TechSpot

Metropolitan police ukash scareware, is my PC clean now?

Inactive
By cessna729
Jul 21, 2012
  1. Just found this Tech Support site after the event, but hope you can help. :)
    Just over 2 weeks ago, I was browsing the net, when all of a sudden my PC is "locked-down" and I'm informed I have to pay 100 big ones to get it unlocked :( I managed to get into safe mode using F8 and was able to remove an exe file in the roaming/temp folder, and revert to an earlier restore point, re-booted, got back to Windows Vista OK and ran a full virus scan and installed Malwarebytes (which said no infection found). Then 2 days ago, I was browsing the net and guess what!! Same thing again, PC is "locked-down" and I'm informed I have to pay 100 big ones to get it unlocked. Will I never learn!! Or figure I should change my browsing habits!! This time F8 didn't work, and my Avira anti-virus had been disabled/killed, so I had to use the Alienware backup DVD to revert to an earlier restore point, then re-install Avira and run Malwarebytes to get back to normal Windows Vista.

    It was only then that I found your great web site http://www.techspot.com/community/forums/virus-and-malware-removal.28/ and have tried to follow your UPDATED 5-step Viruses/Spyware/Malware Preliminary Removal Instructions. I've also installed Avira "web protection" to improve my browsing habits ;)

    So I need your expert help, is my PC clean now?


    Step 1: Antivirus scanning
    Avira Free Antivirus 2012 Realtime protection running, Web protection Active (Last update 20/07/2012).
    --------------------------------------------

    Step 2: Malwarebytes Anti-Malware
    Downloaded, updated, performed full scan.

    log pasted:
    ---
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.20.06

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19272
    zaphod :: ALX [administrator]

    20/07/2012 17:11:01
    mbam-log-2012-07-20 (17-11-01).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 482206
    Time elapsed: 3 hour(s), 57 minute(s), 41 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    --------------------------------------------

    Step 3: GMER
    Downloaded, disconnected ethernet cable from PC, closed all running progs, temporarily disabled Avira Free 2012 Realtime protection and ran GMER.exe.
    gmer.exe has stopped working,
    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: gmer.exe
    Application Version: 1.0.15.15641
    Application Timestamp: 4e21f2b1
    Fault Module Name: gmer.exe
    Fault Module Version: 1.0.15.15641
    Fault Module Timestamp: 4e21f2b1
    Exception Code: c0000005
    Exception Offset: 0000c676
    OS Version: 6.0.6002.2.2.0.256.1
    Locale ID: 2057
    Additional Information 1: 4254
    Additional Information 2: fe2c75f8e1cb8e4ac132f386ef457bf0
    Additional Information 3: ee4d
    Additional Information 4: 3ecfdc723e6b34047eef7acd3cf23e4f

    closed prog.

    GMER refuses to run, tried again, UN-checked "Devices" in right pane.
    Left running over night.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-07-21 06:33:39
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005e NVIDIA__ rev.
    Running: gmer.exe; Driver: C:\Users\zaphod\AppData\Local\Temp\pxldrpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8C5FB766 ZwCreateSection
    SSDT 8C5FB770 ZwRequestWaitReplyPort
    SSDT 8C5FB76B ZwSetContextThread
    SSDT 8C5FB775 ZwSetSecurityObject
    SSDT 8C5FB77A ZwSystemDebugControl
    SSDT 8C5FB707 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 215 81EB68D8 4 Bytes [66, B7, 5F, 8C]
    .text ntkrnlpa.exe!KeSetEvent + 539 81EB6BFC 4 Bytes [70, B7, 5F, 8C]
    .text ntkrnlpa.exe!KeSetEvent + 56D 81EB6C30 4 Bytes [6B, B7, 5F, 8C]
    .text ntkrnlpa.exe!KeSetEvent + 5D1 81EB6C94 4 Bytes [75, B7, 5F, 8C]
    .text ntkrnlpa.exe!KeSetEvent + 619 81EB6CDC 4 Bytes [7A, B7, 5F, 8C]
    .text ...
    ? C:\Users\zaphod\AppData\Local\Temp\ALSysIO.sys The system cannot find the file specified. !
    ? C:\Users\zaphod\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----
    -------------------------

    Step 4: DDS
    Ran dds.scr, logs pasted below.
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 10.4.1
    Run by zaphod at 7:19:09 on 2012-07-21
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.3070.1749 [GMT 1:00]
    .
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    C:\Windows\system32\werfault.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Notepad++\notepad++.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = Preserve
    uStart Page = about:blank
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    TB: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [Radio Downloader] "c:\program files\radio downloader\Radio Downloader.exe" /hidemainwindow
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [<NO NAME>]
    StartupFolder: c:\users\zaphod\appdata\roaming\micros~1\windows\startm~1\programs\startup\gpsgate.lnk - c:\program files\franson\gpsgate 2.0\GpsGateXP.exe
    StartupFolder: c:\users\zaphod\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
    StartupFolder: c:\users\zaphod\appdata\roaming\micros~1\windows\startm~1\programs\startup\router~1.lnk - c:\routerstatslite\RouterStatsLite.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    LSP: c:\program files\avira\antivir desktop\avsda.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 212.139.132.6 212.74.112.67
    TCP: Interfaces\{26783D5D-28E4-4D4E-BB12-5AD4317EA9FF} : DhcpNameServer = 212.139.132.6 212.74.112.67
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\zaphod\appdata\roaming\mozilla\firefox\profiles\vt926wag.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale=en_GB
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10401&locale=en_GB&apn_uid=a300e5d3-68b2-4618-a3b0-fb5435561f7c&apn_ptnrs=^ABZ&apn_sauid=5A09183C-8FBE-4BA6-9BE8-1AE89B6F5AD2&apn_dtid=^YYYYYY^YY^GB&&q=
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: c:\program files\joystick plugin\npjoystick.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npjoystick.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\dtplugin\npdeployJava1.dll
    FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-17 36000]
    R1 bizVSerial;Franson VSerial;c:\windows\system32\drivers\bizVSerialNT.sys [2006-4-3 14949]
    R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2012-4-27 158512]
    R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2012-4-27 91952]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-17 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-17 110032]
    R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2012-3-17 465360]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-17 83392]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-5-19 2348352]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-2-29 382272]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2012-4-12 104752]
    R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2012-4-12 116016]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-24 136176]
    S3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    S3 FGYB;FGYB;c:\users\zaphod\appdata\local\temp\fgyb.exe --> c:\users\zaphod\appdata\local\temp\FGYB.exe [?]
    S3 Franson GpsGate 2.0;Franson GpsGate 2.0;c:\program files\franson\gpsgate 2.0\GpsGateService.exe [2008-9-12 258048]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-24 136176]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-23 113120]
    S3 TfBulk;TfBulk;c:\windows\system32\drivers\TfBulk.SYS [2007-5-31 13312]
    S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-4 16128]
    S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-4-12 82736]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-07-20 17:13:25 -------- d-----w- c:\program files\ESET
    2012-07-20 00:32:32 14664 ----a-w- c:\windows\stinger.sys
    2012-07-20 00:31:54 -------- d-----w- c:\program files\stinger
    2012-07-19 22:58:43 -------- d-----w- c:\program files\Ask.com
    2012-07-19 22:58:37 -------- d-----w- c:\users\zaphod\appdata\local\APN
    2012-07-19 22:42:24 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-07-11 18:21:17 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 18:19:02 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-07-11 18:19:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-07-11 18:19:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-07-11 18:19:00 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 18:19:00 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 18:18:59 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2012-07-11 18:18:58 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 18:18:58 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 18:18:58 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-08 20:41:04 -------- d-----w- C:\maps
    2012-07-07 07:05:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-07 07:05:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-03 20:50:20 -------- d-----w- c:\users\zaphod\appdata\roaming\Malwarebytes
    2012-07-03 20:50:19 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-25 08:36:33 -------- d-----w- c:\users\zaphod\appdata\local\Macromedia
    2012-06-23 11:16:06 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-06-23 11:16:04 157608 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
    2012-06-23 11:16:04 113120 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
    2012-06-23 11:16:03 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
    2012-06-23 11:16:03 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
    2012-06-21 15:57:52 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 15:57:39 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 15:57:36 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-21 15:57:36 171904 ----a-w- c:\windows\system32\wuwebv.dll
    .
    ==================== Find3M ====================
    .
    2012-06-25 06:37:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-25 06:37:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-19 15:42:29 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-05-18 21:35:06 73216 ----a-w- c:\windows\ST6UNST.EXE
    2012-05-18 21:35:06 249856 ------w- c:\windows\Setup1.exe
    2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
    2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2012-05-08 16:37:03 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 7:19:31.35 ===============
    ---------------

    Attach.txt pasted:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 03/03/2011 22:47:44
    System Uptime: 20/07/2012 17:07:35 (14 hours ago)
    .
    Motherboard: ELITEGROUP COMPUTER SYSTEM CO.,LTD. | | NFORCE6M-A
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | Socket AM2 | 3000/201mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 924 GiB total, 488.452 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.0)
    Amazon Kindle
    Ask Toolbar
    Aspell English Dictionary-0.50-2
    Audacity 1.3.13 (Unicode)
    Avira Free Antivirus
    Avira SearchFree Toolbar plus Web Protection Updater
    CCleaner
    Core Temp version 0.99.8
    Data Parse
    EasyNavs version 3.02
    ESET Online Scanner v3
    Franson GpsGate 2.6
    Free Download Manager 3.0
    Garmin GTN Trainer Lite
    Global Mapper 13
    GNS400W-500W Trainer
    GNU Aspell 0.50-3
    Google Chrome
    Google Earth
    Google Earth Plug-in
    Google Update Helper
    HNavDBEditor version 3.02
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ImgBurn
    Java Auto Updater
    Java(TM) 6 Update 31
    Java(TM) 7 Update 4
    JavaFX 2.1.0
    Joystick Plug-in
    JRollon Planes CRJ-200 version 1.4.0
    K-Lite Mega Codec Pack 7.7.8
    Kml Builder
    Log Parser 2.2
    Log Parser Lizard
    Malwarebytes Anti-Malware version 1.62.0.1300
    Media Player Classic - Home Cinema v1.5.2.3456
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Flight Simulator SimConnect Client v10.0.61259.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Movica
    Mozilla Firefox 13.0.1 (x86 en-GB)
    Mozilla Maintenance Service
    Mozilla Thunderbird 13.0.1 (x86 en-GB)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    My MP4Box GUI 0.5.5.4
    Navigraph nDAC 3
    Notepad++
    NVIDIA 3D Vision Controller Driver 296.10
    NVIDIA 3D Vision Driver 296.10
    NVIDIA Control Panel 296.10
    NVIDIA Graphics Driver 296.10
    NVIDIA Install Application
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.12.0213
    NVIDIA Stereoscopic 3D Driver
    NVIDIA Update 1.7.11
    NVIDIA Update Components
    OpenMG Limited Patch 4.7-07-14-05-01
    OpenMG Secure Module 4.7.00
    Oracle VM VirtualBox 4.1.14
    Plan-G
    PROCIO
    Python 2.7.2
    Radio Downloader
    RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    SimConnect Config Tool
    SkyView2
    SonicStage 4.3
    Topfield Tools
    Trojan Killer
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VLC media player 2.0.2
    Windows Grep 2.3
    WinHTTrack Website Copier 3.44-1
    WinRAR 4.01 (32-bit)
    XPS Annotator 1.22
    .
    ==== Event Viewer Messages From Past Week ========
    .
    20/07/2012 17:07:54, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 0019212F521E has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    20/07/2012 01:57:42, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr bizVSerial spldr ssmdrv VBoxDrv VBoxUSBMon Wanarpv6
    20/07/2012 01:57:42, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    20/07/2012 01:56:39, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    20/07/2012 01:56:31, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    19/07/2012 23:30:40, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 306 (0x132).
    17/07/2012 18:30:50, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{26783D5D-28E4-4D4E-BB12-5AD4317EA9FF} because another computer on the network has the same name. The server could not start.
    14/07/2012 08:52:36, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    .
    ==== End Of File ===========================

    Re-enabled Anti-virus and re-connected to internet.
    -----------------

    Step 5: Log Handling.
    Posting logs as requested.
    Thanks for any help, I'm just disappointed I didn't find your site first, two weeks ago.
    cessna729.
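As an added illustration that is not part of the thread (my code, not DDS's or TechSpot's): a small triage script that parses DDS "SERVICES / DRIVERS" lines and flags the entries a helper would look at first, such as the FGYB service in the log above, whose image sits in a user temp folder and no longer exists on disk. The sample lines are copied from that log; the description of the line format, the temp-directory markers and the reason strings are my assumptions about how DDS prints these entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample lines copied from the "SERVICES / DRIVERS" section of the DDS log
# posted above. Assumed layout (inferred from the log, not DDS documentation):
#   <start type> <service name>;<display name>;<image path> [<date> <size>]
# "<registered> --> <resolved>" appears when DDS resolved the path to a
# different file, and "[?]" means it could not find the file on disk at all.
SAMPLE_DDS_LINES = r"""
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-17 36000]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-17 110032]
S3 FGYB;FGYB;c:\users\zaphod\appdata\local\temp\fgyb.exe --> c:\users\zaphod\appdata\local\temp\FGYB.exe [?]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-4 16128]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s*\[(?P<info>[^\]]*)\]\s*$"
)

# Directories a legitimately installed service or driver is not normally loaded
# from (heuristic; compared against the lower-cased path).
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


@dataclass
class ServiceEntry:
    state: str              # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str               # path as registered for the service
    resolved: Optional[str]  # path DDS resolved to, when it printed "-->"
    file_missing: bool      # DDS printed "[?]" instead of "[date size]"


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in a DDS log excerpt; skip other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section header, blank line, or not a service line
        rest = m.group("rest")
        path, resolved = rest, None
        if " --> " in rest:
            registered, target = rest.split(" --> ", 1)
            path, resolved = registered.strip(), target.strip()
        entries.append(ServiceEntry(
            state=m.group("state"),
            name=m.group("name"),
            display=m.group("display"),
            path=path,
            resolved=resolved,
            file_missing=m.group("info").strip() == "?",
        ))
    return entries


def flag_suspicious(entries: List[ServiceEntry]) -> List[Tuple[ServiceEntry, List[str]]]:
    """Return (entry, reasons) for entries showing traits worth a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        for candidate in (e.path, e.resolved):
            if candidate and any(mk in candidate.lower() for mk in TEMP_DIR_MARKERS):
                reasons.append("image loaded from a temp directory: " + candidate)
                break
        if e.resolved is not None:
            reasons.append("registered path differs from resolved path (-->)")
        if e.file_missing:
            reasons.append("image file not found on disk ([?]): stale entry or self-deleting dropper")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in flag_suspicious(parse_dds_services(SAMPLE_DDS_LINES)):
        print(f"{entry.state} {entry.name}: {entry.path}")
        for r in why:
            print("   - " + r)
```

A hit here only means "examine this entry", not "malware": a stale entry left behind by an uninstalled tool produces the same `[?]` marker.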
     
  2. Jay Pfoutz

    Jay Pfoutz, Malware Helper

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again, this time renaming ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  3. cessna729

    cessna729 TS Rookie Topic Starter

    Hi dragonmasterJ, thanks for helping, currently running ComboFix on my infected PC (I borrowed this laptop to post this). Will post when ComboFix is finished & I can re-enable antivirus etc., as per your instructions.
    Thanks again
    cessna729
     
  4. cessna729

    cessna729 TS Rookie Topic Starter

    Hi DragonMasterJay, back online. Once I received your post, I did as requested, and didn't make any more changes to my PC without you telling me. One slight problem is that after ComboFix finished and created the log.txt, all the program shortcuts on my desktop stopped working, so I had to restart Windows to be able to post this from my PC. I have now re-enabled Real Time antivirus.

    ComboFix downloaded, re-named to svchost.exe & saved on desktop.
    Closed open browsers, temporarily un-plugged ethernet, disabled my Avira Realtime anti-virus, script blocking and any anti-malware real-time protection before performing the scan.

    Running ComboFix: Double clicked on svchost.exe & followed the prompts.

    When ComboFix finishes, it will produce a report for you.
    Please post the "C:\Combo-Fix.txt" in your next reply.

    ComboFix 12-07-21.01 - zaphod 21/07/2012 18:22:01.1.2 - x86
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.3070.2236 [GMT 1:00]
    Running from: c:\users\zaphod\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\zaphod\AUTORUN.INF
    c:\windows\system32\7_param.dat
    c:\windows\system32\spsys.log
    c:\windows\system32\win.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-21 to 2012-07-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-21 17:26 . 2012-07-21 17:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-07-21 17:26 . 2012-07-21 17:26 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-20 17:13 . 2012-07-20 17:13 -------- d-----w- c:\program files\ESET
    2012-07-20 00:32 . 2012-07-20 00:32 14664 ----a-w- c:\windows\stinger.sys
    2012-07-20 00:31 . 2012-07-20 00:54 -------- d-----w- c:\program files\stinger
    2012-07-19 22:58 . 2012-07-19 22:58 -------- d-----w- c:\program files\Ask.com
    2012-07-19 22:58 . 2012-07-19 22:58 -------- d-----w- c:\users\zaphod\AppData\Local\APN
    2012-07-19 22:42 . 2012-07-20 17:58 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-07-11 18:21 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 18:19 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-07-11 18:19 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-07-11 18:19 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-07-11 18:19 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 18:19 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 18:18 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 18:18 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 18:18 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 18:18 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-08 20:41 . 2012-07-08 20:47 -------- d-----w- C:\maps
    2012-07-07 07:05 . 2012-07-13 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-07 07:05 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-03 20:50 . 2012-07-07 07:05 -------- d-----w- c:\users\zaphod\AppData\Roaming\Malwarebytes
    2012-07-03 20:50 . 2012-07-07 07:05 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-25 08:36 . 2012-06-25 08:36 -------- d-----w- c:\users\zaphod\AppData\Local\Macromedia
    2012-06-23 11:16 . 2012-07-21 08:38 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-06-23 11:16 . 2012-07-21 08:26 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
    2012-06-23 11:16 . 2012-07-21 08:26 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
    2012-06-23 11:16 . 2012-07-21 08:26 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-06-23 11:16 . 2012-07-21 08:26 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-20 01:00 . 2012-07-20 01:00 4926 ----a-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.zip
    2012-07-20 00:59 . 2012-07-20 00:59 4926 ----a-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.zip
    2012-06-25 06:37 . 2012-04-15 09:15 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-25 06:37 . 2011-05-23 07:51 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-21 15:57 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 15:57 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 15:57 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 15:57 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 15:57 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 15:57 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 15:57 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 14:19 . 2012-06-21 15:57 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:12 . 2012-06-21 15:57 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-19 15:42 . 2012-05-19 15:42 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-05-18 21:35 . 2012-05-18 21:35 249856 ------w- c:\windows\Setup1.exe
    2012-05-18 21:35 . 2012-05-18 21:35 73216 ----a-w- c:\windows\ST6UNST.EXE
    2012-05-15 06:37 . 2012-06-16 10:15 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 06:32 . 2012-06-16 10:15 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-15 06:32 . 2012-06-16 10:15 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-15 06:31 . 2012-06-16 10:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2012-05-15 06:31 . 2012-06-16 10:15 71680 ----a-w- c:\windows\system32\iesetup.dll
    2012-05-15 05:01 . 2012-06-16 10:15 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-15 03:26 . 2012-06-16 10:15 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-15 03:23 . 2012-06-16 10:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2012-05-08 16:37 . 2012-03-17 09:42 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-05-08 16:37 . 2012-03-17 09:42 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-05-01 14:03 . 2012-06-16 10:15 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-21 08:26 . 2011-04-30 22:14 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-20 1519824]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-06-20 12:18 1519824 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-20 1519824]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Radio Downloader"="c:\program files\Radio Downloader\Radio Downloader.exe" [2012-05-27 528352]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
    .
    c:\users\zaphod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    GpsGate.lnk - c:\program files\Franson\GpsGate 2.0\GpsGateXP.exe [2008-9-12 540672]
    Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2011-9-1 400352]
    RouterStatsLite.lnk - c:\routerstatslite\RouterStatsLite.exe [2011-9-11 1857024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
    2012-06-20 12:18 1568976 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ALSYSIO
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-24 12:28]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-24 12:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    TCP: DhcpNameServer = 212.139.132.6 212.74.112.67
    FF - ProfilePath - c:\users\zaphod\AppData\Roaming\Mozilla\Firefox\Profiles\vt926wag.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale=en_GB
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-21 18:26
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2112362465-2988664399-1861529408-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*©qh`Pÿ*€ß*]
    @Class="Shell"
    .
    [HKEY_USERS\S-1-5-21-2112362465-2988664399-1861529408-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*©qh`Pÿ*€ß*\OpenWithList]
    @Class="Shell"
    "a"="vlc.exe"
    "MRUList"="a"
    .
    Completion time: 2012-07-21 18:28:39
    ComboFix-quarantined-files.txt 2012-07-21 17:28
    .
    Pre-Run: 524,126,478,336 bytes free
    Post-Run: 524,133,240,832 bytes free
    .
    - - End Of File - - F1F4A3BEFF8EA169A48E619AF5E6B6B0
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download SuperAntiSpyware
    • Load SuperAntiSpyware and click the Check for updates button.
    • Once the update is finished click the Scan your computer button.
    • Check Perform Complete Scan and then next.
    • SuperAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
    • Make sure that they all have a check next to them and press next.
    • Click finish and you will be taken back to the main interface.
    • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
    • Copy and paste the log onto the forum.
     
  6. cessna729

    cessna729 TS Rookie Topic Starter

    Hi DragonMasterJay,
    Downloaded SuperAntiSpyware, updated it, and am running a COMPLETE SCAN as I type. Will post the log when finished.
    It's been running 1hr 20mins so far.
    cessna729.
     
  7. cessna729

    cessna729 TS Rookie Topic Starter

    Hi DragonMasterJay,
    SuperAntiSpyware completed its scan a few minutes later; here is the log:
    The 3 items it reported to have found went straight into quarantine. SUPERAntiSpyware then requested I re-boot my machine, so I'm posting this first before I re-boot; I'll report back when the re-boot is complete.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/23/2012 at 07:11 PM

    Application Version : 5.5.1012

    Core Rules Database Version : 8942
    Trace Rules Database Version: 6754

    Scan type : Complete Scan
    Total Scan Time : 01:18:46

    Operating System Information
    Windows Vista Ultimate 32-bit, Service Pack 2 (Build 6.00.6002)
    UAC On - Limited User (Administrator User)

    Memory items scanned : 641
    Memory threats detected : 0
    Registry items scanned : 36045
    Registry threats detected : 0
    File items scanned : 57723
    File threats detected : 3

    Trojan.Agent/Gen-Rimecud
    C:\NVIDIA\WINVISTA\174.20_VISTA\NVSVC.DLL

    Trojan.Agent/Gen-Toggle
    ZIP ARCHIVE( C:\USERS\ZAPHOD\DOWNLOADS\PYTHONSCRIPTSNETINSTALLER.ZIP )/PYTHONSCRIPTSNETINSTALLER.EXE
    C:\USERS\ZAPHOD\DOWNLOADS\PYTHONSCRIPTSNETINSTALLER.ZIP
     
  8. cessna729

    cessna729 TS Rookie Topic Starter

    Hi DragonMasterJay, It's me back again. After the re-boot, Windows started up ok, and SUPERAntiSpyware auto-updated itself, same program version but with a newer database, 8944, so I've just started the scan again. I'll be back in just over 1hr 30mins.
    Thanks again for your help.
    cessna729.
     
  9. cessna729

    cessna729 TS Rookie Topic Starter

    Hi DragonMasterJay, It's me back again,
    Re-ran SUPERAntiSpyware with the latest database Ver: 8944; here is the log file below:
    Though I think a few may be false-positives maybe? But I've quarantined them all, as SUPERAntiSpyware suggested, until you say otherwise.
    cessna729.
    ------------------------------------------------
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/23/2012 at 08:52 PM

    Application Version : 5.5.1012

    Core Rules Database Version : 8944
    Trace Rules Database Version: 6756

    Scan type : Complete Scan
    Total Scan Time : 01:20:40

    Operating System Information
    Windows Vista Ultimate 32-bit, Service Pack 2 (Build 6.00.6002)
    UAC On - Limited User (Administrator User)

    Memory items scanned : 640
    Memory threats detected : 0
    Registry items scanned : 36054
    Registry threats detected : 0
    File items scanned : 57935
    File threats detected : 37

    Adware.Tracking Cookie
    .doubleclick.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .revsci.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .revsci.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    ad.yieldmanager.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .atdmt.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .atdmt.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .ar.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    ad.yieldmanager.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .tribalfusion.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .interclick.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .interclick.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .tacoda.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .revsci.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .media6degrees.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .media6degrees.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
    .media6degrees.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    A bunch of cookies. LOL

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  11. cessna729

    cessna729 TS Rookie Topic Starter

    Hi Jay, Thanks, I've just started the ESET Online Scanner; I'll leave it running overnight. I'll update the logs in the morning.
    cessna729.
     
     
  12. cessna729

    cessna729 TS Rookie Topic Starter

    Morning Jay,
    ESET Online Scanner log.txt attached below.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=44596d48487b4a4a9002b5a3418d1fe3
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-07-20 08:43:03
    # local_time=2012-07-20 09:43:03 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1792 16777215 100 0 10830830 10830830 0 0
    # compatibility_mode=5892 16776638 100 95 43380915 180337406 0 0
    # compatibility_mode=8192 67108863 100 0 146 146 0 0
    # scanned=321146
    # found=3
    # cleaned=3
    # scan_time=12433
    C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Users\zaphod\Downloads\cnet_xav122_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Users\zaphod\Downloads\gridsoft trogenkiller.exe a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=44596d48487b4a4a9002b5a3418d1fe3
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-07-23 11:54:40
    # local_time=2012-07-24 12:54:40 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1792 16777215 100 0 11105552 11105552 0 0
    # compatibility_mode=5892 16776638 100 95 43655637 180612128 0 0
    # compatibility_mode=8192 67108863 100 0 274868 274868 0 0
    # scanned=320496
    # found=0
    # cleaned=0
    # scan_time=8407
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  14. cessna729

    cessna729 TS Rookie Topic Starter

    Hi DragonMasterJay, As I said in my first post: Just over 3 weeks ago now, while just browsing the net, my PC got infected with what appeared to be Metropolitan police ukash scareware. This locked my desktop, stopping me using the PC, and demanded $100 to "un-lock it". I managed to remove the "lock-down" using "safe mode", and scanned to remove any trace. Unfortunately I was daft enough to re-visit the same area of the net a few days later and my PC got re-infected. This time it stopped F8 working and disabled my Avira Anti-Virus, so it took me a bit longer to get my PC back (and I have re-installed and updated my Antivirus). This time I decided to call on the experts to make sure I had got all of the "little b*g*er".

    I have since figured out why it was so difficult to get back in the 2nd time: the "scareware" had set the system OS wait time to zero, so it wouldn't wait for F8, so you couldn't get into safe mode. All sorted now, I hope, 'cos I still don't know how the "little b*g*er" got onto my machine, because I never knowingly downloaded or ran any exe or com program. I was just browsing the net, watching movie clips; there was no warning, not a "peep" out of my firewall or antivirus, or any pop-up or anything asking me to click on it. All I noticed was the mouse cursor went to "busy" for a bit longer than normal, and up popped this screen saying Metropolitan police ukash "lock-down".

    Any who, to answer your questions, any issues seen since I removed the Metropolitan police ukash scareware the 2nd time:
    • Slow computer: NO
    • Error messages: NO
    • Fake antivirus alerts or the icon in the system tray: NO, just the SUPERAntiSpyware from post #5.
    • svchost.exe running at 100%: NO
    • System crashes or blue screen of death: NO.
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great! If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select the System Protection tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups section select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Please download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
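
    A scripted equivalent of the "new restore point, then purge the old ones" step above, added here as an example and not part of Jay's reply or of any tool named in this thread. It assumes an elevated PowerShell 2.0 or later prompt (built in from Windows 7; on Vista it has to be installed as part of the Windows Management Framework), that System Protection is enabled on C:, and that vssadmin.exe is present. Restore points on Vista and later are VSS shadow copies, which is why vssadmin can count and delete them; the drive letter and the "Clean" description are the only values chosen for this example.

```powershell
# Added example, not code from the thread: create a known-good restore point,
# then delete every older one, the way Disk Cleanup > More Options >
# "System Restore and Shadow Copies" > Clean up does (it keeps only the newest).
# Assumptions: elevated PowerShell 2.0+, System Protection enabled on $Drive,
# vssadmin.exe available. Run as-is only after the machine is believed clean.

$Drive = 'C:'   # assumed system drive

# Count the shadow copies (restore points) currently held for the drive.
# Each one shows up in "vssadmin list shadows" as a "Shadow Copy ID: {GUID}" line.
function Get-ShadowCount {
    param([string]$ForDrive)
    $listing = & vssadmin.exe list shadows /for=$ForDrive 2>&1
    return @($listing | Select-String -Pattern 'Shadow Copy ID:').Count
}

Write-Host ("Restore points on {0} before cleanup: {1}" -f $Drive, (Get-ShadowCount $Drive))

# 1. Create the known-good point FIRST so that it is the newest shadow copy
#    and therefore the one the purge loop below keeps.
Checkpoint-Computer -Description 'Clean' -RestorePointType MODIFY_SETTINGS

# 2. Delete the oldest shadow copy until exactly one (the "Clean" point) remains.
#    /oldest removes a single copy per call, so loop on the live count rather
#    than using /all, which would also destroy the point just created.
while ((Get-ShadowCount $Drive) -gt 1) {
    & vssadmin.exe delete shadows /for=$Drive /oldest /quiet | Out-Null
}

Write-Host ("Restore points on {0} after cleanup: {1}" -f $Drive, (Get-ShadowCount $Drive))

# Show what survived; only the "Clean" point should be listed.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
```

    Two caveats before running it. The old restore points are also the only snapshots that still contain the scareware's files from before the clean-up; if anyone wants to find out what actually hit the machine, copy the samples out of a snapshot (or export ComboFix's quarantine) before the loop deletes them. And on Windows 8 and later Checkpoint-Computer will refuse to create a second point within 24 hours of the previous one, so on those versions check the Get-ComputerRestorePoint output to confirm the "Clean" point really exists before purging the rest.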
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     

