
West Yorkshire police Ukash virus help please


9 replies to this topic

#1 anothername (Members, 5 posts)

Posted 23 August 2012 - 10:39 AM

My computer has been infected with the West Yorkshire police Ukash virus. When booted normally, the machine presents a screen demanding payment for illegal activity. The computer cannot be used, as it is not possible to get access to the desktop: the virus screen takes up the whole area of the screen. Task manager cannot be started, nor can any other program. As far as I can work out, my data files have not been affected; some users have reported that the virus encrypts them, but they seemed OK on my system.

However, I can boot to Safe mode. In Safe mode, the virus screen does not appear. I ran McAfee and this picked up a few nasties and removed them, as did Malware Bytes. However, the virus remains when the computer is booted up normally again. Running McAfee and Malware Bytes again in Safe mode does not find anything else.

The computer is a laptop and, when booted in Safe mode, it comes up with a display of probably 640 x 480 resolution. This means it is not possible to see the buttons at the bottom of some larger dialogue boxes, or to move them so that the lower part is visible; other than that it is not a particular problem. It is not possible to change the screen resolution back to the native resolution.

I would be grateful for any help you can provide. The computer is running Windows XP service pack 3.


#2 narenxp (BC Advisor, 16,371 posts, India)

Posted 23 August 2012 - 10:40 AM

Download

TDSSkiller

Launch it. Click on change parameters - select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here

Download

ESET online scanner

Install it

Click on START, it should download the virus definitions
When the scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#3 anothername (Topic Starter, Members, 5 posts)

Posted 23 August 2012 - 04:17 PM

Thank you for your swift response. Here are the logs of what was found:

TDSSkiller

17:12:59.0593 2012 TDSS rootkit removing tool 2.8.7.0 Aug 20 2012 17:30:03
17:12:59.0796 2012 ============================================================
17:12:59.0796 2012 Current date / time: 2012/08/23 17:12:59.0796
17:12:59.0796 2012 SystemInfo:
17:12:59.0796 2012
17:12:59.0796 2012 OS Version: 5.1.2600 ServicePack: 3.0
17:12:59.0796 2012 Product type: Workstation
17:12:59.0796 2012 ComputerName: BUS-WO57112903
17:12:59.0796 2012 UserName: xpuser1
17:12:59.0796 2012 Windows directory: C:\WINDOWS
17:12:59.0796 2012 System windows directory: C:\WINDOWS
17:12:59.0796 2012 Processor architecture: Intel x86
17:12:59.0796 2012 Number of processors: 2
17:12:59.0796 2012 Page size: 0x1000
17:12:59.0796 2012 Boot type: Safe boot with network
17:12:59.0796 2012 ============================================================
17:13:01.0687 2012 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:13:01.0687 2012 ============================================================
17:13:01.0687 2012 \Device\Harddisk0\DR0:
17:13:01.0687 2012 MBR partitions:
17:13:01.0687 2012 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x12A18800
17:13:01.0687 2012 ============================================================
17:13:01.0718 2012 Initialize success
17:13:01.0718 2012 ============================================================
17:14:09.0781 0252 ============================================================
17:14:09.0781 0252 Scan started
17:14:09.0781 0252 Mode: Manual; TDLFS;
17:14:09.0781 0252 ============================================================
17:14:11.0625 0252 ================ Scan system memory ========================
17:14:11.0625 0252 System memory - ok
17:14:11.0625 0252 ================ Scan services =============================
17:14:20.0640 0252 ================ Scan global ===============================
17:14:20.0656 0252 [Global] - ok
17:14:20.0671 0252 ================ Scan MBR ==================================
17:14:20.0703 0252 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
17:14:20.0921 0252 \Device\Harddisk0\DR0 - ok
17:14:20.0921 0252 ================ Scan VBR ==================================
17:14:20.0937 0252 [ 434965715C717B0C9C4F6D99BB2F359A ] \Device\Harddisk0\DR0\Partition1
17:14:20.0953 0252 \Device\Harddisk0\DR0\Partition1 - ok
17:14:20.0953 0252 ============================================================
17:14:20.0953 0252 Scan finished
17:14:20.0953 0252 ============================================================
17:14:21.0000 0208 Detected object count: 0
17:14:21.0000 0208 Actual detected object count: 0
17:15:02.0921 2008 Deinitialize success



aswMBR

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-23 17:15:55
-----------------------------
17:15:55.687 OS Version: Windows 5.1.2600 Service Pack 3
17:15:55.687 Number of processors: 2 586 0x170A
17:15:55.687 ComputerName: BUS-WO57112903 UserName: xpuser1
17:15:56.218 Initialize success
17:19:17.656 AVAST engine defs: 12082300
17:19:53.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:19:53.078 Disk 0 Vendor: Hitachi_HTS545016B9A300 PBBOC60F Size: 152627MB BusType: 3
17:19:54.796 Disk 0 MBR read successfully
17:19:54.812 Disk 0 MBR scan
17:19:54.875 Disk 0 Windows 7 default MBR code
17:19:54.906 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 2048
17:19:54.937 Disk 0 scanning sectors +312578048
17:19:55.046 Disk 0 scanning C:\WINDOWS\system32\drivers
17:20:01.765 Service scanning
17:20:25.656 Modules scanning
17:20:31.375 Disk 0 trace - called modules:
17:20:31.437 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
17:20:31.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a57dab8]
17:20:32.468 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a515d98]
17:20:33.234 AVAST engine scan C:\WINDOWS
17:20:42.421 AVAST engine scan C:\WINDOWS\system32
17:23:11.875 AVAST engine scan C:\WINDOWS\system32\drivers
17:23:24.109 AVAST engine scan C:\Documents and Settings\xpuser1
17:24:34.234 File: C:\Documents and Settings\xpuser1\Local Settings\Application Data\Microsoft\Windows\3459\tcpmonui.exe **INFECTED** Win32:Kryptik-JOY [Trj]
17:30:09.656 AVAST engine scan C:\Documents and Settings\All Users
17:37:48.015 Scan finished successfully
17:41:47.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\xpuser1\Desktop\MBR.dat"
17:41:47.468 The log file has been saved successfully to "C:\Documents and Settings\xpuser1\Desktop\aswMBR.txt"


ESET

C:\Documents and Settings\xpuser1\Local Settings\Application Data\Microsoft\Windows\3459\tcpmonui.exe a variant of Win32/Kryptik.AJOQ trojan cleaned by deleting - quarantined
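A triage helper added here for the three logs in this post (it is not a tool from the thread): it pulls the detections out of the aswMBR and ESET output, reads the TDSSKiller summary count, and groups hits by path so it is visible that both scanners flagged the same file and that ESET removed it. The "user profile data folder" check is my own heuristic, not something the thread states; the sample input is copied from the logs above.

```python
"""Triage of the scanner logs posted above: extract every detection, group hits
by file path across scanners, and flag paths that sit in user profile data folders."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Detection:
    scanner: str
    path: str
    threat: str
    action: str


# aswMBR reports a hit as "<time> File: <path> **INFECTED** <engine verdict>"
ASWMBR_HIT = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<threat>.+?)\s*$")
# ESET exports "<path> <threat description> <action taken>"; the path is cut at its extension
ESET_HIT = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|dat|sys|scr|tmp|com))\s+"
    r"(?P<threat>.+?)\s+(?P<action>(?:cleaned|deleted|quarantined|unable).*?)\s*$",
    re.IGNORECASE)
# TDSSKiller closes its log with a summary count (0 in this thread)
TDSS_COUNT = re.compile(r"\bDetected object count:\s+(?P<n>\d+)")
# Heuristic (my assumption, not stated in the thread): a hit under a user's
# Application Data / Local Settings is a user-writable drop location worth flagging
PROFILE_DATA = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Local Settings\\)?Application Data\\", re.IGNORECASE)

# Excerpts copied from the three logs posted above
ASWMBR_LOG = r"""17:23:24.109 AVAST engine scan C:\Documents and Settings\xpuser1
17:24:34.234 File: C:\Documents and Settings\xpuser1\Local Settings\Application Data\Microsoft\Windows\3459\tcpmonui.exe **INFECTED** Win32:Kryptik-JOY [Trj]
17:30:09.656 AVAST engine scan C:\Documents and Settings\All Users
17:37:48.015 Scan finished successfully"""
ESET_LOG = r"""C:\Documents and Settings\xpuser1\Local Settings\Application Data\Microsoft\Windows\3459\tcpmonui.exe a variant of Win32/Kryptik.AJOQ trojan cleaned by deleting - quarantined"""
TDSS_LOG = r"""17:14:20.0953 0252 Scan finished
17:14:21.0000 0208 Detected object count: 0
17:14:21.0000 0208 Actual detected object count: 0"""


def parse_aswmbr(log: str) -> List[Detection]:
    hits = []
    for line in log.splitlines():
        m = ASWMBR_HIT.match(line.strip())
        if m:  # aswMBR only reports; removal is left to another tool
            hits.append(Detection("aswMBR", m["path"], m["threat"], "reported"))
    return hits


def parse_eset(log: str) -> List[Detection]:
    hits = []
    for line in log.splitlines():
        m = ESET_HIT.match(line.strip())
        if m:
            hits.append(Detection("ESET", m["path"], m["threat"], m["action"]))
    return hits


def parse_tdsskiller_count(log: str) -> Optional[int]:
    m = TDSS_COUNT.search(log)
    return int(m["n"]) if m else None


def in_profile_data(path: str) -> bool:
    return PROFILE_DATA.search(path) is not None


def correlate(detections: List[Detection]) -> Dict[str, List[str]]:
    """Map each path (case-folded, since NTFS is case-insensitive) to the scanners that hit it."""
    by_path = defaultdict(set)
    for d in detections:
        by_path[d.path.lower()].add(d.scanner)
    return {p: sorted(s) for p, s in by_path.items()}


def triage(aswmbr_log: str, eset_log: str, tdss_log: str) -> dict:
    detections = parse_aswmbr(aswmbr_log) + parse_eset(eset_log)
    by_path = correlate(detections)
    removed = {d.path.lower() for d in detections if d.action != "reported"}
    return {
        "detections": detections,
        "by_path": by_path,
        "tdss_count": parse_tdsskiller_count(tdss_log),
        "flagged_paths": sorted(p for p in by_path if in_profile_data(p)),
        "unhandled_paths": sorted(p for p in by_path if p not in removed),  # seen but not removed
    }


if __name__ == "__main__":
    result = triage(ASWMBR_LOG, ESET_LOG, TDSS_LOG)
    for path, scanners in result["by_path"].items():
        print(f"{path}\n  flagged by: {', '.join(scanners)}")
    print("TDSSKiller detections:", result["tdss_count"])
    print("hits in user profile data folders:", result["flagged_paths"])
    print("hits nobody removed:", result["unhandled_paths"])
```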

#4 narenxp (BC Advisor, 16,371 posts, India)

Posted 23 August 2012 - 04:27 PM

Reboot to normal mode

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan

Click on SHOW results. Select all infections and remove them

Reboot the PC and scan MBAM once in regular mode until you get a clean log

Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Download

FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.


Download

adware cleaner

Launch it, click on Delete

Post the generated log

#5 anothername (Topic Starter, Members, 5 posts)

Posted 24 August 2012 - 12:57 PM

These are the logs from the programs:

Malware bytes - run twice; the first time it found and removed three nasties, the second time it was clear:


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.24.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
xpuser1 :: BUS-WO57112903 [administrator]

24/08/2012 13:00:03
mbam-log-2012-08-24 (13-00-03).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 431021
Time elapsed: 2 hour(s), 14 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\xpuser1\Application Data\hellomoto (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Documents and Settings\xpuser1\Application Data\hellomoto\TujP.dat (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\xpuser1\Application Data\hellomoto\BukF.dat (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.

(end)


Malware bytes log 2



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.24.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
xpuser1 :: BUS-WO57112903 [administrator]

24/08/2012 16:07:08
mbam-log-2012-08-24 (16-07-08).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 430976
Time elapsed: 2 hour(s), 21 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Mini tool box log:


MiniToolBox by Farbar Version: 23-07-2012
Ran by xpuser1 (administrator) on 24-08-2012 at 18:32:44
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================


WARNING: Could not obtain host information from machine: [BUS-WO57112903]. Some commands may not be available.
The specified module could not be found.



# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : bus-wo57112903
Primary Dns Suffix . . . . . . . : lsbu.ac.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : lsbu.ac.uk
                                    lan
                                    ac.uk

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : Intel® WiFi Link 5300 AGN
Physical Address. . . . . . . . . : 00-21-6A-C2-4C-F0
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Lease Obtained. . . . . . . . . . : 24 August 2012 15:56:03
Lease Expires . . . . . . . . . . : 25 August 2012 15:56:03

Server: dsldevice.lan
Address: 192.168.1.254

Name: google.com
Addresses: 173.194.34.166, 173.194.34.167, 173.194.34.168, 173.194.34.169
173.194.34.174, 173.194.34.160, 173.194.34.161, 173.194.34.162, 173.194.34.163
173.194.34.164, 173.194.34.165

Pinging google.com [173.194.34.163] with 32 bytes of data:
Reply from 173.194.34.163: bytes=32 time=24ms TTL=54
Reply from 173.194.34.163: bytes=32 time=24ms TTL=54

Ping statistics for 173.194.34.163:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 24ms, Average = 24ms

Server: dsldevice.lan
Address: 192.168.1.254

Name: yahoo.com
Addresses: 72.30.38.140, 98.138.253.109, 98.139.183.24

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=628ms TTL=46
Reply from 98.139.183.24: bytes=32 time=813ms TTL=46

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 628ms, Maximum = 813ms, Average = 720ms

Server: dsldevice.lan
Address: 192.168.1.254

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10004 ...00 21 6a c2 4c f0 ...... Intel® WiFi Link 5300 AGN - McAfee NDIS Intermediate Filter Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.64 192.168.1.64 10
192.168.1.64 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.64 192.168.1.64 10
224.0.0.0 240.0.0.0 192.168.1.64 192.168.1.64 10
255.255.255.255 255.255.255.255 192.168.1.64 192.168.1.64 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/24/2012 04:47:16 PM) (Source: McLogEvent) (User: )
Description: The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 5 seconds;

Error: (08/24/2012 04:46:16 PM) (Source: McLogEvent) (User: NT AUTHORITY)NT AUTHORITY
Description: A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 3984 (0xf90)

Thread address : 0x1221E4FA

Thread message :

Build VSCORE.14.1.0.515 / 5400.1158
Object being scanned = \Device\Harddisk0\DP(1)0x100000-0x2543100000+1\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
by C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (08/24/2012 03:59:47 PM) (Source: UserInit) (User: )
Description: Could not execute the following script AddGroup.cmd. The system cannot find the file specified.
.

Error: (08/24/2012 03:59:47 PM) (Source: UserInit) (User: )
Description: Could not execute the following script enclosure.vbs. The system cannot find the file specified.
.

Error: (08/24/2012 03:59:47 PM) (Source: UserInit) (User: )
Description: Could not execute the following script EnableLaptopFW.cmd. The system cannot find the file specified.
.

Error: (08/24/2012 03:59:47 PM) (Source: UserInit) (User: )
Description: Could not execute the following script InstallHolidayFile.vbs. The system cannot find the file specified.
.

Error: (08/24/2012 03:59:47 PM) (Source: UserInit) (User: )
Description: Could not execute the following script ConfigureSpssToAuthenticateFromLicenceServer.vbs. The system cannot find the file specified.
.

Error: (08/24/2012 03:59:47 PM) (Source: UserInit) (User: )
Description: Could not execute the following script InstallAgent.vbs. The system cannot find the file specified.
.

Error: (08/24/2012 03:57:04 PM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (08/24/2012 03:56:00 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.


System errors:
=============
Error: (08/24/2012 05:46:58 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 119 minutes.
NtpClient has no source of accurate time.

Error: (08/24/2012 04:46:59 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 59 minutes.
NtpClient has no source of accurate time.

Error: (08/24/2012 04:16:59 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Error: (08/24/2012 04:01:56 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (08/24/2012 04:01:55 PM) (Source: PlugPlayManager) (User: )
Description: The device 'JMicron PCI Express Gigabit Ethernet Adapter' (PCI\VEN_197B&DEV_0250&SUBSYS_84301558&REV_03\4&296e4dac&0&05E4) disappeared from the system without first being prepared for removal.

Error: (08/24/2012 04:01:53 PM) (Source: PlugPlayManager) (User: )
Description: The device 'JMB38X MS Host Controller' (PCI\VEN_197B&DEV_2383&SUBSYS_84301558&REV_80\4&296e4dac&0&03E4) disappeared from the system without first being prepared for removal.

Error: (08/24/2012 04:01:53 PM) (Source: PlugPlayManager) (User: )
Description: The device 'JMB38X SD Host Controller' (PCI\VEN_197B&DEV_2381&SUBSYS_84301558&REV_80\4&296e4dac&0&02E4) disappeared from the system without first being prepared for removal.

Error: (08/24/2012 04:01:53 PM) (Source: PlugPlayManager) (User: )
Description: The device 'JMB38X SD/MMC Host Controller' (PCI\VEN_197B&DEV_2382&SUBSYS_84301558&REV_80\4&296e4dac&0&00E4) disappeared from the system without first being prepared for removal.

Error: (08/24/2012 03:56:56 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (08/24/2012 03:56:51 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

7-Zip 4.57
Accounts (Version: 16.0.14.147)
Adobe AIR (Version: 1.5.3.9120)
Adobe Community Help (Version: 3.0.0)
Adobe Community Help (Version: 3.0.0.400)
Adobe Dreamweaver CS5 (Version: 11.0)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.271)
Adobe Media Player (Version: 1.8)
Adobe Reader X (10.1.4) (Version: 10.1.4)
BufferChm (Version: 60.0.155.000)
Canon Camera Access Library (Version: 8.3.0.1)
Canon Camera Support Core Library (Version: 7.3.1.6)
Canon Camera Window DC_DV 5 for ZoomBrowser EX (Version: 5.4.5.17)
Canon Camera Window DC_DV 6 for ZoomBrowser EX (Version: 6.4.0.9)
Canon Camera Window MC 6 for ZoomBrowser EX (Version: 6.3.0.8)
Canon G.726 WMP-Decoder (Version: 1.1.0.4)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.3.1.5)
Canon Internet Library for ZoomBrowser EX (Version: 1.5.1.4)
Canon MovieEdit Task for ZoomBrowser EX (Version: 2.4.0.14)
Canon RAW Image Task for ZoomBrowser EX (Version: 2.6.0.13)
Canon RemoteCapture Task for ZoomBrowser EX (Version: 1.7.0.8)
Canon Utilities EOS Utility (Version: 1.1.0.8)
Canon Utilities PhotoStitch (Version: 3.1.19.43)
Canon Utilities ZoomBrowser EX (Version: 5.8.0.74)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
CP_AtenaShokunin1Config (Version: 60.0.155.000)
CP_CalendarTemplates1 (Version: 60.0.155.000)
cp_OnlineProjectsConfig (Version: 60.0.155.000)
CP_Package_Basic1 (Version: 60.0.155.000)
CP_Panorama1Config (Version: 60.0.155.000)
cp_PosterPrintConfig (Version: 60.0.155.000)
CueTour (Version: 60.0.155.000)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Destinations (Version: 60.0.155.000)
DeviceFunctionQFolder (Version: 1.00.0000)
DeviceManagementQFolder (Version: 1.00.0000)
dj_taplugin (Version: 60.0.196.000)
dj6980 (Version: 60.0.196.000)
Easy CD & DVD Creator 6 (Version: 6.1.1.40)
ESET Online Scanner v3
eSupportQFolder (Version: 1.00.0000)
FileZilla Client 3.5.0 (Version: 3.5.0)
FullDPAppQFolder (Version: 1.00.0000)
Google Chrome (Version: 21.0.1180.83)
Google Earth Plug-in (Version: 6.1.0.5001)
Google Update Helper (Version: 1.3.21.115)
Hotkey (Version: 1.00.0000)
HP Deskjet 6900 series (Version: 6.0)
HP Imaging Device Functions 6.0 (Version: 6.0)
HP Photosmart Premier Software 6.0 (Version: 6.0)
HP Software Update (Version: 3.0.6.003)
HP Solution Center and Imaging Support Tools 6.0 (Version: 6.0)
hpf_ProductContext (Version: 60.0.196.000)
HPProductAssistant (Version: 60.0.155.000)
Inspiration 8 IE
InstantShareDevices (Version: 60.0.155.000)
Intel® Graphics Media Accelerator Driver (Version: 6.14.10.5355)
Jasc Paint Shop Pro 8 (Version: 8.10.0000)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
JMicron Ethernet Adapter NDIS Driver (Version: 5.0.11.10)
JMicron JMB38X Flash Media Controller (Version: 1.0.33.2)
Juniper Networks Host Checker (Version: 7.1.0.19757)
Juniper Networks, Inc. Setup Client (Version: 7.1.5.14305)
LP6980_Help (Version: 60.0.196.000)
LP6980Trb (Version: 60.0.196.000)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
McAfee Agent (Version: 4.5.0.1719)
McAfee AntiSpyware Enterprise Module (Version: 8.7.0.129)
McAfee Host Intrusion Prevention (Version: 7.00.0601)
McAfee VirusScan Enterprise (Version: 8.7.0)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft IntelliPoint 6.2 (Version: 6.20.182.0)
Microsoft IntelliType Pro 6.2 (Version: 6.20.182.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Project 2007 Service Pack 3 (SP3)
Microsoft Office Project MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Project Professional 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Visio 2007 Service Pack 3 (SP3)
Microsoft Office Visio MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Visio Professional 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6612.1000)
Microsoft Software Update for Web Folders (English) 14 (Version: 14.0.6029.1000)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft_VC80_CRT_x86 (Version: 1.00.0000)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
PASW Statistics 18 (Version: 18.0.0)
PhotoGallery (Version: 60.0.155.000)
PowerDVD
Quicken Deluxe 98
QuickTime Alternative 2.7.0 (Version: 2.7.0)
RandMap (Version: 60.0.155.000)
Readme (Version: 60.0.196.000)
Real Alternative 1.9.0 (Version: 1.9.0)
Realtek High Definition Audio Driver (Version: 5.10.0.5888)
Sage 50 Accounts 2010 (Version: 16.0.14.147)
SkinsHP1 (Version: 60.0.155.000)
SolutionCenter (Version: 60.0.155.000)
Sonic_PrimoSDK (Version: 60.0.155.000)
Status (Version: 60.0.155.000)
Synaptics Pointing Device Driver (Version: 13.2.3.0)
System Requirements Lab for Intel (Version: 4.4.24.0)
TrayApp (Version: 60.0.155.000)
Unload (Version: 6.0.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 60.0.155.000)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11

========================= Memory info: ===================================

Percentage of memory in use: 33%
Total physical RAM: 2008.79 MB
Available physical RAM: 1342.69 MB
Total Pagefile: 3901.66 MB
Available Pagefile: 3410.62 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.99 MB

========================= Partitions: =====================================

1 Drive c: (SYSTEM) (Fixed) (Total:149.05 GB) (Free:89.05 GB) NTFS

========================= Users: ========================================

User accounts for \\BUS-WO57112903

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 xpuser1


**** End of log ****


FSS log

Farbar Service Scanner Version: 06-08-2012
Ran by xpuser1 (administrator) on 24-08-2012 at 18:37:20
Running from "C:\Documents and Settings\xpuser1\My Documents\Downloads"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
FireTDI(8) Gpc(3) IPSec(5) mfetdik(8) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****


Adware cleaner log:


# AdwCleaner v1.801 - Logfile created 08/24/2012 at 18:39:22
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : xpuser1 - BUS-WO57112903
# Boot Mode : Normal
# Running from : C:\Documents and Settings\xpuser1\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.83

File : C:\Documents and Settings\xpuser1\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted : "description": "The fastest way to search the web.",

*************************

AdwCleaner[S1].txt - [912 octets] - [24/08/2012 18:39:22]

########## EOF - C:\AdwCleaner[S1].txt - [1039 octets] ##########
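The FSS log above is what the helper reads before deciding on a service fix: the Security Center block says the wscsvc service key is absent from the registry, while every system file in the File Check block still matches its known-good hash. As an added example that is not part of the original thread or of the FSS tool, here is a small Python triage script that parses an FSS report and pulls out those findings: services whose registry key is missing, files whose MD5 was not verified as legit, and the connectivity checks. The sample log embedded in it is constructed from the lines posted above; the last File Check line is made up, and the wording FSS uses for a failed hash or failed connectivity check is an assumption, since the page only shows the success wording.

```python
"""Triage a Farbar Service Scanner (FSS) log.

Added example, not code from the original thread or from FSS itself. It reads
the plain-text report FSS writes and pulls out what a helper checks first:
services whose registry configuration could not be read (the "ATTENTION!"
lines), system files whose MD5 did not match the known-good hash, and the
connectivity checks.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: abridged from the FSS log posted in this thread. The last
# File Check line is hypothetical; the exact wording FSS uses for a bad hash is
# not shown on the page, so the parser treats any verdict other than
# "MD5 is legit" as a finding.
SAMPLE_FSS_LOG = r"""Farbar Service Scanner Version: 06-08-2012
Ran by xpuser1 (administrator) on 24-08-2012 at 18:37:20
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\example_constructed.dll => MD5 does not match
"""

NOT_RUNNING_RE = re.compile(r"^(?P<svc>\w+) Service is not running")
ATTENTION_RE = re.compile(r"^Checking (?P<what>[\w ]+?): ATTENTION!=+> (?P<msg>.+)$")
KEY_RE = re.compile(r"Unable to open (?P<svc>\w+) registry key")
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?) => (?P<verdict>.+)$")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][\w ]*):$")   # "File Check:", etc.


@dataclass
class FssFindings:
    not_running: List[str] = field(default_factory=list)
    attention: Dict[str, List[str]] = field(default_factory=dict)  # service -> messages
    legit_files: List[str] = field(default_factory=list)
    bad_files: List[str] = field(default_factory=list)
    connectivity: List[str] = field(default_factory=list)

    def services_missing_key(self) -> List[str]:
        """Services FSS could not find under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
        return [svc for svc, msgs in self.attention.items()
                if any("service key does not exist" in m.lower() for m in msgs)]

    def connectivity_ok(self) -> bool:
        # Assumption: a failed check is phrased with "not" or "unreachable";
        # only the success wording is visible on this page.
        return all(not re.search(r"\bnot\b|unreachable", l, re.I) for l in self.connectivity)

    def summary(self) -> List[str]:
        return [f"missing service keys: {', '.join(self.services_missing_key()) or 'none'}",
                f"services not running: {', '.join(self.not_running) or 'none'}",
                f"files with unexpected MD5: {', '.join(self.bad_files) or 'none'}",
                f"files verified: {len(self.legit_files)}",
                f"connectivity: {'ok' if self.connectivity_ok() else 'PROBLEM'}"]


def _add_unique(items: List[str], value: str) -> None:
    if value not in items:      # FSS lists WMIsvc.dll twice; report it once
        items.append(value)


def parse_fss_log(text: str) -> FssFindings:
    f = FssFindings()
    section = ""
    current_svc = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            current_svc = m.group("svc")
            _add_unique(f.not_running, current_svc)
            continue
        m = ATTENTION_RE.match(line)
        if m:
            key = KEY_RE.search(m.group("msg"))
            svc = key.group("svc") if key else (current_svc or section)
            f.attention.setdefault(svc, []).append(f'{m.group("what")}: {m.group("msg")}')
            continue
        m = FILE_RE.match(line)
        if m:
            target = f.legit_files if m.group("verdict") == "MD5 is legit" else f.bad_files
            _add_unique(target, m.group("path"))
            continue
        if section == "Connection Status" and line and not line.startswith("="):
            f.connectivity.append(line)
    return f


if __name__ == "__main__":
    for row in parse_fss_log(SAMPLE_FSS_LOG).summary():
        print(row)
```

To use it on a real report, read the saved FSS.txt into `parse_fss_log` in place of `SAMPLE_FSS_LOG`. A non-empty `services_missing_key()` with all File Check entries still legit is the pattern seen here: the service binary is intact but its registry configuration has been deleted, so the remedy is restoring the service key rather than replacing files, which is what the helper's next reply targets with the wscsvc download.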

#6 narenxp (BC Advisor, 16,371 posts, Location: India)

Posted 24 August 2012 - 08:36 PM

Download

wscsvc

Launch it, click YES.

Download

http://www.bleepingcomputer.com/download/rkill/

Run it and, after the scan finishes, post the contents of the RKILL log located on the desktop here.

Any current issues?

#7 anothername (Topic Starter, Members, 5 posts)

Posted 25 August 2012 - 01:02 PM

Many thanks for your continuing help. I ran WSCSVC and Rkill. The Rkill log is here. I notice it terminated two processes; do you think there is still something rogue active? I have now turned the computer off at the end of the day. Does that mean that, if there is another step to take, I should run Rkill again when the computer is switched on? The computer appears to operate normally.


Rkill 2.3.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/25/2012 06:57:25 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* C:\WINDOWS\SYSTEM32\DWRCS.EXE (PID: 1408) [WD-HEUR]
* C:\WINDOWS\system32\MsPMSPSv.exe (PID: 1968) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.
* No issues found.

Checking Windows Service Integrity:

* Background Intelligent Transfer Service (BITS) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 08/25/2012 06:58:30 PM
Execution time: 0 hours(s), 1 minute(s), and 4 seconds(s)

#8 narenxp (BC Advisor, 16,371 posts, Location: India)

Posted 25 August 2012 - 01:43 PM

They are not rogues.

Download

TFC

Launch it; it will close all running programs.

Click on START; it should ask for a reboot.

Turn off your System Restore, restart the PC, and create a new restore point:

http://support.microsoft.com/kb/310405

Update your Java from here:

http://java.com/en/download/inc/windows_upgrade_xpi.jsp

Update your antivirus frequently, and do not click on suspicious links.

Safe surfing :)

#9 anothername (Topic Starter, Members, 5 posts)

Posted 26 August 2012 - 04:11 PM

Now all working again. Thank you once again for the help you have provided.

#10 narenxp (BC Advisor, 16,371 posts, Location: India)

Posted 26 August 2012 - 08:39 PM

You're most welcome :)
