Inactive Metropolitan police ukash scareware, is my PC clean now?

cessna729

Just found this Tech Support site after the event, but hope you can help. :)
Just over 2 weeks ago, I was browsing the net, when all of a sudden my PC is "locked-down" and I'm informed I have to pay 100 big ones to get it unlocked :( I managed to get into safe mode using F8 and was able to remove an exe file in the roaming/temp folder, and revert to an earlier restore point, re-booted, got back to Windows Vista ok and ran a full virus scan and installed Malwarebytes (which said no infection found). Then 2 days ago, I was browsing the net and guess what!! same thing again, PC is "locked-down" and I'm informed I have to pay 100 big ones to get it unlocked. "Will I never learn!!" or figure I should change my browsing habits!! This time F8 didn't work, and my Avira anti-virus had been disabled/killed so I had to use the Alienware backup DVD to revert to an earlier restore point, then re-install Avira and ran Malwarebytes to get back to normal Windows Vista.

It was only then that I found your great web site https://www.techspot.com/community/forums/virus-and-malware-removal.28/ and have tried to follow your UPDATED 5-step Viruses/Spyware/Malware Preliminary Removal Instructions. I've also installed Avira "web protection" to improve my browsing habits ;)

So I need your expert help, is my PC clean now?


Step 1: Antivirus scanning
Avira Free Antivirus 2012 Realtime protection running, Web protection Active (Last update 20/07/2012).
--------------------------------------------

Step 2: Malwarebytes Anti-Malware
Downloaded, updated Performed Full scan.

log pasted:
---
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.20.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19272
zaphod :: ALX [administrator]

20/07/2012 17:11:01
mbam-log-2012-07-20 (17-11-01).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 482206
Time elapsed: 3 hour(s), 57 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
--------------------------------------------

Step 3: GMER
Downloaded, disconnected ethernet cable from PC, closed all running progs, temporarily disabled Avira Free 2012 Realtime protection and ran GMER.exe.
gmer.exe has stopped working,
Problem signature:
Problem Event Name: APPCRASH
Application Name: gmer.exe
Application Version: 1.0.15.15641
Application Timestamp: 4e21f2b1
Fault Module Name: gmer.exe
Fault Module Version: 1.0.15.15641
Fault Module Timestamp: 4e21f2b1
Exception Code: c0000005
Exception Offset: 0000c676
OS Version: 6.0.6002.2.2.0.256.1
Locale ID: 2057
Additional Information 1: 4254
Additional Information 2: fe2c75f8e1cb8e4ac132f386ef457bf0
Additional Information 3: ee4d
Additional Information 4: 3ecfdc723e6b34047eef7acd3cf23e4f

closed prog.

GMER refuses to run, tried again, UN-checked "Devices" in right pane.
Left running over night.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-21 06:33:39
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005e NVIDIA__ rev.
Running: gmer.exe; Driver: C:\Users\zaphod\AppData\Local\Temp\pxldrpow.sys


---- System - GMER 1.0.15 ----

SSDT 8C5FB766 ZwCreateSection
SSDT 8C5FB770 ZwRequestWaitReplyPort
SSDT 8C5FB76B ZwSetContextThread
SSDT 8C5FB775 ZwSetSecurityObject
SSDT 8C5FB77A ZwSystemDebugControl
SSDT 8C5FB707 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 215 81EB68D8 4 Bytes [66, B7, 5F, 8C]
.text ntkrnlpa.exe!KeSetEvent + 539 81EB6BFC 4 Bytes [70, B7, 5F, 8C]
.text ntkrnlpa.exe!KeSetEvent + 56D 81EB6C30 4 Bytes [6B, B7, 5F, 8C]
.text ntkrnlpa.exe!KeSetEvent + 5D1 81EB6C94 4 Bytes [75, B7, 5F, 8C]
.text ntkrnlpa.exe!KeSetEvent + 619 81EB6CDC 4 Bytes [7A, B7, 5F, 8C]
.text ...
? C:\Users\zaphod\AppData\Local\Temp\ALSysIO.sys The system cannot find the file specified. !
? C:\Users\zaphod\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----
-------------------------

Step 4: DDS
Ran dds.scr, logs pasted below.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 10.4.1
Run by zaphod at 7:19:09 on 2012-07-21
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.3070.1749 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\werfault.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = about:blank
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Radio Downloader] "c:\program files\radio downloader\Radio Downloader.exe" /hidemainwindow
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [<NO NAME>]
StartupFolder: c:\users\zaphod\appdata\roaming\micros~1\windows\startm~1\programs\startup\gpsgate.lnk - c:\program files\franson\gpsgate 2.0\GpsGateXP.exe
StartupFolder: c:\users\zaphod\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\users\zaphod\appdata\roaming\micros~1\windows\startm~1\programs\startup\router~1.lnk - c:\routerstatslite\RouterStatsLite.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 212.139.132.6 212.74.112.67
TCP: Interfaces\{26783D5D-28E4-4D4E-BB12-5AD4317EA9FF} : DhcpNameServer = 212.139.132.6 212.74.112.67
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\zaphod\appdata\roaming\mozilla\firefox\profiles\vt926wag.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale=en_GB
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10401&locale=en_GB&apn_uid=a300e5d3-68b2-4618-a3b0-fb5435561f7c&apn_ptnrs=^ABZ&apn_sauid=5A09183C-8FBE-4BA6-9BE8-1AE89B6F5AD2&apn_dtid=^YYYYYY^YY^GB&&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\joystick plugin\npjoystick.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npjoystick.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-17 36000]
R1 bizVSerial;Franson VSerial;c:\windows\system32\drivers\bizVSerialNT.sys [2006-4-3 14949]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2012-4-27 158512]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2012-4-27 91952]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-17 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-17 110032]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2012-3-17 465360]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-17 83392]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-5-19 2348352]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-2-29 382272]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2012-4-12 104752]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2012-4-12 116016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-24 136176]
S3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S3 FGYB;FGYB;c:\users\zaphod\appdata\local\temp\fgyb.exe --> c:\users\zaphod\appdata\local\temp\FGYB.exe [?]
S3 Franson GpsGate 2.0;Franson GpsGate 2.0;c:\program files\franson\gpsgate 2.0\GpsGateService.exe [2008-9-12 258048]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-24 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-23 113120]
S3 TfBulk;TfBulk;c:\windows\system32\drivers\TfBulk.SYS [2007-5-31 13312]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-4 16128]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-4-12 82736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-20 17:13:25 -------- d-----w- c:\program files\ESET
2012-07-20 00:32:32 14664 ----a-w- c:\windows\stinger.sys
2012-07-20 00:31:54 -------- d-----w- c:\program files\stinger
2012-07-19 22:58:43 -------- d-----w- c:\program files\Ask.com
2012-07-19 22:58:37 -------- d-----w- c:\users\zaphod\appdata\local\APN
2012-07-19 22:42:24 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-07-11 18:21:17 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 18:19:02 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-11 18:19:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-11 18:19:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-11 18:19:00 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 18:19:00 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 18:18:59 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 18:18:58 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 18:18:58 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 18:18:58 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-08 20:41:04 -------- d-----w- C:\maps
2012-07-07 07:05:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-07 07:05:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-03 20:50:20 -------- d-----w- c:\users\zaphod\appdata\roaming\Malwarebytes
2012-07-03 20:50:19 -------- d-----w- c:\programdata\Malwarebytes
2012-06-25 08:36:33 -------- d-----w- c:\users\zaphod\appdata\local\Macromedia
2012-06-23 11:16:06 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-06-23 11:16:04 157608 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-06-23 11:16:04 113120 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-06-23 11:16:03 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-23 11:16:03 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-21 15:57:52 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 15:57:39 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 15:57:36 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 15:57:36 171904 ----a-w- c:\windows\system32\wuwebv.dll
.
==================== Find3M ====================
.
2012-06-25 06:37:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-25 06:37:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-19 15:42:29 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-18 21:35:06 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-05-18 21:35:06 249856 ------w- c:\windows\Setup1.exe
2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-08 16:37:03 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 7:19:31.35 ===============
---------------

Attach.txt pasted:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 03/03/2011 22:47:44
System Uptime: 20/07/2012 17:07:35 (14 hours ago)
.
Motherboard: ELITEGROUP COMPUTER SYSTEM CO.,LTD. | | NFORCE6M-A
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | Socket AM2 | 3000/201mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 924 GiB total, 488.452 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.0)
Amazon Kindle
Ask Toolbar
Aspell English Dictionary-0.50-2
Audacity 1.3.13 (Unicode)
Avira Free Antivirus
Avira SearchFree Toolbar plus Web Protection Updater
CCleaner
Core Temp version 0.99.8
Data Parse
EasyNavs version 3.02
ESET Online Scanner v3
Franson GpsGate 2.6
Free Download Manager 3.0
Garmin GTN Trainer Lite
Global Mapper 13
GNS400W-500W Trainer
GNU Aspell 0.50-3
Google Chrome
Google Earth
Google Earth Plug-in
Google Update Helper
HNavDBEditor version 3.02
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Java Auto Updater
Java(TM) 6 Update 31
Java(TM) 7 Update 4
JavaFX 2.1.0
Joystick Plug-in
JRollon Planes CRJ-200 version 1.4.0
K-Lite Mega Codec Pack 7.7.8
Kml Builder
Log Parser 2.2
Log Parser Lizard
Malwarebytes Anti-Malware version 1.62.0.1300
Media Player Classic - Home Cinema v1.5.2.3456
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Flight Simulator SimConnect Client v10.0.61259.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Movica
Mozilla Firefox 13.0.1 (x86 en-GB)
Mozilla Maintenance Service
Mozilla Thunderbird 13.0.1 (x86 en-GB)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My MP4Box GUI 0.5.5.4
Navigraph nDAC 3
Notepad++
NVIDIA 3D Vision Controller Driver 296.10
NVIDIA 3D Vision Driver 296.10
NVIDIA Control Panel 296.10
NVIDIA Graphics Driver 296.10
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0213
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.7.11
NVIDIA Update Components
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
Oracle VM VirtualBox 4.1.14
Plan-G
PROCIO
Python 2.7.2
Radio Downloader
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SimConnect Config Tool
SkyView2
SonicStage 4.3
Topfield Tools
Trojan Killer
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 2.0.2
Windows Grep 2.3
WinHTTrack Website Copier 3.44-1
WinRAR 4.01 (32-bit)
XPS Annotator 1.22
.
==== Event Viewer Messages From Past Week ========
.
20/07/2012 17:07:54, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 0019212F521E has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
20/07/2012 01:57:42, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr bizVSerial spldr ssmdrv VBoxDrv VBoxUSBMon Wanarpv6
20/07/2012 01:57:42, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
20/07/2012 01:56:39, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
20/07/2012 01:56:31, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
19/07/2012 23:30:40, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 306 (0x132).
17/07/2012 18:30:50, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{26783D5D-28E4-4D4E-BB12-5AD4317EA9FF} because another computer on the network has the same name. The server could not start.
14/07/2012 08:52:36, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
.
==== End Of File ===========================

Re-enabled Anti-virus and re-connected to internet.
-----------------

Step 5: Log Handling.
Posting logs as requested.
Thanks for any help, I'm just disappointed I didn't find your site first, two weeks ago.
cessna729.
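As an added example (not code from this thread, from the DDS tool, or from TechSpot), here is a small Python triage script for the DDS "SERVICES / DRIVERS" lines in the format posted above. It parses the `status name;display;path [date size]` layout and flags entries like the `S3 FGYB` one: a service whose binary sits in a user temp folder and for which DDS recorded no date/size. Reading `[?]` as "file not found on disk" and the short all-caps name rule are heuristics assumed here, not documented DDS behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four lines copied from the DDS "SERVICES / DRIVERS"
# section of the post above (raw string so the backslashes stay literal).
SAMPLE_LOG = r"""
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-17 36000]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-2-29 382272]
S3 FGYB;FGYB;c:\users\zaphod\appdata\local\temp\fgyb.exe --> c:\users\zaphod\appdata\local\temp\FGYB.exe [?]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-4 16128]
"""

# One DDS service/driver line: "<status> <name>;<display name>;<path> [<date> <size>]"
# or "... <path> --> <resolved path> [?]" when no file date/size was recorded.
LINE_RE = re.compile(
    r"^(?P<status>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
META_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$")

# Directories a legitimate service or driver binary should not live in
# (lower-cased substrings matched against the lower-cased path).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Entry:
    status: str      # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str        # last path on the line (the resolved one after "-->")
    meta: str        # "<date> <size>", or "?" when DDS recorded nothing
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS service line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mm = META_RE.match(m.group("rest"))
    if not mm:
        return None
    # "a.exe --> B.exe" shows DDS following the ImagePath to a file;
    # keep the resolved (right-hand) path for the checks below.
    path = mm.group("path").split(" --> ")[-1].strip()
    return Entry(m.group("status"), m.group("name"), m.group("display"),
                 path, mm.group("meta").strip())


def check(entry: Entry) -> Entry:
    """Attach triage flags to an entry; the caller decides what to do with them."""
    low = entry.path.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        entry.flags.append("binary lives in a temp directory")
    if entry.meta == "?":
        # Assumption: "[?]" means DDS could not stat the file (missing on disk).
        entry.flags.append("no file date/size recorded (file missing on disk)")
    if entry.name == entry.display and len(entry.name) <= 5 and entry.name.isupper():
        # Weak heuristic: short random-looking all-caps names such as FGYB.
        entry.flags.append("short all-caps generated-looking service name")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that tripped at least one flag."""
    suspects = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and check(entry).flags:
            suspects.append(entry)
    return suspects


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.status} {e.name}: {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against a full DDS log the same way; the script only reports entries that trip a flag, so a clean machine prints nothing.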
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above), but download it again, and this time rename
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
Hi dragonmasterJ, thanks for helping, currently running ComboFix on my infected PC (I borrowed this laptop to post this). Will post when ComboFix is finished & I can re-enable antivirus etc., as per your instructions.
Thanks again
cessna729
 
Hi DragonMasterJay, Back online. Once I received your post, I did as requested, and didn't make any more changes to my PC without you telling me. One slight problem is that after ComboFix finished and created the log.txt, all the program shortcuts on my desktop stopped working, so I had to re-start Windows to be able to post this from my PC. I have now re-enabled Real Time antivirus.

ComboFix downloaded, re-named to svchost.exe & saved on desktop.
Closed open browsers, temporarily un-plugged ethernet, disabled my Avira Realtime anti-virus, script blocking and any anti-malware real-time protection before performing the scan.

Running ComboFix: Double clicked on svchost.exe & followed the prompts.

When ComboFix finishes, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" in your next reply.

ComboFix 12-07-21.01 - zaphod 21/07/2012 18:22:01.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.3070.2236 [GMT 1:00]
Running from: c:\users\zaphod\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\zaphod\AUTORUN.INF
c:\windows\system32\7_param.dat
c:\windows\system32\spsys.log
c:\windows\system32\win.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-06-21 to 2012-07-21 )))))))))))))))))))))))))))))))
.
.
2012-07-21 17:26 . 2012-07-21 17:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-21 17:26 . 2012-07-21 17:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-20 17:13 . 2012-07-20 17:13 -------- d-----w- c:\program files\ESET
2012-07-20 00:32 . 2012-07-20 00:32 14664 ----a-w- c:\windows\stinger.sys
2012-07-20 00:31 . 2012-07-20 00:54 -------- d-----w- c:\program files\stinger
2012-07-19 22:58 . 2012-07-19 22:58 -------- d-----w- c:\program files\Ask.com
2012-07-19 22:58 . 2012-07-19 22:58 -------- d-----w- c:\users\zaphod\AppData\Local\APN
2012-07-19 22:42 . 2012-07-20 17:58 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-07-11 18:21 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 18:19 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-11 18:19 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-11 18:19 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-11 18:19 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 18:19 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 18:18 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 18:18 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 18:18 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 18:18 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-08 20:41 . 2012-07-08 20:47 -------- d-----w- C:\maps
2012-07-07 07:05 . 2012-07-13 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-07 07:05 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 20:50 . 2012-07-07 07:05 -------- d-----w- c:\users\zaphod\AppData\Roaming\Malwarebytes
2012-07-03 20:50 . 2012-07-07 07:05 -------- d-----w- c:\programdata\Malwarebytes
2012-06-25 08:36 . 2012-06-25 08:36 -------- d-----w- c:\users\zaphod\AppData\Local\Macromedia
2012-06-23 11:16 . 2012-07-21 08:38 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-06-23 11:16 . 2012-07-21 08:26 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-06-23 11:16 . 2012-07-21 08:26 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-06-23 11:16 . 2012-07-21 08:26 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-23 11:16 . 2012-07-21 08:26 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-20 01:00 . 2012-07-20 01:00 4926 ----a-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.zip
2012-07-20 00:59 . 2012-07-20 00:59 4926 ----a-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.zip
2012-06-25 06:37 . 2012-04-15 09:15 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-25 06:37 . 2011-05-23 07:51 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-21 15:57 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 15:57 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 15:57 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 15:57 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 15:57 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 15:57 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 15:57 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-21 15:57 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:12 . 2012-06-21 15:57 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-19 15:42 . 2012-05-19 15:42 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-18 21:35 . 2012-05-18 21:35 249856 ------w- c:\windows\Setup1.exe
2012-05-18 21:35 . 2012-05-18 21:35 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-05-15 06:37 . 2012-06-16 10:15 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32 . 2012-06-16 10:15 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32 . 2012-06-16 10:15 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31 . 2012-06-16 10:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31 . 2012-06-16 10:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01 . 2012-06-16 10:15 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26 . 2012-06-16 10:15 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23 . 2012-06-16 10:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-08 16:37 . 2012-03-17 09:42 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-08 16:37 . 2012-03-17 09:42 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-01 14:03 . 2012-06-16 10:15 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-21 08:26 . 2011-04-30 22:14 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-20 1519824]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-06-20 12:18 1519824 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-20 1519824]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Radio Downloader"="c:\program files\Radio Downloader\Radio Downloader.exe" [2012-05-27 528352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
.
c:\users\zaphod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
GpsGate.lnk - c:\program files\Franson\GpsGate 2.0\GpsGateXP.exe [2008-9-12 540672]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2011-9-1 400352]
RouterStatsLite.lnk - c:\routerstatslite\RouterStatsLite.exe [2011-9-11 1857024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2012-06-20 12:18 1568976 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALSYSIO
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-24 12:28]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-24 12:28]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 212.139.132.6 212.74.112.67
FF - ProfilePath - c:\users\zaphod\AppData\Roaming\Mozilla\Firefox\Profiles\vt926wag.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale=en_GB
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-21 18:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2112362465-2988664399-1861529408-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*©qh`Pÿ*€ß*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-2112362465-2988664399-1861529408-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*©qh`Pÿ*€ß*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
Completion time: 2012-07-21 18:28:39
ComboFix-quarantined-files.txt 2012-07-21 17:28
.
Pre-Run: 524,126,478,336 bytes free
Post-Run: 524,133,240,832 bytes free
.
- - End Of File - - F1F4A3BEFF8EA169A48E619AF5E6B6B0
 
Download SuperAntiSpyware
  • Load SuperAntiSpyware and click the Check for updates button.
  • Once the update is finished click the Scan your computer button.
  • Check Perform Complete Scan and then next.
  • SuperAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.
 
Hi DragonMasterJay,
Downloaded SuperAntiSpyware, updated it, and am running a Complete Scan as I type. Will post the log when it's finished.
It's been running 1hr 20mins so far.
cessna729.
 
Hi DragonMasterJay,
SuperAntiSpyware completed its scan a few minutes later; here is the log:
The 3 items it reported to have found went straight into quarantine. SUPERAntiSpyware then requested I re-boot my machine, so I'm posting this first before I re-boot; I'll report back when the re-boot is complete.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/23/2012 at 07:11 PM

Application Version : 5.5.1012

Core Rules Database Version : 8942
Trace Rules Database Version: 6754

Scan type : Complete Scan
Total Scan Time : 01:18:46

Operating System Information
Windows Vista Ultimate 32-bit, Service Pack 2 (Build 6.00.6002)
UAC On - Limited User (Administrator User)

Memory items scanned : 641
Memory threats detected : 0
Registry items scanned : 36045
Registry threats detected : 0
File items scanned : 57723
File threats detected : 3

Trojan.Agent/Gen-Rimecud
C:\NVIDIA\WINVISTA\174.20_VISTA\NVSVC.DLL

Trojan.Agent/Gen-Toggle
ZIP ARCHIVE( C:\USERS\ZAPHOD\DOWNLOADS\PYTHONSCRIPTSNETINSTALLER.ZIP )/PYTHONSCRIPTSNETINSTALLER.EXE
C:\USERS\ZAPHOD\DOWNLOADS\PYTHONSCRIPTSNETINSTALLER.ZIP
 
Hi DragonMasterJay, It's me back again. After the re-boot, Windows started up OK, and SUPERAntiSpyware auto-updated itself, same program version but with a newer database, 8944, so I've just started the scan again, so I'll be back in just over 1hr 30mins.
Thanks again for your help.
cessna729.
 
Hi DragonMasterJay, It's me back again,
Re-ran SUPERAntiSpyware with the latest database Ver: 8944; here is the log file below:
Though I think a few may be false positives, maybe? But I've quarantined them all as SUPERAntiSpyware suggested until you say otherwise.
cessna729.
------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/23/2012 at 08:52 PM

Application Version : 5.5.1012

Core Rules Database Version : 8944
Trace Rules Database Version: 6756

Scan type : Complete Scan
Total Scan Time : 01:20:40

Operating System Information
Windows Vista Ultimate 32-bit, Service Pack 2 (Build 6.00.6002)
UAC On - Limited User (Administrator User)

Memory items scanned : 640
Memory threats detected : 0
Registry items scanned : 36054
Registry threats detected : 0
File items scanned : 57935
File threats detected : 37

Adware.Tracking Cookie
.doubleclick.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
ad.yieldmanager.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.atdmt.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.atdmt.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.ar.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
ad.yieldmanager.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.tribalfusion.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.interclick.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.interclick.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.at.atwola.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.tacoda.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\USERS\ZAPHOD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VT926WAG.DEFAULT\COOKIES.SQLITE ]
 
A bunch of cookies. LOL

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Hi Jay, Thanks, I've just started the ESET Online Scanner; I'll leave it running overnight. I'll update the logs in the morning.
cessna729.
 
Morning Jay,
ESET Online Scanner log.txt attached below.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=44596d48487b4a4a9002b5a3418d1fe3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-20 08:43:03
# local_time=2012-07-20 09:43:03 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1792 16777215 100 0 10830830 10830830 0 0
# compatibility_mode=5892 16776638 100 95 43380915 180337406 0 0
# compatibility_mode=8192 67108863 100 0 146 146 0 0
# scanned=321146
# found=3
# cleaned=3
# scan_time=12433
C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\zaphod\Downloads\cnet_xav122_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\zaphod\Downloads\gridsoft trogenkiller.exe a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=44596d48487b4a4a9002b5a3418d1fe3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-23 11:54:40
# local_time=2012-07-24 12:54:40 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1792 16777215 100 0 11105552 11105552 0 0
# compatibility_mode=5892 16776638 100 95 43655637 180612128 0 0
# compatibility_mode=8192 67108863 100 0 274868 274868 0 0
# scanned=320496
# found=0
# cleaned=0
# scan_time=8407
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
Hi DragonMasterJay, As I said in my first post: Just over 3 weeks ago now, while just browsing the net, my PC got infected with what appeared to be Metropolitan police ukash scareware. This locked my desktop, stopping me using the PC, and demanded $100 to "un-lock it". I managed to remove the "lock-down" using "safe mode", and scanned to remove any trace. Unfortunately I was daft enough to re-visit the same area of the net a few days later and my PC got re-infected. This time it stopped F8 working and disabled my Avira Anti-Virus, so it took me a bit longer to get my PC back (and I have re-installed and updated my Antivirus). This time I decided to call on the experts to make sure I had got all of the "little b*g*er". I have since figured out why it was so difficult to get back in the 2nd time: because the "scareware" had set the system OS wait time to zero, so it wouldn't wait for F8, so you couldn't get into safe mode. All sorted now, I hope, 'cos I still don't know how the "little b*g*er" got onto my machine, because I never knowingly downloaded or ran any exe or com program. I was just browsing the net, watching movie clips; there was no warning, not a "peep" out of my firewall or antivirus, or any pop-up or anything asking me to click on it. All I noticed was the mouse cursor went to "busy" for a bit longer than normal, and up popped this screen saying Metropolitan police ukash "lock-down".

Anyhow, to answer your questions, any issues seen since I removed Metropolitan police ukash scareware the 2nd time:
  • Slow computer ......................................................................NO
  • Error messages ....................................................................NO
  • Fake antivirus alerts or the icon in the system tray...............NO, just the SUPERANTISpyware from post #5.
  • svchost.exe running at 100%.................................................NO
  • System crashes or blue screen of death...............................NO.
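
The boot-menu timeout check and the autostart review that the post above points at, as an added example that is not part of the thread and not code from ComboFix, Avira or any other tool mentioned. It assumes Windows Vista or later, PowerShell 2.0 or newer and an elevated prompt (bcdedit needs admin rights); the -Restore switch and the function names are the script's own. It lists the same locations ComboFix printed under "Reg Loading Points" (Run keys, BHOs, Startup folders) and also compares the Winlogon Shell and Userinit values against their Vista defaults, since those are the values a desktop locker would change to replace explorer.exe:

```powershell
# Added example, not part of the thread: read the boot-menu timeout the post
# above describes, list the autostart locations ComboFix reported, and check
# the Winlogon Shell/Userinit values against their defaults.
# Assumes Windows Vista or later with PowerShell 2.0+, run elevated.
# The -Restore switch and all function names are this script's own.
param([switch]$Restore)

function Get-BootTimeout {
    # bcdedit prints "timeout   <seconds>" in the {bootmgr} entry; 0 skips the
    # boot menu. Returns $null if the BCD store cannot be read (not elevated).
    $lines = bcdedit /enum '{bootmgr}' 2>$null
    foreach ($l in $lines) {
        if ($l -match '^\s*timeout\s+(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-RunEntries {
    # Same per-user and machine Run/RunOnce keys ComboFix lists.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Location = $k; Name = $name; Command = [string]$item.GetValue($name)
            }
        }
    }
}

function Get-BrowserHelperObjects {
    # BHO CLSIDs live under Explorer\Browser Helper Objects; the DLL path is
    # the default value of that CLSID's InprocServer32 key.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) { $dll = [string](Get-Item $server).GetValue('') }
        New-Object PSObject -Property @{ Location = 'BHO'; Name = $clsid; Command = $dll }
    }
}

function Get-StartupShortcuts {
    # Per-user and all-users Startup folders; -Force also lists hidden files.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem $f -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{ Location = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-WinlogonValues {
    # Defaults on Vista/7: Shell = explorer.exe and
    # Userinit = <windir>\system32\userinit.exe,  (the trailing comma is normal).
    $wl = Get-Item 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = (Join-Path $env:windir 'system32\userinit.exe') + ','
    }
    foreach ($name in $expected.Keys) {
        $actual = [string]$wl.GetValue($name)
        New-Object PSObject -Property @{
            Name = $name; Actual = $actual; Expected = $expected[$name]
            OK = ($actual -eq $expected[$name])   # -eq is case-insensitive
        }
    }
}

$timeout = Get-BootTimeout
if ($timeout -eq $null) { Write-Warning 'Could not read the BCD timeout; run this elevated.' }
else { Write-Host ("Boot menu timeout: {0} s" -f $timeout) }
if ($Restore -and $timeout -ne $null -and $timeout -lt 30) {
    bcdedit /timeout 30 | Out-Null      # same setting as "Time to display list of operating systems"
    Write-Host 'Timeout set back to 30 s.'
}

@(Get-RunEntries) + @(Get-BrowserHelperObjects) + @(Get-StartupShortcuts) |
    Format-Table Location, Name, Command -AutoSize -Wrap
Get-WinlogonValues | Format-Table Name, Actual, Expected, OK -AutoSize
```

Run it once without -Restore to see the current values. A Run entry or Startup shortcut you did not create, a BHO DLL outside Program Files, or a Winlogon row with OK = False is what to look at next; on the ComboFix log above every Run entry and BHO resolves to a known program, which is the result a clean machine should give.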
 
Great! If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, e.g. C
  • For a few moments the system will make some calculations:
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
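
The "create a new restore point, then purge the old ones" step above, plus a basic temp-file purge, done from an elevated PowerShell prompt. This is an added example, not part of the thread and not code from OTC, TFC or Disk Cleanup; it assumes Windows Vista or later with PowerShell 2.0 or newer and the Volume Shadow Copy service enabled, and the -Drive parameter and function names are the script's own:

```powershell
# Added example, not part of the thread: new restore point, then delete the
# older shadow copies (which on Vista are the old restore points), then purge
# the Temp folders. Assumes Windows Vista+ with PowerShell 2.0+, run elevated.
# The -Drive parameter and the function names are this script's own.
param([string]$Drive = 'C:')

function New-CleanRestorePoint {
    # Creates the restore point the GUI steps above call "Clean" (client Windows only).
    Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'
}

function Get-ShadowCopyCount {
    # vssadmin lists each shadow copy on the volume as a "Shadow Copy ID: {guid}" line.
    $out = vssadmin list shadows "/for=$Drive" 2>$null
    return @($out | Where-Object { $_ -match 'Shadow Copy ID:' }).Count
}

function Remove-OldShadowCopies {
    # Disk Cleanup's "System Restore and Shadow Copies" button keeps only the
    # most recent restore point. Do the same by deleting the oldest shadow copy
    # one at a time until a single one (the new 'Clean' point) remains. Like the
    # GUI step, this also removes "Previous Versions" data for the volume.
    $count = Get-ShadowCopyCount
    while ($count -gt 1) {
        vssadmin delete shadows "/for=$Drive" /oldest /quiet | Out-Null
        $after = Get-ShadowCopyCount
        if ($after -ge $count) {
            Write-Warning 'Shadow copy deletion made no progress; run this elevated.'
            break
        }
        $count = $after
    }
    return $count
}

function Clear-TempFolders {
    # Rough equivalent of TFC for the user and system Temp folders; files that
    # are in use are skipped rather than aborting the run.
    $targets = @($env:TEMP, (Join-Path $env:windir 'Temp'))
    foreach ($t in $targets) {
        if (-not (Test-Path $t)) { continue }
        Get-ChildItem $t -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

New-CleanRestorePoint
$left = Remove-OldShadowCopies
Write-Host ("Shadow copies left on {0}: {1}" -f $Drive, $left)
Clear-TempFolders
Write-Host 'Temp folders purged; reboot so Windows can release anything still in use.'
```

The ordering matters: the new point must exist before the purge, otherwise deleting the oldest copy until one remains would leave an infected point behind. Create the point first, confirm the count printed at the end is 1, then reboot.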
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 