Trojan keeps restoring after removal.


17 replies to this topic

#1 omh

Posted 01 February 2013 - 05:58 PM

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 7.0.6000.17037
Run by FRASER at 22:46:53 on 2013-02-01
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.894.439 [GMT 0:00]
.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Users\FRASER\Desktop\mbar\mbar.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uProxyOverride = <local>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: MyWebSearch Search Assistant BHO: {00A6FAF1-072E-44cf-8957-5838F569A31D} -
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} -
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} -
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -
BHO: BandooIEPlugin Class: {EB5CEE80-030A-4ED8-8E20-454E9C68380F} -
TB: Orange Toolbar: {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} -
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} -
TB: Orange Toolbar: {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} -
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
EB: Orange Toolbar: {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} -
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [MobileConnect] c:\program files\vodafone\vodafone mobile connect\bin\MobileConnect.exe /silent
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRunOnce: [Z1] cmd /c "c:\users\fraser\desktop\mbar\mbar.exe" /cleanup /s
uPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/SmileyCentralFWBInitialSetup1.0.1.0.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{B7C90078-4269-4335-8B36-EDAD2F1609DF} : DHCPNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} -
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-11-11 26984]
R3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-1 142152]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2009-6-10 335872]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg2013\avgidsagent.exe" --> c:\program files\avg\avg2013\avgidsagent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\avg\avg2013\avgwdsvc.exe" --> c:\program files\avg\avg2013\avgwdsvc.exe [?]
S2 Fun4IM Coordinator;Fun4IM Coordinator;"c:\progra~1\fun4im\bandoo.exe" --> c:\progra~1\fun4im\Bandoo.exe [?]
S2 VMCService;Vodafone Mobile Connect Service;"c:\program files\vodafone\vodafone mobile connect\bin\vmcservice.exe" --> c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [?]
S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-16 1025352]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-1-30 31560]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-1-17 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-1-17 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2008-1-17 35328]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2006-11-2 19968]
S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
.
=============== Created Last 30 ================
.
2013-02-01 22:38:51 54016 ----a-w- c:\windows\system32\drivers\imofugc.sys
2013-02-01 22:23:40 142152 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-02-01 22:02:36 -------- d-sh--w- C:\$RECYCLE.BIN
2013-02-01 21:40:22 -------- d-s---w- C:\ComboFix
2013-02-01 21:07:55 177496 ----a-w- c:\windows\system32\drivers\01999595.sys
2013-02-01 16:50:09 54016 ----a-w- c:\windows\system32\drivers\anaf.sys
2013-02-01 01:06:16 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-02-01 01:02:56 -------- d-----w- c:\program files\HitmanPro
2013-02-01 01:02:45 -------- d-----w- c:\programdata\HitmanPro
2013-02-01 00:59:18 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-01 00:04:38 -------- d-----w- c:\program files\CCleaner
2013-01-31 20:42:26 -------- d-----w- c:\windows\pss
2013-01-31 20:36:13 -------- d-----w- c:\users\fraser\appdata\local\temp
2013-01-31 20:17:48 24448 ----a-w- c:\windows\system32\drivers\rkhdrv40.sys
2013-01-31 20:17:29 -------- d-----w- C:\RkUnhooker
2013-01-31 20:10:19 -------- d-----w- C:\_OTL
2013-01-30 22:19:28 98816 ----a-w- c:\windows\sed.exe
2013-01-30 22:19:28 256000 ----a-w- c:\windows\PEV.exe
2013-01-30 22:19:28 208896 ----a-w- c:\windows\MBR.exe
2013-01-30 21:17:05 -------- d-----w- c:\users\fraser\appdata\roaming\SUPERAntiSpyware.com
2013-01-30 21:16:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-01-30 21:16:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-30 21:05:23 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-01-30 19:54:16 54016 ----a-w- c:\windows\system32\drivers\bfopksnw.sys
2013-01-30 19:03:41 -------- d-----w- c:\users\fraser\appdata\roaming\Malwarebytes
2013-01-30 19:03:35 -------- d-----w- c:\programdata\Malwarebytes
2013-01-30 19:03:34 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-30 19:03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-12-15 14:01:25 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-15 14:01:25 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-11 01:30:17 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
.
============= FINISH: 22:48:51.11 ===============


#2 omh


Posted 02 February 2013 - 08:06 AM

Malwarebytes log

HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E} (PUP.MyWebSearch) -> No action taken.
HKCR\CLSID\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> No action taken.
HKCR\TypeLib\{E79DFBC0-5697-4fbd-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A} (PUP.MyWebSearch) -> No action taken.
HKCR\MyWebSearch.ChatSessionPlugin.1 (PUP.MyWebSearch) -> No action taken.
HKCR\MyWebSearch.ChatSessionPlugin (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E79DFBCA-5697-4FBD-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> No action taken.
HKCR\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (PUP.MyWebSearch) -> No action taken.
HKCR\Typelib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495} (PUP.MyWebSearch) -> No action taken.
HKCR\Typelib\{F42228FB-E84E-479E-B922-FBBD096E792C} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\FunWebProducts (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (PUP.MyWebSearch) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D} (Trojan.BHO) -> No action taken.
HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} (Trojan.BHO) -> No action taken.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform|FunWebProducts (PUP.MyWebSearch) -> Data: -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\TDSSKiller_Quarantine\01.02.2013_21.06.48\tdlfs0000\tsk0007.dta (Rootkit.Agent) -> No action taken.
C:\TDSSKiller_Quarantine\01.02.2013_21.06.48\tdlfs0000\tsk0008.dta (Rootkit.TDSS) -> No action taken.

(end)

#3 fireman4it


Posted 04 February 2013 - 01:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.



Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact that you are running a 64-bit machine, please run the following tool and post its log.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#4 fireman4it


Posted 07 February 2013 - 11:56 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#5 omh


Posted 09 February 2013 - 09:09 AM

Hello, I have been away this week. Will do what you have said today and report back.

Thanks

#6 omh


Posted 09 February 2013 - 02:54 PM

Windows Vista Home Premium 32 Bit

No CD available

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 7.0.6000.17037
Run by FRASER at 19:42:06 on 2013-02-09
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.44.1033.18.894.467 [GMT 0:00]
.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uProxyOverride = <local>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: MyWebSearch Search Assistant BHO: {00A6FAF1-072E-44cf-8957-5838F569A31D} - 
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - 
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - 
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - 
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - 
BHO: BandooIEPlugin Class: {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - 
TB: Orange Toolbar: {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - 
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - 
TB: Orange Toolbar: {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - 
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - 
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - 
EB: Orange Toolbar: {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - 
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_5_502_135_ActiveX.exe -update activex
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [MobileConnect] c:\program files\vodafone\vodafone mobile connect\bin\MobileConnect.exe /silent
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
uPolicies-Explorer: NoDrives = dword:0
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/SmileyCentralFWBInitialSetup1.0.1.0.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{B7C90078-4269-4335-8B36-EDAD2F1609DF} : DHCPNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - 
AppInit_DLLs= c:\progra~1\fun4im\bndhook.dll 
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-11-11 26984]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2009-6-10 335872]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg2013\avgidsagent.exe" --> c:\program files\avg\avg2013\avgidsagent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\avg\avg2013\avgwdsvc.exe" --> c:\program files\avg\avg2013\avgwdsvc.exe [?]
S2 Fun4IM Coordinator;Fun4IM Coordinator;"c:\progra~1\fun4im\bandoo.exe" --> c:\progra~1\fun4im\Bandoo.exe [?]
S2 VMCService;Vodafone Mobile Connect Service;"c:\program files\vodafone\vodafone mobile connect\bin\vmcservice.exe" --> c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [?]
S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-16 1025352]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-1-17 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-1-17 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2008-1-17 35328]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2006-11-2 19968]
S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
.
=============== Created Last 30 ================
.
2013-02-09 10:12:11    77824    ----a-w-    c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2013-02-09 10:12:11    32768    ----a-w-    c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2013-02-09 10:12:11    225280    ----a-w-    c:\program files\common files\installshield\iscript\iscript.dll
2013-02-09 10:12:11    176128    ----a-w-    c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2013-02-03 18:04:22    54016    ----a-w-    c:\windows\system32\drivers\fbrq.sys
2013-02-01 22:38:51    54016    ----a-w-    c:\windows\system32\drivers\imofugc.sys
2013-02-01 22:02:36    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-02-01 21:40:22    --------    d-s---w-    C:\ComboFix
2013-02-01 21:07:55    177496    ----a-w-    c:\windows\system32\drivers\01999595.sys
2013-02-01 16:50:09    54016    ----a-w-    c:\windows\system32\drivers\anaf.sys
2013-02-01 01:06:16    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-02-01 01:02:56    --------    d-----w-    c:\program files\HitmanPro
2013-02-01 01:02:45    --------    d-----w-    c:\programdata\HitmanPro
2013-02-01 00:59:18    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-02-01 00:04:38    --------    d-----w-    c:\program files\CCleaner
2013-01-31 20:42:26    --------    d-----w-    c:\windows\pss
2013-01-31 20:36:13    --------    d-----w-    c:\users\fraser\appdata\local\temp
2013-01-31 20:17:48    24448    ----a-w-    c:\windows\system32\drivers\rkhdrv40.sys
2013-01-31 20:17:29    --------    d-----w-    C:\RkUnhooker
2013-01-31 20:10:19    --------    d-----w-    C:\_OTL
2013-01-30 22:19:28    98816    ----a-w-    c:\windows\sed.exe
2013-01-30 22:19:28    256000    ----a-w-    c:\windows\PEV.exe
2013-01-30 22:19:28    208896    ----a-w-    c:\windows\MBR.exe
2013-01-30 21:17:05    --------    d-----w-    c:\users\fraser\appdata\roaming\SUPERAntiSpyware.com
2013-01-30 21:16:33    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-01-30 21:16:33    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-01-30 19:54:16    54016    ----a-w-    c:\windows\system32\drivers\bfopksnw.sys
2013-01-30 19:03:41    --------    d-----w-    c:\users\fraser\appdata\roaming\Malwarebytes
2013-01-30 19:03:35    --------    d-----w-    c:\programdata\Malwarebytes
2013-01-30 19:03:34    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-01-30 19:03:34    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M  ====================
.
2012-12-15 14:01:25    73656    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-15 14:01:25    697272    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 19:43:16.85 ===============

#7 fireman4it


Posted 09 February 2013 - 09:44 PM

Hello,

1.

  • Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

2.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right click on AdwCleaner.exe and select Run as admin.
  • Click the Delete button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

3.
4. Under the Custom Scan box paste this in
    c:\windows\*. /SL
    c:\windows\*. /RP
    netsvcs
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
5. Push the Quick Scan button.
6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Things to include in your next reply:
  MBAR log
  AdwCleaner log
  OTL.txt
  Extra.txt
Still detecting that trojan? If so, can you tell me which file it is saying is the trojan?
Edited by fireman4it, 09 February 2013 - 09:55 PM.



#8 omh


Posted 10 February 2013 - 06:09 AM

I am only able to do these tests in Safe Mode. When the testing and rebooting is finished I get to the "home page" with my icons on, then after 10-15 seconds, maybe longer, I get a blue screen with no error codes, just a blue screen. When I restart in Safe Mode again and do the tests again, the Trojan.BHO entries are back etc.

I've attached the logs requested.

Just to note: I ran Malwarebytes Anti-Rootkit twice; the first run cleaned the trojan, the second showed the system clear. But after reboot, once again it returned.

The Trojan.BHO locations:

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{00A6FAF1-072E-44cf-8957-5838F569A31D} (Trojan.BHO)
HKLM\SOFTWARE\CLASSES\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Trojan.BHO)

Edited by omh, 10 February 2013 - 07:57 AM.
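Added example, not code from this thread or from DDS, Malwarebytes or any other tool named in it: a small Python triage script for DDS logs like the two posted above. It lists the BHO/toolbar lines whose DLL path column is blank (every such line in this thread), the AppInit_DLLs entry that appeared between the first and second log, and the .sys files created under system32\drivers in the last 30 days grouped by size, which is how the four 54016-byte random-named drivers stand out. The embedded sample log is constructed from the shape of the thread's second DDS log; the Adobe DLL path in it is invented.

```python
"""Triage a DDS log for a browser add-on that keeps coming back (added example, not a DDS tool)."""
import re
from collections import defaultdict

# Constructed sample shaped like the second DDS log in this thread; the Adobe DLL path is
# invented so the parser has one resolved add-on to contrast with the blank ones.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
BHO: MyWebSearch Search Assistant BHO: {00A6FAF1-072E-44cf-8957-5838F569A31D} -
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\reader\AcroIEHelper.dll
TB: Orange Toolbar: {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} -
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
AppInit_DLLs= c:\progra~1\fun4im\bndhook.dll
.
=============== Created Last 30 ================
.
2013-02-09 10:12:11    77824    ----a-w-    c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2013-02-03 18:04:22    54016    ----a-w-    c:\windows\system32\drivers\fbrq.sys
2013-02-01 22:38:51    54016    ----a-w-    c:\windows\system32\drivers\imofugc.sys
2013-02-01 21:07:55    177496    ----a-w-    c:\windows\system32\drivers\01999595.sys
2013-02-01 16:50:09    54016    ----a-w-    c:\windows\system32\drivers\anaf.sys
2013-01-30 19:03:34    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:43:16.85 ===============
"""

SECTION_RE = re.compile(r'^=+\s*(?P<name>.+?)\s*=+$')
# BHO:/TB:/EB: lines: "<kind>: <name>: {CLSID} - <dll path>"; the path is blank on every
# add-on line in this thread, so there is nothing on disk to inspect from the log alone.
ADDON_RE = re.compile(
    r'^(?P<kind>BHO|TB|EB): (?P<name>.+?): '
    r'(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) -\s*(?P<path>.*?)\s*$')
APPINIT_RE = re.compile(r'^AppInit_DLLs\s*=\s*(?P<dlls>.*?)\s*$')
CREATED_RE = re.compile(
    r'^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+\S+\s+(?P<path>.+?)\s*$')
DRIVER_RE = re.compile(r'\\system32\\drivers\\(?P<file>[^\\]+\.sys)$', re.IGNORECASE)


def triage(log_text):
    """Parse one DDS log and return the findings worth a second look."""
    section = None
    unresolved = []   # (kind, name, CLSID) of add-ons with an empty path column
    appinit = []      # DLLs listed under AppInit_DLLs (loaded into every user32 process)
    drivers = []      # (timestamp, size, file) for .sys files created in the last 30 days
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group('name')
            continue
        m = ADDON_RE.match(line)
        if m:
            if not m.group('path'):
                unresolved.append((m.group('kind'), m.group('name'), m.group('clsid').upper()))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Windows separates AppInit_DLLs entries with spaces or commas.
            appinit.extend(d for d in re.split(r'[,\s]+', m.group('dlls')) if d)
            continue
        if section == 'Created Last 30':
            m = CREATED_RE.match(line)
            if m and m.group('size').isdigit():
                d = DRIVER_RE.search(m.group('path'))
                if d:
                    drivers.append((m.group('stamp'), int(m.group('size')), d.group('file').lower()))
    # Several differently named drivers of identical size in one window is the pattern
    # visible in this thread (four 54016-byte .sys files); group by size to surface it.
    by_size = defaultdict(set)
    for _, size, name in drivers:
        by_size[size].add(name)
    same_size = {size: sorted(names) for size, names in by_size.items() if len(names) > 1}
    return {
        'unresolved_addons': unresolved,
        'appinit_dlls': appinit,
        'drivers': sorted(drivers),
        'same_size_drivers': same_size,
    }


def report(findings):
    """Render the findings as plain text lines suitable for a forum reply."""
    lines = []
    for kind, name, clsid in findings['unresolved_addons']:
        lines.append(f'{kind} with no DLL path: {name} {clsid}')
    for dll in findings['appinit_dlls']:
        lines.append(f'AppInit_DLLs loads: {dll}')
    for stamp, size, name in findings['drivers']:
        lines.append(f'driver created {stamp}: {name} ({size} bytes)')
    for size, names in sorted(findings['same_size_drivers'].items()):
        lines.append(f'{len(names)} drivers share size {size}: ' + ', '.join(names))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(triage(SAMPLE_LOG))))
```

Run it against a saved DDS log with `triage(open(path).read())`; the same-size grouping and the AppInit_DLLs line are the two things to compare between a log taken before and one taken after a reboot.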


#9 fireman4it


Posted 10 February 2013 - 08:35 PM

1.
We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Fix textbox. Do not include the word

    :Otl
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe -- (vToolbarUpdater13.2.0)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
    SRV - File not found [Disabled | Stopped] -- C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe -- (MyWebSearchService)
    SRV - File not found [Auto | Stopped] -- C:\PROGRA~1\Fun4IM\Bandoo.exe -- (Fun4IM Coordinator)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe -- (avgwd)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG2013\avgidsagent.exe -- (AVGIDSAgent)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vodafone_K3805-z_dc_enum.sys -- (vodafone_K3805-z_dc_enum)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vodafone_K3805-z_cpo.sys -- (vodafone_K3805-z_cpo)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vodafone_K3805-z_cdc_ecm.sys -- (vodafone_K3805-z_cdc_ecm)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vodafone_K3805-z_cdc_acm.sys -- (vodafone_K3805-z_cdc_acm)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\btwusb.sys -- (BTWUSB)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\btwhid.sys -- (btwhid)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\btaudio.sys -- (btaudio)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\avgtdix.sys -- (Avgtdix)
    DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
    DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\avgmfx86.sys -- (Avgmfx86)
    DRV - File not found [Kernel | Boot | Stopped] -- system32\DRIVERS\avglogx.sys -- (Avglogx)
    DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\avgldx86.sys -- (Avgldx86)
    DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\avgidsshimx.sys -- (AVGIDSShim)
    DRV - File not found [Kernel | Boot | Stopped] -- system32\DRIVERS\avgidshx.sys -- (AVGIDSHX)
    DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\avgidsdriverx.sys -- (AVGIDSDriver)
    IE - HKLM\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}: "URL" = http://www.searchqu.com/web?src=ieb&systemid=402&q={searchTerms}
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll File not found
    O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll File not found
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll File not found
    O2 - BHO: (BandooIEPlugin Class) - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Fun4IM\Plugins\IE\ieplugin.dll File not found
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Orange Toolbar) - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer255.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (Orange Toolbar) - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer255.dll File not found
    O4 - HKLM..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY File not found
    O4 - HKLM..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent File not found
    O4 - HKLM..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" File not found
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/SmileyCentralFWBInitialSetup1.0.1.0.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
    O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll File not found
    O34 - HKLM BootExecute: (avgrmbr.nt /mbr C:\Windows\System32\avgrmbr.bin)
    [2011/01/03 20:13:26 | 000,000,000 | ---D | M] -- C:\Users\FRASER\AppData\Roaming\WhiteSmoke
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:0B4227B4

  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.

2.
Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button.

Once that is done, go to Step 3 and allow it to run System File Check by clicking on the Do It button.

Go to Step 4 and under "System Restore" click on the Create button.

Go to the Start Repairs tab and click the Start button.

Please ensure that ONLY the items seen in the image below are ticked as indicated (they're all checked by default):

[screenshot not reproduced]

Click on the box next to "Restart System when Finished". Then click on Start.

Things to include in your next reply:
OTL fix.txt
Do you have a USB Flash Drive you can use?
How is your machine running now?

Edited by fireman4it, 10 February 2013 - 08:39 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
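Before a fix list like the one above is pasted into OTL, it is worth confirming that each target really is absent, because the registrations are removed on the strength of OTL's own "File not found" verdict. As an added example that is not part of this thread or of OTL, the following PowerShell snippet parses the service, driver, BHO and Run-key line shapes from that list (the sample is constructed from four lines of the fix above) and re-tests each path on the local machine. The regular expressions, and the rule that a driver or service path without a drive letter is relative to %SystemRoot%, are assumptions about OTL's log format.

```powershell
# Added example (not from the thread or from OTL): parse OTL "File not found" fix lines and
# re-check each target before the registrations are removed. The sample lines are copied from
# the fix list in this thread; the regexes are an assumption about OTL's line format.

$sampleFixLines = @'
SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe -- (avgwd)
DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\avgtdix.sys -- (Avgtdix)
O2 - BHO: (BandooIEPlugin Class) - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Fun4IM\Plugins\IE\ieplugin.dll File not found
O4 - HKLM..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent File not found
'@ -split "`r?`n"

function ConvertFrom-OtlFixLine {
    param([string]$Line)
    switch -Regex ($Line) {
        '^(?<kind>SRV|DRV) - File not found \[[^\]]+\] -- (?<path>.+?) -- \((?<name>[^)]+)\)\s*$' {
            $path = $Matches.path
            # Service/driver image paths without a drive letter are relative to %SystemRoot%.
            if ($path -notmatch '^([A-Za-z]:\\|%)') { $path = Join-Path $env:SystemRoot $path }
            return [pscustomobject]@{ Kind = $Matches.kind; Name = $Matches.name; Path = $path }
        }
        '^O2 - BHO: \((?<name>[^)]*)\) - (?<clsid>\{[0-9A-Fa-f-]+\}) - (?<path>.+?) File not found\s*$' {
            return [pscustomobject]@{ Kind = 'BHO'; Name = "$($Matches.name) $($Matches.clsid)"; Path = $Matches.path }
        }
        '^O4 - (?<hive>HK\w+)\.\.\\Run: \[(?<name>[^\]]+)\] "?(?<path>[^"]+?\.exe)"?.* File not found\s*$' {
            $path = [Environment]::ExpandEnvironmentVariables($Matches.path)
            return [pscustomobject]@{ Kind = 'Run'; Name = "$($Matches.hive) $($Matches.name)"; Path = $path }
        }
        default { return $null }
    }
}

function Test-OtlFixTargets {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ConvertFrom-OtlFixLine -Line $line
        if (-not $entry) { continue }
        $present = Test-Path -LiteralPath $entry.Path
        [pscustomobject]@{
            Kind    = $entry.Kind
            Name    = $entry.Name
            Path    = $entry.Path
            OnDisk  = $present
            # A target that is still on disk should be investigated, not deleted on OTL's say-so.
            Verdict = if ($present) { 'REVIEW: file exists, verdict disputed' } else { 'orphaned registration' }
        }
    }
}

Test-OtlFixTargets -Lines $sampleFixLines | Format-Table -AutoSize
```

Lines in formats the parser does not know (O3 toolbars, O16, O18, O34, the dated folder entry) are skipped rather than guessed at; extend the switch with a further pattern for each shape you need. On the machine in this thread the expected result is every sampled target reported as absent, which is exactly what makes the registrations safe to clear.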


#10 omh

omh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 11 February 2013 - 04:15 PM

OTL seems to crash and not respond at this point:

O34 - HKLM BootExecute: (avgrmbr.nt /mbr C:\Windows\System32\avgrmbr.bin)

Since the above OTL crashed, I continued with Windows Repair. Still the same blue screen and trojan. I've attached a copy of a new OTL quick scan, taken after I did the Windows Repair.

Thanks Ollie

Attached Files


Edited by omh, 11 February 2013 - 05:34 PM.


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:21 AM

Posted 11 February 2013 - 08:26 PM

Have you tried to run the OTL fix in Safe Mode?


#12 omh

omh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 12 February 2013 - 01:34 AM

I can only run the computer in Safe Mode, as in normal mode it blue screens (no error message written).

And yes, I have access to a USB flash drive.


Edited by omh, 12 February 2013 - 04:14 PM.


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:21 AM

Posted 12 February 2013 - 10:40 PM

  • Download RogueKiller to the desktop.
  • Close all the running processes.
  • Under Vista/Seven, right click -> Run as Administrator.
  • Otherwise just double-click on RogueKiller.exe.
  • When prompted, click Scan.
  • A report should open; give its content to your helper. (RKreport can also be found next to the executable.)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.


#14 omh

omh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 13 February 2013 - 02:03 PM

Rogue Killer report Attached.

Attached Files


Edited by omh, 13 February 2013 - 03:44 PM.


#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:21 AM

Posted 13 February 2013 - 04:27 PM

Hello,

I see no action taken in your Malwarebytes log. Please run it again and allow Malwarebytes to delete those entries.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.




