
Win32/PEPatch detected - svchost.exe using all the cpu



#1 derekwatters

Posted 07 March 2013 - 05:14 PM

The computer runs so slow and the CPU usage is up to nearly 100% most of the time, with svchost.exe using up most of it.

 

I ran Malwarebytes and it detected nothing. Ran AVG and it found Win32/PEPatch, but svchost.exe is still using up all the CPU. Terminating the process does nothing; it returns a few minutes later.

 

DDS notepad files zipped and attached.

Attached file: dds.zip (9.08KB)




#2 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 07 March 2013 - 05:36 PM

Hello derekwatters,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

 

1. Do you have a USB Flash Drive you can use?

2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 derekwatters (Topic Starter)

Posted 07 March 2013 - 08:13 PM

1) Yes, I have a USB.

2) Here is the RKreport:

 

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Anne [Admin rights]
Mode : Scan -- Date : 03/08/2013 02:06:29
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] mbbService.exe -- C:\ProgramData\MobileBrServ\mbbservice.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST950032 5AS SATA Disk Device +++++
--- User ---
[MBR] 5861aff4036301b2e819cb1387b76305
[BSP] 5c72a8213e128f8b94b24ce180538ca3 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: JetFlash TS4GJFV20 USB Device +++++
--- User ---
[MBR] 6a4a387552f79e5958e59894ba56f166
[BSP] bbd47739998fddc82edbda2d919d2d0d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 3829 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_03082013_02d0206.txt >>
RKreport[1]_S_03082013_02d0206.txt


 



#4 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 09 March 2013 - 08:32 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#5 derekwatters (Topic Starter)

Posted 09 March 2013 - 09:03 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-03-2013
Ran by SYSTEM at 10-03-2013 03:59:36
Running from E:\
Windows 7 Home Premium  Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [608112 2011-03-29] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet [2022976 2011-06-27] ()
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [627360 2011-05-20] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [379552 2011-05-20] (Atheros Commnucations)
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [483424 2012-02-01] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-08-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe /boot [4165440 2011-08-04] (Dell, Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900 [66872 2012-02-06] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [38112 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [2835443 2012-02-01] ()
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-10] (AVG Technologies CZ, s.r.o.)
HKU\Anne\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18705664 2013-01-08] (Skype Technologies S.A.)
Tcpip\Parameters: [DhcpNameServer] 80.58.61.250 80.58.61.254

==================== Services (Whitelisted) ===================

2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [146592 2011-05-20] (Atheros)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 Mobile Broadband HL Service; "C:\ProgramData\MobileBrServ\mbbservice.exe" [230240 2012-08-10] ()
2 RapportMgmtService; "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe" [976728 2012-07-29] (Trusteer Ltd.)

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-14] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-01] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-20] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-15] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-13] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-20] (AVG Technologies CZ, s.r.o.)
0 pavboot; C:\Windows\System32\drivers\pavboot64.sys [33800 2009-06-30] (Panda Security, S.L.)
1 RapportCerberus_43926; \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys [505720 2012-10-24] ()
1 RapportEI64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [55096 2012-07-29] (Trusteer Ltd.)
0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [101688 2012-07-29] (Trusteer Ltd.)
1 RapportPG64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [297240 2012-07-29] (Trusteer Ltd.)
3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-03-10 03:59 - 2013-03-10 03:59 - 00000000 ____D C:\FRST
2013-03-07 20:06 - 2013-03-07 20:06 - 00001859 ____A C:\Users\Anne\Desktop\RKreport[1]_S_03082013_02d0206.txt
2013-03-07 20:00 - 2013-03-07 20:06 - 00000000 ____D C:\Users\Anne\Desktop\RK_Quarantine
2013-03-07 19:55 - 2013-03-07 19:56 - 00816640 ____A C:\Users\Anne\Desktop\RogueKiller.exe
2013-03-07 17:11 - 2013-03-07 17:11 - 00009302 ____A C:\Users\Anne\Desktop\dds.zip
2013-03-07 17:08 - 2013-03-07 17:08 - 00000000 ____D C:\Program Files\7-Zip
2013-03-07 16:02 - 2013-03-07 16:02 - 00011140 ____A C:\Users\Anne\Desktop\attach.txt
2013-03-07 16:02 - 2013-03-07 16:01 - 00021011 ____A C:\Users\Anne\Desktop\dds.txt
2013-03-07 15:59 - 2013-03-07 15:59 - 00688992 ____R (Swearware) C:\Users\Anne\Downloads\dds.com
2013-03-06 17:05 - 2013-03-06 17:05 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-03-06 17:05 - 2013-03-06 17:05 - 00000967 ____A C:\ProgramData\Desktop\AVG 2013.lnk
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\Application Data\TuneUp Software
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\Application Data\AVG2013
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\AppData\Roaming\TuneUp Software
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\AppData\Roaming\AVG2013
2013-03-06 17:04 - 2013-03-06 17:05 - 00000000 ____D C:\ProgramData\AVG2013
2013-03-06 17:04 - 2013-03-06 17:05 - 00000000 ____D C:\ProgramData\Application Data\AVG2013
2013-03-06 17:04 - 2013-03-06 17:04 - 00000000 ___HD C:\$AVG
2013-03-06 17:03 - 2013-03-06 17:03 - 00000000 ____D C:\Program Files (x86)\AVG
2013-03-06 17:02 - 2013-03-06 17:02 - 00000000 ____D C:\Program Files (x86)\Panda Security
2013-03-06 17:02 - 2009-06-30 04:37 - 00033800 ____A (Panda Security, S.L.) C:\Windows\System32\Drivers\pavboot64.sys
2013-03-06 16:55 - 2013-03-09 20:46 - 00000000 ____D C:\ProgramData\MFAData
2013-03-06 16:55 - 2013-03-09 20:46 - 00000000 ____D C:\ProgramData\Application Data\MFAData
2013-03-06 16:55 - 2013-03-06 17:15 - 00000000 ____D C:\Users\Anne\Local Settings\Avg2013
2013-03-06 16:55 - 2013-03-06 17:15 - 00000000 ____D C:\Users\Anne\Local Settings\Application Data\Avg2013
2013-03-06 16:55 - 2013-03-06 17:15 - 00000000 ____D C:\Users\Anne\AppData\Local\Avg2013
2013-03-06 16:55 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\Local Settings\MFAData
2013-03-06 16:55 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\Local Settings\Application Data\MFAData
2013-03-06 16:55 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\AppData\Local\MFAData
2013-02-27 21:19 - 2013-02-27 21:19 - 00000000 ____D C:\Users\Anne\Application Data\Malwarebytes
2013-02-27 21:19 - 2013-02-27 21:19 - 00000000 ____D C:\Users\Anne\AppData\Roaming\Malwarebytes
2013-02-27 21:18 - 2013-02-27 21:18 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-02-27 21:18 - 2013-02-27 21:18 - 00001111 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-02-27 21:18 - 2013-02-27 21:18 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-02-27 21:18 - 2013-02-27 21:18 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-02-27 21:18 - 2013-02-27 21:18 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-02-27 21:18 - 2012-12-14 10:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-02-27 21:16 - 2013-03-07 16:30 - 00002360 ____A C:\Users\Anne\Desktop\Rkill.txt
2013-02-27 21:16 - 2013-02-27 21:16 - 00000000 ____D C:\Users\Anne\Desktop\rkill
2013-02-27 20:59 - 2013-02-27 20:59 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\Anne\Desktop\iExplore.exe
2013-02-27 20:57 - 2013-02-27 20:58 - 10156344 ____A (Malwarebytes Corporation                                    ) C:\Users\Anne\Desktop\mbam-setup-1.70.0.1100.exe
2013-02-15 12:03 - 2013-01-08 20:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-02-15 12:03 - 2013-01-08 20:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-02-15 12:03 - 2013-01-08 20:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-02-15 12:03 - 2013-01-08 20:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-02-15 12:03 - 2013-01-08 20:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-02-15 12:03 - 2013-01-08 20:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-02-15 12:03 - 2013-01-08 20:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-02-15 12:03 - 2013-01-08 20:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-02-15 12:03 - 2013-01-08 20:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-02-15 12:03 - 2013-01-08 20:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-02-15 12:03 - 2013-01-08 20:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-02-15 12:03 - 2013-01-08 20:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-02-15 12:03 - 2013-01-08 20:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-02-15 12:03 - 2013-01-08 20:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-02-15 12:03 - 2013-01-08 20:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-02-15 12:03 - 2013-01-08 20:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-02-15 12:03 - 2013-01-08 17:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-02-15 12:03 - 2013-01-08 17:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-02-15 12:03 - 2013-01-08 17:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-02-15 12:03 - 2013-01-08 17:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-02-15 12:03 - 2013-01-08 17:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-02-15 12:03 - 2013-01-08 17:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-02-15 12:03 - 2013-01-08 17:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-02-15 12:03 - 2013-01-08 17:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-02-15 12:03 - 2013-01-08 16:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-02-15 12:03 - 2013-01-08 16:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-02-15 12:03 - 2013-01-08 16:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-02-15 12:03 - 2013-01-08 16:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-02-15 12:03 - 2013-01-08 16:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-02-15 12:03 - 2013-01-08 16:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-02-15 12:03 - 2013-01-08 16:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-02-15 12:03 - 2013-01-08 16:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-02-13 06:54 - 2013-01-05 00:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-02-13 06:54 - 2013-01-05 00:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-02-13 06:54 - 2013-01-05 00:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-13 06:53 - 2013-01-03 22:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-02-13 06:50 - 2013-01-04 00:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-02-13 06:50 - 2013-01-03 23:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-02-13 06:50 - 2013-01-03 21:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-02-13 06:50 - 2013-01-03 21:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-02-13 06:50 - 2013-01-03 21:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-02-13 06:50 - 2013-01-03 21:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-02-13 06:49 - 2013-01-03 01:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-02-13 06:49 - 2013-01-03 01:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS

==================== One Month Modified Files and Folders =======

2013-03-09 20:51 - 2012-06-27 03:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-09 20:51 - 2011-12-09 22:54 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-03-09 20:50 - 2012-02-28 08:36 - 00000000 ____D C:\Users\Anne\Application Data\Skype
2013-03-09 20:50 - 2012-02-28 08:36 - 00000000 ____D C:\Users\Anne\AppData\Roaming\Skype
2013-03-09 20:50 - 2011-12-09 23:05 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
2013-03-09 20:50 - 2011-12-09 23:05 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2013-03-09 20:50 - 2011-12-09 23:05 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-03-09 20:50 - 2011-12-09 23:05 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2013-03-09 20:50 - 2011-12-09 23:05 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2013-03-09 20:50 - 2011-12-09 23:05 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-03-09 20:49 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-09 20:49 - 2009-07-13 23:51 - 00060361 ____A C:\Windows\setupact.log
2013-03-09 20:48 - 2011-12-09 21:11 - 01957744 ____A C:\Windows\WindowsUpdate.log
2013-03-09 20:47 - 2009-07-14 00:13 - 00779788 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-09 20:46 - 2013-03-06 16:55 - 00000000 ____D C:\ProgramData\MFAData
2013-03-09 20:46 - 2013-03-06 16:55 - 00000000 ____D C:\ProgramData\Application Data\MFAData
2013-03-07 20:09 - 2012-02-28 08:20 - 00000000 ____D C:\Users\Anne\Local Settings\Nero
2013-03-07 20:09 - 2012-02-28 08:20 - 00000000 ____D C:\Users\Anne\Local Settings\Application Data\Nero
2013-03-07 20:09 - 2012-02-28 08:20 - 00000000 ____D C:\Users\Anne\AppData\Local\Nero
2013-03-07 20:06 - 2013-03-07 20:06 - 00001859 ____A C:\Users\Anne\Desktop\RKreport[1]_S_03082013_02d0206.txt
2013-03-07 20:06 - 2013-03-07 20:00 - 00000000 ____D C:\Users\Anne\Desktop\RK_Quarantine
2013-03-07 20:01 - 2009-07-13 23:45 - 00020720 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-07 20:01 - 2009-07-13 23:45 - 00020720 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-07 19:56 - 2013-03-07 19:55 - 00816640 ____A C:\Users\Anne\Desktop\RogueKiller.exe
2013-03-07 19:54 - 2011-12-09 22:26 - 00000000 ____D C:\ProgramData\Sonic
2013-03-07 19:54 - 2011-12-09 22:26 - 00000000 ____D C:\ProgramData\Application Data\Sonic
2013-03-07 17:11 - 2013-03-07 17:11 - 00009302 ____A C:\Users\Anne\Desktop\dds.zip
2013-03-07 17:08 - 2013-03-07 17:08 - 00000000 ____D C:\Program Files\7-Zip
2013-03-07 17:06 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\NDF
2013-03-07 16:30 - 2013-02-27 21:16 - 00002360 ____A C:\Users\Anne\Desktop\Rkill.txt
2013-03-07 16:02 - 2013-03-07 16:02 - 00011140 ____A C:\Users\Anne\Desktop\attach.txt
2013-03-07 16:01 - 2013-03-07 16:02 - 00021011 ____A C:\Users\Anne\Desktop\dds.txt
2013-03-07 15:59 - 2013-03-07 15:59 - 00688992 ____R (Swearware) C:\Users\Anne\Downloads\dds.com
2013-03-06 18:28 - 2012-06-27 03:32 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-03-06 18:28 - 2011-12-09 21:28 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-03-06 17:15 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\Local Settings\Avg2013
2013-03-06 17:15 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\Local Settings\Application Data\Avg2013
2013-03-06 17:15 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\AppData\Local\Avg2013
2013-03-06 17:05 - 2013-03-06 17:05 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-03-06 17:05 - 2013-03-06 17:05 - 00000967 ____A C:\ProgramData\Desktop\AVG 2013.lnk
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\Application Data\TuneUp Software
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\Application Data\AVG2013
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\AppData\Roaming\TuneUp Software
2013-03-06 17:05 - 2013-03-06 17:05 - 00000000 ____D C:\Users\Anne\AppData\Roaming\AVG2013
2013-03-06 17:05 - 2013-03-06 17:04 - 00000000 ____D C:\ProgramData\AVG2013
2013-03-06 17:05 - 2013-03-06 17:04 - 00000000 ____D C:\ProgramData\Application Data\AVG2013
2013-03-06 17:04 - 2013-03-06 17:04 - 00000000 ___HD C:\$AVG
2013-03-06 17:03 - 2013-03-06 17:03 - 00000000 ____D C:\Program Files (x86)\AVG
2013-03-06 17:02 - 2013-03-06 17:02 - 00000000 ____D C:\Program Files (x86)\Panda Security
2013-03-06 16:55 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\Local Settings\MFAData
2013-03-06 16:55 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\Local Settings\Application Data\MFAData
2013-03-06 16:55 - 2013-03-06 16:55 - 00000000 ____D C:\Users\Anne\AppData\Local\MFAData
2013-03-06 16:50 - 2011-12-09 22:50 - 00000000 ____D C:\ProgramData\McAfee
2013-03-06 16:50 - 2011-12-09 22:50 - 00000000 ____D C:\ProgramData\Application Data\McAfee
2013-03-06 16:50 - 2010-11-20 22:47 - 00028536 ____A C:\Windows\PFRO.log
2013-02-27 21:19 - 2013-02-27 21:19 - 00000000 ____D C:\Users\Anne\Application Data\Malwarebytes
2013-02-27 21:19 - 2013-02-27 21:19 - 00000000 ____D C:\Users\Anne\AppData\Roaming\Malwarebytes
2013-02-27 21:18 - 2013-02-27 21:18 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-02-27 21:18 - 2013-02-27 21:18 - 00001111 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-02-27 21:18 - 2013-02-27 21:18 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-02-27 21:18 - 2013-02-27 21:18 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-02-27 21:18 - 2013-02-27 21:18 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-02-27 21:16 - 2013-02-27 21:16 - 00000000 ____D C:\Users\Anne\Desktop\rkill
2013-02-27 20:59 - 2013-02-27 20:59 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\Anne\Desktop\iExplore.exe
2013-02-27 20:58 - 2013-02-27 20:57 - 10156344 ____A (Malwarebytes Corporation                                    ) C:\Users\Anne\Desktop\mbam-setup-1.70.0.1100.exe
2013-02-19 13:46 - 2009-07-13 23:45 - 00322280 ____A C:\Windows\System32\FNTCACHE.DAT
2013-02-15 12:24 - 2012-03-10 07:00 - 00000000 ____D C:\ProgramData\PCDr
2013-02-15 12:24 - 2012-03-10 07:00 - 00000000 ____D C:\ProgramData\Application Data\PCDr
2013-02-15 12:23 - 2012-05-04 08:50 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-02-08 12:07 - 2012-04-08 03:43 - 00000000 ____D C:\Users\Anne\Local Settings\CrashDumps
2013-02-08 12:07 - 2012-04-08 03:43 - 00000000 ____D C:\Users\Anne\Local Settings\Application Data\CrashDumps
2013-02-08 12:07 - 2012-04-08 03:43 - 00000000 ____D C:\Users\Anne\AppData\Local\CrashDumps
2013-02-08 04:32 - 2009-07-14 00:08 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2012-11-15 07:23:05
Restore point made on: 2012-12-08 05:40:33
Restore point made on: 2012-12-12 06:07:25
Restore point made on: 2012-12-24 06:35:19
Restore point made on: 2013-01-13 05:45:22
Restore point made on: 2013-02-15 12:02:44
Restore point made on: 2013-03-06 17:03:30
Restore point made on: 2013-03-06 17:04:21
Restore point made on: 2013-03-07 17:08:34

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3692.02 MB
Available physical RAM: 2909.41 MB
Total Pagefile: 3690.22 MB
Available Pagefile: 2900.17 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:408.47 GB) NTFS
2 Drive d: (Recovery) (Fixed) (Total:14.65 GB) (Free:5.65 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online         3830 MB      0 B         
  Disk 2    No Media           0 B      0 B         

Partitions of Disk 0:
===============

Disk ID: F2766988

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                100 MB  1024 KB
  Partition 2    Primary             14 GB   101 MB
  Partition 3    Primary            451 GB    14 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5         DELLUTILITY  FAT    Partition    100 MB  Healthy    Hidden  

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     D   Recovery     NTFS   Partition     14 GB  Healthy            

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    451 GB  Healthy            

=========================================================

Partitions of Disk 1:
===============

Disk ID: 6B7B225A

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3829 MB    31 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                FAT32  Removable   3829 MB  Healthy            

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: F2766988

Partition 1:
===========
Hex: 00202100DEDF130C0008000000200300
Active: NO
Type: DE
Size: 100 MB

Partition 2:
===========
Hex: 80DF140C07FEFFFF0028030000C0D401
Active: YES
Type: 07 (NTFS)
Size: 15 GB

Partition 3:
===========
Hex: 00FEFFFF07FEFFFF00E8D70130706038
Active: NO
Type: 07 (NTFS)
Size: 451 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 6B7B225A

Partition 1:
===========
Hex: 800101000BFE7FE73F000000C1AF7700
Active: YES
Type: 0B
Size: 4 GB


Last Boot: 2011-02-23 08:08

==================== End Of Log =============================
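The "Hex:" lines in the MBR Partition Table section above are the raw 16-byte partition entries that FRST decodes into the Active/Type/Size fields shown under them. As an added example (not part of the FRST log or of this thread), the script below parses those four entries from the log and runs the sanity checks a reviewer would apply to a partition table; it assumes 512-byte sectors, and the function names, the small type-code table and the checks are my own.

```python
"""Decode the raw MBR partition-table entries that FRST prints as "Hex:" lines.

Added example, not code from FRST or from the forum thread. The four
16-byte entries below are copied from the log; the layout is the classic
MBR partition entry (boot flag, CHS start, type, CHS end, LBA start,
sector count), 32-bit fields little-endian, assuming 512-byte sectors.
"""
import struct

SECTOR = 512  # assumption: 512-byte sectors

# Entries copied from the FRST log above (Disk 0: three entries, Disk 1: one).
FRST_ENTRIES = {
    "disk0": [
        "00202100DEDF130C0008000000200300",
        "80DF140C07FEFFFF0028030000C0D401",
        "00FEFFFF07FEFFFF00E8D70130706038",
    ],
    "disk1": ["800101000BFE7FE73F000000C1AF7700"],
}

# Small subset of partition type codes, enough for the values in the log.
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0xDE: "Dell Utility"}


def decode_entry(hex_entry: str) -> dict:
    """Parse one 16-byte MBR partition entry given as 32 hex characters."""
    raw = bytes.fromhex(hex_entry)
    if len(raw) != 16:
        raise ValueError("MBR partition entry must be exactly 16 bytes")
    # <B 3s B 3s I I : boot flag, CHS start, type, CHS end, LBA start, sectors
    boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw
    )
    # Only 0x80 (active) and 0x00 (inactive) are valid boot flags; anything
    # else means a corrupted or tampered table and is worth flagging.
    if boot not in (0x80, 0x00):
        raise ValueError(f"invalid boot flag 0x{boot:02X}")
    return {
        "active": boot == 0x80,
        "type": ptype,
        "type_name": TYPE_NAMES.get(ptype, "unknown"),
        "lba_start": lba_start,
        "sectors": sectors,
        "offset_bytes": lba_start * SECTOR,
        "size_bytes": sectors * SECTOR,
        "size_gib": round(sectors * SECTOR / 2**30, 2),
    }


def check_table(entries: list) -> list:
    """Consistency checks a forensic reviewer would run on one disk's table.

    Returns a list of findings (empty means the table looks sane):
    more than one active entry, or entries that overlap on disk.
    """
    parts = [decode_entry(e) for e in entries]
    findings = []
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append(
                f"overlap: type 0x{prev['type']:02X} and 0x{cur['type']:02X}"
            )
    return findings


if __name__ == "__main__":
    for disk, entries in FRST_ENTRIES.items():
        print(disk, "findings:", check_table(entries) or "none")
        for e in entries:
            p = decode_entry(e)
            print(f"  active={p['active']} type=0x{p['type']:02X} "
                  f"({p['type_name']}) start={p['lba_start']} "
                  f"size={p['size_gib']} GiB")
```

On the log's entries the decoded sizes come out as 100 MB, 14.65 GiB and 451.01 GiB for Disk 0 and the three Disk 0 partitions are contiguous with a single active entry, which is what the FRST output above reports.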



#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 09 March 2013 - 10:43 PM

1.

Please download the latest version of TDSSKiller from and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

 

 

2.

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop



  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.
 

 

Things to include in your next reply:

TdssKiller log

Combofix.txt

Still getting the messages? If so, can you please write down the path of the file it says is infected.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 March 2013 - 05:33 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 1-2 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#8 derekwatters

  • Topic Starter
  • Members
  • 19 posts

Posted 13 March 2013 - 05:41 PM

I ran TDSSKiller.exe and it did not find anything. I thought I had posted the log. I did not want to run ComboFix because I was not sure if I should, since the other one found nothing.



#9 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 March 2013 - 05:47 PM

Yes, please run ComboFix and post its log.




#10 derekwatters

  • Topic Starter
  • Members
  • 19 posts

Posted 13 March 2013 - 05:48 PM

OK, the reason it did not post the log was that it was too long. Will I go ahead and just run ComboFix?



#11 derekwatters

  • Topic Starter
  • Members
  • 19 posts

Posted 13 March 2013 - 06:47 PM

ComboFix 13-03-10.02 - Anne 14/03/2013   1:32.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3692.2320 [GMT 1:00]
Running from: c:\users\Anne\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\PCDr\6032\AddOnDownloaded\5b35a8f1-54bf-4743-8fd7-358ffc15372a.dll
c:\programdata\PCDr\6032\AddOnDownloaded\63acf506-979e-4b72-a7ce-2af6dc2b98c4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\9192d3e9-aa66-4560-a2e3-209867aafd30.dll
c:\programdata\PCDr\6032\AddOnDownloaded\dfc97e68-74cd-4807-807f-ac146d81ec5d.dll
Y:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-14 to 2013-03-14  )))))))))))))))))))))))))))))))
.
.
2013-03-14 00:41 . 2013-03-14 00:41    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-03-10 08:59 . 2013-03-10 08:59    --------    d-----w-    C:\FRST
2013-03-07 22:08 . 2013-03-07 22:08    --------    d-----w-    c:\program files\7-Zip
2013-03-06 22:05 . 2013-03-06 22:05    --------    d-----w-    c:\users\Anne\AppData\Roaming\AVG2013
2013-03-06 22:05 . 2013-03-06 22:05    --------    d-----w-    c:\users\Anne\AppData\Roaming\TuneUp Software
2013-03-06 22:04 . 2013-03-06 22:05    --------    d-----w-    c:\programdata\AVG2013
2013-03-06 22:04 . 2013-03-06 22:04    --------    d-----w-    C:\$AVG
2013-03-06 22:03 . 2013-03-06 22:03    --------    d-----w-    c:\program files (x86)\AVG
2013-03-06 22:02 . 2009-06-30 09:37    33800    ----a-w-    c:\windows\system32\drivers\pavboot64.sys
2013-03-06 22:02 . 2013-03-06 22:02    --------    d-----w-    c:\program files (x86)\Panda Security
2013-03-06 21:55 . 2013-03-13 23:47    --------    d-----w-    c:\programdata\MFAData
2013-03-06 21:55 . 2013-03-06 22:15    --------    d-----w-    c:\users\Anne\AppData\Local\Avg2013
2013-03-06 21:55 . 2013-03-06 21:55    --------    d--h--w-    c:\programdata\Common Files
2013-03-06 21:55 . 2013-03-06 21:55    --------    d-----w-    c:\users\Anne\AppData\Local\MFAData
2013-02-28 02:19 . 2013-02-28 02:19    --------    d-----w-    c:\users\Anne\AppData\Roaming\Malwarebytes
2013-02-28 02:18 . 2013-02-28 02:18    --------    d-----w-    c:\programdata\Malwarebytes
2013-02-28 02:18 . 2013-02-28 02:18    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2013-02-28 02:18 . 2012-12-14 15:49    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-28 02:18 . 2013-02-28 02:18    --------    d-----w-    c:\users\Anne\AppData\Local\Programs
2013-02-15 17:08 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-15 17:08 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 11:54 . 2013-01-05 05:53    5553512    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-13 11:54 . 2013-01-05 05:00    3967848    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 11:54 . 2013-01-05 05:00    3913064    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 11:53 . 2013-01-04 03:26    3153408    ----a-w-    c:\windows\system32\win32k.sys
2013-02-13 11:50 . 2013-01-04 05:46    215040    ----a-w-    c:\windows\system32\winsrv.dll
2013-02-13 11:50 . 2013-01-04 02:47    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2013-02-13 11:50 . 2013-01-04 02:47    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2013-02-13 11:50 . 2013-01-04 02:47    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2013-02-13 11:50 . 2013-01-04 04:51    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2013-02-13 11:50 . 2013-01-04 02:47    2048    ----a-w-    c:\windows\SysWow64\user.exe
2013-02-13 11:49 . 2013-01-03 06:00    1913192    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-13 11:49 . 2013-01-03 06:00    288088    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-06 23:28 . 2012-06-27 08:32    691568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-06 23:28 . 2011-12-10 02:28    71024    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-15 17:23 . 2012-05-04 13:50    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-01-04 04:43 . 2013-02-13 11:50    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-24 11:35    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-24 11:35    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-24 11:35    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-24 11:35    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2011-04-13 503942]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-08-06 336384]
"Dell Registration"="c:\program files (x86)\System Registration\prodreg.exe" [2011-08-04 4165440]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"NeroLauncher"="c:\program files (x86)\Nero\SyncUP\NeroLauncher.exe" [2012-02-06 66872]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-12-18 38112]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2012-02-01 968048]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"midi2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-15 5814904]
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.exe [2012-06-11 193616]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Mobile Broadband HL Service;Mobile Broadband HL Service;c:\programdata\MobileBrServ\mbbservice.exe [2012-08-10 230240]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-10-30 250984]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-29 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2011-06-16 79488]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2011-06-16 40064]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-15 63328]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-11-15 111968]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [2009-06-30 33800]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2012-07-29 101688]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-09-21 200032]
S1 RapportCerberus_43926;RapportCerberus_43926;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys [2012-10-24 505720]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2012-07-29 55096]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2012-07-29 297240]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-08-06 204288]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-08-06 365568]
S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [2011-05-20 146592]
S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [2011-05-20 80032]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-07-29 976728]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [2011-05-20 36000]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-03-30 114704]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [2012-06-11 240208]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2011-05-20 298656]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2011-05-20 29344]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [2011-05-20 201376]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys [2011-05-20 55456]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [2011-05-20 154272]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2011-05-20 282272]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2011-01-20 176096]
S3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-08-17 25584]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-05-17 533096]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-29 44672]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 50152284
*NewlyCreated* - 84688941
*NewlyCreated* - PCDSRVC{1E208CE0-FB7451FF-06020200}_0
*Deregistered* - 50152284
*Deregistered* - 84688941
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-27 23:28]
.
2012-08-11 c:\windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-11-29 23:23]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-03-29 608112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-05-27 1128448]
"Stage Remote"="c:\program files (x86)\Dell\Stage Remote\StageRemote.exe" [2011-06-28 2022976]
"AtherosBtStack"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [2011-05-20 627360]
"AthBtTray"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [2011-05-20 379552]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2012-02-01 2195824]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 80.58.61.250 80.58.61.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-84688941.sys
AddRemove-WT089446 - c:\program files (x86)\WildTangent\Dell Games\Wedding Dash - Ready
.
.
.
Completion time: 2013-03-14  01:44:15
ComboFix-quarantined-files.txt  2013-03-14 00:44
.
Pre-Run: 439,330,045,952 bytes free
Post-Run: 439,220,699,136 bytes free
.
- - End Of File - - EDBC3B80B5552C63BB03DF89D94F0594
 



#12 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 March 2013 - 08:58 PM

How is the machine running now?



#13 derekwatters

  • Topic Starter
  • Members
  • 19 posts

Posted 14 March 2013 - 07:04 AM

Yes, it seems to be fixed. The CPU usage has dropped right down. Thanks very much.



#14 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 15 March 2013 - 10:39 PM

Please run the following to look for any leftovers.

 

1.

Download AdwCleaner

  • Double-click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right-click on AdwCleaner.exe and select Run as admin.
  • Click the Delete button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

 

2.

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the scan button on that page.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double-click the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

 

Things to include in your next reply:

AdwCleaner log

Eset log

How is the machine running now?




#15 derekwatters

  • Topic Starter
  • Members
  • 19 posts

Posted 18 March 2013 - 06:13 PM

Can't do the ESET online scan because the computer now won't connect to the internet.

 

Here is the AdwCleaner log

 

# AdwCleaner v2.114 - Logfile created 03/17/2013 at 05:59:01
# Updated 05/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Anne - ANNE-PC
# Boot Mode : Normal
# Running from : C:\Users\Anne\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [879 octets] - [17/03/2013 05:59:01]

########## EOF - C:\AdwCleaner[S1].txt - [938 octets] ##########
 





