No Safe Mode, Rkill Turned up Something


This topic is locked
15 replies to this topic

#1 stowie

stowie

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 08 February 2013 - 08:31 AM

Like the title said, these two things have led me to believe that I have an infection.

 

When I try to run safe mode, it stops loading at crcdisk.sys and just sits there.

 

Yesterday I was feeling a little paranoid over that and ran Rkill.exe. It terminated something that I should have written down, but it appeared to be somewhere important. All I remember is it looked like it had something to do with the system's boot settings. It may have said "ROOT" in the title, but I'm not sure. I apologize for not being prepared. If it comes up again I'll be sure to record it exactly. None of my virus scanning software turned up anything. Now when I run Rkill, it terminated known malware processes in:


C:\Windows\system32\svchost.exe
C:\C:\Windows\system32\svchost.exe
C:\Users\Ben\AppData\Roaming\Spotify\spotify.exe
C:\Users\Ben\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
s\System32\rundll32.exe

 

I don't know much, but I know that it's bad when it says something's rotten in important system files. Please help!

 

EDIT: I'm running Vista Home Premium 32 bit. It's an old Dell Inspiron 1525 laptop.


Edited by stowie, 08 February 2013 - 08:44 AM.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:41 AM

Posted 11 February 2013 - 10:29 AM

Greetings stowie and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.

 

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please run the following program for me. Although you don't say so, I am assuming you can not successfully boot at all. Is that correct?


===================================================


Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.

  • Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

===================================================

 

Entering into the System Recovery Options


Option #1

To enter System Recovery Options in Windows 8:

 

Option #2

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

Option #3

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

===================================================


Running Farbar's Recovery Scan Tool in System Recovery

  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • FRST log

Edited by Oh My, 11 February 2013 - 10:39 AM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 stowie

stowie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 11 February 2013 - 09:58 PM

Hello Gary. You can call me Ben. Thanks for the response and your help.

 

My computer is able to boot just fine in normal mode. I was trying to run my usual scans in safe mode without networking when I discovered that it did not work.  I ran the scan you posted and have the log file. It gave me the option to fix whatever the scan turned up, but I did not since it was not mentioned in your post. If this was incorrect, just say so and I will run the program again.

 

Here is the log file you requested.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-02-2013
Ran by SYSTEM at 11-02-2013 21:47:21
Running from E:\
Windows Vista ™ Home Premium  Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [3444736 2007-12-08] (Dell Inc.)
HKU\Ben\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Ben\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Ben\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Ben\...\Run: [Spotify Web Helper] "C:\Users\Ben\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [x]
HKU\Ben\...\Run: [Google Update] "C:\Users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-05-14] (Google Inc.)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [X]
HKLM\...\InprocServer32: [Default-wbemess] wbemess.dll ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SafeConnect.lnk
ShortcutTarget: SafeConnect.lnk -> C:\Program Files\SafeConnect\scClient.exe (Impulse Point, LLC)

==================== Services (Whitelisted) ===================

2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
2 McAfeeFramework; "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [103744 2009-08-25] (McAfee, Inc.)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115608 2013-02-05] (Mozilla Foundation)

==================== Drivers (Whitelisted) ====================

3 ampa; \??\C:\Windows\system32\ampa.sys [12728 2011-01-19] ()
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12872 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12872 2010-02-17] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [66632 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
2 SCManager; C:\Program Files\SafeConnect\scManager.sys servicestart [175968 2012-10-12] (Impulse Point, LLC)
3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2008-11-11] (LG Electronics Inc.)
3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [19968 2008-11-11] (LG Electronics Inc.)
3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [24832 2008-11-11] (LG Electronics Inc.)
3 WinRing0_1_2_0; \??\C:\Program Files\IObit\Game Booster 3\Driver\WinRing0.sys [14416 2010-11-01] (OpenLibSys.org)
3 ACDaemon;  [x]
3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [x]
3 catchme; \??\C:\Users\Ben\AppData\Local\Temp\catchme.sys [x]
3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]
2 gupdate;  [x]
3 gupdatem;  [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-02-11 21:47 - 2013-02-11 21:47 - 00000000 ____D C:\FRST
2013-02-09 10:55 - 2013-02-09 12:04 - 00000000 ____D C:\Users\Ben\Desktop\KDE
2013-02-06 21:22 - 2013-02-11 09:45 - 00000000 ____D C:\Users\Ben\AppData\Local\Adobe
2013-02-06 21:21 - 2013-02-06 21:21 - 00000000 ____D C:\Users\Ben\AppData\Local\Apple Computer
2013-02-06 19:44 - 2013-02-06 19:44 - 00000000 ____D C:\Users\Ben\AppData\Local\Apple
2013-02-06 17:14 - 2013-02-08 22:45 - 00000000 ____D C:\Users\Ben\Desktop\Old Firefox Data
2013-02-05 23:09 - 2013-02-08 22:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-02-05 23:09 - 2013-02-06 01:16 - 00000000 ____D C:\Program Files\Mozilla Firefox(13)
2013-01-30 09:20 - 2013-01-30 09:20 - 03827515 ____A C:\Users\Ben\Downloads\Myplestory-V.117.2-Launcher-18th-Jan-2013.rar
2013-01-30 08:21 - 2013-01-30 09:17 - 3491567298 ____A (Nexon) C:\Users\Ben\Downloads\MSSetupv116.exe
2013-01-29 22:13 - 2013-02-11 12:50 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Skype
2013-01-29 22:12 - 2013-02-11 12:49 - 00002377 ____A C:\Users\Public\Desktop\Skype.lnk
2013-01-29 22:12 - 2013-01-29 22:13 - 00000000 ____D C:\Users\All Users\Skype
2013-01-29 22:12 - 2013-01-29 22:12 - 00000000 ___RD C:\Program Files\Skype
2013-01-29 22:12 - 2013-01-29 22:12 - 00000000 ____D C:\Program Files\Common Files\Skype
2013-01-29 22:09 - 2013-01-29 22:10 - 01335912 ____A (Skype Technologies S.A.) C:\Users\Ben\Downloads\SkypeSetup.exe
2013-01-29 18:37 - 2013-01-29 18:37 - 00677804 ____A C:\Users\Ben\Downloads\HaRepacker.zip
2013-01-29 18:18 - 2013-01-29 18:18 - 01168896 ____A (GameKiller.net) C:\Users\Ben\Downloads\iGK.exe
2013-01-29 18:18 - 2013-01-29 18:18 - 00000000 ____D C:\Users\Ben\AppData\Local\GameKiller.net
2013-01-29 17:52 - 2013-01-29 17:52 - 00073680 ____A C:\Users\Ben\Downloads\MB v1.0.3 FIXED.zip
2013-01-25 13:45 - 2010-04-30 10:56 - 00001798 ____A C:\Windows\System32\Drivers\etc\hosts.20130125-164532.backup
2013-01-25 12:48 - 2012-09-18 12:26 - 00365568 ____A C:\Windows\System32\ZSHP1020.EXE
2013-01-25 12:48 - 2012-09-18 12:26 - 00169472 ____A C:\Windows\System32\ZLhp1020.DLL
2013-01-25 11:50 - 2013-01-25 12:56 - 01102684 ____A C:\Users\Ben\Desktop\Untitled-2.psd
2013-01-19 19:57 - 2013-01-19 19:57 - 00379056 ____A (Softonic) C:\Users\Ben\Downloads\SoftonicDownloader_for_maplestory.exe
2013-01-19 12:07 - 2013-01-19 12:07 - 00193536 ____A () C:\Users\Ben\Downloads\GameLauncher.exe
2013-01-15 08:01 - 2013-01-30 10:10 - 00000000 ____D C:\Nexon
2013-01-15 06:58 - 2013-01-15 06:58 - 02013336 ____A C:\Users\Ben\Downloads\MapleStoryDownloader.exe
2013-01-15 00:13 - 2013-01-15 00:32 - 1396882863 ____A C:\Users\Ben\Downloads\MBII_V0.1.8_Full.zip
2013-01-14 23:59 - 2013-01-14 23:59 - 11624176 ____A (LucasArts) C:\Users\Ben\Downloads\jkacademy1_01.exe
2013-01-14 23:46 - 2013-01-14 23:47 - 45320313 ____A C:\Users\Ben\Downloads\MBII_V0.1.9_Patch.zip
2013-01-14 23:46 - 2013-01-14 23:46 - 00000000 ____D C:\Program Files\LucasArts
2013-01-14 12:52 - 2013-01-14 13:22 - 182166620 ____A C:\Users\Ben\Downloads\jka.rar.part
2013-01-12 12:00 - 2013-01-25 10:18 - 00000000 ____D C:\Users\Ben\Desktop\UC 2013 Winter Semester
2013-01-12 10:37 - 2013-01-12 10:38 - 10859511 ____A C:\Users\Ben\Downloads\Business_Card.psd

==================== One Month Modified Files and Folders ========

2013-02-11 18:45 - 2012-05-14 07:48 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000UA.job
2013-02-11 18:45 - 2012-05-14 07:48 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000Core.job
2013-02-11 18:45 - 2006-11-02 05:01 - 00032570 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-02-11 18:45 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-02-11 18:45 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-02-11 18:45 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-02-11 18:44 - 2011-06-30 03:18 - 01992526 ____A C:\Windows\PFRO.log
2013-02-11 18:44 - 2011-05-16 07:00 - 01190401 ____A C:\Windows\WindowsUpdate.log
2013-02-11 18:21 - 2011-10-13 06:23 - 00000000 ____D C:\Program Files\SafeConnect
2013-02-11 18:20 - 2011-04-16 18:07 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-02-11 13:15 - 2011-04-16 18:07 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-02-11 13:07 - 2012-03-30 16:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-02-11 12:50 - 2013-01-29 22:13 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Skype
2013-02-11 12:49 - 2013-01-29 22:12 - 00002377 ____A C:\Users\Public\Desktop\Skype.lnk
2013-02-11 09:45 - 2013-02-06 21:22 - 00000000 ____D C:\Users\Ben\AppData\Local\Adobe
2013-02-11 08:58 - 2012-09-15 10:37 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Spotify
2013-02-11 08:58 - 2012-09-15 10:37 - 00000000 ____D C:\Users\Ben\AppData\Local\Spotify
2013-02-11 08:48 - 2011-08-08 22:43 - 00000920 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000UA.job
2013-02-11 02:02 - 2011-04-16 15:30 - 00000000 ____D C:\Users\Ben\AppData\Local\PMB Files
2013-02-11 00:34 - 2011-08-17 20:12 - 00000000 ____D C:\Users\Ben\AppData\Local\CrashDumps
2013-02-09 23:48 - 2011-08-08 22:43 - 00000898 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000Core.job
2013-02-09 13:58 - 2011-04-16 16:25 - 00000000 ____D C:\Users\Ben\AppData\Roaming\FileZilla
2013-02-09 13:12 - 2011-05-13 12:14 - 00000132 ____A C:\Users\Ben\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-02-09 12:04 - 2013-02-09 10:55 - 00000000 ____D C:\Users\Ben\Desktop\KDE
2013-02-08 22:45 - 2013-02-06 17:14 - 00000000 ____D C:\Users\Ben\Desktop\Old Firefox Data
2013-02-08 22:45 - 2013-02-05 23:09 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-02-08 22:45 - 2012-12-08 20:05 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2013-02-08 22:45 - 2012-08-12 14:33 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-02-08 22:45 - 2012-01-22 14:02 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Audacity
2013-02-08 22:45 - 2011-12-01 11:24 - 00000000 ____D C:\Users\Ben\AppData\Roaming\DVD Flick
2013-02-08 22:45 - 2011-04-18 10:29 - 00000000 ____D C:\Users\Ben\AppData\Roaming\vlc
2013-02-08 22:45 - 2011-04-16 15:30 - 00000000 ____D C:\Users\All Users\PMB Files
2013-02-08 22:45 - 2011-04-16 15:01 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Mozilla
2013-02-08 22:45 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2013-02-08 22:45 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-02-08 22:45 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2013-02-08 22:45 - 2006-11-02 02:22 - 50855936 ____A C:\Windows\System32\config\software_previous
2013-02-08 22:45 - 2006-11-02 02:22 - 21233664 ____A C:\Windows\System32\config\system_previous
2013-02-08 22:41 - 2006-11-02 02:22 - 35127296 ____A C:\Windows\System32\config\components_previous
2013-02-08 22:41 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-02-08 22:38 - 2011-04-16 15:57 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Azureus
2013-02-08 21:07 - 2012-03-30 16:07 - 00697712 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-02-08 21:07 - 2011-05-30 04:55 - 00074096 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-02-08 19:20 - 2012-02-02 23:48 - 00000455 ____A C:\rkill.log
2013-02-06 21:21 - 2013-02-06 21:21 - 00000000 ____D C:\Users\Ben\AppData\Local\Apple Computer
2013-02-06 21:21 - 2011-06-04 06:40 - 00000000 ____D C:\Users\Ben\Calibre Library
2013-02-06 19:44 - 2013-02-06 19:44 - 00000000 ____D C:\Users\Ben\AppData\Local\Apple
2013-02-06 01:16 - 2013-02-05 23:09 - 00000000 ____D C:\Program Files\Mozilla Firefox(13)
2013-02-02 19:22 - 2006-11-02 02:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-31 16:07 - 2006-11-02 02:22 - 04980736 ____A C:\Windows\System32\config\default_previous
2013-01-31 15:03 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-01-30 10:10 - 2013-01-15 08:01 - 00000000 ____D C:\Nexon
2013-01-30 09:20 - 2013-01-30 09:20 - 03827515 ____A C:\Users\Ben\Downloads\Myplestory-V.117.2-Launcher-18th-Jan-2013.rar
2013-01-30 09:17 - 2013-01-30 08:21 - 3491567298 ____A (Nexon) C:\Users\Ben\Downloads\MSSetupv116.exe
2013-01-29 22:13 - 2013-01-29 22:12 - 00000000 ____D C:\Users\All Users\Skype
2013-01-29 22:12 - 2013-01-29 22:12 - 00000000 ___RD C:\Program Files\Skype
2013-01-29 22:12 - 2013-01-29 22:12 - 00000000 ____D C:\Program Files\Common Files\Skype
2013-01-29 22:10 - 2013-01-29 22:09 - 01335912 ____A (Skype Technologies S.A.) C:\Users\Ben\Downloads\SkypeSetup.exe
2013-01-29 18:37 - 2013-01-29 18:37 - 00677804 ____A C:\Users\Ben\Downloads\HaRepacker.zip
2013-01-29 18:18 - 2013-01-29 18:18 - 01168896 ____A (GameKiller.net) C:\Users\Ben\Downloads\iGK.exe
2013-01-29 18:18 - 2013-01-29 18:18 - 00000000 ____D C:\Users\Ben\AppData\Local\GameKiller.net
2013-01-29 17:52 - 2013-01-29 17:52 - 00073680 ____A C:\Users\Ben\Downloads\MB v1.0.3 FIXED.zip
2013-01-29 11:19 - 2011-07-27 09:11 - 00000000 ____D C:\Windows\Minidump
2013-01-29 11:19 - 2008-09-21 11:33 - 00146942 ____A C:\Windows\Minidump\Mini012913-01.dmp
2013-01-25 12:56 - 2013-01-25 11:50 - 01102684 ____A C:\Users\Ben\Desktop\Untitled-2.psd
2013-01-25 10:18 - 2013-01-12 12:00 - 00000000 ____D C:\Users\Ben\Desktop\UC 2013 Winter Semester
2013-01-21 19:42 - 2008-09-21 11:33 - 00146942 ____A C:\Windows\Minidump\Mini012113-01.dmp
2013-01-20 15:44 - 2011-04-18 10:30 - 00009728 ____A C:\Users\Ben\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-19 19:57 - 2013-01-19 19:57 - 00379056 ____A (Softonic) C:\Users\Ben\Downloads\SoftonicDownloader_for_maplestory.exe
2013-01-19 12:07 - 2013-01-19 12:07 - 00193536 ____A () C:\Users\Ben\Downloads\GameLauncher.exe
2013-01-15 06:58 - 2013-01-15 06:58 - 02013336 ____A C:\Users\Ben\Downloads\MapleStoryDownloader.exe
2013-01-15 06:52 - 2012-02-13 20:04 - 00000000 ____D C:\Program Files\Steam
2013-01-15 00:32 - 2013-01-15 00:13 - 1396882863 ____A C:\Users\Ben\Downloads\MBII_V0.1.8_Full.zip
2013-01-14 23:59 - 2013-01-14 23:59 - 11624176 ____A (LucasArts) C:\Users\Ben\Downloads\jkacademy1_01.exe
2013-01-14 23:47 - 2013-01-14 23:46 - 45320313 ____A C:\Users\Ben\Downloads\MBII_V0.1.9_Patch.zip
2013-01-14 23:47 - 2011-04-16 14:38 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-01-14 23:46 - 2013-01-14 23:46 - 00000000 ____D C:\Program Files\LucasArts
2013-01-14 23:46 - 2011-10-11 10:06 - 00000488 ____A C:\Windows\DirectX.log
2013-01-14 13:22 - 2013-01-14 12:52 - 182166620 ____A C:\Users\Ben\Downloads\jka.rar.part
2013-01-12 10:38 - 2013-01-12 10:37 - 10859511 ____A C:\Users\Ben\Downloads\Business_Card.psd


ZeroAccess:
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U

ZeroAccess:
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-12 09:14] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-31 17:31:24
Restore point made on: 2013-02-02 04:11:29
Restore point made on: 2013-02-07 08:37:12
Restore point made on: 2013-02-07 21:00:18
Restore point made on: 2013-02-08 19:32:12
Restore point made on: 2013-02-10 01:12:48

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 2037.31 MB
Available physical RAM: 1763.96 MB
Total Pagefile: 1970.94 MB
Available Pagefile: 1837.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.31 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:136.74 GB) (Free:11.27 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Removable) (Total:3.72 GB) (Free:3.36 GB) FAT32
4 Drive x: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:4.88 GB) NTFS

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online       149 GB      0 B         
  Disk 1    Online      3815 MB      0 B         

Partitions of Disk 0:
===============

Disk ID: 00000080

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    32 KB
  Partition 2    Primary             10 GB    40 MB
  Partition 3    Primary            137 GB    10 GB
  Partition 0    Extended          2559 MB   147 GB
  Partition 4    Logical           2558 MB   147 GB

=========================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT    Partition     39 MB  Healthy    Hidden  

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     X   RECOVERY     NTFS   Partition     10 GB  Healthy    Boot    

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    137 GB  Healthy            

=========================================================

Disk: 0
Partition 4
Type  : DD
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3815 MB     8 KB

=========================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                FAT32  Removable   3815 MB  Healthy            

=========================================================

Last Boot: 2013-02-11 18:26

==================== End Of Log ============================
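The FRST log above carries the markers a helper reads first: an `ATTENTION! ====> ZeroAccess` flag on an InprocServer32 entry, two `ZeroAccess:` blocks listing `{GUID}\@`, `\L` and `\U` paths, autostart and driver entries ending in `[x]` whose files no longer exist, and the `MD5 is legit` lines of the Bamital check. The Python script below is an added example, not part of this thread and not code from FRST or its author; it parses those conventions out of an excerpt constructed from the log above and reduces them to a one-word verdict. The section banner format, the `[x]` suffix and the `ATTENTION!` layout are assumptions taken from this single log.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log text.

Added example: not part of the forum post or of FRST itself. The line
formats below are taken from the log posted above; the section names and
the "[x]" / "ATTENTION!" conventions are assumed to hold for similar logs.
"""
import re
from dataclasses import dataclass, field

# Section banners: "==================== Registry (Whitelisted) ===================".
SECTION_RE = re.compile(r"^=+\s+([^=].*?)\s+=+$")
# Entries FRST recognises as malicious carry "ATTENTION! ====> <family>".
ATTENTION_RE = re.compile(r"ATTENTION!\s*=+>\s*(\S+)")
# "Bamital & volsnap Check" lines: "<path> => MD5 is legit".
MD5_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is (?P<verdict>\S+)$")
# Autostart/driver entries whose file is missing on disk end in "[x]" or "[X]".
MISSING_RE = re.compile(r"\[x\]\s*$", re.IGNORECASE)
AUTOSTART_SECTIONS = {"Registry (Whitelisted)", "Services (Whitelisted)", "Drivers (Whitelisted)"}
ZEROACCESS_HEADER = "ZeroAccess:"


@dataclass
class Findings:
    attention: list = field(default_factory=list)      # (section, family, line)
    zeroaccess_paths: list = field(default_factory=list)
    missing_files: list = field(default_factory=list)  # (section, line)
    md5_checks: dict = field(default_factory=dict)     # path -> verdict


def triage_frst(text: str) -> Findings:
    """Walk the log once, tracking the current section, and collect findings."""
    f = Findings()
    section = None
    in_zeroaccess = False
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            section, in_zeroaccess = banner.group(1), False
            continue
        if not line:                      # a blank line ends a "ZeroAccess:" block
            in_zeroaccess = False
            continue
        if line == ZEROACCESS_HEADER:
            in_zeroaccess = True
            continue
        if in_zeroaccess:                 # paths FRST lists under its ZeroAccess marker
            f.zeroaccess_paths.append(line)
            continue
        hit = ATTENTION_RE.search(line)
        if hit:
            f.attention.append((section, hit.group(1), line))
        md5 = MD5_RE.match(line)
        if md5:
            f.md5_checks[md5.group("path")] = md5.group("verdict")
        elif section in AUTOSTART_SECTIONS and MISSING_RE.search(line):
            f.missing_files.append((section, line))
    return f


def verdict(f: Findings) -> str:
    """Collapse findings into the one-word status a helper would post back."""
    if f.attention or f.zeroaccess_paths:
        return "infected"
    if any(v != "legit" for v in f.md5_checks.values()):
        return "suspicious"
    return "clean"


# Constructed sample: an excerpt of the FRST log posted in this thread.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-02-2013
Ran by SYSTEM at 11-02-2013 21:47:21

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [3444736 2007-12-08] (Dell Inc.)
HKU\Ben\...\Run: [Spotify Web Helper] "C:\Users\Ben\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [x]
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [X]
HKLM\...\InprocServer32: [Default-wbemess] wbemess.dll ATTENTION! ====> ZeroAccess

==================== Drivers (Whitelisted) ====================

3 ampa; \??\C:\Windows\system32\ampa.sys [12728 2011-01-19] ()
3 catchme; \??\C:\Users\Ben\AppData\Local\Temp\catchme.sys [x]
3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]

==================== One Month Modified Files and Folders ========

2013-02-08 19:20 - 2012-02-02 23:48 - 00000455 ____A C:\rkill.log


ZeroAccess:
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U

ZeroAccess:
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Users\Ben\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit

==================== End Of Log ============================
"""

if __name__ == "__main__":
    found = triage_frst(SAMPLE_LOG)
    print("verdict:", verdict(found))
    for section, family, line in found.attention:
        print(f"[{section}] {family}: {line}")
    for path in found.zeroaccess_paths:
        print("ZeroAccess artifact:", path)
    for section, line in found.missing_files:
        print(f"[{section}] orphaned entry: {line}")
```

The `[x]` entries are listed separately from the malware markers on purpose: an orphaned Run key or driver entry (here the leftover Spotify helper and the `catchme.sys` driver from an earlier scanner) is clutter to clean up, not evidence of infection, and mixing the two categories is how a triage script ends up crying wolf.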



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:41 AM

Posted 12 February 2013 - 10:33 AM

Hi Ben,

Nice to meet you. I hate to jump right into it but I am afraid your computer is sick. I have some steps for you to take but I must first advise you of the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


P2P Warning

--------------------

Going over your logs I noticed that you have evidence of P2P downloads. It is pretty much certain that if you continue to use P2P programs, you will get infected again.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.


===================================================


Spybot S&D No Longer Recommended

--------------------

MVPS.org is no longer recommending Spybot S&D due to poor testing results. (scroll down on the web site and read under Freeware Antispyware Products)

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

I strongly recommend uninstalling Spybot Search & Destroy. The presence of this program can make cleaning your computer more difficult.

Please go to Start > Control Panel > Add/Remove Programs (or Programs and Features) and delete the program.

Reboot your computer prior to the next step.


===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of ComboFix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer, please uninstall them using AppRemover, which can be downloaded here. We will be sure to reinstall the antivirus program once we are finished using ComboFix.

  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running, please do one of the following. If, based on the below, you have concluded ComboFix has stopped running, please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running

Note #2: If you receive the following error, "Illegal operation attempted on a registry key that has been marked for deletion", please just restart your computer to resolve this issue.

If Combofix fails to run properly using the above instructions please attempt the following:

  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it

 

===================================================


AdwCleaner by Xplode - Delete Adware

-------------------

  • Close all open programs and internet browser
  • Double click on adwcleaner.exe
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt

 

===================================================


Junkware Removal Tool by thisisu

-------------------

  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply

 

===================================================


Things I would like to see in your next reply.

  • Combofix log
  • AdwCleaner log
  • Junkware log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 stowie

stowie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 12 February 2013 - 08:12 PM

Gary, I would prefer to continue to attempt to clean up the computer with your assistance rather than reinstall Windows. I ran ComboFix and the program ran successfully on the first attempt and created a log file which I have for you. Unfortunately, no .exe files are working since it rebooted my system. None of my internet browsers are working, so I am replying on another computer. In any case, I can't run adwcleaner.exe even though I was able to transfer it via flash drive.

 

The message reads "Illegal operation attempted on a registry key that has been marked for deletion."

 

Here is the log file from ComboFix.

 

 

ComboFix 13-02-12.01 - Ben 02/12/2013  19:25:00.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2037.1112 [GMT -5:00]
Running from: c:\users\Ben\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-13 to 2013-02-13  )))))))))))))))))))))))))))))))
.
.
2013-02-13 00:38 . 2013-02-13 00:40    --------    d-----w-    c:\users\Ben\AppData\Local\temp
2013-02-13 00:38 . 2013-02-13 00:38    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-12 05:47 . 2013-02-12 05:47    --------    d-----w-    C:\FRST
2013-02-07 05:22 . 2013-02-11 17:45    --------    d-----w-    c:\users\Ben\AppData\Local\Adobe
2013-02-07 05:21 . 2013-02-07 05:21    --------    d-----w-    c:\users\Ben\AppData\Local\Apple Computer
2013-02-07 03:44 . 2013-02-07 03:44    --------    d-----w-    c:\users\Ben\AppData\Local\Apple
2013-01-30 06:13 . 2013-02-11 20:50    --------    d-----w-    c:\users\Ben\AppData\Roaming\Skype
2013-01-30 06:12 . 2013-01-30 06:12    --------    d-----w-    c:\program files\Common Files\Skype
2013-01-30 06:12 . 2013-01-30 06:12    --------    d-----r-    c:\program files\Skype
2013-01-30 06:12 . 2013-01-30 06:13    --------    d-----w-    c:\programdata\Skype
2013-01-30 02:18 . 2013-01-30 02:18    --------    d-----w-    c:\users\Ben\AppData\Local\GameKiller.net
2013-01-25 20:50 . 2012-09-18 20:26    59904    ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\PPhp1020.DLL
2013-01-25 20:48 . 2012-09-18 20:26    169472    ----a-w-    c:\windows\system32\ZLhp1020.DLL
2013-01-25 20:48 . 2012-09-18 20:26    365568    ----a-w-    c:\windows\system32\ZSHP1020.EXE
2013-01-15 16:01 . 2013-01-30 18:10    --------    d-----w-    C:\Nexon
2013-01-15 07:46 . 2013-01-15 07:46    --------    d-----w-    c:\program files\LucasArts
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-09 05:07 . 2012-03-31 00:07    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-09 05:07 . 2011-05-30 12:55    74096    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 13:12 . 2012-12-21 23:30    34304    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-21 23:30    293376    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2011-04-17 17:29    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-04 15:12 . 2012-12-04 15:12    245248    ----a-w-    c:\windows\system32\zshp1020s.dll
2012-11-23 01:35 . 2013-01-09 21:32    2048000    ----a-w-    c:\windows\system32\win32k.sys
2012-11-20 04:22 . 2013-01-09 21:31    204288    ----a-w-    c:\windows\system32\ncrypt.dll
2013-02-06 07:10 . 2013-02-06 07:09    262552    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2011-5-16 298368]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21    548352    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SideACT!.lnk]
backup=c:\windows\pss\SideACT!.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Ben^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Bloggie Watcher Utility.lnk]
backup=c:\windows\pss\Bloggie Watcher Utility.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent]
2009-11-11 20:17    771360    ----a-w-    c:\program files\AirPort\APAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 01:32    59280    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Artisan 700(Network)]
2008-04-06 23:00    188928    ----a-w-    c:\windows\System32\spool\drivers\w32x86\3\E_FATIENA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-05-14 15:47    116648    ----atw-    c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22    3739648    ----a-w-    c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 03:30    421776    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-12-14 21:49    512360    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2009-08-25 21:00    136512    ----a-w-    c:\program files\McAfee\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2013-01-15 14:59    3093624    ----a-w-    c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2011-06-15 06:19    307200    ----a-w-    c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-01-15 14:42    1354736    ----a-w-    c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 20:40    2012912    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3844386839-884374975-2851417358-1000]
"EnableNotificationsRef"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 05:07]
.
2013-02-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000Core.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-14 15:47]
.
2013-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000UA.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-14 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = go.microsoft.com/fwlink/?linkid=69157
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\aldavo7c.default-1360199644062\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: 2013-02-09 15:22; newtabgoogle@graememcc.co.uk; c:\users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\aldavo7c.default-1360199644062\extensions\newtabgoogle@graememcc.co.uk.xpi
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Spotify Web Helper - c:\users\Ben\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Spotify Web Helper - c:\users\Ben\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-12 19:42
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\console_combofixbackup]
@DACL=(02 0000)
@SACL=
"ColorTable00"=dword:00000000
"ColorTable01"=dword:00800000
"ColorTable02"=dword:00008000
"ColorTable03"=dword:00808000
"ColorTable04"=dword:00000080
"ColorTable05"=dword:00800080
"ColorTable06"=dword:00008080
"ColorTable07"=dword:00c0c0c0
"ColorTable08"=dword:00808080
"ColorTable09"=dword:00ff0000
"ColorTable10"=dword:0000ff00
"ColorTable11"=dword:00ffff00
"ColorTable12"=dword:000000ff
"ColorTable13"=dword:00ff00ff
"ColorTable14"=dword:0000ffff
"ColorTable15"=dword:00ffffff
"CursorSize"=dword:00000019
"EnableColorSelection"=dword:00000000
"ExtendedEditKey"=dword:00000000
"ExtendedEditKeyCustom"=dword:00000000
"FontFamily"=dword:00000000
"FontSize"=dword:00000000
"FontWeight"=dword:00000000
"FullScreen"=dword:00000000
"HistoryBufferSize"=dword:00000032
"HistoryNoDup"=dword:00000000
"InsertMode"=dword:00000000
"LoadConIme"=dword:00000001
"NumberOfHistoryBuffers"=dword:00000004
"PopupColors"=dword:000000f5
"QuickEdit"=dword:00000000
"ScreenBufferSize"=dword:012c0050
"ScreenColors"=dword:00000007
"TrimLeadingZeros"=dword:00000000
"WindowSize"=dword:00190050
"WordDelimiters"=dword:00000000
.
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AEA9663-34F7-6E0C-7625-8A8D5249908B}*]
"paajcdbhikdakmicdcjneapijblpkfde"=hex:6b,61,6c,6f,64,6d,6b,64,66,68,66,65,64,
   6c,66,6e,6c,6e,61,61,66,6c,00,76
"oagjajhgjnkfdppkpmofcjfnaibfec"=hex:6b,61,6a,6f,6c,6c,67,67,66,63,65,6f,6c,64,
   61,6a,6c,6b,6a,6f,68,69,00,77
.
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{439E00D8-2CAE-6BA8-AFDC-D287C38DFD11}*]
"jaadekmimlepanoekbjj"=hex:62,61,61,6e,00,00
"iaacggigcndaecdbla"=hex:6b,61,64,65,6b,6a,6d,64,6e,61,65,67,6b,62,6f,62,69,65,
   63,68,61,6c,00,00
"haecgeikamaohpil"=hex:6d,61,65,63,61,65,63,67,63,66,6a,68,66,6a,69,6a,6d,6f,
   63,64,6f,65,67,70,68,62,00,00
"jafcdlnojdgdheiokecf"=hex:65,62,67,63,69,62,68,64,62,6b,6a,63,69,61,64,67,64,
   61,6e,63,68,63,70,6e,6e,6a,65,6c,64,65,70,67,6b,70,67,61,70,6e,64,6b,70,62,\
"jaadekmimlepanoekbfj"=hex:62,61,65,65,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
@SACL=
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{85C70286-A56F-4834-BD24-B34EB76A93A2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.468.0"
"UniqueId"="00050CEB4DB362F2"
"ScannerBuild"=dword:00001672
"ScannerVersionId"=dword:00001175
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000009
"ei2"=hex(B):c0,6b,57,e0,23,f8,d7,fa
"ei1"=hex(B):00,21,9b,ec,67,d3,00,00
"ei3"=hex(B):be,25,47,4e,00,00,00,00
"ei4"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\EPSON\eEBAPI\eEBSVC.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\SafeConnect\scManager.sys
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2013-02-12  19:50:01 - machine was rebooted
ComboFix-quarantined-files.txt  2013-02-13 00:49
ComboFix2.txt  2011-08-14 03:04
ComboFix3.txt  2011-07-28 00:32
.
Pre-Run: 11,931,021,312 bytes free
Post-Run: 11,528,663,040 bytes free
.
- - End Of File - - 84E6A1F860EA72A0387FDAFAC0EF905D
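The two Shell Extensions\Approved keys that the catchme pass lists under LOCKED REGISTRY KEYS above are the ones the next ComboFix script in this thread nulls out, and the same log shows "EnableLUA"= 0, which means UAC is switched off on this machine. The block below is an added example (mine, not ComboFix's code and not something either poster ran) that parses the REGEDIT4-style sections of such a log: it glues the wrapped hex: continuation lines back together, decodes the hex: blobs, flags EnableLUA=0, and flags values under Shell Extensions\Approved whose names are built only from the letters a-p, the alphabet Chrome uses for extension IDs (the JRT log further down removes a key under HKLM\software\google\chrome\extensions with exactly that shape). SAMPLE_LOG is a constructed excerpt modelled on the log above; the finding names, the 16-character floor and the helper names are my own assumptions.

```python
"""Triage the REGEDIT4-style sections of a ComboFix log.

Added example for this thread, not ComboFix's own code. It joins REGEDIT4
continuation lines, decodes hex: values, and flags two things visible in
the log above: UAC switched off (EnableLUA = 0) and opaque values under
Shell Extensions\\Approved whose names use only the letters a-p.
"""
import re
from dataclasses import dataclass
from typing import Union

CHROME_ID_ALPHABET = frozenset("abcdefghijklmnop")   # Chrome extension IDs use a-p only

# Constructed excerpt modelled on the log posted above (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AEA9663-34F7-6E0C-7625-8A8D5249908B}*]
"paajcdbhikdakmicdcjneapijblpkfde"=hex:6b,61,6c,6f,64,6d,6b,64,66,68,66,65,64,6c,66,6e,6c,6e,61,61,66,6c,00,76
.
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{439E00D8-2CAE-6BA8-AFDC-D287C38DFD11}*]
"jaadekmimlepanoekbjj"=hex:62,61,61,6e,00,00
"haecgeikamaohpil"=hex:6d,61,65,63,61,65,63,67,63,66,6a,68,66,6a,69,6a,6d,6f,
   63,64,6f,65,67,70,68,62,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
"""


@dataclass
class RegValue:
    key: str
    name: str
    data: Union[bytes, int, str]


VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
COMBOFIX_DWORD_RE = re.compile(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$")   # ComboFix prints DWORDs as "0 (0x0)"


def join_continuations(lines):
    """Yield logical lines. REGEDIT4 wraps long hex: data onto indented
    continuation lines (ComboFix prints three leading spaces and sometimes
    drops the trailing backslash), so glue those back onto the value line."""
    pending = None
    for line in lines:
        if pending is not None and line[:1].isspace() and line.strip():
            pending = pending.rstrip().rstrip("\\") + line.strip()
            continue
        if pending is not None:
            yield pending
        pending = line.rstrip()
    if pending is not None:
        yield pending


def decode_data(raw):
    """Turn the right-hand side of a REGEDIT4 value line into bytes, int or str."""
    raw = raw.strip()
    if raw.startswith("hex"):                      # hex: , hex(B): , ...
        body = raw.split(":", 1)[1].rstrip("\\").strip().rstrip(",")
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = COMBOFIX_DWORD_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_regedit4(text):
    """Return every "name"=data line as a RegValue tagged with its [key]."""
    key = None
    values = []
    for line in join_continuations(text.splitlines()):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
        elif s.startswith('"') and key is not None:
            m = VALUE_RE.match(s)
            if m:
                values.append(RegValue(key, m["name"], decode_data(m["data"])))
    return values


def ascii_before_nul(data):
    """Decode a hex: blob as the ASCII text it holds before the first NUL."""
    return data.split(b"\x00", 1)[0].decode("ascii", "replace")


def looks_like_chrome_id(s, minimum=16):
    """True when s is long enough and drawn only from a-p (assumed floor of 16;
    real Chrome extension IDs are exactly 32 such letters)."""
    return len(s) >= minimum and set(s) <= CHROME_ID_ALPHABET


def triage(values):
    """Return (finding, where, detail) tuples a responder would act on."""
    findings = []
    for v in values:
        k = v.key.lower()
        if k.endswith(r"policies\system") and v.name == "EnableLUA" and v.data == 0:
            findings.append(("uac_disabled", v.key, "EnableLUA=0"))
        if (r"shell extensions\approved" in k and isinstance(v.data, bytes)
                and looks_like_chrome_id(v.name)):
            findings.append(("opaque_shellext_value", v.name, ascii_before_nul(v.data)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_regedit4(SAMPLE_LOG)):
        print(*finding)
```

Decoded, the three blobs are plain a-p strings terminated by a NUL, which is what sets them apart from the ordinary CLSID and ESET entries in the same section of the log. The check only tells you where to look; whether such values are malicious is not something the log alone proves.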
 


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:41 AM

Posted 12 February 2013 - 08:16 PM

Hi Ben,

Please reboot your computer and see if the issue is resolved.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 stowie

stowie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 12 February 2013 - 09:09 PM

The restart worked, Gary. Here are the two log files for adwcleaner and jrt, respectively.

 

AdwCleaner

 

# AdwCleaner v2.112 - Logfile created 02/12/2013 at 20:53:56

# Updated 10/02/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Ben - BEN-PC
# Boot Mode : Normal
# Running from : C:\Users\Ben\Desktop\AdwCleaner.exe
# Option [Search]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Found : C:\ProgramData\WeCareReminder
 
***** [Registry] *****
 
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\wecarereminder
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKU\S-1-5-21-3844386839-884374975-2851417358-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16457
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v18.0.2 (en-US)
 
File : C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\aldavo7c.default-1360199644062\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v24.0.1312.57
 
File : C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [1511 octets] - [12/02/2013 20:53:56]
 
########## EOF - C:\AdwCleaner[R1].txt - [1571 octets] ##########
 
 
JRT
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.3 (02.12.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Ben on Tue 02/12/2013 at 21:00:08.56
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Ben\AppData\Roaming\cleanmypc software"
Successfully deleted: [Folder] "C:\Program Files\free youtube downloader"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\free window registry repair"
Successfully deleted: [Folder] "C:\Users\Ben\AppData\Roaming\microsoft\windows\start menu\programs\free window registry repair"
 
 
 
~~~ FireFox
 
Emptied folder: C:\Users\Ben\AppData\Roaming\mozilla\firefox\profiles\aldavo7c.default-1360199644062\minidumps [13 files]
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\pgmfkblbflahhponhjmkcnpjinenhlnc
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/12/2013 at 21:05:50.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:41 AM

Posted 12 February 2013 - 09:31 PM

Hi Ben,

Nice work.

We need to run ComboFix again. I will have you run an additional program as well.

If you would please......


===================================================


Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text below into the Notepad document
RegNull::
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AEA9663-34F7-6E0C-7625-8A8D5249908B}*]
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{439E00D8-2CAE-6BA8-AFDC-D287C38DFD11}*]
  • Save this on your desktop as CFScript.txt

(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

 

===================================================



screen317's Security Check

--------------------

  • Please download screen317's Security Check to your desktop
  • Double-click the Security Check icon
  • Click OK
  • Select Run
  • Press any key to start the program
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply

 

===================================================



Things I would like to see in your next reply.

  • Combofix log
  • Security check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 stowie

stowie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 12 February 2013 - 10:47 PM

Thank you for the swift replies!

 

Gary, I'm noticing improvement already. It wasn't running slow before, but occasional glitches in windows explorer, random system restarts, and programs crashing were issues. I can't say for certain because these things always happened without warning.  I stopped using Firefox because I started getting prompts about viewing unencrypted pages (and the danger that a third party could view it) and strange IP addresses were appearing in the URL. Only on YouTube and Google, only in Firefox. All of that is fixed and working from what I can see.

 

Here are the log files you requested.

 

ComboFix

 

 

ComboFix 13-02-12.01 - Ben 02/12/2013  22:11:02.4.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2037.1337 [GMT -5:00]
Running from: c:\users\Ben\Desktop\ComboFix.exe
Command switches used :: c:\users\Ben\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-13 to 2013-02-13  )))))))))))))))))))))))))))))))
.
.
2013-02-13 03:19 . 2013-02-13 03:24    --------    d-----w-    c:\users\Ben\AppData\Local\temp
2013-02-13 03:19 . 2013-02-13 03:19    --------    d-----w-    c:\users\Public\AppData\Local\temp
2013-02-13 03:19 . 2013-02-13 03:19    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-13 02:00 . 2013-02-13 02:00    --------    d-----w-    c:\windows\ERUNT
2013-02-13 01:59 . 2013-02-13 01:59    --------    d-----w-    C:\JRT
2013-02-12 05:47 . 2013-02-12 05:47    --------    d-----w-    C:\FRST
2013-02-07 05:22 . 2013-02-11 17:45    --------    d-----w-    c:\users\Ben\AppData\Local\Adobe
2013-02-07 05:21 . 2013-02-07 05:21    --------    d-----w-    c:\users\Ben\AppData\Local\Apple Computer
2013-02-07 03:44 . 2013-02-07 03:44    --------    d-----w-    c:\users\Ben\AppData\Local\Apple
2013-01-30 06:13 . 2013-02-11 20:50    --------    d-----w-    c:\users\Ben\AppData\Roaming\Skype
2013-01-30 06:12 . 2013-01-30 06:12    --------    d-----w-    c:\program files\Common Files\Skype
2013-01-30 06:12 . 2013-01-30 06:12    --------    d-----r-    c:\program files\Skype
2013-01-30 06:12 . 2013-01-30 06:13    --------    d-----w-    c:\programdata\Skype
2013-01-30 02:18 . 2013-01-30 02:18    --------    d-----w-    c:\users\Ben\AppData\Local\GameKiller.net
2013-01-25 20:50 . 2012-09-18 20:26    59904    ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\PPhp1020.DLL
2013-01-25 20:48 . 2012-09-18 20:26    169472    ----a-w-    c:\windows\system32\ZLhp1020.DLL
2013-01-25 20:48 . 2012-09-18 20:26    365568    ----a-w-    c:\windows\system32\ZSHP1020.EXE
2013-01-15 16:01 . 2013-01-30 18:10    --------    d-----w-    C:\Nexon
2013-01-15 07:46 . 2013-01-15 07:46    --------    d-----w-    c:\program files\LucasArts
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-09 05:07 . 2012-03-31 00:07    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-09 05:07 . 2011-05-30 12:55    74096    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 13:12 . 2012-12-21 23:30    34304    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-21 23:30    293376    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2011-04-17 17:29    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-04 15:12 . 2012-12-04 15:12    245248    ----a-w-    c:\windows\system32\zshp1020s.dll
2012-11-23 01:35 . 2013-01-09 21:32    2048000    ----a-w-    c:\windows\system32\win32k.sys
2012-11-20 04:22 . 2013-01-09 21:31    204288    ----a-w-    c:\windows\system32\ncrypt.dll
2013-02-06 07:10 . 2013-02-06 07:09    262552    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2011-5-16 298368]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21    548352    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SideACT!.lnk]
backup=c:\windows\pss\SideACT!.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Ben^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Bloggie Watcher Utility.lnk]
backup=c:\windows\pss\Bloggie Watcher Utility.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent]
2009-11-11 20:17    771360    ----a-w-    c:\program files\AirPort\APAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 01:32    59280    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Artisan 700(Network)]
2008-04-06 23:00    188928    ----a-w-    c:\windows\System32\spool\drivers\w32x86\3\E_FATIENA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-05-14 15:47    116648    ----atw-    c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22    3739648    ----a-w-    c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 03:30    421776    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-12-14 21:49    512360    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2009-08-25 21:00    136512    ----a-w-    c:\program files\McAfee\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2013-01-15 14:59    3093624    ----a-w-    c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2011-06-15 06:19    307200    ----a-w-    c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-01-15 14:42    1354736    ----a-w-    c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 20:40    2012912    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3844386839-884374975-2851417358-1000]
"EnableNotificationsRef"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 05:07]
.
2013-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000Core.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-14 15:47]
.
2013-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3844386839-884374975-2851417358-1000UA.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-14 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = go.microsoft.com/fwlink/?linkid=69157
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\aldavo7c.default-1360199644062\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: 2013-02-09 15:22; newtabgoogle@graememcc.co.uk; c:\users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\aldavo7c.default-1360199644062\extensions\newtabgoogle@graememcc.co.uk.xpi
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1 - c:\program files\Free YouTube Downloader\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-12 22:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3844386839-884374975-2851417358-1000\console_combofixbackup]
@DACL=(02 0000)
@SACL=
"ColorTable00"=dword:00000000
"ColorTable01"=dword:00800000
"ColorTable02"=dword:00008000
"ColorTable03"=dword:00808000
"ColorTable04"=dword:00000080
"ColorTable05"=dword:00800080
"ColorTable06"=dword:00008080
"ColorTable07"=dword:00c0c0c0
"ColorTable08"=dword:00808080
"ColorTable09"=dword:00ff0000
"ColorTable10"=dword:0000ff00
"ColorTable11"=dword:00ffff00
"ColorTable12"=dword:000000ff
"ColorTable13"=dword:00ff00ff
"ColorTable14"=dword:0000ffff
"ColorTable15"=dword:00ffffff
"CursorSize"=dword:00000019
"EnableColorSelection"=dword:00000000
"ExtendedEditKey"=dword:00000000
"ExtendedEditKeyCustom"=dword:00000000
"FontFamily"=dword:00000000
"FontSize"=dword:00000000
"FontWeight"=dword:00000000
"FullScreen"=dword:00000000
"HistoryBufferSize"=dword:00000032
"HistoryNoDup"=dword:00000000
"InsertMode"=dword:00000000
"LoadConIme"=dword:00000001
"NumberOfHistoryBuffers"=dword:00000004
"PopupColors"=dword:000000f5
"QuickEdit"=dword:00000000
"ScreenBufferSize"=dword:012c0050
"ScreenColors"=dword:00000007
"TrimLeadingZeros"=dword:00000000
"WindowSize"=dword:00190050
"WordDelimiters"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
@SACL=
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{85C70286-A56F-4834-BD24-B34EB76A93A2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.468.0"
"UniqueId"="00050CEB4DB362F2"
"ScannerBuild"=dword:00001672
"ScannerVersionId"=dword:00001175
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000009
"ei2"=hex(cool.png:c0,6b,57,e0,23,f8,d7,fa
"ei1"=hex(cool.png:00,21,9b,ec,67,d3,00,00
"ei3"=hex(cool.png:be,25,47,4e,00,00,00,00
"ei4"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\EPSON\eEBAPI\eEBSVC.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\SafeConnect\scManager.sys
c:\windows\system32\STacSV.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-02-12  22:30:45 - machine was rebooted
ComboFix-quarantined-files.txt  2013-02-13 03:30
ComboFix2.txt  2011-08-14 03:04
ComboFix3.txt  2011-07-28 00:32
.
Pre-Run: 10,756,493,312 bytes free
Post-Run: 11,145,297,920 bytes free
.
- - End Of File - - D9D4353303053882A3C5AA59635D9A58
 
Security Check
 

 Results of screen317's Security Check version 0.99.57  
 Windows Vista Service Pack 2 x86 (UAC is disabled!)
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SpyHunter     
 SUPERAntiSpyware Free Edition   
 Malwarebytes Anti-Malware version 1.70.0.1100  
 CleanMyPC - Registry Cleaner  
 Java™ 6 Update 27  
 Java 7 Update 9  
 Java version out of Date!
 Adobe Flash Player     11.5.502.149  
 Adobe Reader 10.1.5 Adobe Reader out of Date!
 Mozilla Firefox (18.0.2) 
 Google Chrome 24.0.1312.56  
 Google Chrome 24.0.1312.57  
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 12 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

Edited by stowie, 12 February 2013 - 10:56 PM.
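As an added triage aid (not part of this thread, and not ComboFix's or Security Check's own code), a Python parser over a constructed excerpt of the Reg Loading Points section posted above: it lists the Run-key autostart entries with their file dates and sizes, and flags the `"EnableLUA"= 0` policy value, which is the same condition the Security Check log reports as "UAC is disabled!". The sample values are copied from that log; the key-matching rules and the findings table are assumptions of this example.

```python
import re

# Constructed sample: an excerpt in the shape of the ComboFix "Reg Loading Points"
# section posted above (the two Run keys and the policies\system key).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# File-backed values are printed as "path" [YYYY-MM-DD size]
PATH_RE = re.compile(r'^"(.*)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
# Assumed findings table: EnableLUA=0 is what Security Check reports as "UAC is disabled!"
WEAKENING_POLICIES = {"EnableLUA": "User Account Control is disabled (EnableLUA=0)"}


def parse_loading_points(text):
    """Parse the REGEDIT4-style section into {key_lowercased: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "." or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def numeric_value(raw):
    """Decode ComboFix's numeric renderings, '0 (0x0)' or 'dword:00000001'; None otherwise."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    token = raw.split()[0] if raw.split() else ""
    return int(token) if token.isdigit() else None


def autostart_entries(keys):
    """Return (value_name, path, date, size) for every entry under a CurrentVersion/Run key."""
    entries = []
    for key, values in keys.items():
        if not key.endswith(r"\currentversion\run"):
            continue
        for name, raw in values.items():
            m = PATH_RE.match(raw)
            if m:
                entries.append((name, m.group(1), m.group(2), int(m.group(3))))
            else:  # unusual rendering: keep the raw text so nothing is silently dropped
                entries.append((name, raw, None, None))
    return entries


def policy_findings(keys):
    """Return a message for each weakening policy value that is set to 0."""
    policies = keys.get(POLICY_KEY, {})
    return [msg for name, msg in WEAKENING_POLICIES.items()
            if name in policies and numeric_value(policies[name]) == 0]


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    for entry in autostart_entries(parsed):
        print("autostart:", entry)
    for finding in policy_findings(parsed):
        print("finding:", finding)
```

The same parser can be pointed at a full log's Reg Loading Points section to compare the autostart list against what the machine's owner recognises.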


#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 12 February 2013 - 11:11 PM

Hi Ben,

You are most welcome for the replies. I like to get to a state of peace of mind as soon as possible.

That looks very nice. I would like to ask you to perform 2 scans to look for malware remnants. After that we will update the programs identified in the Security Check log.

Please do this.


===================================================

Rerun Malwarebytes (MBAM)

--------------------

Temporarily disable your antivirus program.

  • Please locate your Malwarebytes icon and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
 

 

===================================================

 

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
  • Click the Back button.
  • Click the Finish button.

 

===================================================
 

 

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Malwarebytes results
  • ESET results (no log if nothing found)
  • How is your computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 12 February 2013 - 11:41 PM

Hi Ben,

 

I will be signing off for the evening.  I will review your logs first thing tomorrow morning if they are posted.

 

Talk to you soon.


Gary
 

#12 stowie

stowie
  • Topic Starter

  • Members
  • 7 posts

Posted 13 February 2013 - 05:07 PM

Gary, I can't speak to any further difference in my computer's visible performance. It's as responsive as it has been. It's just a relief to see these programs turning up results when I know there's a problem. At least I know they're working.

 

MBAM Results

 

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
 
Database version: v2013.02.06.09
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ben :: BEN-PC [administrator]
 
2/12/2013 11:28:51 PM
mbam-log-2013-02-12 (23-28-51).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 399897
Time elapsed: 2 hour(s), 3 minute(s), 39 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
 
ESET Results
 
C:\Program Files\Vuze\.install4j\i4j_extf_32_5p83tu.dll    a variant of Win32/Bunndle application    cleaned by deleting - quarantined
C:\Users\Ben\Downloads\MB v1.0.3 FIXED.zip    probably a variant of Win32/Agent.HGBEFEV trojan    deleted - quarantined
C:\Users\Ben\Downloads\SoftonicDownloader_for_maplestory.exe    a variant of Win32/SoftonicDownloader.E application    cleaned by deleting - quarantined


#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 13 February 2013 - 05:45 PM

Greetings Ben,

Those ESET detections are nothing to worry about.

Let's perform some important updates.


===================================================


Update Java

-------------------

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to update Java and remove any existing older versions:

  • Click here to evaluate your current version of Java
  • Click Free Java Download
  • Click the Agree and Start Free Download
  • Save jxpiinstall.exe to your desktop
  • Double click the icon then click Run
  • Click Install
  • Uncheck Install the Ask Toolbar and make Ask my default search provider
  • Click Next
  • You should be notified You have successfully installed Java

Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.

To disable the JQS service if you don't want to use it:

  • Click Start, Control Panel, Java, then Advanced
  • Scroll down to Miscellaneous then uncheck the box for Java Quick Starter.
  • Click OK and reboot your computer.

 

===================================================


Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern. Here is some excellent information and a video which explains the importance of minimizing the risk of infection through compromised PDF files.

Adobe Reader Update

  • Please download Adobe Reader
  • After installing the latest Adobe Reader, uninstall all previous versions through Add/Remove Programs.
  • If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box that says Also Download Adobe Photoshop® Album Starter Edition

 

===================================================



Things I would like to see in your next reply.

  • Updates go well?
  • Are there any remaining issues?

Gary
 

#14 stowie

stowie
  • Topic Starter

  • Members
  • 7 posts

Posted 13 February 2013 - 06:18 PM

We're all updated and good to go. Computer is running great. Thank you so much!



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 13 February 2013 - 07:16 PM

Hi Ben,

Excellent!

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!


===================================================


All Clean

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining tools we used from your PC. After this step you may remove any other remaining tools or logs.


Delete the tools used during the disinfection:

  • Press the Windows key + r on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.
  • This will remove Combofix and other tools we used from your computer.
  • You may also remove any leftover tools we used.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read: Simple and easy ways to keep your computer safe and secure on the Internet.


In addition, here are some more links you might find of interest:

 

I will leave this topic open for just a couple of days in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.


Gary
 



