TechSpot

Checking if computer is clean

By Lordoftomato
Dec 17, 2011
  1. Hi all, thank you for volunteering your time. I am currently trying to fix an issue for my mom on her computer. She was saying her Skype program wouldn't show up after clicking the icon. I tried Skype after running the scans and it appears to work now. However, I wanted to double-check with a pro to see if her computer was cleaned fully.

    Here are my logs after the 5 steps:

    1)
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19048

    12/16/2011 11:43:26 PM
    mbam-log-2011-12-16 (23-43-26).txt

    Scan type: Quick scan
    Objects scanned: 130510
    Time elapsed: 25 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 51
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{d12f94fa-fc9a-41f7-b808-7fbb419dd7a6} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{4c2bfec9-f03c-4f74-932e-5723e603b4ac} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6c773ca2-f142-4b2c-981a-fd3b1bec1578} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7ef05eff-0e62-4040-8d81-73a10d8de60f} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d158174c-004b-4a2e-9410-5442c10c60d2} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{23a2b2b7-21de-4b88-afba-5a918abbf463} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{23a2b2b7-21de-4b88-afba-5a918abbf463} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a7f05ee4-0426-454f-8013-c41e3596e9e9} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a7f05ee4-0426-454f-8013-c41e3596e9e9} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e5d5d4a1-17f0-41d7-b1c6-0979f91e6f46} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e5d5d4a1-17f0-41d7-b1c6-0979f91e6f46} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubar.tool.1 (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarex.bdhomepage (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarex.bdhomepage.1 (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarex.bdhomepage.2 (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarex.bdhomepage.3 (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarex.bdhomepage.4 (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarex.bdhomepage.5 (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarx.bandie (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarx.bandie.1 (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarx.toolband (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubarx.toolband.1 (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\barbroker.bdbroker (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\barbroker.bdbroker.1 (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{7a33ce9e-4f33-4b4e-b263-6aeeab6c3dc2} (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5becd27b-dcf5-4def-b066-486a47245c03} (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7a33ce9e-4f33-4b4e-b263-6aeeab6c3dc2} (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{3a8c9d89-3271-45f4-98c0-56b0f5a16172} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2923508c-9425-4a61-b9ce-a98239055916} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{f9bc0421-bb5c-447d-8547-bb45afa80a4d} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{4d89001b-5b5b-4e76-a1f5-638e49db7a58} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fa677cc1-d6fa-4b55-825d-6c493f56ed84} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fe575a61-09bd-4f3a-b8b5-b55b813b44ec} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{11cc93e4-0be6-4f8f-82aa-d577fb955b05} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11cc93e4-0be6-4f8f-82aa-d577fb955b05} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c7c530b2-4611-4bcf-da92-40b25fd75a5a} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c7c530b2-4611-4bcf-da92-40b25fd75a5a} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c7c530b2-4611-4bcf-da92-40b25fd75a5a} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7c530b2-4611-4bcf-da92-40b25fd75a5a} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c7c530b2-4611-4bcf-da92-40b25fd75a5a} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{fbedba6c-44a2-43b9-bd49-20eb6e0c4e86} (Adware.Baidu) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX (Adware.BDSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\baidubar.tool (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Baidu (Trojan.Cinmus) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Baidu (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\Toolbar (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\{C7C530B2-4611-4BCF-DA92-40B25FD75A5A} (Adware.Baidu) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Baidu\Toolbar\BaiduBarX.dll (Trojan.Cinmus) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\Toolbar\BarBroker.exe (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\Toolbar\BarBroker_CloseIEUpdate.exe (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\Toolbar\rc.dll (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\{C7C530B2-4611-4BCF-DA92-40B25FD75A5A}\AddressBar.dll (Adware.Baidu) -> Quarantined and deleted successfully.
    C:\Program Files\Baidu\{C7C530B2-4611-4BCF-DA92-40B25FD75A5A}\ASBarBroker.exe (Adware.Baidu) -> Quarantined and deleted successfully.

    2)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-12-17 11:22:57
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01
    Running: olj44ikv.exe; Driver: C:\Users\SUIRAO~1\AppData\Local\Temp\uwriqpoc.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iaStor \Device\Ide\iaStor0 [826B9EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [826B9EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [826B9EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\a7te1jlj \Device\Scsi\a7te1jlj1Port2Path0Target0Lun0 8618C1F8
    Device \Driver\a7te1jlj \Device\Scsi\a7te1jlj1 8618C1F8
    Device \FileSystem\Ntfs \Ntfs 8489B1F8

    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    3)

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_29
    Run by Sui Rao at 11:53:58 on 2011-12-17
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Toshiba\TOSHIBA Service Station\TSS.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Users\Sui Rao\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\WLANExt.exe
    C:\Users\Sui Rao\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Sui Rao\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Sui Rao\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\Sui Rao\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = Preserve
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: 显示稞麦(Xmlbar)工具条: {6b896adb-4a82-46e2-858c-13134782ce34} - c:\program files\xmlbar\tv downloader\iebar\xbietb.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [Google Update] "c:\users\sui rao\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [PPAP] "c:\program files\common files\pplivenetwork\PPAP.exe" -background
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [cfFncEnabler.exe] cfFncEnabler.exe
    mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\TSS.exe" /hide
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [kwmusic] "c:\program files\kwmusic\Kwmusic.exe" /autorun
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pptv.lnk - c:\program files\pplive\pptv\PPLive.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Xmlbar Search - http://www.xmlbar.com/iebar/iemenu.php?lang=Chinese Simplified&ver=1.0
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: 稞麦&Xmlbar搜索 - http://www.xmlbar.com/iebar/iemenu.php?lang=Chinese Simplified&ver=1.0
    IE: {612F6E5C-B314-4bab-93D1-D266AAFBE700} - c:\program files\xmlbar\flv downloader\FLVDownloader(xmlbar).exe
    IE: {8B6AE613-809E-49bc-A150-3EE7338F5C03} - c:\program files\xmlbar\tv downloader\TVDownloader(xmlbar).exe
    IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\pptv\PPLive.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{025454E4-6DBC-4E0A-857B-B02E7EF2E601} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{0913D5A8-EAAD-4D04-821E-DF2C6404AAB0} : DhcpNameServer = 192.168.0.1 192.168.0.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: AVGRSSTX.DLL,c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\sui rao\appdata\roaming\mozilla\firefox\profiles\f7p0bbt9.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=&mid=b51fd66d71c2096d105c75e9af687b77-fadd0351fab1780a86f4e922a2c3e3657e23fef0&ds=AVG&v=9.0.0.18.1&lang=zh-cn&pr=fr&d=2011-12-13%2017%3A26%3A33&sap=ku&q=
    FF - component: c:\programdata\avg secure search\9.0.0.18\components\toolbarhomewmp.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\internet explorer\pplite\plugin\npplugin2.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\users\sui rao\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Security Toolbar: avg@toolbar - c:\programdata\avg secure search\9.0.0.18
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-17 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-17 29712]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-17 243152]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-17 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-30 7168]
    R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 167264]
    S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-9-30 9216]
    .
    =============== Created Last 30 ================
    .
    2011-12-14 01:27:09 -------- d-----w- c:\programdata\AVG Secure Search
    2011-12-14 01:27:04 -------- d-----w- c:\program files\common files\AVG Secure Search
    2011-12-14 01:27:02 -------- d-----w- c:\program files\AVG Secure Search
    .
    ==================== Find3M ====================
    .
    2011-10-12 07:58:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-03 13:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 11:56:58.19 ===============

    4)

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    .
    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | CPU | 2166/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 140 GiB total, 66.307 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    2007 Microsoft Office system
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.6
    ArcSoft TotalMedia Backup
    AVG Free 9.0
    Brother HL-2140
    Camera Assistant Software for Toshiba
    CCleaner
    CD/DVD Drive Acoustic Silencer
    CNTV 网页点播加速器1.0.2.0
    DivX Setup
    DVD MovieFactory for TOSHIBA
    Final Media Player 2010
    Google Chrome 浏览器
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    Intel® Matrix Storage Manager
    InterActual Player
    Java Auto Updater
    Java(TM) 6 Update 29
    Java(TM) 6 Update 6
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft XML Parser
    Mozilla Firefox (3.6.24)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetZero Internet Access Installer
    NVIDIA PhysX
    OGA Notifier 2.0.0048.0
    OpenAL
    ParetoLogic DriverCure
    Picasa 3
    Portal
    PPTV Downloader(xmlbar)(remove only)
    PPTV V3.0.6.0006
    QuickBooks Financial Center
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Skype™ 5.5
    Steam
    Synaptics Pointing Device Driver
    System Requirements Lab
    System Requirements Lab CYRI
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Desktop Links
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    TOSHIBA Recovery Disc Creator
    Toshiba Registration
    TOSHIBA Service Station
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2536413)
    VC80CRTRedist - 8.0.50727.4053
    Viewpoint Media Player
    VLC media player 1.1.3
    Windows Media Encoder 9 Series
    Xvid 1.2.1 final uninstall
    稞麦电视剧播放下载器(xmlbar)(仅移除)
    稞麦综合视频下载(xmlbar)(仅移除)
    迅雷看看播放器
    酷我K歌
    酷我音乐盒 2011
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/17/2011 10:48:08 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    12/17/2011 10:44:37 AM, Error: Microsoft-Windows-WMPNSS-Service [14329] - Service 'WMPNetworkSvc' did not start correctly because the registry could not be updated due to error '0x80070006'. If possible, reinstall Windows Media Player.
    12/16/2011 9:45:45 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Eventlog service.
    12/16/2011 9:43:49 PM, Error: Service Control Manager [7022] - The TPM Base Services service hung on starting.
    12/16/2011 9:41:55 PM, Error: Service Control Manager [7022] - The KtmRm for Distributed Transaction Coordinator service hung on starting.
    12/16/2011 9:38:30 PM, Error: Service Control Manager [7022] - The Background Intelligent Transfer Service service hung on starting.
    12/12/2011 6:04:11 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the service.
    12/12/2011 6:03:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avg9wd service.
    12/12/2011 5:49:06 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/12/2011 5:49:05 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    12/12/2011 5:44:11 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0022FA1E3F94 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
    12/11/2011 6:57:52 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.109 for the Network Card with network address 0022FA1E3F94 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    12/11/2011 6:52:03 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.111 for the Network Card with network address 001E33966F2C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    12/10/2011 2:10:58 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 0022FA1E3F94 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! So far, the system looks pretty good. There are entries that our scans can't read:
    CNTV ÍøÒ³µã²¥¼ÓËÙÆ÷1.0.2.0
    Google Chrome ä¯ÀÀÆ÷
    ïýÂóµçÊӾ粥·ÅÏÂÔØÆ÷(xmlbar)(½öÒƳý)
    ïýÂó×ÛºÏÊÓƵÏÂÔØ(xmlbar)(½öÒƳý)
    ѸÀ׿´¿´²¥·ÅÆ÷
    ¿áÎÒK¸è
    ¿áÎÒÒôÀֺР2011
    Noting some other content, these are Chinese?
    I cannot verify the entries as good or bad if I can't read them.
    =================================
    You have probably noticed the abundance of adware removed in Malwarebytes. I don't know where you got that version though because it's way out of date. Unless you purchase the program, leaving it on the system won't accomplish anything because it gives no real time protection. Please uninstall the version that is on the system now.
    ------------------------------
    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    Then do this online virus scan:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    I advise removing these plug-ins from Firefox: Tools> Options> Plugins:
    ClickPotatoLiteSA.dll
    Viewpoint Media Player


    Click Potato is a big source of malware. And the Viewpoint Media Player gets installed bundled with a non-related download, without the knowledge or permission of the user.

    Viewpoint is also on the OS and should be removed in Add/Remove Programs, followed by using Windows Explorer to access My Computer> Local Drive(C)> Programs> do a right click> Delete on the Viewpoint folder.

    Did she have any other problems in addition to the Skype problem, such as files, programs or icons that appeared to be missing?
    ==================================
    Please leave logs for new Mbam scan and Eset in the next reply.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. Lordoftomato

    Lordoftomato TS Rookie Topic Starter Posts: 17

    Here is the Malwarebytes full scan, I will post the ESET scan when it's finished


    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8392

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19048

    12/18/2011 9:57:48 AM
    mbam-log-2011-12-18 (09-57-48).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 312430
    Time elapsed: 2 hour(s), 2 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} (Adware.Funshion) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} (Adware.Funshion) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027} (Adware.Funshion) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{D02E3AB9-7796-40cb-BDFC-20D834FE1F75} (Adware.Funshion) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC} (Adware.Funshion) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ASBarBroker.BDBroker.1 (Adware.Funshion) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ASBarBroker.BDBroker (Adware.Funshion) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Sui Rao\downloads\xvidsetup (1).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\Users\Sui Rao\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
     
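A reader-side check for logs like the one posted above, as an added example that is not part of this thread and not Malwarebytes' own tooling: it parses the MBAM 1.x text-log layout, verifies that each section's header count matches the entries actually listed, tallies detections by family, and pulls out the Bad:/Good: pair MBAM records when it restores a hijacked registry data item (here the Explorer file-association handler). The log text is a constructed excerpt in the same layout; the user path is a placeholder.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and cross-check it.

Added example for this thread; not Malwarebytes' own tooling. It reads
the summary counts, the per-section entries, and the Bad:/Good: values
MBAM records when it restores a hijacked registry data item.
"""
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.x log layout (user path is a placeholder;
# the GUID and URLs mirror the kind of entries such a log contains).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8392

Scan type: Full scan (C:\|)
Objects scanned: 312430

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027} (Adware.Funshion) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ASBarBroker.BDBroker (Adware.Funshion) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\<user>\downloads\xvidsetup (1).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\Users\<user>\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary line
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")             # section header
# object (family) -> action ; family never contains parentheses, which lets
# paths such as "xvidsetup (1).exe" parse correctly
ENTRY_RE = re.compile(r"^(?P<object>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
HIJACK_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return (declared counts per section, list of entry dicts per section)."""
    declared, found, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("n"))
            section = None
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            found.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            found[section].append(m.groupdict())
    return declared, found


def families(found):
    """Detections per malware family across all sections."""
    return Counter(e["family"] for entries in found.values() for e in entries)


def count_mismatches(declared, found):
    """Sections whose header count differs from the entries actually listed."""
    return {s: (n, len(found.get(s, []))) for s, n in declared.items()
            if n != len(found.get(s, []))}


def hijacked_data(found):
    """(key, bad value, restored value) for every repaired registry data item."""
    out = []
    for e in found.get("Registry Data Items Infected", []):
        m = HIJACK_RE.search(e["action"])
        if m:
            out.append((e["object"], m.group("bad"), m.group("good")))
    return out


if __name__ == "__main__":
    declared, found = parse_mbam_log(SAMPLE_LOG)
    print("Detections by family:", dict(families(found)))
    print("Header/entry mismatches:", count_mismatches(declared, found) or "none")
    for key, bad, good in hijacked_data(found):
        print(f"Restored {key}\n  from {bad}\n  to   {good}")
```

The two things worth eyeballing in the output are a non-empty mismatch dictionary (the log was truncated or edited while being pasted) and the restored data item: an Explorer "Associations\Application" handler pointing at a third-party site instead of shell.windows.com is exactly the Hijacker.Application entry the helper singles out in the reply that follows.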
  4. Lordoftomato

    Lordoftomato TS Rookie Topic Starter Posts: 17

    eset scan

    C:\Users\Sui Rao\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\53c8c5da-35a7cb20 multiple threats
    C:\Users\Sui Rao\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\34a3fab-2278c78f multiple threats
    C:\Users\Sui Rao\Downloads\fyzip-setup.exe Win32/DownloadAdmin.A.Gen application
    C:\Users\Sui Rao\Downloads\HA_TotalRecorder_52_szl (1).rar Win32/Adware.WSearch application
    C:\Users\Sui Rao\Downloads\HA_TotalRecorder_52_szl.rar Win32/Adware.WSearch application
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that.

    Please do not send a PM during those days.
    ==============================
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. Also open Firefox> Tools> Options> Plugins and remove Java v6u6 from there.
    You do have the current version but you also have an outdated version: Java(TM) 6 Update 6. Some of the malware has gotten into the Java cache because of this.
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    =====================================
    For the Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      : File
      C:\Users\Sui Rao\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\53c8c5da-35a7cb20 
      C:\Users\Sui Rao\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\34a3fab-2278c78f 
      C:\Users\Sui Rao\Downloads\fyzip-setup.exe 
      C:\Users\Sui Rao\Downloads\HA_TotalRecorder_52_szl (1).rar 
      C:\Users\Sui Rao\Downloads\HA_TotalRecorder_52_szl.rar 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ====================================
    Please turn your attention to this- from the current Mbam log:
    Description: Added by the Adware-BDSearch Parasite of Chinese origin hailing from funshion.com and detected as Adware-BDSearch or Adware-Baidu. Identified by Malwarebytes' Anti-Malware as Adware.Funshion.

    I previously brought your attention to characters the scans can't read, mentioning there appeared to be related to a Chinese program, but you did not address the issue. It is likely that some of the malware is coming from those programs and you will have to uninstall them.
    ====================================
    The system is not clean and is still actively getting new malware. Much of it is adware, possibly because there is not enough security:

    Download Security Check by screen317 from one of these links:
    Link1
    Link 2
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ===================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================
    I think the Cookies will need to be reset- let's check that:
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.
    =============================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Please include the following logs in your next reply:
    OTM
    Security Check
    Combofix
    SuperAntispyware
    CK Scanner
     
Topic Status:
Not open for further replies.
