Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Keep Seeing Pop up for Network Virus Blocked


  • This topic is locked This topic is locked
16 replies to this topic

#1 Lai Sim

Lai Sim

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 17 September 2013 - 11:23 PM

Trend Micro is coming up with a "network Virus Blocked" window stating 'A network virus that tried to attack you has been stopped.
NAME: TROJ_ZBOT-HTTP_POST_REQUEST'

It pops this up about every minute. 

 

 

My PC is Dell Vostro 1320.

Intel ® Core ™ 2 Duo CPU,

Memory : 2.00 GB

System : 32-bit Operating System ; Window Vista TM Business

 

I don't know how to handle this irritating pop up.

 

Looking forward for your help.

 

regards,

Lai Sim

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 PM

Posted 18 September 2013 - 03:40 AM

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

 

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 18 September 2013 - 08:34 AM

Hi Sir,

 

I have done the scanning.

 

Please refer the attached file.

 

 

Regards,

Lai Sim

Attached Files

  • Attached File  ark.txt   4.17KB   0 downloads


#4 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 18 September 2013 - 08:36 AM

The contents of ark.text are as follows:

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-18 18:08:04
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.HH10 149.05GB
Running: download[1].exe; Driver: C:\Users\NGLAIS~1\AppData\Local\Temp\fwldypow.sys

---- System - GMER 2.1 ----

SSDT            8F51F320                                                                                         ZwSetValueKey
SSDT            8F51EA20                                                                                         ZwTerminateProcess
SSDT            8F51ED20                                                                                         ZwTerminateThread
SSDT            8F521700                                                                                         ZwWriteVirtualMemory
SSDT            8F521AC0                                                                                         ZwCreateThreadEx
SSDT            8F51E120                                                                                         ZwCreateUserProcess

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\fastfat \Fat                                                                         fltmgr.sys

---- Threads - GMER 2.1 ----

Thread          System [4:2228]                                                                                  AD75E918

---- Processes - GMER 2.1 ----

Process          (*** hidden *** )                                                                               [4] 84420D90            

---- Threads - GMER 2.1 ----

Thread           [4:2228]                                                                                        AD75E918

---- Registry - GMER 2.1 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753@9c18749e551d         0x87 0xA1 0x10 0xCC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753@002547e019c2         0xCA 0xA3 0xE0 0x70 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753@a0f4190f21b9         0xEA 0xD4 0x94 0xBE ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753@b8f934bd58e8         0x27 0xC1 0xE5 0x2F ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753@5001bbbe2228         0x13 0x29 0xBA 0x30 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753@90c115abe8e3         0xA0 0x37 0x67 0x6A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0ceee6f12753@0025d08380be         0xA3 0xB7 0x02 0xE1 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\tmcomm@Version                                            5.50.0.1033
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753@9c18749e551d             0x87 0xA1 0x10 0xCC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753@002547e019c2             0xCA 0xA3 0xE0 0x70 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753@a0f4190f21b9             0xEA 0xD4 0x94 0xBE ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753@b8f934bd58e8             0x27 0xC1 0xE5 0x2F ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753@5001bbbe2228             0x13 0x29 0xBA 0x30 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753@90c115abe8e3             0xA0 0x37 0x67 0x6A ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0ceee6f12753@0025d08380be             0xA3 0xB7 0x02 0xE1 ...

---- Disk sectors - GMER 2.1 ----

Disk            \Device\Harddisk0\DR0                                                                            unknown MBR code

---- EOF - GMER 2.1 ----

 



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 PM

Posted 19 September 2013 - 02:44 AM

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#6 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 19 September 2013 - 11:12 AM

Completed Combofix.

 

Here are the contents:

 

ComboFix 13-09-17.01 - Ng Lai Sim 19/09/2013  18:27:12.1.2 - x86
Microsoft® Windows Vista™ Business   6.0.6001.1.1252.60.1033.18.2008.1022 [GMT 8:00]
Running from: c:\users\Ng Lai Sim\Downloads\ComboFix.exe
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
FW: Trend Micro Firewall Booster *Disabled* {49A8346C-6900-54B6-B1B3-5F678736DDE9}
SP: Trend Micro Titanium Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\gen1\COMMON.F3S
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\wbnotify\COMMON.F3S
c:\users\Ng Lai Sim\AppData\Local\assembly\tmp
c:\users\Ng Lai Sim\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Ng Lai Sim\AppData\Roaming\Taol\afapb.exe
c:\users\Ng Lai Sim\Documents\~WRL1092.tmp
c:\users\Ng Lai Sim\Documents\~WRL2580.tmp
c:\users\Ng Lai Sim\Documents\~WRL3157.tmp
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\89fa0b54aeb32553.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-19 to 2013-09-19  )))))))))))))))))))))))))))))))
.
.
2013-09-19 10:40 . 2013-09-19 10:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-19 10:00 . 2013-09-19 10:00 -------- d-----w- c:\users\Ng Lai Sim\AppData\Local\Apps
2013-09-19 10:00 . 2013-09-19 10:01 -------- d-----w- c:\users\Ng Lai Sim\AppData\Local\Deployment
2013-09-02 01:06 . 2013-09-02 01:06 -------- d-----w- c:\users\Ng Lai Sim\AppData\Local\WinZip Courier
2013-09-02 01:00 . 2013-09-02 01:00 -------- d-----w- c:\programdata\WinZipEC
2013-09-02 01:00 . 2013-09-19 10:39 -------- d-----w- c:\users\Ng Lai Sim\AppData\Local\assembly
2013-08-30 08:03 . 2013-09-18 08:34 -------- d-----w- c:\users\Ng Lai Sim\AppData\Local\WinZip
2013-08-30 07:47 . 2013-08-30 07:47 -------- d-----w- c:\users\Ng Lai Sim\AppData\Local\AVG Secure Search
2013-08-30 07:46 . 2013-08-31 08:16 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-08-30 07:46 . 2013-08-30 07:47 -------- d-----w- c:\programdata\AVG Secure Search
2013-08-30 07:46 . 2013-08-30 07:46 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2013-08-30 07:46 . 2013-08-31 08:16 -------- d-----w- c:\program files\AVG Secure Search
2013-08-30 07:35 . 2013-09-19 10:39 -------- d-----w- c:\users\Ng Lai Sim\AppData\Roaming\Taol
2013-08-30 07:35 . 2013-09-19 09:51 -------- d-----w- c:\users\Ng Lai Sim\AppData\Roaming\Siri
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-19 09:49 . 2009-11-09 07:28 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2013-09-19 09:48 . 2009-11-12 04:16 69792 ----a-w- c:\windows\system32\rpcnet.dll
2013-09-19 09:48 . 2009-11-09 07:30 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2013-09-13 05:37 . 2012-07-11 03:25 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-13 05:37 . 2011-08-31 15:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-23 07:53 . 2009-11-12 04:16 69792 ------w- c:\windows\system32\rpcnet.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn8\yt.dll" [2013-08-07 1561880]
"{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}"= "c:\program files\WinZipBar\prxtbWinZ.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
2011-05-09 08:49 176936 ----a-w- c:\program files\WinZipBar\prxtbWinZ.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}"= "c:\program files\WinZipBar\prxtbWinZ.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{50FAFAF0-70A9-419D-A109-FA4B4FFD4E37}"= "c:\program files\WinZipBar\prxtbWinZ.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-24 6595928]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2012-06-26 1516632]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2009-01-18 36864]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-31 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-31 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-31 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-31 154136]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-11 3563520]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-12 842816]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-05 741376]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2012-02-28 190768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-08-31 2314416]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-4 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-10-30 50688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-7-15 685936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ   scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 05:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1359218560-3853572774-3915786677-1003]
"EnableNotificationsRef"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ec3a90dd\aestsrv.exe [2009-03-31 81920]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ   PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ   BthServ
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ   wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ   WcesComm RapiMgr
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-19 10:02 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 05:37]
.
2013-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-19 10:01]
.
2013-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-19 10:01]
.
2013-09-18 c:\windows\Tasks\User_Feed_Synchronization-{D387E09B-F81B-4919-9E2A-4767883E6CC7}.job
- c:\windows\system32\msfeedssync.exe [2012-11-29 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/?ilc=8
uInternet Settings,ProxyServer = 192.168.1.13:3128
uInternet Settings,ProxyOverride = 192.168.1.0;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: dagangnet.com\epermit
TCP: DhcpNameServer = 192.168.1.1 203.82.64.129 203.82.64.145
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\15.5.0\ViProtocol.dll
DPF: {173D9E48-B527-4AA0-A929-30B446002AA8} - hxxp://192.168.1.113:88/DVRemoteAx.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
HKCU-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\YspService.exe
HKCU-Run-{DD7228F9-8B2B-9C16-5967-B8A994F7ECED} - c:\users\Ng Lai Sim\AppData\Roaming\Taol\afapb.exe
HKLM-Run-RegTask - c:\program files\RegTask\RegTask.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-WinSent Messenger - c:\program files\WinSent Messenger\winsent.exe
AddRemove-{223C0721-A6B0-4853-88C0-331029841734} - c:\program files\HP\Digital Imaging\{223C0721-A6B0-4853-88C0-331029841734}\setup\hpzscr01.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-19 18:40
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(652)
c:\windows\system32\DPPWDFLT.dll
.
Completion time: 2013-09-19  18:42:28
ComboFix-quarantined-files.txt  2013-09-19 10:42
.
Pre-Run: 25,288,372,224 bytes free
Post-Run: 27,201,609,728 bytes free
.
- - End Of File - - 6F77465FED5B8355A22651F6E7D2DF30
53484EF36F7F7DD82000C2B34A0AFEFF
 

 

 

thank you.

 

Regards,

Lai Sim



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 PM

Posted 20 September 2013 - 02:11 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#8 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 21 September 2013 - 12:13 AM

Done the full scan with Malwarebytes Antimalware.

 

Here is the contents:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.20.06
 
Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Ng Lai Sim :: SALES1 [administrator]
 
20/9/2013 11:47:36 PM
mbam-log-2013-09-20 (23-47-36).txt
 
Scan type: Full scan (C:\|D:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 355337
Time elapsed: 1 hour(s), 22 minute(s), 46 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 3
HKCR\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} (PUP.Optional.BabylonToolBar.A) -> No action taken.
HKCU\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> No action taken.
HKLM\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> No action taken.
 
Registry Values Detected: 3
HKCU\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: {7042D47C-077A-482E-BB9E-D05DF791F8CD} -> No action taken.
HKLM\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: {7042D47C-077A-482E-BB9E-D05DF791F8CD} -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{DD7228F9-8B2B-9C16-5967-B8A994F7ECED} (Trojan.ZbotR.Gen) -> Data: "C:\Users\Ng Lai Sim\AppData\Roaming\Taol\afapb.exe" -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 1
C:\Users\Ng Lai Sim\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> No action taken.
 
Files Detected: 3
C:\Users\Ng Lai Sim\AppData\Local\Conduit\CT3106777\WinZipBarAutoUpdateHelper.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Ng Lai Sim\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Ng Lai Sim\AppData\Roaming\Taol\afapb.exe.vir (Trojan.Zbot) -> Quarantined and deleted successfully.
 
(end)
 

 

Thank you.

 

Regards,

Lai Sim

 



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 PM

Posted 21 September 2013 - 05:47 AM

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#10 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 21 September 2013 - 03:51 PM

Hi,

 

Here are the report:

 

C:\Users\Ng Lai Sim\AppData\LocalLow\FunWebProducts\Installr\Cache\3872C75C.exe a variant of Win32/Toolbar.MyWebSearch.O application
C:\Users\Ng Lai Sim\AppData\Roaming\Mozilla\Firefox\Profiles\ysb3wjn2.default\user.js JS/SecurityDisabler.A.Gen application
D:\Windows\System32\autochk.exe a variant of Win32/CompuTrace.B application
 

 

 

thank you.

 

regards,

Lai Sim



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 PM

Posted 23 September 2013 - 07:19 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Delete
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[S1].txt also


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 23 September 2013 - 05:21 PM

Hi,

 

I have done the ADWCleaner, this is the report:

 

 

# AdwCleaner v3.005 - Report created 24/09/2013 at 06:12:56
# Updated 22/09/2013 by Xplode
# Operating System : Windows Vista ™ Business Service Pack 1 (32 bits)
# Username : Ng Lai Sim - SALES1
# Running from : C:\Users\Ng Lai Sim\Downloads\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Moozy
Folder Deleted : C:\Program Files\SweetIM
Folder Deleted : C:\Program Files\yourfiledownloader
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Local\Conduit
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Local\visi_coupon
Folder Deleted : C:\Users\Ng Lai Sim\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Ng Lai Sim\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Ng Lai Sim\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\Ng Lai Sim\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Ng Lai Sim\AppData\LocalLow\MyWebSearch
Folder Deleted : C:\Users\Ng Lai Sim\AppData\LocalLow\WinZipBar
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Roaming\registry mechanic
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Roaming\yourfiledownloader
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Roaming\Mozilla\Firefox\Profiles\ysb3wjn2.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Roaming\Mozilla\Firefox\Profiles\ysb3wjn2.default\Extensions\ffxtlbr@babylon.com
Folder Deleted : C:\Users\Ng Lai Sim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
File Deleted : C:\Users\Ng Lai Sim\AppData\Roaming\Mozilla\Firefox\Profiles\ysb3wjn2.default\user.js
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3106777
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9280CAA3-237E-468E-A41C-43EADB5FF61A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9280CAA3-237E-468E-A41C-43EADB5FF61A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0F11BF3D-B2AE-4722-9801-483F0F121D38}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08ACB675-3082-4B8F-B066-6AF108D29697}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{50FAFAF0-70A9-419D-A109-FA4B4FFD4E37}]
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\YourFileDownloader
Key Deleted : HKCU\Software\WinZipBar
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Deleted : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Deleted : HKCU\Software\AppDataLow\Software\MyWebSearch
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\WinZipBar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\YourFileDownloader
Key Deleted : HKLM\Software\WinZipBar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WinZipBar Toolbar
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.19088
 
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\Ng Lai Sim\AppData\Roaming\Mozilla\Firefox\Profiles\ysb3wjn2.default\prefs.js ]
 
 
-\\ Google Chrome v29.0.1547.76
 
[ File : C:\Users\Ng Lai Sim\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [9219 octets] - [24/09/2013 00:01:25]
AdwCleaner[S0].txt - [9266 octets] - [24/09/2013 06:12:56]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9326 octets] ##########


#13 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 23 September 2013 - 05:44 PM

Hi,

 

Checkup was done.

 

The report is as follows:

 

 Results of screen317's Security Check version 0.99.73  
 Windows Vista Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 8 Out of date! 
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Trend Micro Titanium Internet Security   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java™ 6 Update 29  
 Java version out of Date! 
 Adobe Flash Player 11.8.800.168  
 Adobe Reader 9 Adobe Reader out of Date! 
 Google Chrome 29.0.1547.76  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe  
 Trend Micro AMSP coreServiceShell.exe  
 Trend Micro UniClient UiFrmWrk uiWatchDog.exe 
 Trend Micro AMSP coreFrameworkHost.exe  
 Trend Micro UniClient UiFrmWrk uiSeAgnt.exe 
 Trend Micro AMSP AMSP_LogServer.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 

 

regards,

Lai Sim



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 PM

Posted 24 September 2013 - 04:44 AM

Your system is free of malware now! :)

 

 

Windows Vista out of date

Your Microsoft Windows installation is out of date. Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure. Out-of-date Windows installations represent a risk to your system and are also a conduit for the spread of malware.

You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.

 

 

 

 

Internet Explorer out of date

Your version of Internet Explorer is outdated.

 

 

 

 

Java runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • when finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions. (if existing)
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

 

 

 

 

Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.


  • Get the actual software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Run setup and follow the instructions.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.

 

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  • In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process
  • If there is still something left please delete it manualy.

 

 

 

 

How to protect yourself

  • System Updates
    Beeing up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | windows 8
  • Protection
    What you need is one (not more) good virus scanner with backgroud protection. Additionally I recommend a special malwarescanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: You get only the full protection if you use the payed versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those really have to have an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These link may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. If you burn it to DVDs from time to time, use a cloud-drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you surfing on the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows says and uncheck adware that will be installed along the software you want.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 Lai Sim

Lai Sim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:42 AM

Posted 24 September 2013 - 05:09 AM

Thank you very much for your kind assistance. I have taken note on your advice.

 

Really very very appreciate your help.

I have made a little donation for you to continue fighting with malware. Hope my little contribution would help.

 

Have a nice day!

 

regards,

Lai Sim

 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users