
Ransomware Affecting One User


  • This topic is locked
29 replies to this topic

#1 Lifeseeker

Lifeseeker

  • Members
  • 44 posts
  • Gender:Male

Posted 02 February 2013 - 10:37 AM

Hello,

It's been a long time since I've needed your help so I hope I'm giving you enough info here to get started, or at least enough to get you interested...

I'm running windows vista home premium sp 2, 32 bit os. I use AVG 2013 free version for antivirus. There are four user accounts on my machine, two administrators, two limited accounts.

I use the main administrator account, user name Dad. The other day I was surfing and the screen became locked by what I later learned was a ransomware screen locker, which appears to be in Dutch; I'm in the US. I wasn't able to pull up Task Manager but was able to log off (or maybe I just did a forced reboot, I don't remember). I am able to log on to the other three user accounts without a problem, but the screen locker comes back if I log in using my account. I am able to log in to the account in safe mode.

I first tried to use a restore point to roll back, but that didn't work. So I came here and tried "Remove the Urausy FBI Ransomware Infection (Uninstall Guide)" posted here http://www.bleepingcomputer.com/virus-removal/remove-urausy-fbi-ransomware. Here's where I am:

system restore is off

I have followed all steps of "Automated Removal Instructions for Urausy Trojan using the Emsisoft Emergency Kit:" from the above post. I found 7 problems but Emsisoft only quarantined 6.

I ran AVG in safe mode and it found a file that I am unable to delete; I have tried KillBox and FileASSASSIN. Neither can recognize the file. It is named "(Eroticvideoarchive)(Adult Video - Models Age 18)(Playboy Hustler Magazine Met-Art Ftvgirls Mplstudios Hegre-Art Watch4Beauty Ddgirls Angels Bodyinmind Girls G" and is a few folders down on the C drive. (Bet that got your attention; it got mine.) I'm no expert, but I'm going to guess this is not a Windows file.

Thanks for looking at this.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by Dad at 10:24:40 on 2013-02-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1506 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
C:\Program Files\Kodak\CloudPrinting\KCPConnector.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Common Files\PX Storage Engine\VxBlockServer.exe
C:\Program Files\Hewlett-Packard\KBD\kbd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [qcgce2mrvjq91kk1e7pnbb19m52fx] c:\users\dad\appdata\local\temp\bovf1a1egutetalzr9kz2b.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\program files\hewlett-packard\kbd\KbdStub.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [SmartMenu] c:\program files\hewlett-packard\hp mediasmart\SmartMenu.exe
mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
mRun: [Desktop Disc Tool] "c:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [Conime] c:\windows\system32\conime.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [EKStatusMonitor] c:\program files\kodak\aio\statusmonitor\EKStatusMonitor.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: cinemanow.com
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{66297DA6-2686-48FC-8B24-2C0E5DD92C53} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-11-15 94048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-11-27 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-11-27 15856]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-11-27 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-15 5814904]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2012-10-19 395200]
R2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files\kodak\aio\statusmonitor\EKPrinterSDK.exe [2012-10-15 779200]
R2 Kodak Cloud Software Connector;Kodak Cloud Software Connector;c:\program files\kodak\cloudprinting\kcpconnector.exe -s --> c:\program files\kodak\cloudprinting\KCPConnector.exe -s [?]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2012-7-18 184848]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-11-26 1225312]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-11-26 659040]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-9-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-9-9 20640]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-02-02 14:06:05 -------- d-----w- c:\program files\FileASSASSIN
2013-02-01 23:44:21 -------- d-----w- c:\users\dad\appdata\local\{7612106A-B29C-47C5-9891-93FF4F3A8CCA}
2013-02-01 17:06:05 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2013-02-01 16:57:05 -------- d-----w- c:\users\dad\appdata\local\Secunia PSI
2013-02-01 16:56:55 -------- d-----w- c:\program files\Secunia
2013-01-20 19:10:36 225792 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
2013-01-20 19:09:43 -------- d-----w- c:\programdata\Visan
2013-01-20 19:09:43 -------- d-----w- c:\programdata\PrintProjects
2013-01-20 19:09:43 -------- d-----w- c:\program files\PrintProjects
2013-01-20 19:00:30 -------- d-----w- c:\users\dad\appdata\roaming\KODAK AiO Home Center332047331
2013-01-20 18:59:57 -------- d-----w- c:\users\dad\appdata\roaming\KODAK AiO Home Center605735797
2013-01-20 16:46:37 -------- d-----w- c:\programdata\AVG January 2013 Campaign
2013-01-09 22:23:24 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 22:23:05 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 22:23:04 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
==================== Find3M ====================
.
2013-02-01 17:05:57 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-09 23:13:09 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-09 23:13:09 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-08 16:29:12 1402312 ----a-w- c:\windows\system32\msxml4.dll
.
============= FINISH: 10:25:27.27 ===============

Edited by bloopie, 02 February 2013 - 11:37 AM.
Moved from Vista to the Logs forum due to DDS log. ~bloopie
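The DDS log in this post contains the one autorun line a malware-response volunteer would look at first: the `uRun:` entry `[qcgce2mrvjq91kk1e7pnbb19m52fx] c:\users\dad\appdata\local\temp\bovf1a1egutetalzr9kz2b.exe`. In DDS output a `u` prefix means the value lives in the HKCU Run key of the profile DDS was run from (here, Dad), `m` means HKLM and `d` the default-user hive. A per-user Run value pointing at a randomly named executable in that user's own Temp folder fits the symptoms described above (only one account affected, Safe Mode unaffected since Windows does not process Run keys in Safe Mode), although the thread itself does not confirm that this entry is the locker. The script below is an added example, not code from BleepingComputer, DDS or the thread: it parses Run/RunOnce lines in the DDS "Pseudo HJT Report" format and flags entries whose image sits in a Temp directory or whose value name or file name looks machine-generated. The scope mapping follows DDS's convention; the Temp-directory list and the "random name" heuristic (a long letters-and-digits string that switches between the two classes at least four times) are this example's own assumptions. The sample lines are copied from the log above.

```python
"""Triage of DDS-style autorun lines (added example, not a BleepingComputer or DDS tool).

Flags Run/RunOnce entries a responder would check first:
  image_in_temp      - the loaded image lives in a Temp directory (assumed marker list)
  random_value_name  - the registry value name looks machine-generated (heuristic)
  random_file_name   - the image's file name looks machine-generated (heuristic)
"""
import re

# DDS prefixes: u = HKCU of the profile DDS ran under, m = HKLM, d = default user hive.
RUN_LINE = re.compile(
    r'^(?P<scope>[umd])Run(?P<once>Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$'
)
SCOPE_NAMES = {'u': 'HKCU', 'm': 'HKLM', 'd': 'HKU\\.DEFAULT'}

# Assumption: no legitimate installer keeps a permanent autorun under these paths.
TEMP_MARKERS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\', '\\temp\\')


def split_cmd(cmd: str) -> list:
    """Split a Windows command line on spaces while honouring double quotes."""
    tokens, cur, quoted = [], '', False
    for ch in cmd.strip():
        if ch == '"':
            quoted = not quoted
        elif ch == ' ' and not quoted:
            if cur:
                tokens.append(cur)
                cur = ''
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def image_of(cmd: str) -> str:
    """Return the module that actually gets loaded: the first token, or for
    rundll32 the DLL named in its first argument (the part before ',Export')."""
    tokens = split_cmd(cmd)
    if not tokens:
        return ''
    image = tokens[0]
    if image.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and len(tokens) > 1:
        image = tokens[1].split(',', 1)[0]
    return image


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a long run of letters and digits that switches
    between the two classes many times (qcgce2mrvjq91kk1e7pnbb19m52fx) is typical
    of generated names; product names such as EKIJ5000StatusMonitor switch once
    or twice."""
    s = name.strip()
    if len(s) < 12 or not re.fullmatch(r'[A-Za-z0-9]+', s):
        return False
    switches = sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())
    return switches >= 4


def parse_run_line(line: str):
    """Parse one DDS Run/RunOnce line into a dict, or return None for other lines."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    image = image_of(m.group('cmd'))
    stem = image.rsplit('\\', 1)[-1].rpartition('.')[0] or image
    reasons = []
    if any(marker in image.lower() for marker in TEMP_MARKERS):
        reasons.append('image_in_temp')
    if looks_random(m.group('name')):
        reasons.append('random_value_name')
    if looks_random(stem):
        reasons.append('random_file_name')
    return {
        'scope': SCOPE_NAMES[m.group('scope')],
        'key': 'RunOnce' if m.group('once') else 'Run',
        'name': m.group('name'),
        'image': image,
        'reasons': reasons,
    }


def triage(lines) -> list:
    """Return only entries with at least one reason, most reasons first."""
    hits = [e for e in map(parse_run_line, lines) if e and e['reasons']]
    return sorted(hits, key=lambda e: -len(e['reasons']))


# Lines copied from the DDS log in the first post; the BHO line shows that
# non-Run lines are ignored.
SAMPLE_DDS_LINES = [
    r'uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe',
    r'uRun: [qcgce2mrvjq91kk1e7pnbb19m52fx] c:\users\dad\appdata\local\temp\bovf1a1egutetalzr9kz2b.exe',
    r'mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide',
    r'mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup',
    r'mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY',
    r'mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe',
    r'dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"',
    r'BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll',
]

if __name__ == '__main__':
    for hit in triage(SAMPLE_DDS_LINES):
        print(f"{hit['scope']}\\{hit['key']} [{hit['name']}] -> {hit['image']}"
              f"  ({', '.join(hit['reasons'])})")
```

Run against the sample, only the `qcgce2…` entry is reported, with all three reasons; the HP, NVIDIA, AVG and Kodak entries pass because their value names contain spaces, underscores or at most two letter/digit switches, and their images live under Program Files or System32. The heuristics are deliberately conservative: an entry with no reasons is not thereby clean, it is simply not the first thing to check.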



#2 Lifeseeker

Lifeseeker
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male

Posted 02 February 2013 - 10:39 AM

Oops,wrong forum. So sorry... Mod please move to correct forum.

Edited by Lifeseeker, 02 February 2013 - 10:44 AM.


#3 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 02 February 2013 - 11:54 AM

Hello Lifeseeker, and welcome to the Malware Removal forum where I have moved your topic to! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.

==========

:step1:

I'd like you to try running MBAM from safe mode if you still cannot access normal mode with the infected account:

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for a scan...only be sure to change from Quick Scan to Full Scan!
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable these programs or permit them to allow the changes.

  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

==========

Please be sure to post the resultant MBAM log in your next reply, and let me know if normal mode is now accessible!

bloopie

Edited by bloopie, 02 February 2013 - 11:54 AM.


#4 Lifeseeker

Lifeseeker
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male

Posted 02 February 2013 - 02:53 PM

Good news, I can now access the infected user profile in normal mode, weeeeeeeeee! You rock! BTW, I don't have the windows install disk. Have a look at the report and let me know if we found the root problem, please.

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.02.07

Windows Vista Service Pack 2 x86 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
Dad :: DADS-PC [administrator]

2/2/2013 12:29:28 PM
mbam-log-2013-02-02 (12-29-28).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 483874
Time elapsed: 57 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\Cadence\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OE0JYYSM\IWON.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Programs\Media-Monkey 3.0.3.1140 Gold + Keygen\keygen.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
C:\Users\Zane\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FM1KRXBY\oi_setup.exe (PUP.BundleInstaller.OI) -> Quarantined and deleted successfully.
C:\Users\Zane\Downloads\oi_setup (1).exe (PUP.BundleInstaller.OI) -> Quarantined and deleted successfully.
C:\Users\Zane\Downloads\oi_setup.exe (PUP.BundleInstaller.OI) -> Quarantined and deleted successfully.

(end)

#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 02 February 2013 - 03:38 PM

Hello again,

Good work! :thumbup2:

I'm glad to hear you can access normal mode, but there are still some things from your DDS log that I didn't see MBAM cleanup.

So let's run another powerful automated tool from normal mode. This tool is not to be used lightly:

==========

Run Combofix (NORMAL boot mode please):

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

==========

In addition to the Combofix log, please let me know how the computer is running now!

bloopie

#6 Lifeseeker

Lifeseeker
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male

Posted 03 February 2013 - 08:40 AM

Hey now, Bloopie. Things seem to be running fine. Have a look and see what you think. BTW, let me know when it's safe to turn system restore back on, okay? You da man! Oh yeah, I haven't tried to delete that file I mentioned in my first post, should I keep it as a souvenier? (that's probably not as funny as the fact that I can't spell souvenier.)

ComboFix 13-02-02.05 - Dad 02/03/2013 8:06.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1881 [GMT -5:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-01-03 to 2013-02-03 )))))))))))))))))))))))))))))))
.
.
2013-02-03 13:13 . 2013-02-03 13:14 -------- d-----w- c:\users\Dad\AppData\Local\temp
2013-02-03 13:13 . 2013-02-03 13:13 -------- d-----w- c:\users\Zane\AppData\Local\temp
2013-02-03 13:13 . 2013-02-03 13:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-03 13:13 . 2013-02-03 13:13 -------- d-----w- c:\users\Mom\AppData\Local\temp
2013-02-03 13:13 . 2013-02-03 13:13 -------- d-----w- c:\users\Cadence\AppData\Local\temp
2013-02-02 20:49 . 2013-02-02 21:07 -------- d-----w- c:\users\Mom\AppData\Roaming\vlc
2013-02-02 17:07 . 2013-02-02 17:07 -------- d-----w- c:\users\Dad\AppData\Roaming\Malwarebytes
2013-02-02 17:07 . 2013-02-02 17:07 -------- d-----w- c:\programdata\Malwarebytes
2013-02-02 17:07 . 2013-02-02 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-02-02 17:07 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-02 15:49 . 2013-02-02 15:49 -------- d-----w- c:\users\Cadence\AppData\Local\Google
2013-02-02 14:06 . 2013-02-02 14:06 -------- d-----w- c:\program files\FileASSASSIN
2013-02-01 17:06 . 2013-02-01 17:05 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin7.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin6.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin5.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin4.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin3.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin2.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin.dll
2013-02-01 16:57 . 2013-02-01 16:57 -------- d-----w- c:\users\Dad\AppData\Local\Secunia PSI
2013-02-01 16:56 . 2013-02-01 16:56 -------- d-----w- c:\program files\Secunia
2013-01-20 19:10 . 2012-10-08 15:05 225792 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2013-01-20 19:09 . 2013-01-20 19:09 -------- d-----w- c:\program files\PrintProjects
2013-01-20 19:09 . 2013-01-20 19:09 -------- d-----w- c:\programdata\Visan
2013-01-20 19:09 . 2013-01-20 19:09 -------- d-----w- c:\programdata\PrintProjects
2013-01-20 19:00 . 2013-01-20 19:00 -------- d-----w- c:\users\Dad\AppData\Roaming\KODAK AiO Home Center332047331
2013-01-20 18:59 . 2013-01-20 18:59 -------- d-----w- c:\users\Dad\AppData\Roaming\KODAK AiO Home Center605735797
2013-01-20 16:46 . 2013-01-20 16:48 -------- d-----w- c:\programdata\AVG January 2013 Campaign
2013-01-09 22:23 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 22:23 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 22:23 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-01 17:05 . 2010-05-21 22:09 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-09 23:13 . 2012-04-04 10:43 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 23:13 . 2011-06-06 21:33 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 13:12 . 2012-12-21 19:48 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-21 19:48 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-16 04:33 . 2012-11-16 04:33 94048 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2012-11-14 02:09 . 2012-12-13 08:05 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58 . 2012-12-13 08:05 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57 . 2012-12-13 08:05 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49 . 2012-12-13 08:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48 . 2012-12-13 08:05 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44 . 2012-12-13 08:05 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29 . 2012-12-13 04:02 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-08 16:29 . 2012-11-08 16:29 1402312 ----a-w- c:\windows\system32\msxml4.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\program files\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-18 1152296]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-18 189736]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-09-23 912688]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"EKStatusMonitor"="c:\program files\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe" [2012-10-15 2844608]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2012-10-08 2804224]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2012-10-19 2235840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R1 A2DDA;A2 Direct Disk Access Support Driver;f:\emsisoft\Run\a2ddax86.sys [x]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 11:36 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 23:13]
.
2013-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-14 23:26]
.
2013-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-14 23:26]
.
2012-11-26 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
.
2013-01-20 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-20 16:07]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-03 08:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-02-03 08:16:05
ComboFix-quarantined-files.txt 2013-02-03 13:16
.
Pre-Run: 241,292,275,712 bytes free
Post-Run: 241,988,685,824 bytes free
.
- - End Of File - - 95E1381F1FE061DDBD0AFCB7DD4E250F

#7 bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 03 February 2013 - 01:14 PM

Hello again,

BTW, let me know when it's safe to turn system restore back on, okay?

Will do! :)

I haven't tried to delete that file I mentioned in my first post, should I keep it as a souvenier? (that's probably not as funny as the fact that I can't spell souvenier.)

That's funny indeed! Just lose the "e" and you've got the correct spelling.

Does that file have an extension, or is it just as you posted? Personally I would delete it, but you can also upload it to VirusTotal for a second opinion: https://www.virustotal.com/

==========

Now let's do the following:

Step 1

Run a Combofix Script


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:

File::
c:\users\dad\appdata\local\temp\bovf1a1egutetalzr9kz2b.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qcgce2mrvjq91kk1e7pnbb19m52fx"=-

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Step 2

Please now run a fresh scan with DDS and post the log here.

==========

In your next reply, please include the following:

  • The latest Combofix log
  • The latest DDS log
bloopie
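
Added here as a triage example (not code from this thread, from ComboFix or from BleepingComputer): a Python parser for the Run/RunOnce values ComboFix prints under "Reg Loading Points" that flags the combination the CFScript above removes, a random-looking value name whose target sits in the user's temp folder, and lists any "Infected copy of ... was found and disinfected" lines (userinit.exe in the next log in this thread). The sample log is constructed from entries in this thread's logs; the removed Run value's [date size] field is a placeholder.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not code from this thread, from ComboFix or from BleepingComputer:
it flags the pattern the helper removed above (a Run value with a random-looking
name whose target lives in a temp folder) and lists files ComboFix disinfected.
"""
import math
import re
from collections import Counter

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# e.g.  "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[[^\]]*\])?$')
INFECTED_RE = re.compile(r"^Infected copy of (\S+) was found and disinfected$")
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def shannon_entropy(text: str) -> float:
    """Bits per character over the string's own symbol frequencies."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def digit_letter_transitions(text: str) -> int:
    """How often the string switches between digits and non-digits."""
    return sum(1 for a, b in zip(text, text[1:]) if a.isdigit() != b.isdigit())

def looks_random(name: str) -> bool:
    """True for machine-generated names like the one removed in this thread;
    product names carrying a model number (EKIJ5000StatusMonitor) stay False."""
    core = name.lower()
    if core.endswith(".exe"):
        core = core[:-4]
    if len(core) < 12 or not core.isalnum():
        return False
    return digit_letter_transitions(core) >= 4 and shannon_entropy(core) > 3.5

def parse_autoruns(log_text: str):
    """Yield (key, value name, target path) for every Run/RunOnce value."""
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current_key = key if key.lower().endswith(AUTORUN_SUFFIXES) else None
            continue
        entry = ENTRY_RE.match(line)
        if entry and current_key:
            yield current_key, entry.group(1), entry.group(2)

def triage_autoruns(log_text: str) -> list:
    """One dict per suspicious autorun value, with the reasons it was flagged."""
    findings = []
    for key, name, path in parse_autoruns(log_text):
        reasons = []
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            reasons.append("target lives in a temp folder")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings

def disinfected_files(log_text: str) -> list:
    """System files ComboFix reports as infected and restored from its cache."""
    hits = (INFECTED_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.group(1) for m in hits if m]

# Constructed excerpt in ComboFix's format: the keys, the benign values and the
# userinit.exe line come from the logs in this thread; the removed Run value is
# rebuilt from the helper's CFScript, so its [date size] field is a placeholder.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe
.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"qcgce2mrvjq91kk1e7pnbb19m52fx"="c:\users\dad\appdata\local\temp\bovf1a1egutetalzr9kz2b.exe" [0000-00-00 0]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2012-10-08 2804224]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2012-10-19 2235840]
"""

if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_LOG):
        print(f"{f['key']}\n  {f['name']} -> {f['path']}\n  {'; '.join(f['reasons'])}")
    for path in disinfected_files(SAMPLE_LOG):
        print(f"ComboFix reported and restored an infected system file: {path}")
```

Run it against a full ComboFix.txt by reading the file into `triage_autoruns`; the heuristics only narrow the list, so each hit still needs a look at the target binary before it goes into a CFScript.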

#8 Lifeseeker
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male

Posted 03 February 2013 - 09:01 PM

Hello again. The file I mentioned doesn't have an extension that I know of. If I try to delete or rename it, it says file not found.

I may have botched this operation because I disabled AVG and told it to come back up on reboot, but ComboFix rebooted the machine. Hope this is still a valid log...

ComboFix 13-02-03.03 - Dad 02/03/2013 20:28:02.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1855 [GMT -5:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
Command switches used :: c:\users\Dad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\dad\appdata\local\temp\bovf1a1egutetalzr9kz2b.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\wininit.ini
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-04 to 2013-02-04 )))))))))))))))))))))))))))))))
.
.
2013-02-04 01:34 . 2013-02-04 01:37 -------- d-----w- c:\users\Dad\AppData\Local\temp
2013-02-04 01:34 . 2013-02-04 01:34 -------- d-----w- c:\users\Zane\AppData\Local\temp
2013-02-04 01:34 . 2013-02-04 01:34 -------- d-----w- c:\users\Mom\AppData\Local\temp
2013-02-04 01:34 . 2013-02-04 01:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-04 01:34 . 2013-02-04 01:34 -------- d-----w- c:\users\Cadence\AppData\Local\temp
2013-02-03 15:09 . 2013-02-03 15:09 -------- d-----w- c:\users\Mom\AppData\Roaming\Macrovision
2013-02-02 20:49 . 2013-02-02 21:07 -------- d-----w- c:\users\Mom\AppData\Roaming\vlc
2013-02-02 17:07 . 2013-02-02 17:07 -------- d-----w- c:\users\Dad\AppData\Roaming\Malwarebytes
2013-02-02 17:07 . 2013-02-02 17:07 -------- d-----w- c:\programdata\Malwarebytes
2013-02-02 17:07 . 2013-02-02 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-02-02 17:07 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-02 15:49 . 2013-02-02 15:49 -------- d-----w- c:\users\Cadence\AppData\Local\Google
2013-02-02 14:06 . 2013-02-02 14:06 -------- d-----w- c:\program files\FileASSASSIN
2013-02-01 17:06 . 2013-02-01 17:05 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin7.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin6.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin5.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin4.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin3.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin2.dll
2013-02-01 17:05 . 2013-02-01 17:05 159744 ----a-w- c:\program files\Internet Explorer\plugins\npqtplugin.dll
2013-02-01 16:57 . 2013-02-01 16:57 -------- d-----w- c:\users\Dad\AppData\Local\Secunia PSI
2013-02-01 16:56 . 2013-02-01 16:56 -------- d-----w- c:\program files\Secunia
2013-01-20 19:10 . 2012-10-08 15:05 225792 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2013-01-20 19:09 . 2013-01-20 19:09 -------- d-----w- c:\program files\PrintProjects
2013-01-20 19:09 . 2013-01-20 19:09 -------- d-----w- c:\programdata\Visan
2013-01-20 19:09 . 2013-01-20 19:09 -------- d-----w- c:\programdata\PrintProjects
2013-01-20 19:00 . 2013-01-20 19:00 -------- d-----w- c:\users\Dad\AppData\Roaming\KODAK AiO Home Center332047331
2013-01-20 18:59 . 2013-01-20 18:59 -------- d-----w- c:\users\Dad\AppData\Roaming\KODAK AiO Home Center605735797
2013-01-20 16:46 . 2013-01-20 16:48 -------- d-----w- c:\programdata\AVG January 2013 Campaign
2013-01-09 22:23 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 22:23 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 22:23 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-01 17:05 . 2010-05-21 22:09 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-09 23:13 . 2012-04-04 10:43 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 23:13 . 2011-06-06 21:33 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 13:12 . 2012-12-21 19:48 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-21 19:48 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-16 04:33 . 2012-11-16 04:33 94048 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2012-11-14 02:09 . 2012-12-13 08:05 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58 . 2012-12-13 08:05 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57 . 2012-12-13 08:05 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49 . 2012-12-13 08:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48 . 2012-12-13 08:05 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44 . 2012-12-13 08:05 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29 . 2012-12-13 04:02 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-08 16:29 . 2012-11-08 16:29 1402312 ----a-w- c:\windows\system32\msxml4.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\program files\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-18 1152296]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-18 189736]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-09-23 912688]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"EKStatusMonitor"="c:\program files\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe" [2012-10-15 2844608]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2012-10-08 2804224]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2012-10-19 2235840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R1 A2DDA;A2 Direct Disk Access Support Driver;f:\emsisoft\Run\a2ddax86.sys [x]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 11:36 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 23:13]
.
2013-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-14 23:26]
.
2013-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-14 23:26]
.
2012-11-26 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
.
2013-01-20 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-20 16:07]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-03 20:38
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\WUDFHost.exe
c:\program files\AVG\AVG2013\avgwdsvc.exe
c:\program files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
c:\program files\Kodak\AiO\Center\EKAiOHostService.exe
c:\program files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
c:\program files\Kodak\CloudPrinting\KCPConnector.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\PX Storage Engine\VxBlockServer.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVG\AVG2013\avgcfgex.exe
.
**************************************************************************
.
Completion time: 2013-02-03 20:44:31 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-04 01:44
.
Pre-Run: 241,815,035,904 bytes free
Post-Run: 241,911,640,064 bytes free
.
- - End Of File - - 841B60D74DA06CB00EA0387B57CB5EE8

Here's the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by Dad at 20:50:13 on 2013-02-03
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1889 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
C:\Program Files\Kodak\CloudPrinting\KCPConnector.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\PX Storage Engine\VxBlockServer.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\AVG\AVG2013\avgcfgex.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\program files\hewlett-packard\kbd\KbdStub.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [SmartMenu] c:\program files\hewlett-packard\hp mediasmart\SmartMenu.exe
mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
mRun: [Desktop Disc Tool] "c:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [Conime] c:\windows\system32\conime.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [EKStatusMonitor] c:\program files\kodak\aio\statusmonitor\EKStatusMonitor.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: cinemanow.com
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{66297DA6-2686-48FC-8B24-2C0E5DD92C53} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-11-15 94048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-11-27 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-11-27 15856]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-11-27 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2012-10-19 395200]
R2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files\kodak\aio\statusmonitor\EKPrinterSDK.exe [2012-10-15 779200]
R2 Kodak Cloud Software Connector;Kodak Cloud Software Connector;c:\program files\kodak\cloudprinting\kcpconnector.exe -s --> c:\program files\kodak\cloudprinting\KCPConnector.exe -s [?]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2012-7-18 184848]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-15 5814904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-9-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-9-9 20640]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-02-04 01:44:33 -------- d-----w- c:\users\dad\appdata\local\temp
2013-02-04 01:37:05 -------- d-----w- C:\$RECYCLE.BIN
2013-02-03 13:04:39 98816 ----a-w- c:\windows\sed.exe
2013-02-03 13:04:39 256000 ----a-w- c:\windows\PEV.exe
2013-02-03 13:04:39 208896 ----a-w- c:\windows\MBR.exe
2013-02-02 17:07:33 -------- d-----w- c:\users\dad\appdata\roaming\Malwarebytes
2013-02-02 17:07:16 -------- d-----w- c:\programdata\Malwarebytes
2013-02-02 17:07:15 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-02 17:07:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-02-02 14:06:05 -------- d-----w- c:\program files\FileASSASSIN
2013-02-01 23:44:21 -------- d-----w- c:\users\dad\appdata\local\{7612106A-B29C-47C5-9891-93FF4F3A8CCA}
2013-02-01 17:06:05 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-02-01 17:05:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2013-02-01 16:57:05 -------- d-----w- c:\users\dad\appdata\local\Secunia PSI
2013-02-01 16:56:55 -------- d-----w- c:\program files\Secunia
2013-01-20 19:10:36 225792 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
2013-01-20 19:09:43 -------- d-----w- c:\programdata\Visan
2013-01-20 19:09:43 -------- d-----w- c:\programdata\PrintProjects
2013-01-20 19:09:43 -------- d-----w- c:\program files\PrintProjects
2013-01-20 19:00:30 -------- d-----w- c:\users\dad\appdata\roaming\KODAK AiO Home Center332047331
2013-01-20 18:59:57 -------- d-----w- c:\users\dad\appdata\roaming\KODAK AiO Home Center605735797
2013-01-20 16:46:37 -------- d-----w- c:\programdata\AVG January 2013 Campaign
2013-01-09 22:23:24 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 22:23:05 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 22:23:04 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
==================== Find3M ====================
.
2013-02-01 17:05:57 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-09 23:13:09 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-09 23:13:09 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-08 16:29:12 1402312 ----a-w- c:\windows\system32\msxml4.dll
.
============= FINISH: 20:50:22.80 ===============
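
Two things a responder checks by eye in a DDS log like the one above are the service or driver lines that end in "[?]" (as I read the DDS output format, that marker replaces the file's date and size when DDS cannot read the binary at the listed path, so the entry needs a manual look) and the DPF entries that still register older Java installer CABs. The script below, an added example that is not part of this thread or of DDS itself, parses an excerpt of the log posted above and reports both. The DDS prefix semantics used in describe_state (letter = running/stopped, digit = start type) are my reading of the format, stated as an assumption in the code.

```python
"""Triage helpers for a DDS log such as the one posted above.

Added example, not part of the thread. It extracts services/drivers whose
file DDS could not read (trailing '[?]') and Java ActiveX installer (DPF)
entries that pin an older JRE build than the newest one registered.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the log above (DPF entries and four service lines), used as sample input.
SAMPLE_LOG = r"""DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 55776]
R2 Kodak Cloud Software Connector;Kodak Cloud Software Connector;c:\program files\kodak\cloudprinting\kcpconnector.exe -s --> c:\program files\kodak\cloudprinting\KCPConnector.exe -s [?]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-9-22 39272]
.
=============== Created Last 30 ================
"""

# DDS line shape (assumed): <R|S><start type> <service name>;<display name>;<image path and args> [<date size> | ?]
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")
JAVA_CAB_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-windows-\w+\.cab")

# Assumed DDS prefix semantics: letter = current state, digit = start type.
RUN_STATE = {"R": "running", "S": "stopped"}
START_TYPE = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


def describe_state(code: str) -> str:
    """'S3' -> 'stopped, manual start'."""
    return f"{RUN_STATE[code[0]]}, {START_TYPE[code[1]]} start"


def parse_services(log: str) -> List[Dict[str, object]]:
    """Every SERVICES / DRIVERS line as a dict; 'unverified' is True when DDS printed '[?]'
    instead of the file's date and size, i.e. it could not read the binary at that path."""
    rows = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            cmd = m.group("cmd").rstrip()
            rows.append({"state": m.group("state"), "name": m.group("name"),
                         "display": m.group("display"), "cmd": cmd,
                         "unverified": cmd.endswith("[?]")})
    return rows


def unverified_services(log: str) -> List[str]:
    """Names of services whose binary DDS could not verify; inspect these by hand first."""
    return [r["name"] for r in parse_services(log) if r["unverified"]]


def java_dpf_versions(log: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """(CLSID, (major, minor, micro, update)) for each DPF entry pointing at a JRE installer CAB."""
    found = []
    for line in log.splitlines():
        m = DPF_RE.match(line)
        j = JAVA_CAB_RE.search(m.group(2)) if m else None
        if j:
            found.append((m.group(1), tuple(int(x) for x in j.groups())))
    return found


def newest_java_dpf(log: str) -> str:
    """Newest JRE build referenced by any DPF entry, in Oracle's notation (e.g. 1.6.0_37)."""
    versions = [v for _, v in java_dpf_versions(log)]
    if not versions:
        return ""
    a, b, c, d = max(versions)
    return f"{a}.{b}.{c}_{d:02d}"


def stale_java_dpf(log: str) -> List[str]:
    """CLSIDs whose installer CAB is older than the newest one registered: leftovers of an
    earlier JRE install that the update never removed."""
    versions = java_dpf_versions(log)
    if not versions:
        return []
    newest = max(v for _, v in versions)
    return [clsid for clsid, v in versions if v < newest]


if __name__ == "__main__":
    for r in parse_services(SAMPLE_LOG):
        flag = "  <-- file not verified by DDS" if r["unverified"] else ""
        print(f"{r['state']} ({describe_state(r['state'])}): {r['name']}{flag}")
    print("newest Java installer CAB:", newest_java_dpf(SAMPLE_LOG))
    print("stale Java DPF CLSIDs:", stale_java_dpf(SAMPLE_LOG))
```

On the excerpt, the two "[?]" entries are the Kodak cloud connector and the Norton service registered under an engine path; the stale DPF entry is the 1.6.0_07 installer left behind a 1.6.0_37 one. The whole DPF set is still JRE 6, which is why the helper later asks for every old JRE to be removed before JRE 7 goes on.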

#9 bloopie (Malware Response Team)

Posted 03 February 2013 - 11:15 PM

Hi again,

Okay that's better, and well done! :)

Now let's run a couple of other programs from normal mode:

Step :step1:

Please update MalwareBytes Antimalware, and run a Full Scan...then post the log here.

==========

Step :step2:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click Start.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click Start.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

==========

In your next reply, please include the following:

The MBAM log
The ESET log

bloopie

#10 Lifeseeker (Topic Starter)

Posted 05 February 2013 - 07:43 PM

Hi Bloopie. Here's the logs you asked for:

ESET
C:\Users\Dad\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120722083613239.rsc multiple threats
C:\Users\Public\Documents\Programs\YouTube Downloader\YouTubeDownloaderSetup35.exe Win32/Toolbar.Widgi application

MWB
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.05.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Dad :: DADS-PC [administrator]

2/5/2013 6:54:21 AM
mbam-log-2013-02-05 (06-54-21).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 483090
Time elapsed: 1 hour(s), 24 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#11 bloopie (Malware Response Team)

Posted 05 February 2013 - 08:40 PM

Hi again,

Now, let's remove what was found in the ESET scan with a batch, and then we'll do some updates:

Step :step1:
  • Hold the Windows key and press R to open the Run box, type in notepad and click OK.
  • Copy the text in the code box below then paste it into the blank Notepad and save it to your Desktop as DelFile.bat
@echo off
rem Force-delete (/f) each file ESET flagged, without prompting (/q); /s also removes any file of the same name in subfolders of that directory
del /f /s /q "C:\Users\Dad\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120722083613239.rsc"
del /f /s /q "C:\Users\Public\Documents\Programs\YouTube Downloader\YouTubeDownloaderSetup35.exe"
rem %0 is this batch file's own path, so the script removes itself when done
del %0
  • Now double click on the DelFile.bat on your Desktop and the batch will quickly run and delete itself for you.
  • Now reboot the machine.

==========

Step :step2:
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!

==========

Step :step3:
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
    64-bit OS users, should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u7-windows-i586.exe (or jre-7u7-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

==========

Let me know if you had any trouble with the above steps! We're nearly finished! :thumbup2:

bloopie
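
The DelFile.bat above destroys the two flagged files outright. ESET reported one of them as a PUA toolbar installer rather than confirmed malware, and a deleted sample cannot be restored if the detection was wrong, nor submitted anywhere if it was right. The script below is an added example, written in Python instead of batch and not something the helper or this thread used: it moves each flagged file into a quarantine folder under its SHA-256 name, records where it came from in a manifest, and can copy it back. The file names in demo() are constructed stand-ins created in a scratch directory, not the real files from the ESET report, and the script takes paths as arguments rather than assuming anything about the machine in the thread.

```python
"""Quarantine flagged files instead of deleting them.

Added example, not from the thread and not a tool the helper used. Each
existing file is moved into qdir as <sha256>.bin and logged to a JSON-lines
manifest, so a false positive can be restored and a true positive can still
be submitted for analysis.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, Iterable, Union

PathLike = Union[str, Path]


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def quarantine(paths: Iterable[PathLike], qdir: PathLike) -> Dict[str, str]:
    """Move each existing file into qdir as <sha256>.bin and append a manifest line.
    Returns {original path: 'quarantined:<sha256>' | 'missing' | 'error:<reason>'}."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = qdir / "manifest.jsonl"
    result: Dict[str, str] = {}
    for p in (Path(x) for x in paths):
        key = str(p)
        if not p.is_file():                 # already gone, or a directory: leave it alone
            result[key] = "missing"
            continue
        try:
            digest = sha256_file(p)
            st = p.stat()
            dest = qdir / f"{digest}.bin"
            if dest.exists():               # identical content already held: just drop this copy
                p.unlink()
            else:
                shutil.move(str(p), str(dest))
                dest.chmod(0o400)           # read-only, so nothing executes it by accident
            with manifest.open("a", encoding="utf-8") as mf:
                mf.write(json.dumps({"original": key, "sha256": digest, "size": st.st_size,
                                     "mtime": st.st_mtime, "quarantined_at": time.time()}) + "\n")
            result[key] = f"quarantined:{digest}"
        except OSError as exc:              # locked by a running process, access denied, ...
            result[key] = f"error:{exc.strerror or exc}"
    return result


def restore(qdir: PathLike, digest: str, original: PathLike) -> bool:
    """Copy a held file back to its original path (confirmed false positive). False if not held."""
    src = Path(qdir) / f"{digest}.bin"
    if not src.is_file():
        return False
    shutil.copy2(str(src), str(original))
    Path(original).chmod(0o600)             # undo the read-only bit copied from quarantine
    return True


def demo() -> Dict[str, object]:
    """Run the round trip on constructed files in a scratch directory and return what happened."""
    root = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    sample = root / "YouTubeDownloaderSetup35.exe"      # constructed stand-in, not the real installer
    sample.write_bytes(b"MZ" + b"constructed sample bytes " * 8)
    ghost = root / "120722083613239.rsc"                 # constructed: never created, so reported 'missing'
    expected = hashlib.sha256(sample.read_bytes()).hexdigest()
    qdir = root / "quarantine"
    statuses = quarantine([sample, ghost], qdir)
    held = qdir / f"{expected}.bin"
    entries = (qdir / "manifest.jsonl").read_text(encoding="utf-8").splitlines()
    out = {
        "statuses": statuses,
        "sample_removed": not sample.exists(),
        "held_hash_matches": held.is_file() and sha256_file(held) == expected,
        "manifest_entries": len(entries),
        "manifest_original": json.loads(entries[0])["original"] if entries else None,
        "restored": restore(qdir, expected, sample) and sample.is_file(),
    }
    shutil.rmtree(root, ignore_errors=True)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Like the batch file, this has to run as the account that owns the files (here the Dad administrator account), and a file held open by a running process will come back as an error entry rather than being silently skipped, which is the signal to reboot or stop the process and try again.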

#12 Lifeseeker (Topic Starter)

Posted 06 February 2013 - 06:00 PM

Hi Bloopie,

I followed your instructions and updated Adobe, and removed old versions of Java and put in the new version (32-bit). Now IE runs really slowly and can't be used. I'm writing this with Google Chrome, which I never use. I double checked that I have the latest versions of Java and Adobe and checked Windows Update for good measure. All are current. The rest of my software is not affected as far as I can tell, only IE.

#13 bloopie (Malware Response Team)

Posted 06 February 2013 - 06:13 PM

Hi again,

The updates shouldn't cause that. Try uninstalling IE, then reinstall it. Latest version for you should be IE9. Any changes?

bloopie

#14 Lifeseeker (Topic Starter)

Posted 06 February 2013 - 07:24 PM

Nope. IE still acting up.

#15 bloopie (Malware Response Team)

Posted 06 February 2013 - 08:13 PM

That's interesting...

Let's get another log:

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

bloopie



