
An infected Master Boot Record ??


15 replies to this topic

#1 SWIM_GOOD


  • Members
  • 29 posts

Posted 27 November 2012 - 03:33 PM

Hello, I've been directed here after being told that my system has an infected MBR after first posting in the 'Am I Infected?' forum.. This was my initial cry for help:

"Hello, I've not bumped into any issues with my laptop since last year but at the end of last week Microsoft Security Essentials detected and quarantined 'Exploit:JS/Blacole.JQ' whilst I was using the internet.. It was removed and subsequent scans with Malwarebytes and SUPERAntiSpyware came back clean. I noticed the system was somewhat laggy and so ran a scan with Dr.Web CureIt!, this found the Win32 virus and I 'cured' the infected file using this programme. All subsequent scans with Malwarebytes, SUPERAntiSpyware, Security Essentials AND Dr.Web CureIt! are coming back clean but I'd like confirmation from you guys that this is indeed the case and that there aren't various other nasties roaming around my laptop!"

Please find the DDS logs attached:



DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6001.18639
Run by Dan at 19:20:02 on 2012-11-27
#Option MBR scan is disabled.
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3000.1652 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Dan\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1008&m=aspire_7730
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1008&m=aspire_7730
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: ShowBarObj Class: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.5\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7725.1624\swg.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: Acer eDataSecurity Management: {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.5\AVG Secure Search_toolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [ROC_ROC_JULY_P1] "c:\program files\avg secure search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{42BB607C-2404-4E3A-8D9D-934090046114} : DHCPNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\13.2.0\ViProtocol.dll
Notify: !SASWinLogon - <no file>
Notify: igfxcui - <no file>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dan\appdata\roaming\mozilla\firefox\profiles\fd18cl6k.default\
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7Bd200bae3-f2ee-41a6-8a95-0d80d5b0c527%7D&mid=5707b6f446eaa431ba19f2c3599b2f1f-0d3e1b47427d0730047c4a6dcbba385ec7ecaafe&ds=AVG&v=12.2.5.32&lang=en&pr=pr&d=2012-05-13%2019%3A02%3A37&sap=ku&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\13.2.0\npsitesafety.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dan\appdata\local\yahoo!\browserplus\2.5.1\plugins\npybrowserplus_2.5.1.dll
FF - plugin: c:\users\dan\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\dan\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2009-08-07 12:29; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2011-5-23 47968]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-8-29 26984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-4-28 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-8-2 116608]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2008-10-5 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2008-10-5 81504]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-17 24576]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2008-10-5 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [2012-11-9 711112]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-28 210432]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-3 112128]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-4-17 81296]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-17 3658752]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S2 avgfws;AVG Firewall;"c:\program files\avg\avg2012\avgfws.exe" --> c:\program files\avg\avg2012\avgfws.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg2012\avgidsagent.exe" --> c:\program files\avg\avg2012\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\avg\avg2012\avgwdsvc.exe" --> c:\program files\avg\avg2012\avgwdsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [2008-4-17 25856]
S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2008-4-17 42880]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 99272]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-27 19:08:28 6812136 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6527d696-83f2-454d-bd90-50947cfb9b05}\mpengine.dll
2012-11-26 19:24:41 -------- d-----w- c:\users\dan\Doctor Web
2012-11-26 15:35:20 6812136 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-22 12:59:31 -------- d-----w- c:\users\dan\DoctorWeb
2012-11-17 16:06:13 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-11-17 16:04:12 -------- d-----w- c:\program files\iPod
2012-11-17 16:04:02 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-11-17 16:04:02 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-11-23 09:02:25 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-23 09:02:24 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-09 11:03:20 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-10-25 03:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 03:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-09-29 18:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 21:03:50 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 21:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 19:20:31.59 ===============

#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 November 2012 - 08:29 AM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
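The FRST.txt that the steps above produce is normally read by eye, but its line formats lend themselves to a first mechanical pass before a human looks at it. The Python script below is an added example written for this page; it is not part of this thread, of BleepingComputer's procedure, or of FRST itself. It assumes only the line shapes visible in the FRST.txt posted later in this thread: Run entries of the form `HKLM\...\Run: [name] path [size date] (publisher)`, service and driver lines of the form `2 name; path [size date] (publisher)`, FRST's `[x]` marker for an entry whose file is not on disk, an empty `()` where FRST found no company name in the file's version information, and the `=> MD5 is legit` lines of the Bamital/volsnap check. The sample log embedded in the script is constructed for the example. The output is a triage list, not a verdict: a missing file behind an autorun entry is often a leftover from an uninstall, and an empty publisher field is common for legitimate OEM software, so every flagged line still needs a person to look at the path.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (illustrative values, not from a live system) in the
# line formats FRST writes to FRST.txt: section headers, Run keys, services,
# drivers, and the MD5 check lines.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1033512 2008-01-17] (Synaptics, Inc.)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-09] ()
HKU\Dan\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
==================== Services (Whitelisted) ===================
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)
2 avgfws; "C:\Program Files\AVG\AVG2012\avgfws.exe" [x]
==================== Drivers (Whitelisted) ====================
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
"""

# One regex per FRST line shape handled here (assumed from the visible log format, not an FRST spec).
RUN_RE = re.compile(r'^(?P<hive>HK[^:]+)\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<rest>.+)$')
SVC_RE = re.compile(r'^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.+)$')
MD5_RE = re.compile(r'^(?P<path>.+?) => MD5 is (?P<verdict>.+)$')
INFO_RE = re.compile(r'^(?P<path>.+) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$')


@dataclass
class Entry:
    kind: str          # 'run', 'service', 'driver' or 'md5'
    name: str
    path: str
    status: str        # 'missing', 'no_publisher', 'ok', 'unparsed', or the MD5 verdict
    publisher: str = ''


def _split_file_info(rest: str):
    """Split the text after an entry name into (path, status, publisher)."""
    rest = rest.strip()
    if rest.endswith('[x]'):
        # FRST appends [x] when the file the entry points to is not on disk.
        return rest[:-3].strip().strip('"'), 'missing', ''
    m = INFO_RE.match(rest)
    if not m:
        return rest, 'unparsed', ''
    publisher = m.group('publisher').strip()
    status = 'ok' if publisher else 'no_publisher'   # () = no company name in version info
    return m.group('path').strip().strip('"'), status, publisher


def parse_line(line: str, section: str = '') -> Optional[Entry]:
    """Parse one FRST.txt line; returns None for lines this triage does not handle."""
    line = line.rstrip()
    m = RUN_RE.match(line)
    if m:
        path, status, pub = _split_file_info(m.group('rest'))
        return Entry('run', m.group('name'), path, status, pub)
    m = SVC_RE.match(line)
    if m:
        path, status, pub = _split_file_info(m.group('rest'))
        kind = 'driver' if 'driver' in section else 'service'   # section header decides
        return Entry(kind, m.group('name'), path, status, pub)
    m = MD5_RE.match(line)
    if m:
        return Entry('md5', m.group('path'), m.group('path'), m.group('verdict').strip())
    return None


def triage(text: str) -> Dict[str, List[Entry]]:
    """Bucket entries by what a reviewer wants to see first; this is not a malware verdict."""
    report: Dict[str, List[Entry]] = {
        'missing': [], 'no_publisher': [], 'md5_not_legit': [], 'unparsed': [], 'ok': []}
    section = ''
    for raw in text.splitlines():
        if raw.startswith('===='):
            section = raw.strip('= ').lower()     # e.g. 'drivers (whitelisted)'
            continue
        e = parse_line(raw, section)
        if e is None:
            continue
        if e.kind == 'md5':
            (report['ok'] if e.status == 'legit' else report['md5_not_legit']).append(e)
        elif e.status in ('missing', 'no_publisher', 'unparsed'):
            report[e.status].append(e)
        else:
            report['ok'].append(e)
    return report


def summarize(report: Dict[str, List[Entry]]) -> Dict[str, int]:
    """Counts per bucket, handy as a one-line overview of a long log."""
    return {bucket: len(entries) for bucket, entries in report.items()}


if __name__ == '__main__':
    result = triage(SAMPLE_FRST)
    for bucket in ('missing', 'no_publisher', 'md5_not_legit', 'unparsed'):
        for entry in result[bucket]:
            print(f'{bucket:14} {entry.kind:8} {entry.name}: {entry.path}')
    print(summarize(result))
```

Run it against a real FRST.txt by replacing `SAMPLE_FRST` with the file's contents; the section headers are what tell the script whether a `2 name; path` line is a service or a driver, so keep them in the input.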


#3 SWIM_GOOD

  • Topic Starter

  • Members
  • 29 posts

Posted 29 November 2012 - 06:45 PM

I finally found my flash drive, I'll crack on with this tomorrow and post the results..

Dan

#4 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 November 2012 - 04:14 PM

ok, thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 SWIM_GOOD

  • Topic Starter

  • Members
  • 29 posts

Posted 30 November 2012 - 07:56 PM

Here's the FRST log:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2012 (ATTENTION: FRST version is 8 days old)
Ran by SYSTEM at 01-12-2012 00:42:13
Running from D:\
Windows Vista ™ Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1033512 2008-01-17] (Synaptics, Inc.)
HKLM\...\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [526896 2008-03-04] (Egis Incorporated)
HKLM\...\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [34040 2008-04-06] ()
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2516296 2010-03-24] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1185112 2010-04-02] (CANON INC.)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-09] ()
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-08-29] ()
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-24] (Apple Inc.)
HKU\Dan\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4763008 2012-11-06] (SUPERAntiSpyware.com)
HKU\Dan\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Dan\...\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59280 2012-08-29] (Apple Inc.)
HKU\Dan\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2008-11-24] (Google Inc.)
HKU\Default\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [24576 2007-08-21] ()
HKU\Default User\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [24576 2007-08-21] ()
Winlogon\Notify\!SASWinLogon:
Winlogon\Notify\igfxcui:
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2012-09-17] (SUPERAntiSpyware.com)
2 BUNAgentSvc; "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe" [16384 2008-03-03] (NewTech Infosystems, Inc.)
2 CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [81504 2008-01-16] ()
2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-03-21] ()
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [110592 2007-12-06] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [287824 2012-09-12] (Microsoft Corporation)
2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-04] ()
2 RichVideo; "C:\Program Files\Cyberlink\Shared files\RichVideo.exe" [272024 2007-01-08] ()
2 vToolbarUpdater13.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-09] ()
2 avgfws; "C:\Program Files\AVG\AVG2012\avgfws.exe" [x]
2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe" [x]
2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [x]

==================== Drivers (Whitelisted) ====================

3 A310; C:\Windows\System32\DRIVERS\AVerA310USB.sys [25856 2008-04-14] (AVerMedia TECHNOLOGIES, Inc.)
1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6x.sys [47968 2011-05-22] (AVG Technologies CZ, s.r.o.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134736 2011-07-10] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [23120 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24272 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [16720 2011-10-03] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [230608 2011-10-06] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [40016 2011-08-07] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-09-12] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [295248 2011-07-10] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-11-09] (AVG Technologies)
3 BDASwCap; C:\Windows\System32\drivers\AVerA310Cap.sys [42880 2008-04-14] (AVerMedia TECHNOLOGIES, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-08-04] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12872 2010-04-12] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [67664 2011-08-04] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl [61424 2008-05-09] (Cyberlink Corp.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-12-01 00:41 - 2012-12-01 00:41 - 00000000 ____D C:\FRST
2012-11-27 11:20 - 2012-11-27 11:21 - 00017984 ____A C:\Users\Dan\Desktop\attach.txt
2012-11-27 11:20 - 2012-11-27 11:21 - 00016755 ____A C:\Users\Dan\Desktop\dds.txt
2012-11-27 11:01 - 2012-11-27 11:02 - 00688992 ____R (Swearware) C:\Users\Dan\Downloads\dds.com
2012-11-27 01:51 - 2012-11-27 01:51 - 00002086 ____A C:\Users\Dan\Desktop\aswMBR27.11.12.txt
2012-11-27 01:28 - 2012-11-27 01:28 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Dan\Downloads\tdsskiller.exe
2012-11-26 11:24 - 2012-11-26 11:24 - 00000000 ____D C:\Users\Dan\Doctor Web
2012-11-26 11:23 - 2012-11-26 11:24 - 104820304 ____A C:\Users\Dan\Downloads\6rom8j5g.exe
2012-11-22 04:59 - 2012-11-22 04:59 - 00000000 ____D C:\Users\Dan\DoctorWeb
2012-11-22 04:56 - 2012-11-22 04:57 - 99969752 ____A C:\Users\Dan\Downloads\4schc524.exe
2012-11-17 08:11 - 2012-11-17 08:12 - 00000000 ____D C:\Program Files\QuickTime
2012-11-17 08:11 - 2012-11-17 08:11 - 00001730 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-11-17 08:06 - 2012-11-17 08:06 - 00001668 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-11-17 08:06 - 2012-08-21 05:01 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-11-17 08:04 - 2012-11-17 08:06 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-11-17 08:04 - 2012-11-17 08:06 - 00000000 ____D C:\Program Files\iTunes
2012-11-17 08:04 - 2012-11-17 08:04 - 00000000 ____D C:\Program Files\iPod

==================== One Month Modified Files and Folders ========

2012-12-01 00:41 - 2012-12-01 00:41 - 00000000 ____D C:\FRST
2012-11-30 16:27 - 2008-04-17 09:28 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-11-30 16:27 - 2006-11-02 04:58 - 00032644 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-30 16:27 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-30 16:26 - 2008-04-17 08:09 - 00000147 ____A C:\Windows\System32\agent.log
2012-11-30 16:26 - 2006-11-02 04:45 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-30 16:26 - 2006-11-02 04:45 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-29 13:36 - 2006-11-02 02:33 - 00708086 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-29 13:32 - 2008-01-20 19:02 - 07925552 ____A C:\Windows\PFRO.log
2012-11-27 11:37 - 2008-10-04 23:15 - 01341575 ____A C:\Windows\WindowsUpdate.log
2012-11-27 11:21 - 2012-11-27 11:20 - 00017984 ____A C:\Users\Dan\Desktop\attach.txt
2012-11-27 11:21 - 2012-11-27 11:20 - 00016755 ____A C:\Users\Dan\Desktop\dds.txt
2012-11-27 11:07 - 2010-02-02 05:45 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-27 11:02 - 2012-11-27 11:01 - 00688992 ____R (Swearware) C:\Users\Dan\Downloads\dds.com
2012-11-27 10:57 - 2010-02-02 05:45 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-27 10:57 - 2008-10-04 23:40 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
2012-11-27 01:51 - 2012-11-27 01:51 - 00002086 ____A C:\Users\Dan\Desktop\aswMBR27.11.12.txt
2012-11-27 01:51 - 2012-05-31 11:47 - 00000512 ____A C:\Users\Dan\Desktop\MBR.dat
2012-11-27 01:28 - 2012-11-27 01:28 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Dan\Downloads\tdsskiller.exe
2012-11-26 11:24 - 2012-11-26 11:24 - 00000000 ____D C:\Users\Dan\Doctor Web
2012-11-26 11:24 - 2012-11-26 11:23 - 104820304 ____A C:\Users\Dan\Downloads\6rom8j5g.exe
2012-11-26 11:24 - 2008-11-24 02:04 - 00000000 ____D C:\users\Dan
2012-11-23 01:02 - 2012-04-10 03:57 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-11-23 01:02 - 2011-06-10 02:52 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-11-23 01:01 - 2008-04-17 07:53 - 00000000 ____D C:\Users\All Users\Adobe
2012-11-22 04:59 - 2012-11-22 04:59 - 00000000 ____D C:\Users\Dan\DoctorWeb
2012-11-22 04:57 - 2012-11-22 04:56 - 99969752 ____A C:\Users\Dan\Downloads\4schc524.exe
2012-11-22 04:25 - 2009-02-06 10:16 - 00001356 ____A C:\Users\Dan\AppData\Local\d3d9caps.dat
2012-11-19 11:46 - 2009-09-24 09:39 - 00000000 ____D C:\Users\Dan\AppData\Roaming\Skype
2012-11-17 08:12 - 2012-11-17 08:11 - 00000000 ____D C:\Program Files\QuickTime
2012-11-17 08:11 - 2012-11-17 08:11 - 00001730 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-11-17 08:06 - 2012-11-17 08:06 - 00001668 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-11-17 08:06 - 2012-11-17 08:04 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-11-17 08:06 - 2012-11-17 08:04 - 00000000 ____D C:\Program Files\iTunes
2012-11-17 08:04 - 2012-11-17 08:04 - 00000000 ____D C:\Program Files\iPod
2012-11-17 08:04 - 2008-11-29 15:34 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-11-17 04:12 - 2006-11-02 02:24 - 64010424 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-11-17 04:11 - 2008-04-17 07:58 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-09 03:03 - 2012-08-29 04:19 - 00026984 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2012-11-09 03:03 - 2012-05-13 10:02 - 00000000 ____D C:\Program Files\AVG Secure Search
2012-11-09 03:03 - 2012-01-12 11:40 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-11-06 03:59 - 2009-05-03 03:12 - 00000000 ____D C:\Program Files\SUPERAntiSpyware


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-21 05:42:31
Restore point made on: 2012-11-22 02:25:52
Restore point made on: 2012-11-23 11:31:33
Restore point made on: 2012-11-26 07:34:46
Restore point made on: 2012-11-27 11:07:55

==================== Memory info ===========================

Percentage of memory in use: 8%
Total physical RAM: 4024.07 MB
Available physical RAM: 3694.6 MB
Total Pagefile: 3891.8 MB
Available Pagefile: 3756.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB

==================== Partitions =============================

1 Drive c: (ACER) (Fixed) (Total:69.52 GB) (Free:10.83 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Removable) (Total:0.95 GB) (Free:0.94 GB) FAT
3 Drive e: (DATA) (Fixed) (Total:69.52 GB) (Free:64.07 GB) NTFS
5 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:2.16 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1849 KB
Disk 1 Online 970 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 1024 KB
Partition 2 Primary 70 GB 10 GB
Partition 3 Primary 70 GB 80 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 X PQSERVICE NTFS Partition 10 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C ACER NTFS Partition 70 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E DATA NTFS Partition 70 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 970 MB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D FAT Removable 970 MB Healthy

=========================================================

Last Boot: 2012-11-27 12:33

==================== End Of Log ============================
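To show what the Disk 0 partition table in the FRST output above looks like at the byte level, here is an added example (not code from this thread, nor from FRST, aswMBR or any other tool named in it) that parses a raw 512-byte MBR image such as the MBR.dat saved on the desktop and runs the checks a responder would make on it: boot signature present, boot code matching a known-good hash, exactly one active partition, and no overlapping entries. The sample sector, its stand-in boot code and the "known-good" hash are all constructed here to mirror the reported layout (hidden type 27 OEM partition, then two type 07 NTFS partitions with the second one active).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the boot loader code
TABLE_OFFSET = 446             # four 16-byte partition entries follow it
ENTRY_FORMAT = "<B3xB3xII"     # status, CHS (skipped), type, CHS (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR

# Partition type ids as FRST prints them ("Type : 27" etc.), plus common others.
PARTITION_TYPES = {
    0x06: "FAT16",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x27: "Hidden NTFS (OEM/recovery)",
    0xEE: "GPT protective",
}

def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature, a hash of the boot code, and the partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes, got %d" % len(sector))
    partitions = []
    for index in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + index * 16)
        if ptype == 0:             # empty slot
            continue
        partitions.append({
            "index": index + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_gb": round(count * SECTOR_SIZE / 1024 ** 3, 2),
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }

def check_mbr(sector: bytes, known_good_boot_code_sha256: str) -> list:
    """Return human-readable findings; an empty list means the MBR looks sane."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55 AA missing at offset 510")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code hash differs from the known-good baseline")
    active = [p["index"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (_s1, end1, idx1), (start2, _e2, idx2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("partition %d overlaps partition %d" % (idx2, idx1))
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte image from boot code and (status, type, lba, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_SIZE or len(entries) > 4:
        raise ValueError("boot code must fit in 446 bytes and at most 4 entries are allowed")
    table = b"".join(struct.pack(ENTRY_FORMAT, *entry) for entry in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE

GB = 1024 ** 3 // SECTOR_SIZE   # sectors per GiB

# Constructed table mirroring the FRST output for Disk 0: 10 GB hidden OEM
# partition (type 27) at 1024 KB, 70 GB NTFS (active) at 10 GB, 70 GB NTFS after it.
SAMPLE_TABLE = [
    (0x00, 0x27, 2048, 10 * GB),
    (0x80, 0x07, 2048 + 10 * GB, 70 * GB),
    (0x00, 0x07, 2048 + 80 * GB, 70 * GB),
]
# Stand-in boot code (constructed filler, not a real loader): a jump-to-self stub and NOPs.
SAMPLE_BOOT_CODE = b"\xEB\xFE" + b"\x90" * 50
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_TABLE)
# The baseline hash covers the full 446-byte boot code area, zero padding included.
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_BOOT_CODE.ljust(BOOT_CODE_SIZE, b"\x00")).hexdigest()

# Same partition table, but with 30 bytes of the boot code zeroed: every partition
# entry still looks healthy, so only the hash comparison can catch the change.
ALTERED_MBR = build_mbr(SAMPLE_BOOT_CODE[:20] + b"\x00" * 30 + SAMPLE_BOOT_CODE[50:], SAMPLE_TABLE)

if __name__ == "__main__":
    for label, image in (("baseline", SAMPLE_MBR), ("altered", ALTERED_MBR)):
        print(label, parse_mbr(image)["partitions"])
        print(label, "findings:", check_mbr(image, KNOWN_GOOD_SHA256) or "none")
```

On a real image, the baseline hash would come from a sector dumped before the incident or from a known-clean machine with the same boot loader; a mismatch is a reason to look closer, not proof of infection by itself.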

#6 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 30 November 2012 - 07:59 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 SWIM_GOOD (Topic Starter, Members, 29 posts)

Posted 03 December 2012 - 06:52 PM

Hey, I've been really busy today so I'll run ComboFix tomorrow and post the results..

Thanks for your help so far :)

#8 SWIM_GOOD (Topic Starter, Members, 29 posts)

Posted 04 December 2012 - 07:28 AM

Here's the ComboFix log:


ComboFix 12-12-02.01 - Dan 04/12/2012 12:08:57.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3000.1613 [GMT 0:00]
Running from: c:\users\Dan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Dan\AppData\Roaming\.#
c:\users\Dan\AppData\Roaming\.#\MBX@118C@17D2990.###
c:\users\Dan\AppData\Roaming\.#\MBX@118C@17D29C0.###
c:\users\Dan\AppData\Roaming\.#\MBX@118C@17D29F0.###
c:\users\Dan\AppData\Roaming\.#\MBX@11B4@17A2990.###
c:\users\Dan\AppData\Roaming\.#\MBX@11B4@17A29C0.###
c:\users\Dan\AppData\Roaming\.#\MBX@11B4@17A29F0.###
c:\users\Dan\AppData\Roaming\.#\MBX@15E4@162990.###
c:\users\Dan\AppData\Roaming\.#\MBX@15E4@1629C0.###
c:\users\Dan\AppData\Roaming\.#\MBX@15E4@1629F0.###
c:\users\Dan\AppData\Roaming\.#\MBX@468@1792990.###
c:\users\Dan\AppData\Roaming\.#\MBX@468@17929C0.###
c:\users\Dan\AppData\Roaming\.#\MBX@468@17929F0.###
.
.
((((((((((((((((((((((((( Files Created from 2012-11-04 to 2012-12-04 )))))))))))))))))))))))))))))))
.
.
2012-12-04 12:04 . 2012-12-04 11:58 740840 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CFC72660-7ECC-4067-887E-3912D45B6918}\gapaengine.dll
2012-12-04 12:00 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2A056C8-D3B8-4F69-8049-F9FC9EDB73E4}\mpengine.dll
2012-12-01 08:41 . 2012-12-01 08:41 -------- d-----w- C:\FRST
2012-11-27 19:21 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-26 19:24 . 2012-11-26 19:24 -------- d-----w- c:\users\Dan\Doctor Web
2012-11-22 12:59 . 2012-11-22 12:59 -------- d-----w- c:\users\Dan\DoctorWeb
2012-11-17 16:06 . 2012-08-21 13:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-11-17 16:04 . 2012-11-17 16:04 -------- d-----w- c:\program files\iPod
2012-11-17 16:04 . 2012-11-17 16:06 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-11-17 16:04 . 2012-11-17 16:06 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-23 09:02 . 2012-04-10 11:57 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-23 09:02 . 2011-06-10 10:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-09 11:03 . 2012-08-29 12:19 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-10-25 03:12 . 2012-10-25 03:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 03:12 . 2012-10-25 03:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-10-04 07:59 . 2012-10-20 15:12 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAC17F21-4EC7-47D3-A28E-AEE9EB0F3BE1}\gapaengine.dll
2012-10-04 07:59 . 2012-06-12 18:48 740784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-29 18:54 . 2011-06-21 18:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-27 10:10 . 2012-10-27 10:08 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-09 11:03 1796552 ----a-w- c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-09 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-06 4763008]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-08-29 59280]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-28 6111232]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-02 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-02 145944]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-09 997320]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"ROC_ROC_JULY_P1"="c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-08-29 1022048]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 13:45]
.
2012-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1008&m=aspire_7730
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1008&m=aspire_7730
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\fd18cl6k.default\
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7Bd200bae3-f2ee-41a6-8a95-0d80d5b0c527%7D&mid=5707b6f446eaa431ba19f2c3599b2f1f-0d3e1b47427d0730047c4a6dcbba385ec7ecaafe&ds=AVG&v=12.2.5.32&lang=en&pr=pr&d=2012-05-13%2019%3A02%3A37&sap=ku&q=
FF - ExtSQL: !HIDDEN! 2009-08-07 12:29; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-04 12:20
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-12-04 12:23:16
ComboFix-quarantined-files.txt 2012-12-04 12:23
.
Pre-Run: 11,491,479,552 bytes free
Post-Run: 11,644,456,960 bytes free
.
- - End Of File - - 578D084D496B01DFAC3CF77E54C44DDC

#9 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 04 December 2012 - 06:45 PM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#10 SWIM_GOOD (Topic Starter, Members, 29 posts)

Posted 05 December 2012 - 09:14 PM

Please find the logs for the Junkware Removal Tool and Malwarebytes below and the AdwCleaner log attached. The ESET scan and Malwarebytes scans came back clean (with no log produced from ESET) :)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.8.6 (12.05.2012:2)
OS: Windows Vista ™ Home Basic x86
Ran by Dan on 05/12/2012 at 21:07:51.31
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{95b7759c-8c7f-4bf1-b163-73684a933233}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\abouturls\\Tabs



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{95b7759c-8c7f-4bf1-b163-73684a933233}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{95b7759c-8c7f-4bf1-b163-73684a933233}



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Dan\AppData\Roaming\mozilla\firefox\profiles\fd18cl6k.default\prefs.js

user_pref("keyword.URL", "https://isearch.avg.com/search?cid=%7Bd200bae3-f2ee-41a6-8a95-0d80d5b0c527%7D&mid=5707b6f446eaa431ba19f2c3599b2f1f-0d3e1b47427d0730047c4a6dcbba385ec7ecaafe&ds=AVG&v=12.2.5.32



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/12/2012 at 21:13:50.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.05.09

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Dan :: DAN-PC [administrator]

05/12/2012 21:39:27
mbam-log-2012-12-05 (21-39-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213912
Time elapsed: 15 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


#11 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 05 December 2012 - 09:23 PM

How is the computer running now?

Are there any outstanding issues?



#12 SWIM_GOOD (Topic Starter, Members, 29 posts)

Posted 06 December 2012 - 03:02 PM

Hey, it doesn't feel as laggy now.. Do you reckon it's clean?

A couple of things:

My laptop background changed by itself a couple of times, once during the initial realisation that something was lurking on the system and then again during the running of the various programmes suggested (could it be one of those just having an effect?)

I've got REVO Uninstaller on my laptop, should I use that to uninstall any of the programmes you suggested to me?

Also, did you notice anything on my system that I could get rid of (old programmes etc.)?

Dan

#13 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 06 December 2012 - 05:30 PM

make sure you can set your background to whatever you choose now

as for what to get rid of, you need to go through your installed programs list and see if there is anything you no longer use

this may be a help

try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.


we just need to clean up our tools


You can delete the DDS, JRT and the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
    Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.



#14 SWIM_GOOD (Topic Starter, Members, 29 posts)

Posted 08 December 2012 - 12:27 PM

I was able to change my background back :)

I'll give StartupLite a whirl and crack on with the other recommendations..

I've already got CCleaner, would I be ok to run this instead of TFC?

Thanks for all of your help,

Dan

#15 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 08 December 2012 - 12:32 PM

yes, CCleaner is just fine, just don't use the registry cleaning feature, it's not necessary to do anything with the registry

stay safe

~CB
