:43:04 313160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2011-06-15 22:16:48 997920]
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 03:52:00 948880]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 19:55:28 937920]
"Nikon Transfer Monitor"="C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-16 01:47:36 479232]
"TkBellExe"="C:\Program Files\Real\Update\realsched.exe" [2011-08-08 23:38:44 273544]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 09:41:12 49208]
"Malwarebytes' Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 00:00:48 1047208]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-3-25 840992]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55:28 937920 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

R1 MpKsl54922535;MpKsl54922535;c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{57E0EE9A-A163-4F41-BBA3-F581F1CC56F2}\MpKsl54922535.sys [x]
R1 MpKsl70ad4de9;MpKsl70ad4de9;c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AFAF3C91-4881-40BD-B8D4-5381CE4F8462}\MpKsl70ad4de9.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 20:16:28 130384]
R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-31 04:12:51 136176]
R3 cur_bus;Curitel USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\cur_bus.sys [2005-07-20 01:39:24 57744]
R3 cur_mdfl;Curitel Packet Service Filter;C:\Windows\system32\DRIVERS\cur_mdfl.sys [2005-07-20 01:40:52 8336]
R3 cur_mdm;Curitel Packet Service Drivers;C:\Windows\system32\DRIVERS\cur_mdm.sys [2005-07-20 01:40:56 93328]
R3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\Windows\system32\DRIVERS\cur_serd.sys [2005-07-20 01:42:22 73152]
R3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-31 04:12:51 136176]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\system32\drivers\mbamswissarmy.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys [2011-04-04 21:55:38 20480]
R3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys [2009-01-30 00:18:00 8320]
R3 MotDev;Motorola Inc. USB Device;C:\Windows\system32\DRIVERS\motodrv.sys [2009-05-08 18:56:12 42752]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 20:18:50 43392]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 22:25:24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 22:39:26 208944]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 20:16:28 753504]
R4 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2011-05-30 00:45:24 313624]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 19:55:28 64952]
S2 MotoHelper.exe;Motorola Helper;C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe [2010-09-15 06:33:34 6656]
S2 MotoHelper;MotoHelper Service;C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [2011-04-26 20:23:02 223088]
S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 05:14:00 2218600]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-08 04:54:52 378472]
S3 ALSysIO;ALSysIO;C:\Users\Glenn\AppData\Local\Temp\ALSysIO.sys [x]
S3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\Windows\system32\DRIVERS\l260x86.sys [2007-11-15 11:10:00 28672]
S3 BTWAMPFL;BTWAMPFL;C:\Windows\system32\DRIVERS\btwampfl.sys [2011-07-04 22:29:26 302120]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys [2011-07-04 22:29:26 33832]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;C:\Windows\system32\drivers\hcw88tse.sys [2007-01-24 21:25:36 299776]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;C:\Windows\system32\drivers\hcw88tun.sys [2007-01-24 21:25:38 149504]
S3 hcw88vid;Hauppauge WinTV 88x Video;C:\Windows\system32\drivers\hcw88vid.sys [2007-01-24 21:25:36 498176]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;C:\Windows\system32\drivers\HCW88BAR.sys [2007-01-24 21:25:38 23552]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 00:23:54 38400 ----a-w- C:\Windows\System32\SoundSchemes.exe

Contents of the 'Scheduled Tasks' folder

2011-12-15 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-31 04:13:00 . 2011-05-31 04:12:51]

2011-12-15 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-31 04:13:00 . 2011-05-31 04:12:51]

2011-12-15 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-395952378-2028111303-4093731380-1000Core.job
- C:\Users\Glenn\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-10 07:36:54 . 2011-12-10 07:36:51]

2011-12-15 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-395952378-2028111303-4093731380-1000UA.job
- C:\Users\Glenn\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-10 07:36:54 . 2011-12-10 07:36:51]

2011-12-15 C:\Windows\Tasks\User_Feed_Synchronization-{D8E08906-EEE0-44C1-A2AC-7A0D2DDB3FA9}.job
- C:\Windows\system32\msfeedssync.exe [2011-12-14 11:47:35 . 2011-11-03 04:44:45]


------- Supplementary Scan -------

uDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11

- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{95A27763-F62A-4114-9072-E81D87DE3B68} - (no file)
MSConfigStartUp-DealRunner - C:\Program Files\DealRunner\DealRunner.exe
MSConfigStartUp-HP Software Update - D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-StartNowToolbarHelper - C:\Program Files\StartNow Toolbar\ToolbarHelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 11:25:14
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

Completion time: 2011-12-15 11:27:07
ComboFix-quarantined-files.txt 2011-12-15 18:26:55

Pre-Run: 121,905,610,752 bytes free
Post-Run: 121,911,123,968 bytes free

- - End Of File - - DAD21EE5FC9FB2FB352BF79C6A72E189

#5 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 15 December 2011 - 05:14 PM

betteloop:

ExeFix would not have produced a log, but it should have fixed the trouble you were having running exes. Please do this next:

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
rem List every file, including hidden and system ones, in the folder and all its subfolders
dir /a /s "C:\Users\Glenn\Untitled" > log.txt
rem Show the listing in Notepad, then remove the temporary file once Notepad is closed
notepad log.txt
del log.txt

Save this as peek.bat. Choose "Save type as - All Files".
Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • peek.bat results
  • MBAM log

Edited by RPMcMurphy, 15 December 2011 - 05:15 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#6 betteloop (Topic Starter)

Posted 15 December 2011 - 07:11 PM

Volume in drive C has no label.
Volume Serial Number is FAFE-C58C

Directory of C:\Users\Glenn\Untitled

12/13/2011 10:50 AM <DIR> .
12/13/2011 10:50 AM <DIR> ..
12/13/2011 10:50 AM 68 .picasa.ini
12/12/2011 03:40 AM 25,822 GirlpulledByRabbit.jpg
2 File(s) 25,890 bytes

Total Files Listed:
2 File(s) 25,890 bytes
2 Dir(s) 121,808,183,296 bytes free





Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8377

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19170

12/15/2011 5:10:13 PM
mbam-log-2011-12-15 (17-10-13).txt

Scan type: Full scan (C:\|)
Objects scanned: 368938
Time elapsed: 45 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Glenn\Desktop\tamtam\astrology.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
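
The MBAM log above has a fixed layout: a header, a block of "<section>: <count>" summary lines, then one detail section per category listing each item as "<path or key> (<detection name>) -> <action>." The following parser, added here as an example and not part of the thread or of Malwarebytes' own tooling, reads that layout, cross-checks every summary count against the number of detail lines actually listed, and pulls out items the scanner could only schedule for removal at reboot (the "Delete on reboot" action, which is why the helper's instructions say to restart when prompted). SAMPLE_LOG is an abridged copy of the log posted in this thread; CONSTRUCTED_LOG is made up to show a pending-reboot entry and a count mismatch, and the key and file names in it are placeholders.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the MBAM 1.51 log posted in this thread (header, summary
# counts and the one populated detail section). Raw string: the paths contain
# backslashes that must survive as-is.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8377

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19170

12/15/2011 5:10:13 PM
mbam-log-2011-12-15 (17-10-13).txt

Scan type: Full scan (C:\|)
Objects scanned: 368938
Time elapsed: 45 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\Users\Glenn\Desktop\tamtam\astrology.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
"""

# Constructed log (not from the thread, placeholder names): one item that MBAM
# could only schedule for deletion at reboot, and a "Files Infected" summary
# count that disagrees with the detail list.
CONSTRUCTED_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8377
Scan type: Quick scan
Objects scanned: 12345

Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ExampleKey (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\Program Files (x86)\Example\dropper.exe (Trojan.Agent) -> Delete on reboot.
"""


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # file path or registry key as written in the log
    name: str      # detection name, e.g. "Adware.FunWeb"
    action: str    # what MBAM did, without the trailing period


@dataclass
class MbamReport:
    database_version: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    counts: dict = field(default_factory=dict)        # section -> summary count
    detections: list = field(default_factory=list)    # Detection objects in log order


# "Files Infected: 1" (summary) or "Files Infected:" (start of a detail section)
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?$")
# "<item> (<name>) -> <action>."  The non-greedy item tolerates "(x86)" in paths.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> MbamReport:
    """Parse the text of an MBAM 1.x log into an MbamReport."""
    report = MbamReport()
    section = None  # detail section we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                report.counts[m.group("section")] = int(m.group("count"))
                section = None
            else:
                section = m.group("section")
            continue
        key, sep, value = line.partition(":")
        if sep and key == "Database version":
            report.database_version = value.strip()
        elif sep and key == "Scan type":
            report.scan_type = value.strip()
        elif sep and key == "Objects scanned":
            report.objects_scanned = int(value.strip())
        elif section and line != "(No malicious items detected)":
            d = DETECTION_RE.match(line)
            if d:
                report.detections.append(Detection(section, d["item"], d["name"], d["action"]))
    return report


def consistency_errors(report: MbamReport) -> list:
    """Summary counts that do not match the number of detail lines parsed."""
    listed = {}
    for d in report.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return [f"{section}: summary says {count}, detail lists {listed.get(section, 0)}"
            for section, count in report.counts.items() if listed.get(section, 0) != count]


def pending_reboot(report: MbamReport) -> list:
    """Items MBAM could not remove immediately and deferred to the next reboot."""
    return [d for d in report.detections if d.action.lower().startswith("delete on reboot")]


if __name__ == "__main__":
    for label, text in (("thread log", SAMPLE_LOG), ("constructed log", CONSTRUCTED_LOG)):
        r = parse_mbam_log(text)
        print(label, "- detections:", [(d.section, d.item, d.name) for d in r.detections])
        print("  pending reboot:", [d.item for d in pending_reboot(r)])
        print("  consistency errors:", consistency_errors(r))
```

For the log posted in this thread the parser finds exactly one detection, the astrology.exe entry, the summary counts agree with the detail list, and nothing is pending a reboot. On the constructed log it reports the dropper.exe entry as pending a reboot and flags "Files Infected" as a count mismatch; a mismatch or a non-empty pending list is the cue to restart and rescan before treating a machine as clean.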

#7 RPMcMurphy (Malware Response Team)

Posted 15 December 2011 - 09:35 PM

betteloop:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#8 betteloop (Topic Starter)

Posted 16 December 2011 - 02:20 AM

updated java as directed
The computer is running much better...thank you...am I cured/healed? Do please tell me when to turn security and virus protection back on...
here is the requested
C:\Program Files\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Program Files\Veoh Networks\VeohWebPlayer\qlipso-qlipso-silent-us.exe a variant of Win32/Toolbar.Zugo application

Am I supposed to delete these? I'm sure you will advise. Thank you

Edited by betteloop, 16 December 2011 - 02:21 AM.


#9 RPMcMurphy (Malware Response Team)

Posted 16 December 2011 - 11:07 PM

betteloop:

Your logs look good. ESET is flagging your Veoh player, but I'll leave that one up to you. If you find it useful feel free to keep it, or if you'd rather get rid of it you can simply uninstall it.

All I have left for you is some very important cleanup:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • exeFix
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine
  • If it doesn't, manually reboot to ensure a complete clean
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#10 betteloop (Topic Starter)

Posted 19 December 2011 - 04:11 AM

Ok, I did as you instructed, removing apps and tools, rebooted and ran a scan - looks good, so far so good. I want to say thank you very much for all your help...
hugs, lots of pc love
betteloop

#11 RPMcMurphy (Malware Response Team)

Posted 19 December 2011 - 08:55 PM

You're welcome, betteloop. Take care!



#12 RPMcMurphy (Malware Response Team)

Posted 20 December 2011 - 07:28 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





