worm/autorun.aa infection


  • This topic is locked
22 replies to this topic

#1 Anjiten (Members, 11 posts)

Posted 06 May 2014 - 09:57 AM

An AVG Detection pop-up opens on start-up reporting a virus - Worm/AutoRun.aa. The warning only occurs on start-up - normal AVG scan doesn't spot anything.

 

No behavioral problems so far, but I can't remove it - all I get is a 'Removal of threat has failed. Access is denied' message, and nothing else I've tried picks up on it.

 

This is my parent's PC and not heavily used, so I've no idea how this got on here. What should I do?

Here is the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16545  BrowserJavaVersion: 10.55.2
Run by Peter at 15:46:34 on 2014-05-06
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2038.622 [GMT 1:00]
.
AV: AVG Internet Security 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Internet Security 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
.
============== Running Processes ================
.
c:\PROGRA~1\AVG\AVG2014\avgrsx.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\AVG\AVG2014\avgfws.exe
C:\Program Files\AVG\AVG2014\avgidsagent.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2014\avgnsx.exe
C:\Program Files\AVG\AVG2014\avgemcx.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Peter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Peter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Users\Peter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Peter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\peter\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Desktop SMS] c:\program files\idm\desktop sms\DesktopSMS.exe /auto
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 62.244.176.176 62.244.177.177
TCP: Interfaces\{7552C3C4-6EEA-4192-8148-383CFDB76F18} : DHCPNameServer = 62.244.176.176 62.244.177.177
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 wdcs.trendmicro.com
Hosts: 127.0.0.1 om.symantec.com
Hosts: 127.0.0.1 oms.symantec.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\peter\appdata\roaming\mozilla\firefox\profiles\hnid92fj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.my.yahoo.com/
FF - component: c:\users\peter\appdata\roaming\mozilla\firefox\profiles\hnid92fj.default\extensions\zoterowinwordintegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\npjpi170_25.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\users\peter\appdata\local\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_206.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
FF - Ext: Zotero Word for Windows Integration: zoteroWinWordIntegration@zotero.org - %profile%\extensions\zoteroWinWordIntegration@zotero.org
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2014-3-27 150296]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2014-3-27 238872]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2014-3-31 108312]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2014-3-27 28440]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-16 28544]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-3-27 123160]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2013-9-26 47928]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2014-4-18 199960]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2014-3-27 22296]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2014-3-27 193304]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2014-3-31 211224]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2014-4-5 166352]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2014\avgfws.exe [2014-4-3 1473280]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2014-4-18 3645456]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2014-3-27 291912]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-27 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-5-6 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-5-6 857912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-5-6 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-5-6 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-5-6 51416]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-3-11 252416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-05-06 14:42:33 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-05-06 13:17:20 -------- d-----w- c:\programdata\Autorun Eater
2014-05-06 13:17:11 -------- d-----w- c:\program files\Autorun Eater
2014-05-06 12:40:02 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-06 12:39:30 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-06 12:39:30 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-06 12:39:30 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-06 12:39:30 -------- d-----w- c:\programdata\Malwarebytes
2014-05-06 12:39:30 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-18 14:02:04 199960 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
.
==================== Find3M  ====================
.
2014-04-30 19:09:04 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-30 19:09:04 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-31 15:11:58 211224 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2014-03-27 21:15:18 193304 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2014-03-27 21:14:40 123160 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2014-03-27 21:04:22 150296 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-03-27 21:04:02 238872 ----a-w- c:\windows\system32\drivers\avglogx.sys
2014-03-27 21:03:22 28440 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2014-03-27 21:03:20 22296 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2014-03-07 23:12:00 1806848 ----a-w- c:\windows\system32\jscript9.dll
2014-03-07 23:02:19 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-07 23:02:07 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-03-07 22:57:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-07 22:56:03 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-03-07 22:52:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-02-07 10:38:44 2050560 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:48:02.70 ===============
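The DDS "Pseudo HJT Report" above is the part of the log a responder reads first: autostart entries (uRun/mRun), the DNS resolvers, and any hosts-file overrides. The script below is an added example for this thread, not code from the original post and not part of DDS, ComboFix or AVG. It parses those lines and flags three things a practitioner would check by hand: hosts entries that map a security vendor's domain to loopback, autostart entries whose image lives in a user-writable location or is a bare file name resolved through the PATH search, and resolvers that are not private addresses. The vendor-domain list, the path markers and the heuristics are my own assumptions; the sample input is a constructed subset of the lines posted in #1.

```python
"""Triage the 'Pseudo HJT Report' lines of a DDS log for common red flags.

Added example: not part of the thread above and not code from DDS,
ComboFix or AVG. The vendor list, path markers and heuristics are my own
assumptions, chosen for illustration.
"""
import ipaddress
import re

# Domains whose loopback mapping could block a security product's updates
# or telemetry. Assumption: my own list; extend it for the products in use.
SECURITY_VENDOR_DOMAINS = (
    "mcafee.com", "symantec.com", "trendmicro.com", "avg.com",
    "kaspersky.com", "malwarebytes.org", "windowsupdate.com",
)
LOOPBACK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Locations a standard user can write to; autostart entries there deserve a look.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^([um])Run:\s+\[([^\]]+)\]\s+(.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.*)$", re.IGNORECASE)

# Constructed sample: a subset of the Pseudo HJT Report lines posted in #1.
SAMPLE_LOG = r"""
uRun: [Google Update] "c:\users\peter\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
TCP: NameServer = 62.244.176.176 62.244.177.177
TCP: Interfaces\{7552C3C4-6EEA-4192-8148-383CFDB76F18} : DHCPNameServer = 62.244.176.176 62.244.177.177
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 wdcs.trendmicro.com
Hosts: 127.0.0.1 om.symantec.com
Hosts: 127.0.0.1 oms.symantec.com
"""


def is_vendor_domain(host):
    """True if host is, or is a subdomain of, a listed security-vendor domain."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def parse_hosts_line(line):
    """'Hosts: 127.0.0.1 example.com' -> ('127.0.0.1', 'example.com'), else None."""
    m = HOSTS_RE.match(line)
    return (m.group(1), m.group(2).lower()) if m else None


def parse_run_line(line):
    """'mRun: [Name] "path" args' -> ('HKLM', 'Name', 'path'), else None."""
    m = RUN_RE.match(line)
    if not m:
        return None
    hive = "HKCU" if m.group(1) == "u" else "HKLM"
    exe = EXE_RE.match(m.group(3))
    path = (exe.group(1) if exe else m.group(3)).lower()
    return hive, m.group(2), path


def triage(log_text):
    """Return the red-flag findings grouped by category."""
    findings = {"hosts_vendor_block": [], "run_user_writable": [],
                "run_bare_filename": [], "public_dns": []}
    for line in log_text.splitlines():
        hosts = parse_hosts_line(line)
        if hosts:
            ip, host = hosts
            if ip in LOOPBACK_ADDRS and is_vendor_domain(host):
                findings["hosts_vendor_block"].append(host)
            continue
        run = parse_run_line(line)
        if run:
            hive, name, path = run
            if "\\" not in path:
                # Bare image name: resolved through the PATH search order at logon.
                findings["run_bare_filename"].append((hive, name, path))
            elif any(marker in path for marker in USER_WRITABLE_MARKERS):
                findings["run_user_writable"].append((hive, name, path))
            continue
        ns = NAMESERVER_RE.search(line)
        if ns:
            for token in ns.group(1).split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if not (addr.is_private or addr.is_loopback) and token not in findings["public_dns"]:
                    findings["public_dns"].append(token)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

Two caveats on reading the output. Hosts-file ad-blocking lists also map ad and telemetry hosts such as ads.mcafee.com to 127.0.0.1, so a "hosts_vendor_block" hit means "verify where this came from", not "malicious"; the log itself does not show who wrote those entries. Likewise the two 62.244.x.x resolvers are reported as DHCPNameServer on the interface, so they are probably just the ISP's; compare them with the router's configuration before treating them as a DNS hijack.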
 



#2 jeffce (Malware Response Team, 3,442 posts)

Posted 10 May 2014 - 10:23 AM

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

 
Having said that.... Let's get going!!
----------

AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

----------
 

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------
 

Download CKScanner by askey127 from Here & save it to your Desktop.

  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

----------


 


#3 Anjiten (Topic Starter)

Posted 11 May 2014 - 07:39 AM

Hi Jeff,

Thanks for your help!

No malicious objects were found with TDSSKiller. Please let me know if you still want me to attach the log - I haven't worked out how to do attachments here yet...

The CKScanner report merely says the following:

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.CNAPTZ
 ----- EOF ----- 

Here is the AdwCleaner Report:

# AdwCleaner v3.207 - Report created 11/05/2014 at 13:13:23
# Updated 05/05/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Peter - PETER-PC
# Running from : C:\Users\Peter\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
Service Found : APNMCP
 
***** [ Files / Folders ] *****
 
File Found : C:\Program Files\Mozilla Firefox\.autoreg
File Found : C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\hnid92fj.default\searchplugins\ask-search.xml
Folder Found : C:\Program Files\AskPartnerNetwork
Folder Found : C:\ProgramData\apn
Folder Found : C:\ProgramData\AskPartnerNetwork
Folder Found : C:\Users\Peter\AppData\Local\Temp\apn
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AskPartnerNetwork
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\Software\AskPartnerNetwork
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnTbMon]
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16545
 
 
-\\ Mozilla Firefox v3.6.13 (en-GB)
 
[ File : C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\hnid92fj.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1656 octets] - [11/05/2014 13:13:23]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1716 octets] ##########


#4 jeffce (Malware Response Team, 3,442 posts)

Posted 11 May 2014 - 10:21 AM

ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

 


#5 Anjiten (Topic Starter)

Posted 11 May 2014 - 03:14 PM

Hi Jeff,

Here is the ComboFix report:

ComboFix 14-05-10.01 - Peter 11/05/2014  20:54:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2038.972 [GMT 1:00]
Running from: c:\users\Peter\Desktop\ComboFix.exe
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Internet Security 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Peter\AppData\Local\Temp\ppcrlui_5384_2
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-11 to 2014-05-11  )))))))))))))))))))))))))))))))
.
.
2014-05-11 20:05 . 2014-05-11 20:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-11 12:14 . 2010-08-30 07:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-05-11 12:12 . 2014-05-11 12:14 -------- d-----w- C:\AdwCleaner
2014-05-11 12:09 . 2014-04-29 10:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-06 14:42 . 2014-04-14 19:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-05-06 13:17 . 2014-05-06 13:17 -------- d-----w- c:\programdata\Autorun Eater
2014-05-06 13:17 . 2014-05-06 13:17 -------- d-----w- c:\program files\Autorun Eater
2014-05-06 12:40 . 2014-05-11 12:05 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-06 12:39 . 2014-05-06 12:39 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-05-06 12:39 . 2014-05-06 12:39 -------- d-----w- c:\programdata\Malwarebytes
2014-05-06 12:39 . 2014-04-03 08:51 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-06 12:39 . 2014-04-03 08:51 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-06 12:39 . 2014-04-03 08:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-18 14:02 . 2014-04-18 14:02 199960 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-30 19:09 . 2012-04-17 18:40 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-30 19:09 . 2011-07-14 20:06 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-31 15:11 . 2014-03-31 15:11 211224 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2014-03-31 15:11 . 2014-03-31 15:11 108312 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2014-03-27 21:15 . 2014-03-27 21:15 193304 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2014-03-27 21:14 . 2014-03-27 21:14 123160 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2014-03-27 21:04 . 2014-03-27 21:04 150296 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-03-27 21:04 . 2014-03-27 21:04 238872 ----a-w- c:\windows\system32\drivers\avglogx.sys
2014-03-27 21:03 . 2014-03-27 21:03 28440 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2014-03-27 21:03 . 2014-03-27 21:03 22296 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-06-27 436088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-28 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-22 894248]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 1507328]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"ApnTBMon"="c:\program files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" [2014-04-05 1801168]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-04-06 5180432]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2012-02-17 522720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnTBMon]
2014-04-05 20:57 1801168 ----a-w- c:\program files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-07-24 14:24 116648 ----atw- c:\users\Peter\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 08:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-07-28 10:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2008-01-29 17:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 84121598
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBAMWEBACCESSCONTROL
*Deregistered* - 84121598
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 19:09]
.
2014-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 14:26]
.
2014-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 14:26]
.
2014-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090089086-4070206164-254660030-1000Core.job
- c:\users\Peter\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-27 14:24]
.
2014-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090089086-4070206164-254660030-1000UA.job
- c:\users\Peter\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-27 14:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 62.244.176.176 62.244.177.177
FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\hnid92fj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.my.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
FF - Ext: Zotero Word for Windows Integration: zoteroWinWordIntegration@zotero.org - %profile%\extensions\zoteroWinWordIntegration@zotero.org
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-11 21:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????Uanl??????????P????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2014-05-11  21:08:52
ComboFix-quarantined-files.txt  2014-05-11 20:08
.
Pre-Run: 33,897,943,040 bytes free
Post-Run: 35,170,418,688 bytes free
.
- - End Of File - - 65685EEC9BD1CFB0F5E38F4B3D667E83
5C616939100B85E558DA92B899A0FC36


#6 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:24 PM

Posted 11 May 2014 - 05:15 PM

ComboFix

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::
     
    DDS::
    mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
     
    File::
    c:\program files\askpartnernetwork\toolbar\apnmcp.exe
     
    Driver::
    APNMCP

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
     
    [screenshot: CFScriptB-4.gif]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

 

Post the new ComboFix log and also let me know how your system is running.  :)




#7 Anjiten

Anjiten
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 12 May 2014 - 06:50 PM

Hi Jeff,

 

Since turning the laptop on today to follow your latest instructions, the AVG warning hasn't appeared.

 

There have been no noticeable changes to the way the laptop runs, good or bad - the only thing I've noticed is the Internet Explorer icon has reappeared on the desktop. I had deleted the icon, since I set Chrome as the default browser. I tried using it (IE9) briefly to see how it behaves and the homepage etc. is normal - Yahoo UK - the only thing odd is the fact that it generates a pop-up 'you are entering a secure area' / 'leaving a secure area' when navigating between pages (and all I did was navigate to one of Yahoo's news pages.) Since I don't generally use IE and find it very buggy on those occasions when I do, I can't say that this is particularly strange behavior for it!

 

The ComboFix log is below. When the laptop restarted the antivirus also restarted, and came up with a trojan warning (IDP.Trojan.15E52105, Object name: ComboFix\REGT.3XE). I chose to 'allow' it, and re-deactivated AVG, assuming it's merely to do with the combofix scan...

 

 ComboFix 14-05-10.01 - Peter 12/05/2014  23:53:59.2.2 - x86

Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2038.1066 [GMT 1:00]
Running from: c:\users\Peter\Desktop\ComboFix.exe
Command switches used :: c:\users\Peter\Desktop\CFScript.txt
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Internet Security 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\askpartnernetwork\toolbar\apnmcp.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Peter\AppData\Local\Temp\ppcrlui_4176_2
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_APNMCP
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-12 to 2014-05-12  )))))))))))))))))))))))))))))))
.
.
2014-05-11 12:14 . 2010-08-30 07:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-05-11 12:12 . 2014-05-11 12:14 -------- d-----w- C:\AdwCleaner
2014-05-11 12:09 . 2014-04-29 10:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-06 14:42 . 2014-04-14 19:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-05-06 13:17 . 2014-05-06 13:17 -------- d-----w- c:\programdata\Autorun Eater
2014-05-06 13:17 . 2014-05-06 13:17 -------- d-----w- c:\program files\Autorun Eater
2014-05-06 12:40 . 2014-05-12 23:24 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-06 12:39 . 2014-05-06 12:39 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-05-06 12:39 . 2014-05-06 12:39 -------- d-----w- c:\programdata\Malwarebytes
2014-05-06 12:39 . 2014-04-03 08:51 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-06 12:39 . 2014-04-03 08:51 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-06 12:39 . 2014-04-03 08:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-18 14:02 . 2014-04-18 14:02 199960 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-30 19:09 . 2012-04-17 18:40 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-30 19:09 . 2011-07-14 20:06 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-31 15:11 . 2014-03-31 15:11 211224 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2014-03-31 15:11 . 2014-03-31 15:11 108312 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2014-03-27 21:15 . 2014-03-27 21:15 193304 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2014-03-27 21:14 . 2014-03-27 21:14 123160 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2014-03-27 21:04 . 2014-03-27 21:04 150296 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-03-27 21:04 . 2014-03-27 21:04 238872 ----a-w- c:\windows\system32\drivers\avglogx.sys
2014-03-27 21:03 . 2014-03-27 21:03 28440 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2014-03-27 21:03 . 2014-03-27 21:03 22296 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-06-27 436088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-28 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-22 894248]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 1507328]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-04-06 5180432]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2012-02-17 522720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnTBMon]
2014-04-05 20:57 1801168 ----a-w- c:\program files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-07-24 14:24 116648 ----atw- c:\users\Peter\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 08:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-07-28 10:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2008-01-29 17:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMWEBACCESSCONTROL
*Deregistered* - MBAMWebAccessControl
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 19:09]
.
2014-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 14:26]
.
2014-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 14:26]
.
2014-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090089086-4070206164-254660030-1000Core.job
- c:\users\Peter\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-27 14:24]
.
2014-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2090089086-4070206164-254660030-1000UA.job
- c:\users\Peter\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-27 14:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 62.244.176.176 62.244.177.177
FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\hnid92fj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.my.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
FF - Ext: Zotero Word for Windows Integration: zoteroWinWordIntegration@zotero.org - %profile%\extensions\zoteroWinWordIntegration@zotero.org
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-13 00:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????Uanl??????????P????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(636)
c:\program files\IDM\Desktop SMS\oehook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\AVG\AVG2014\avgfws.exe
c:\program files\AVG\AVG2014\avgwdsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\ATK Hotkey\Hcontrol.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Windows Mail\WinMail.exe
.
**************************************************************************
.
Completion time: 2014-05-13  00:29:47 - machine was rebooted
ComboFix-quarantined-files.txt  2014-05-12 23:29
ComboFix2.txt  2014-05-11 20:08
.
Pre-Run: 36,259,823,616 bytes free
Post-Run: 35,912,908,800 bytes free
.
- - End Of File - - 0E33894FE2EDB7F65EB48FEA88259F71
5C616939100B85E558DA92B899A0FC36


#8 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:24 PM

Posted 12 May 2014 - 07:28 PM

Yes, that file that was detected is a False Positive.  AVG can sometimes not play well with ComboFix, but that was a file from ComboFix that was detected.  Good job letting that go!!
 
Ok.....I should have asked you for this earlier but when you ran DDS there should have been a log named Attach.txt created as well.  If you have that, please post it.  If not, please run DDS again and only get the Attach.txt log and post it.  Thanks.   :)




#9 Anjiten

Anjiten
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 13 May 2014 - 06:47 PM

Hi Jeff,

 

Here it is - it's the original. (If you want it zipped and attached, you're going to have to tell me how to add attachments!)

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium 
Boot Device: \Device\HarddiskVolume2
Install Date: 11/03/2008 18:59:06
System Uptime: 06/05/2014 15:17:53 (0 hours ago)
.
Motherboard: TOSHIBA |  | Satellite L40
Processor: Intel® Pentium® Dual  CPU  T2330  @ 1.60GHz | Socket 478 | 1600/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 31.874 GiB free.
E: is FIXED (NTFS) - 73 GiB total, 71.245 GiB free.
F: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP553: 14/04/2014 10:17:34 - Windows Update
RP554: 15/04/2014 10:38:28 - Scheduled Checkpoint
RP555: 16/04/2014 13:38:50 - Scheduled Checkpoint
RP556: 17/04/2014 20:12:45 - Scheduled Checkpoint
RP557: 30/04/2014 20:14:45 - Scheduled Checkpoint
RP558: 06/05/2014 15:39:49 - Installed Java 7 Update 55
.
==== Installed Programs ======================
.
Accessibility
Adobe Flash Player 13 ActiveX
Adobe Flash Player 13 Plugin
Adobe Reader 8.1.3
Ask Toolbar
ATK Hotkey
Autorun Eater v2.6
AVG 2014
Canon iP4300
Canon iP4300 User Registration
CD/DVD Drive Acoustic Silencer
Desktop SMS
DVD MovieFactory for TOSHIBA
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java 7 Update 55
Java Auto Updater
Java™ SE Runtime Environment 6
LiveUpdate Notice (Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.1.1004
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4.5.1
Microsoft Office Excel 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
myphotobook 3.1
Panda ActiveScan 2.0
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
REALTEK USB Wireless LAN Driver
RICOH R5C83x/84x Media Driver Vista x86 Ver.3.33.03
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Manuals
Toshiba Online Product Information
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual Studio 2012 x86 Redistributables
Windows Media Encoder 9 Series
.
==== Event Viewer Messages From Past Week ========
.
30/04/2014 19:08:33, Error: Service Control Manager [7024]  - The AVGIDSAgent service terminated with service-specific error 3758213661 (0xE001CA1D).
06/05/2014 15:20:19, Error: Service Control Manager [7000]  - The rimsptsk service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
06/05/2014 15:20:19, Error: Service Control Manager [7000]  - The rimmptsk service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
06/05/2014 15:20:19, Error: Service Control Manager [7000]  - The Ricoh xD-Picture Card Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
06/05/2014 15:19:28, Error: Microsoft-Windows-Kernel-General [5]  - {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\Peter\AppData\Local\Microsoft\Windows\UsrClass.dat' was corrupted and it has been recovered. Some data might have been lost.
06/05/2014 14:25:15, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
06/05/2014 14:25:15, Error: Service Control Manager [7000]  - The Windows Media Player Network Sharing Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
06/05/2014 12:49:47, Error: Microsoft-Windows-Servicing [4375]  - Windows Servicing failed to complete the process of setting package KB2729453 (Security Update) into Resolved(Resolved) state
06/05/2014 12:41:48, Error: Microsoft-Windows-ResourcePublication [1002]  - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish.  Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
.
==== End Of File ===========================


#10 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:24 PM

Posted 14 May 2014 - 06:31 AM

No this was just fine.   :)
 
Malwarebytes
 
Please open Malwarebytes, update it and then run a Hyper Scan.  Save the log that is created for your next reply.
----------
 

ESET Online Scanner
 
Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------




#11 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:24 PM

Posted 16 May 2014 - 06:26 AM

Still here?




#12 Anjiten

Anjiten
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 16 May 2014 - 09:41 AM

Yes, sorry!

 

Here is the Malwarebytes log - doesn't seem to have found anything. I'll post the ESET scan results as soon as it's finished scanning...

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 16/05/2014
Scan Time: 14:20:57
Logfile: Malwarebytes.txt
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.05.16.08
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Peter
 
Scan Type: Hyper Scan
Result: Completed
Objects Scanned: 202503
Time Elapsed: 12 min, 23 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#13 Anjiten

Anjiten
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 16 May 2014 - 10:52 AM

Here are the ESET scan results...

 

C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\APNSetup.exe a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\UpdateManager.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\AskToolbarInstaller-12.0.1_ORJ-V7.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\AskToolbarInstaller-12.10.0_ORJ-V7.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\AskToolbarInstaller-12.2.2_ORJ-V7.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\AskToolbarInstaller-12.3.0_ORJ-V7.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\AskToolbarInstaller-12.6.0_ORJ-V7.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\AskToolbarInstaller-12.9.1_ORJ-V7.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\apnmcp.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\searchhook.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\ServiceLocator.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\SO.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\toolbar.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\Toolbar.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\ToolbarPS.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\toolbar_x64.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\UpdateManager.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport_x64.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application


#14 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:24 PM

Posted 17 May 2014 - 05:52 PM

Please open an elevated command prompt > Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.
 
Copy the contents of the code box > right click in the command window and select paste

rd "C:\Program Files\AskPartnerNetwork" /s /q

Press Enter (you won't actually see anything happen)
Close the Command Prompt window.
 
Let me know how your system is running now.   :)



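The rd command in the post above deletes the Ask Toolbar directory, but the earlier ComboFix logs show the same toolbar also registered a service (APNMCP) and a startup entry (ApnTBMon, pointing at TBNotifier.exe). The following script is an added example, not part of jeffce's instructions or of any tool used in this thread: run from an elevated PowerShell prompt, it checks all three places for leftovers and reports what it finds without deleting anything. The directory, service name and registry keys are the ones that appear in the logs posted in this thread; the function name Test-AskToolbarRemnants is a name chosen here.

```powershell
# Added example: post-cleanup check for the Ask Toolbar remnants named in this thread.
# Read-only: it reports leftovers, it does not remove anything.
# Run from an elevated PowerShell prompt (service and HKLM queries need it).

# Locations taken from the ComboFix / ESET logs earlier in the thread.
$toolbarDir  = 'C:\Program Files\AskPartnerNetwork'   # directory the rd command removes
$serviceName = 'APNMCP'                                # service ComboFix's Driver:: entry removed
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnTBMon'
$runKeys     = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-AskToolbarRemnants {
    # Returns one string per remnant found; an empty result means nothing was left behind.
    $findings = @()

    # 1. Files: is the toolbar directory (and anything inside it) still on disk?
    if (Test-Path -LiteralPath $toolbarDir) {
        $files = @(Get-ChildItem -LiteralPath $toolbarDir -Recurse -File -ErrorAction SilentlyContinue)
        $findings += "Directory still present: $toolbarDir ($($files.Count) files)"
    }

    # 2. Service: the APNMCP service should no longer be registered with the SCM.
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service still registered: $serviceName (status $($svc.Status))"
    }

    # 3a. msconfig's disabled-startup store: the ApnTBMon key itself is a remnant.
    if (Test-Path -LiteralPath $msconfigKey) {
        $findings += "Disabled startup entry still stored: $msconfigKey"
    }

    # 3b. Active Run keys: any value whose data points into the toolbar directory.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            if ("$($p.Value)" -like '*AskPartnerNetwork*') {
                $findings += "Autostart entry: $key\$($p.Name) -> $($p.Value)"
            }
        }
    }

    return $findings
}

# Wrap in @() so an empty result still has a .Count of 0.
$remnants = @(Test-AskToolbarRemnants)
if ($remnants.Count -eq 0) {
    Write-Output 'No Ask Toolbar remnants found (directory, service, autostart entries).'
} else {
    Write-Output 'Remnants found:'
    $remnants | ForEach-Object { Write-Output "  $_" }
}
```

The same pattern (directory, service, disabled-startup store, active Run keys) is the checklist worth walking after removing any bundled toolbar: a deleted directory with a surviving Run entry produces a harmless "file not found" at logon, but a surviving service entry or msconfig record shows the removal was incomplete and is the first thing a later scan will flag again.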

#15 Anjiten

Anjiten
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 17 May 2014 - 06:34 PM

Done.

 

The AVG warning hasn't appeared since Tuesday, and since there haven't been any other noticeable problems everything now looks fine. Do you reckon it's clear now?

 

Thanks,

Anji





