Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

bank says i have malware(?) - Kaspersky and online software unable to detect - no odd PC behaviour


  • This topic is locked This topic is locked
19 replies to this topic

#1 quo

quo

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:13 AM

Posted 13 February 2013 - 05:01 AM

Hello and thank-you,

 

My bank says I have "malware" of some sort. They said it was likely a "Zeus" and/or a "Zbot" of some sort. Occassionally, prior to that in the past, my Kaspersky has noted that it was going to allow keylogger behaviour without giving me time nor explanation as to what this was. I have tried hours and hours of installing and running free online anti-malware programs to no avail. I have had to uninstall all of them. I have even had to uninstall Kaspersky because it conflicted with AVG. No odd behaviour my by PC. Here's my DDS.txt ...

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by Sam at 20:43:05 on 2013-02-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.1787.823 [GMT 11:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Bing Bar] "C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{B6B7410A-B83A-4827-9B47-F0D8299BB111} : DHCPNameServer = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\d9jokd9f.default\
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-11-20 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-11-20 202752]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-1-25 92216]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-6-30 27192]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-2 2804568]
R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-4-20 315392]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-11-20 347680]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-11-20 38456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-11 5434368]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-11-20 245792]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-14 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-10 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-5-14 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-11 389120]
.
=============== Created Last 30 ================
.
2013-02-13 08:57:47    9161176    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{64D82070-2E9B-4FC7-B6A6-FE7F57EEBF5C}\mpengine.dll
2013-02-11 09:19:30    9161176    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-02-10 09:14:29    --------    d-----w-    C:\Program Files\Enigma Software Group
2013-02-10 09:12:58    --------    d-----w-    C:\Windows\22B3AE667A374118BADB3680C15CA366.TMP
2013-02-10 09:12:55    --------    d-----w-    C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-02-08 14:08:34    --------    d-----w-    C:\Users\Sam\AppData\Roaming\SUPERAntiSpyware.com
2013-02-08 14:08:34    --------    d-----w-    C:\Users\Sam\AppData\Local\Google
2013-02-08 13:02:23    --------    d-----w-    C:\Users\Sam\AppData\Local\NPE
2013-02-07 10:39:22    --------    d-----w-    C:\Users\Sam\AppData\Roaming\TuneUp Software
2013-02-07 09:53:38    --------    d--h--w-    C:\ProgramData\Common Files
2013-02-07 09:53:38    --------    d-----w-    C:\Users\Sam\AppData\Local\MFAData
2013-02-07 09:53:38    --------    d-----w-    C:\Users\Sam\AppData\Local\Avg2013
2013-02-07 09:53:38    --------    d-----w-    C:\ProgramData\MFAData
2013-02-06 09:19:59    917400    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2013-02-06 09:19:59    277400    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
2013-02-06 09:19:47    262552    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2013-02-06 09:19:47    2106216    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2013-02-06 09:19:47    1998168    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2013-02-06 09:19:47    116120    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
2013-02-06 09:19:46    74136    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-02-06 09:19:46    19352    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll
2013-01-31 14:59:56    0    ----a-w-    C:\Windows\SysWow64\sho987E.tmp
2013-01-31 12:07:25    --------    d-----w-    C:\Users\Sam\AppData\Local\{F48A1604-4E45-4942-819A-1D1A672C7DF8}
2013-01-29 23:12:58    17    ----a-w-    C:\Windows\SysWow64\shoE1E7.tmp
2013-01-28 09:58:16    972264    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{73B1563E-C503-40D1-9A6E-AAD17C01B612}\gapaengine.dll
2013-01-28 09:53:59    --------    d-----w-    C:\Program Files (x86)\Microsoft Security Client
2013-01-28 09:53:50    --------    d-----w-    C:\Program Files\Microsoft Security Client
2013-01-28 09:33:14    0    ----a-w-    C:\Windows\SysWow64\shoB05B.tmp
2013-01-28 09:25:30    --------    d-----w-    C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-27 16:31:57    0    ----a-w-    C:\Windows\SysWow64\sho286.tmp
2013-01-27 14:24:04    --------    d-----w-    C:\ProgramData\AVAST Software
2013-01-27 14:24:04    --------    d-----w-    C:\Program Files\AVAST Software
2013-01-27 11:11:37    --------    d-----w-    C:\Users\Sam\AppData\Roaming\Malwarebytes
2013-01-27 11:11:06    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-01-27 11:08:36    --------    d-----w-    C:\Users\Sam\AppData\Local\Programs
2013-01-26 12:05:29    0    ----a-w-    C:\Windows\SysWow64\sho2F6B.tmp
2013-01-25 09:09:04    9161176    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E4A9A616-2F61-4959-90B1-0C463D75C99E}\mpengine.dll
2013-01-14 13:29:32    17    ----a-w-    C:\Windows\SysWow64\sho7AC1.tmp
.
==================== Find3M  ====================
.
2013-01-30 10:53:22    273840    ------w-    C:\Windows\System32\MpSigStub.exe
2013-01-10 09:39:16    0    ----a-w-    C:\Windows\SysWow64\sho5DCD.tmp
2013-01-05 12:45:55    17    ----a-w-    C:\Windows\SysWow64\shoF46D.tmp
2012-12-17 14:31:49    17    ----a-w-    C:\Windows\SysWow64\shoFC9E.tmp
2012-12-16 17:11:22    46080    ----a-w-    C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03    367616    ----a-w-    C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28    295424    ----a-w-    C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20    34304    ----a-w-    C:\Windows\SysWow64\atmlib.dll
2012-12-16 12:49:27    0    ----a-w-    C:\Windows\SysWow64\shoE0DC.tmp
2012-12-07 13:20:16    441856    ----a-w-    C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31    2746368    ----a-w-    C:\Windows\System32\gameux.dll
2012-12-07 12:26:17    308736    ----a-w-    C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43    2576384    ----a-w-    C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04    30720    ----a-w-    C:\Windows\System32\usk.rs
2012-12-07 11:20:03    43520    ----a-w-    C:\Windows\System32\csrr.rs
2012-12-07 11:20:03    23552    ----a-w-    C:\Windows\System32\oflc.rs
2012-12-07 11:20:01    45568    ----a-w-    C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01    44544    ----a-w-    C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01    20480    ----a-w-    C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00    20480    ----a-w-    C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59    20480    ----a-w-    C:\Windows\System32\pegi.rs
2012-12-07 11:19:58    46592    ----a-w-    C:\Windows\System32\fpb.rs
2012-12-07 11:19:57    40960    ----a-w-    C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57    21504    ----a-w-    C:\Windows\System32\grb.rs
2012-12-07 11:19:57    15360    ----a-w-    C:\Windows\System32\djctq.rs
2012-12-07 11:19:56    55296    ----a-w-    C:\Windows\System32\cero.rs
2012-12-07 11:19:55    51712    ----a-w-    C:\Windows\System32\esrb.rs
2012-11-30 05:45:35    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35    243200    ----a-w-    C:\Windows\System32\wow64.dll
2012-11-30 05:45:35    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2012-11-30 05:45:14    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2012-11-30 05:43:12    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2012-11-30 05:41:07    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2012-11-30 04:54:00    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2012-11-30 04:53:59    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48    338432    ----a-w-    C:\Windows\System32\conhost.exe
2012-11-30 02:44:06    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2012-11-30 02:44:04    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2012-11-30 02:44:04    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2012-11-30 02:38:59    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:26:31    3149824    ----a-w-    C:\Windows\System32\win32k.sys
2012-11-23 03:13:57    68608    ----a-w-    C:\Windows\System32\taskhost.exe
2012-11-22 05:44:23    800768    ----a-w-    C:\Windows\System32\usp10.dll
2012-11-22 04:45:03    626688    ----a-w-    C:\Windows\SysWow64\usp10.dll
2012-11-20 05:48:49    307200    ----a-w-    C:\Windows\System32\ncrypt.dll
2012-11-20 04:51:09    220160    ----a-w-    C:\Windows\SysWow64\ncrypt.dll
2012-11-17 13:41:17    17    ----a-w-    C:\Windows\SysWow64\sho135B.tmp
2012-11-16 10:55:08    17    ----a-w-    C:\Windows\SysWow64\sho49FE.tmp
.
============= FINISH: 20:44:15.63 ===============
 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:13 PM

Posted 15 February 2013 - 11:00 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
 
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop
 
IMPORTANT....
 
1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
 
3. Do not install any other programs until this if fixed.
 
How to : Disable Anti-virus and Firewall...
 
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.

  • Please post the C:\ComboFix.txt

Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall
 
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third party programs if not up to date can be the cause infiltration of an infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.

  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===
 
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.

  •  


  • Close all open programs and internet browsers.


  • Double click on AdwCleaner.exe to run the tool.


  • Click on Delete tab follow the prompts.


  • A log file will automatically open after the scan has finished.


  • Please post the content of that log file with your next answer.


  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

 
 
Please post the logs for my review.


#3 quo

quo
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:13 AM

Posted 20 February 2013 - 06:20 AM

Thank-you nasdaq, your time and attention are most appreciated.

 

 

Here is the ComboFix log report...

 

 

ComboFix 13-02-18.02 - Sam 20/02/2013  21:41:41.3.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.1787.774 [GMT 11:00]
Running from: c:\users\Sam\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-20 to 2013-02-20  )))))))))))))))))))))))))))))))
.
.
2013-02-20 10:55 . 2013-02-20 10:55    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-20 08:41 . 2013-02-08 00:28    9162192    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D835528-9CCD-45FB-A598-74BC2E575D24}\mpengine.dll
2013-02-18 09:01 . 2013-01-07 10:32    9161176    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-02-14 05:50 . 2013-01-05 05:53    5553512    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-14 05:50 . 2013-01-05 05:00    3967848    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-14 05:50 . 2013-01-05 05:00    3913064    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-14 05:48 . 2013-01-04 05:46    215040    ----a-w-    c:\windows\system32\winsrv.dll
2013-02-14 05:48 . 2013-01-04 02:47    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2013-02-14 05:48 . 2013-01-04 02:47    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2013-02-14 05:48 . 2013-01-04 04:51    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2013-02-14 05:48 . 2013-01-04 02:47    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2013-02-14 05:48 . 2013-01-04 02:47    2048    ----a-w-    c:\windows\SysWow64\user.exe
2013-02-14 05:48 . 2013-01-03 06:00    1913192    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-14 05:48 . 2013-01-03 06:00    288088    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-14 05:48 . 2012-12-26 04:49    760320    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 05:48 . 2012-12-26 05:47    1111040    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-10 09:14 . 2013-02-10 09:14    --------    d-----w-    c:\program files\Enigma Software Group
2013-02-10 09:12 . 2013-02-12 08:31    --------    d-----w-    c:\windows\22B3AE667A374118BADB3680C15CA366.TMP
2013-02-10 09:12 . 2013-02-10 09:12    --------    d-----w-    c:\program files (x86)\Common Files\Wise Installation Wizard
2013-02-08 17:51 . 2013-02-14 06:19    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-02-08 14:08 . 2013-02-08 14:14    --------    d-----w-    c:\users\Sam\AppData\Local\Google
2013-02-08 14:08 . 2013-02-08 14:08    --------    d-----w-    c:\users\Sam\AppData\Roaming\SUPERAntiSpyware.com
2013-02-08 14:08 . 2013-02-08 14:25    --------    d-----w-    c:\program files (x86)\Google
2013-02-08 13:02 . 2013-02-08 13:25    --------    d-----w-    c:\users\Sam\AppData\Local\NPE
2013-02-07 10:39 . 2013-02-07 10:39    --------    d-----w-    c:\users\Sam\AppData\Roaming\TuneUp Software
2013-02-07 09:53 . 2013-02-08 12:45    --------    d-----w-    c:\programdata\MFAData
2013-02-07 09:53 . 2013-02-08 11:55    --------    d-----w-    c:\users\Sam\AppData\Local\Avg2013
2013-02-07 09:53 . 2013-02-07 09:53    --------    d--h--w-    c:\programdata\Common Files
2013-02-07 09:53 . 2013-02-07 09:53    --------    d-----w-    c:\users\Sam\AppData\Local\MFAData
2013-01-31 14:59 . 2013-01-31 14:59    0    ----a-w-    c:\windows\SysWow64\sho987E.tmp
2013-01-29 23:12 . 2013-01-29 23:12    17    ----a-w-    c:\windows\SysWow64\shoE1E7.tmp
2013-01-28 09:58 . 2013-01-28 09:58    972264    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{73B1563E-C503-40D1-9A6E-AAD17C01B612}\gapaengine.dll
2013-01-28 09:53 . 2013-01-28 09:54    --------    d-----w-    c:\program files (x86)\Microsoft Security Client
2013-01-28 09:53 . 2013-01-28 09:54    --------    d-----w-    c:\program files\Microsoft Security Client
2013-01-28 09:33 . 2013-01-28 09:33    0    ----a-w-    c:\windows\SysWow64\shoB05B.tmp
2013-01-28 09:25 . 2013-02-07 10:27    --------    d-----w-    c:\program files (x86)\Mozilla Maintenance Service
2013-01-27 16:31 . 2013-01-27 16:31    0    ----a-w-    c:\windows\SysWow64\sho286.tmp
2013-01-27 14:25 . 2012-10-30 22:50    285328    ----a-w-    c:\windows\system32\aswBoot.exe
2013-01-27 14:24 . 2013-01-29 08:39    --------    d-----w-    c:\programdata\AVAST Software
2013-01-27 14:24 . 2013-01-27 14:24    --------    d-----w-    c:\program files\AVAST Software
2013-01-27 11:11 . 2013-01-27 11:11    --------    d-----w-    c:\users\Sam\AppData\Roaming\Malwarebytes
2013-01-27 11:11 . 2013-01-27 11:11    --------    d-----w-    c:\programdata\Malwarebytes
2013-01-27 11:08 . 2013-01-27 11:08    --------    d-----w-    c:\users\Sam\AppData\Local\Programs
2013-01-26 12:05 . 2013-01-26 12:05    0    ----a-w-    c:\windows\SysWow64\sho2F6B.tmp
2013-01-25 09:09 . 2013-01-08 05:32    9161176    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{E4A9A616-2F61-4959-90B1-0C463D75C99E}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-30 10:53 . 2011-07-03 11:46    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-14 13:29 . 2013-01-14 13:29    17    ----a-w-    c:\windows\SysWow64\sho7AC1.tmp
2013-01-10 09:39 . 2013-01-10 09:39    0    ----a-w-    c:\windows\SysWow64\sho5DCD.tmp
2013-01-05 12:45 . 2013-01-05 12:45    17    ----a-w-    c:\windows\SysWow64\shoF46D.tmp
2013-01-04 04:43 . 2013-02-14 05:48    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2012-12-17 14:31 . 2012-12-17 14:31    17    ----a-w-    c:\windows\SysWow64\shoFC9E.tmp
2012-12-16 17:11 . 2012-12-21 11:14    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 11:14    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 11:14    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 11:14    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-16 12:49 . 2012-12-16 12:49    0    ----a-w-    c:\windows\SysWow64\shoE0DC.tmp
2012-12-07 13:20 . 2013-01-09 11:22    441856    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 11:22    2746368    ----a-w-    c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 11:21    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 11:21    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 11:22    30720    ----a-w-    c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 11:22    43520    ----a-w-    c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 11:21    23552    ----a-w-    c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 11:22    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 11:22    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 11:21    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 11:22    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 11:22    20480    ----a-w-    c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 11:22    46592    ----a-w-    c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 11:22    40960    ----a-w-    c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 11:22    15360    ----a-w-    c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 11:22    21504    ----a-w-    c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 11:21    55296    ----a-w-    c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 11:21    51712    ----a-w-    c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 11:22    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 11:22    30720    ----a-w-    c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 11:22    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 11:22    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 11:22    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 11:21    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 11:21    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 11:22    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 11:22    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 11:22    21504    ----a-w-    c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 11:22    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 11:22    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 11:21    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
2012-12-07 10:46 . 2013-01-09 11:21    55296    ----a-w-    c:\windows\SysWow64\cero.rs
2012-11-30 05:45 . 2013-01-09 11:13    362496    ----a-w-    c:\windows\system32\wow64win.dll
2012-11-30 05:45 . 2013-01-09 11:13    243200    ----a-w-    c:\windows\system32\wow64.dll
2012-11-30 05:45 . 2013-01-09 11:13    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2012-11-30 05:43 . 2013-01-09 11:13    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2012-11-30 05:41 . 2013-01-09 11:13    424448    ----a-w-    c:\windows\system32\KernelBase.dll
2012-11-30 05:41 . 2013-01-09 11:13    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    6144    ---ha-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    5120    ---ha-w-    c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:12    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 11:12    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 04:53 . 2013-01-09 11:13    274944    ----a-w-    c:\windows\SysWow64\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 11:13    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    4608    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:12    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    5120    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 11:13    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-17 98304]
"Bing Bar"="c:\program files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe" [2010-04-14 243544]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-06-30 602168]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 245792]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-13 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-17 202752]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-01-25 92216]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-06-30 27192]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-04-20 315392]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-09-30 508776]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-23 347680]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-09-30 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-09-30 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-09-30 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-09-30 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-09-30 219496]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 38456]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 18:36    451872    ----a-w-    c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-06 c:\windows\Tasks\HPCeeScheduleForSam.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-05-26 6245408]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\d9jokd9f.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-20  22:15:02
ComboFix-quarantined-files.txt  2013-02-20 11:14
ComboFix2.txt  2013-02-20 10:08
.
Pre-Run: 422,346,977,280 bytes free
Post-Run: 422,058,348,544 bytes free
.
- - End Of File - - 02538FD1C507216423BD02278DF9ACDF
 



#4 quo

quo
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:13 AM

Posted 20 February 2013 - 06:25 AM

Nasdaq, and here is the 317 CheckUp txt report...

 

 Results of screen317's Security Check version 0.99.58  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
Microsoft Security Essentials   
  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 20  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (18.0.2)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Symantec Norton Online Backup NOBuAgent.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 18% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 



#5 quo

quo
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:13 AM

Posted 20 February 2013 - 06:40 AM

And finally, nasdaq, here is the AdwCleaner txt...

 

 

# AdwCleaner v2.112 - Logfile created 02/20/2013 at 22:32:25
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Sam - COMPAQ
# Boot Mode : Normal
# Running from : C:\Users\Sam\Downloads\adwcleaner0.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-GB)

File : C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\d9jokd9f.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Sam\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1020 octets] - [20/02/2013 21:32:06]
AdwCleaner[S2].txt - [315 octets] - [20/02/2013 22:31:46]
AdwCleaner[S3].txt - [934 octets] - [20/02/2013 22:32:25]

########## EOF - C:\AdwCleaner[S3].txt - [993 octets] ##########
 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:13 PM

Posted 20 February 2013 - 10:43 AM

Secure your system by updating 3rd party programs.
 
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
 
Be careful not to install malware posing as Java update!
Important read this blog.
 
Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
 
How to disable Java in your browsers
 
You can manually check your present version and update as recommended.
 
If present remove the old version(s) of Java using the Add/Remove Programs applet.
 
Java™ 6 Update 20  
 
Java 7 update 10 introduced important new security controls
You can read about it here.
 
Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
I suggest that your un-check the box "Install the Ask Toolbar" before proceeding.
===
 
Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks... 
 
 
On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.
 
You will also have an option to install the Free! McAfee Security Scan Plus Un-check the box if you are NOT using McAfee's virus protection software.
 
For the users of Internet Explorer download version 11.
===
 
Get the latest version of the  Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
 
When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===
 
Please let me know if the problem persists.


#7 quo

quo
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:13 AM

Posted 22 February 2013 - 06:17 AM

nasdaq,

 

I do believe I have done as you have suggested.

 

Is there a way of telling you that me following your advice has been successful?

 

I ask this because my bank has given me two options.

 

The first is to re-format which is a drastic last resort as far as I can tell.

The second is professional cleaning.

 

From my bank...

"Once your device has been re-formatted or professionally cleaned, please
install a suitable Antivirus software and firewall and ensure this is kept
up to date. An IT Professional can recommend appropriate software that will
detect and remove any malicious software that may attempt to infect your
device in the future."

Back to your advice, as above. I do believe I have followed your suggestion correctly. Is there a way to verify? Pls advise. Obviously, I can't go to the bank and say take our word for it :/ seeing as they rightly gave me a stern talking to over the phone regarding financial security. That's the thing: I'm willing to take all this step-by-step via process of elimination as i do believe re-formatting is a drastic last option step. What if it's not a virus but my PC just being not updated? Pls let me know if my response and applications to your suggestions have been met successfully and I/we can take it from there to increasingly drastic and/or expensive options by process of elimination.

 

I do appreciate all your assistance. I am also on a steep learning curve myself, so pls bear with me. Thanks again :)



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:13 PM

Posted 22 February 2013 - 11:35 AM

What I have identified with the tools we used was removed.
 
I suggest you run these 2 online scans when you have the time.
 
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
  • ===

    Please download the Kaspersky Virus Removal Tool from here to your Desktop.
     
    Double-click the Removal Tool.
    Click the cog in the upper right corner:
     
     
    Select down to and including your main drive.
    Once done please select the Automatic Scan tab and press Start Scan.
     
     
    Allow AVP to delete all infections found.
    Once it has finished select the Report tab.
    Select the Detected threats report from the left and press the Save button.
    Save it to your Desktop and post the contents in your next reply.
     
    ===
     
    You can the tell the bank what you did.
     
    I would not call them back, unless they call again.
     
    If they are sure that you are infected ask them to tell you with what and what did they find.
     
     


    #9 quo

    quo
    • Topic Starter

    • Members
    • 35 posts
    • OFFLINE
    •  
    • Gender:Not Telling
    • Local time:05:13 AM

    Posted 23 February 2013 - 05:21 AM

    nasdaq,

     

     

    Thanks again.

     

    I will proceed with the above soon but with Windows firewall and MSE running. Is that okay? You mention AVP, is that part of Kaspersky?

     

    However, before that, here's what my bank's security operation division emailled me...

     

    "We have placed a temporary hold on your [online account].
    
    [Bank] has received information that an electronic device that you use to
    access your online banking is infected with a form of malicious software,
    which has obtained your online banking data, including your password. Your
    accounts are at risk from being accessed by an unauthorised third party.
    
    We have taken the precaution of placing a temporary hold on your [online account]. The
    type of virus appears to be Zeus or a similar type of malware, which poses
    a serious risk to the security of your computer and needs to be removed.
    The virus can be removed by either having your computer re-formatted or
    professionally cleaned as standard Antivirus products may not detect the
    malware.
    
    Once your device has been re-formatted or professionally cleaned, please
    install a suitable Antivirus software and firewall and ensure this is kept
    up to date. An IT Professional can recommend appropriate software that will
    detect and remove any malicious software that may attempt to infect your
    device in the future.
    
    Please contact [bank] on xx xx xx xx once this has been completed and we
    will reinstate your [online account] to allow you to access your online banking."

     

    I do believe my bank requires some sort of response from me via either email or phone if I am to get online access back. I will say my PC was professionally cleaned and leave it at that. Through all this I now know how to do phone banking.

     

     

    The 317 CheckUp reported...

     

    "Defragment your hard drive soon! (Do NOT defrag if SSD!)

     

    I'd like to defrag but what is SSD? Does my PC have it? How do I find out?

     

     

    Again, thanks for bearing with me and this steep learning curve.



    #10 nasdaq

    nasdaq

    • Malware Response Team
    • 38,788 posts
    • ONLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:02:13 PM

    Posted 23 February 2013 - 09:19 AM

    You mention AVP, is that part of Kaspersky?
    Yes!
     
    SSD stands for Solid-state drive/hard disk.
     
    Additional information of Hard Disk.
    Check the model of the Computer with the Manufacturer. You may be able to find out what type of HD is installed.
    ===
     
    I would install this free Firewall.
     
    After having run the On-line scans, install the Firewall you should contact the bank and see if they are satisfied as to what you have done.


    #11 quo

    quo
    • Topic Starter

    • Members
    • 35 posts
    • OFFLINE
    •  
    • Gender:Not Telling
    • Local time:05:13 AM

    Posted 24 February 2013 - 05:53 AM

    nasdaq,

     

    Oops, of course AVP is part of Kaspersky. I was tired and got it confused with AVG.

     

    Just before scanning with ESET I unchecked the "remove found threats" box and checked the "scan archives" box. There was also a message under a "hide" link... "Another antivirus software was detected. This may affect the performance and quality of the scan." The vendor was identified as "ALWIL Software" though there was no entry in the product column.

     

    Pls advise as I have searched my PC programs and files for ALWIL and found nothing.



    #12 nasdaq

    nasdaq

    • Malware Response Team
    • 38,788 posts
    • ONLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:02:13 PM

    Posted 24 February 2013 - 09:33 AM

    AVAST Software was formerly known as ALWIL Software a.s.
     
    There could be some traces of ALWIL in the registry.
    You can continue with the scan.
     
    If you want to check before running ESET execute this.
     
    Please download SystemLook from one of the links below and save it to your Desktop.
     
    If your operating system is 64 bit download this tool:
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
  •  
    :regfind
    ALWIL
     
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt


    #13 quo

    quo
    • Topic Starter

    • Members
    • 35 posts
    • OFFLINE
    •  
    • Gender:Not Telling
    • Local time:05:13 AM

    Posted 26 February 2013 - 04:53 AM

    Hi,

     

     

    I was able to defrag.

    I will attempt post #10 (personal firewall) and #12 AVAST/ALWIL registry removal at a later date.

     

    But first, to sort #8...

     

    ESET There seemed to be no option to save it to desktop. It autmatically loaded itself and ran me throught he stages to scan. So I did. Zero threats detected (huzzah!). No "list of found threats" option and no "export to text file" option that I could see. I've just moved the entire file folder to desktop after a C-drive search, and upon opening it up, I am unsure how to run it from there. So how do I save ESET to desktop, present "list of found threats" and export to text file"?

     

    KASPERSKY Am scanning now and Kaspersky says it will take hours. What power state should I set my PC on so as to not to interfere with the scan? Gotta go to bed. I've set PC to "sleep" with password to wake-up function. I'm guessing that's the mosst secure and relevant.

     

     

    Thanks again.



    #14 nasdaq

    nasdaq

    • Malware Response Team
    • 38,788 posts
    • ONLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:02:13 PM

    Posted 26 February 2013 - 10:00 AM

    Eset does not create a log if  nothing is found.

     

    Has Kaspercky finished?



    #15 quo

    quo
    • Topic Starter

    • Members
    • 35 posts
    • OFFLINE
    •  
    • Gender:Not Telling
    • Local time:05:13 AM

    Posted 27 February 2013 - 04:40 AM

    Whoah. So I set my PC to go to "sleep" mode after 5 hours yesterday. At the time scan time to finish was wavering between 12-16 hours. Now, just started up PC and can't figure out how to retrieve report. Couldn't find Kaspersky in program/file search. Couldn't find report in report search. Found Kaspersky tool on downloads search and so have run Kaspersky again through that. After 12 minutes scanning the estimated finish time is a whopping 16 days and climbing. Nope, now it's down to 4 days. Oh, looky, it's 3 days. 2 days and counting after 15 minutes scanning. Now it's down to 1 day after 20 minutes scanning 1% completed. Sheesh. Where's the report?






    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users