Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Server busy – Switch to… This action cannot be completed… - Virus?


  • This topic is locked This topic is locked
33 replies to this topic

#1 Expert Novice

Expert Novice

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 02 September 2013 - 05:24 PM

Recently an issue has appeared on my laptop, an HP Pvilion G6 running Windows 7 64 bit with SP1 and all latest updates with an Intel Core i5 2.3 processor and 4.Gb RAM.

 

Shortly after booting and arriving at the desktop and before opening any programs a dial up connection window opens with no input from myself, prompting me to choose which service I want to connect to followed soon after by anther window with the title ‘Server Busy’ and the following text. ‘This action cannot be completed because the other program is busy Choose ‘Switch to’ to activate the busy program and correct the problem.’ Beneath this are three buttons, from left to right they’re labelled Switch To… , Retry and Cancel. Cancel is greyed out. Pressing Switch To… opens the start menu, presumably to allow me to select the busy program but there’s no indication of which is the problematic program so I just close the start menu. When the start menu opens the Server Busy window closes briefly but reappears after a second and the loop continues. Pressing the retry button makes the window disappear briefly only to immediately reappear. It seems impossible to get rid of this window.

 

I uninstalled Nokia Ovi Suite which I sometimes use to use my phone as a modem. I thought it was something to do with this because that was the service listed in the Dial Up Connection window. The problem persisted so I performed scans using Avira, Malwarebytes, and Spybot, all up to date. Avira found 1, Malwarebytes 21 and Spybot 19 threats. I removed all the threats except one Spybot found. Access was denied when attempting to fix this one. Further scans with all three program come up clean except for the one Spybot is being denied access to.

 

I did an HJT scan and will post the log from that below.

 

I’d like to know how to tell if this is legitimate message or a symptom of a virus and if it’s a virus how should I go about dealing with it.

The machine usually runs well. I’ve had a couple of issues on which I’ve found help on here. Glad to see you’re still around.

 

HJT log to follow.

 

Thanks for reading.

 

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:50:07, on 02/09/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16660)
Boot mode: Normal
 
Running processes:
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\David\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\GamesBar\update\SearchEngineProtection.exe
C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\program files (x86)\avira\antivir desktop\ipmGui.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
D:\Spybot - Search & Destroy\SpybotSD.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPNOT/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.gamesagogo.iplay.com/?o=shp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.28.43.205:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: GamesBar (W) - {2e94b700-eafb-4c9e-a696-77200aa3f89b} - C:\Program Files (x86)\gamesagogo_w3i\encyclopediabritannicagamesbarX.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
O3 - Toolbar: GamesBar (W) - {2e94b700-eafb-4c9e-a696-77200aa3f89b} - C:\Program Files (x86)\gamesagogo_w3i\encyclopediabritannicagamesbarX.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
O4 - HKLM\..\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
O4 - HKLM\..\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Quicktime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\David\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [SearchEngineProtection] C:\Program Files (x86)\GamesBar\update\SearchEngineProtection.exe
O4 - HKCU\..\Run: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
O4 - Startup: Dropbox.lnk = David\AppData\Roaming\Dropbox\bin\Dropbox.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
O9 - Extra button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Easybits Services for Windows (ezSharedSvc) - EasyBits Software AS - C:\Windows\System32\ezSharedSvcHost.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Client Services (HPClientSvc) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
O23 - Service: HP Connection Manager 4.0 Service (hpCMSrv) - Hewlett-Packard Development Company L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: HPWMISVC - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: IconMan_R - Realsil Microelectronics Inc. - C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService.exe) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Users\David\Teamviewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 14130 bytes


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:34 AM

Posted 07 September 2013 - 10:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
  • ===

    Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.

  • IMPORTANT

  • If you click the Clean button all items listed in the report will be removed.

  • If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

  • thisisujrt.gif Please download
    Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
  • ===

    Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Turorial
    Link 1
    Link 2

    IMPORTANT !!! Save ComboFix.exe to your Desktop

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Do not install any other programs until this if fixed.


    How to : Disable Anti-virus and Firewall...
    http://www.bleepingcomputer.com/forums/topic114351.html

    Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
  • Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

    Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

    Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
    ===

    HijackThis doesn't handle Windows 7 well. In your case I need to see a final DDS Log.
    You should remove HijackThis using the Add/Remove Programs list. Use the DDS tool from now on.

    Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

    Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

    1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
    2: DDS.pif
    3: DDS.COM

    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    Notepad will open with the results.
    Follow the instructions that pop up for posting the results.[/list]Please note: You may have to disable any script protection running if the scan fails to run.

    dds_scr.gif

    Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
    ===

    Please paste the logs in your next reply DO NOT ATTACH THEM.
    Let me know what problem persists.


#3 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 September 2013 - 07:07 PM

Hi Nasdaq and thanks for your reply. I'm going to be busy for the next couple of days but I'll go through the steps you've given me as soon a I get time and post back with the logs you asked for and let you know how the machine's running.

 

Cheers :-)



#4 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 09 September 2013 - 05:45 AM

Hi Nasdaq,

 

I’ve started to work through the steps you provided.

 

RogueKiller competed its scan  and I deleted everything it suggested. I’ve copied the log from that scan here.

 

I scanned with ADW and it came up with quite a few things in the registry which I’m not sure about. I had a read through the list and there’s nothing there I recognise that I might want to keep but I’m not really sure what I'm looking at and don’t want to delete anything important. I've copied the log here. Could you have a look through the list please

and tell me if there’s anything that should definitely not be deleted? Anything else that remains I'm happy to take a chance on.

 

The good news is that the Server Busy and Dial Up Connection windows seem to have gone away. I guess RK fixed them. Once I know what to delete from ADW I’ll follow up the rest of your instructions and complete cleaning. That way everything’s getting done in the right order.

 

Many thanks

 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:34 AM

Posted 09 September 2013 - 09:18 AM

You need to post the logs for my review.

#6 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 09 September 2013 - 12:43 PM

Yes, of course. I thought I'd edited the post earlier. Maybe I got distracted. Sorry.

 

Here are the logs.

 

 

RogueKiller V8.6.9 _x64_ [Sep  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : David [Admin rights]
Mode : Remove -- Date : 09/09/2013 06:36:29
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] GoogleUpdate.exe -- C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-3040668642-3432914605-94698964-1001\[...]\Run : Google Update ("C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> [0x2] The system cannot find the file specified. 
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3040668642-3432914605-94698964-1001UA.job : C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> DELETED
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3040668642-3432914605-94698964-1001Core.job : C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3040668642-3432914605-94698964-1001Core : C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3040668642-3432914605-94698964-1001UA : C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> ERROR DELETING TASK
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 2 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: Hitachi HTS547564A9E384 +++++
--- User ---
[MBR] 27f2dd0f96744f69f456de1f05bcd945
[BSP] bfb9c82d7aa9e39f90d8124ba528b9d2 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 130006 Mo
2 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 266662935 | Size: 107364 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 486544590 | Size: 271842 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_09092013_063629.txt >>
RKreport[0]_S_09092013_063147.txt
 
-----------------
 
# AdwCleaner v3.003 - Report created 09/09/2013 at 06:47:55
# Updated 07/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : David - DAVID-LAPTOP
# Running from : C:\Users\David\Desktop\adwcleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\END
Folder Found C:\Program Files (x86)\GamesBar
Folder Found C:\Program Files (x86)\Red Sky
Folder Found C:\Users\David\AppData\Local\Temp\AirInstaller
Folder Found C:\Users\David\AppData\Roaming\DefaultTab
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AppDataLow\Software\DefaultTab
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Default Tab
Key Found : HKCU\Software\DefaultTab
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Default Tab
Key Found : [x64] HKCU\Software\DefaultTab
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Found : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Found : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Default Tab
Key Found : HKLM\Software\Iminent
Key Found : HKLM\Software\InstallIQ
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchEngineProtection]
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16660
 
 
-\\ Mozilla Firefox v9.0.1 (en-GB)
 
[ File : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\k39hoqt1.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [3529 octets] - [09/09/2013 06:47:55]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3589 octets] ##########


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:34 AM

Posted 09 September 2013 - 01:18 PM

Delete all items from the ADWCleaner log.

Restart the Computer normally.

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Let me know of the remaining issues with this computer.

#8 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 09 September 2013 - 02:33 PM

Ok, thanks. I'll post that up soon. Do I still need to continue with the original steps following on from deleting the ADW detections?



#9 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 09 September 2013 - 02:48 PM

Ok, I've deleted the ADW detections and scanned with Security check. Further logs as requested below.

 

On restarting after deleting ADW the Server Busy window and Dial up connection windows popped back up. I closed them and they seem to be staying closed rather than immediately reopening so that's already some improvement :-)

Otherwise the machine seems to be running well.

 

Should I carry on with the further steps from your first post?

 

Thanks

 

 

# AdwCleaner v3.003 - Report created 09/09/2013 at 20:36:43
# Updated 07/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : David - DAVID-LAPTOP
# Running from : C:\Users\David\Desktop\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files (x86)\GamesBar
Folder Deleted : C:\Program Files (x86)\Red Sky
Folder Deleted : C:\Users\David\AppData\Local\Temp\AirInstaller
Folder Deleted : C:\Users\David\AppData\Roaming\DefaultTab
File Deleted : C:\END
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchEngineProtection]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16660
 
 
-\\ Mozilla Firefox v9.0.1 (en-GB)
 
[ File : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\k39hoqt1.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [3705 octets] - [09/09/2013 06:47:55]
AdwCleaner[S0].txt - [3217 octets] - [09/09/2013 20:36:43]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3277 octets] ##########
 

 

 

-------------

 

 Results of screen317's Security Check version 0.99.73  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Avira Desktop   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 25  
 Adobe Flash Player 11.8.800.94  
 Adobe Reader 10.1.7 Adobe Reader out of Date!  
 Mozilla Firefox (9.0.1) 
 Google Chrome 29.0.1547.62  
 Google Chrome 29.0.1547.66  
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:34 AM

Posted 10 September 2013 - 08:13 AM

Click the StartBtn.gif button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/

Restart the computer normally.
===

You can now continue with the Download and running of the ComboFix tool.

Post also a fresh DDS log for my review.

#11 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 10 September 2013 - 10:01 AM

Ok, after flushing DNS and renewing in Command Prompt I restarted the machine. I wasn't asked to select any elevated privileges so i assume the flush and renew completed properly but upon restarting the Server Busy window appeared again, same as before and is once again proving impossible to close. Should I go ahead with Combofix anyway? 



#12 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 10 September 2013 - 10:04 AM

DDS.txt below...

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16660  BrowserJavaVersion: 10.25.2
Run by David at 16:02:12 on 2013-09-10
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.4044.2198 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Users\David\Teamviewer\Version7\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
D:\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\David\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\program files (x86)\avira\antivir desktop\ipmGui.exe
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
Q:\140066.enu\Office14\WINWORDC.EXE
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
Q:\140066.enu\Office14\OffSpon.EXE
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.gamesagogo.iplay.com/?o=shp
uProxyServer = 61.28.43.205:8080
mWinlogon: Userinit = userinit.exe,
BHO: AutorunsDisabled - <orphaned>
BHO: GamesBar (W): {2e94b700-eafb-4c9e-a696-77200aa3f89b} - C:\Program Files (x86)\gamesagogo_w3i\encyclopediabritannicagamesbarX.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
TB: GamesBar (W): {2e94b700-eafb-4c9e-a696-77200aa3f89b} - C:\Program Files (x86)\gamesagogo_w3i\encyclopediabritannicagamesbarX.dll
uRun: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Spotify Web Helper] "C:\Users\David\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "D:\Quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\Users\David\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: EnableShellExecuteHooks = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
LSP: C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll
LSP: %SystemRoot%\system32\vsocklib.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{0EB62942-BFC3-4AA5-82E4-F11DACD45D81} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{0EB62942-BFC3-4AA5-82E4-F11DACD45D81}\35B4957353432313 : DHCPNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWOW64\ezUPBHook.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\k39hoqt1.default\
FF - prefs.js: network.proxy.http - 190.92.87.85
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\David\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - plugin: D:\Quicktime\Plugins\npqtplugin.dll
FF - plugin: D:\Quicktime\Plugins\npqtplugin2.dll
FF - plugin: D:\Quicktime\Plugins\npqtplugin3.dll
FF - plugin: D:\Quicktime\Plugins\npqtplugin4.dll
FF - plugin: D:\Quicktime\Plugins\npqtplugin5.dll
FF - plugin: D:\Quicktime\Plugins\npqtplugin6.dll
FF - plugin: D:\Quicktime\Plugins\npqtplugin7.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-4-25 56208]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-7-29 28600]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2013-7-29 84024]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2013-7-29 108088]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-7-29 105344]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-6-15 13336]
R2 ReflectService.exe;Macrium Reflect Image Mounting Service;C:\Program Files\Macrium\Reflect\ReflectService.exe [2012-2-20 301720]
R2 SBSDWSCService;SBSD Security Center Service;D:\Spybot - Search & Destroy\SDWinSec.exe [2012-2-16 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 TeamViewer7;TeamViewer 7;C:\Users\David\Teamviewer\Version7\TeamViewer_Service.exe [2012-7-16 2673064]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-6-15 2656280]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-28 31088]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-5-3 317440]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2012-12-6 2350176]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-15 425064]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-2 183560]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2012-1-21 16776]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2012-1-21 9096]
S3 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe --> C:\Windows\System32\ezSharedSvcHost.exe [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-6 291896]
S3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-15 1071160]
S3 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-6-15 2372096]
S3 PSMounter;Macrium Reflect Image Explorer Service;C:\Windows\System32\drivers\psmounter.sys [2012-2-20 43672]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-3-24 19456]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-6-15 335464]
S3 RT80x86;Ralink 802.11n Wireless Driver;C:\Windows\System32\drivers\rt2860.sys [2012-1-21 2240864]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-24 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-3-24 30208]
S3 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-29 846448]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-1-6 1255736]
S4 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebgrd.exe [2013-7-29 815160]
S4 SgtSch2Svc;Seagate Scheduler2 Service;"C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe" --> C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== Created Last 30 ================
.
2013-09-09 05:45:22 -------- d-----w- C:\AdwCleaner
2013-09-02 21:12:05 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-09-02 21:12:04 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-09-02 21:12:04 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-09-02 21:12:03 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-09-02 21:12:03 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-09-02 21:12:03 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-09-02 21:12:03 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-09-02 21:12:03 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-09-02 21:12:02 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-09-02 21:12:02 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-09-02 21:12:02 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-09-02 19:38:42 388096 ----a-r- C:\Users\David\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-09-02 19:38:42 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-08-31 08:16:14 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-08-31 08:16:14 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-08-31 08:16:14 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-08-31 08:16:14 1472512 ----a-w- C:\Windows\System32\crypt32.dll
2013-08-31 08:16:14 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-08-31 08:16:14 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-08-31 08:16:14 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-08-31 08:16:14 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-08-31 08:15:47 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-08-31 08:15:47 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-08-31 08:15:37 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-08-31 08:15:37 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-08-31 08:15:36 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-08-31 08:15:36 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-08-31 08:14:56 39936 ----a-w- C:\Windows\System32\drivers\tssecsrv.sys
2013-08-31 08:14:56 1910208 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
==================== Find3M  ====================
.
2013-09-10 11:31:44 16 ----a-w- C:\Users\David\AppData\Roaming\msregsvv.dll
2013-09-03 09:01:06 81112 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2013-09-03 09:01:06 105344 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2013-08-21 17:50:17 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-21 17:50:17 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-29 09:43:29 28600 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2013-07-26 05:13:37 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-07-26 05:12:08 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-07-26 05:12:04 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-07-26 05:12:03 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-07-26 03:35:08 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-07-26 03:13:24 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-07-26 03:12:04 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-07-26 03:12:00 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-07-26 03:12:00 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-07-26 02:39:38 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-26 01:59:38 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-07-09 04:45:07 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-06-12 20:48:23 867240 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-06-12 20:48:17 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-12 20:47:57 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
============= FINISH: 16:02:58.00 ===============


#13 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 10 September 2013 - 10:12 AM

This might be relevant... I've just been away from the machine for a few minutes. When I left it the sever busy window was on the screen but when I returned it had gone.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:34 AM

Posted 10 September 2013 - 01:37 PM


I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with changes we are try to do. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
In Windows Vista Right click on the ResetTeaTimer.bat and select Run As Administrator.
Please don't forget this step to disable teatimer.
=*=

Repeat the ipconfig command on post No 10.

Restart the computer when completed.
===

Did you set this proxy?

FF - prefs.js: network.proxy.http - 190.92.87.85
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0


===

What are the remaining issues?

#15 Expert Novice

Expert Novice
  • Topic Starter

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 10 September 2013 - 01:52 PM

Yes, I set the proxy. 

 

I tried to download teatimerreset.bat but the page your link takes me to, http://downloads.subratam.org/ResetTeaTimer.bat says the domain name may be for sale etc and show me a lot of related (sponsored?) links.

 

I had a quick google for Teatimerreset.bat but didn't come up with much, apart from someone else who found the same page I did. Is there an alternative download site?

 

I have tuned off Teatimer.






13 user(s) are reading this topic

0 members, 13 guests, 0 anonymous users