Virus that I can't get rid off

Inactive
By sarahitalia
Dec 18, 2012
  1. I am trying to get rid of a virus on my hp vista laptop. The virus does not let me open any anti virus software, or restore it. I have it on safe mode currently, but if I try to turn it on in normal mode it lets me sign in and then it flashes up a blue screen for 1 second and then switches back off. I have tried in system to set the laptop to not automatically restart when this screen shows but it still always does it.
    I have run various online scans which have not found any viruses, however I managed to download and run Malwarebytes and this showed 8 trojans which I then deleted and restarted my laptop. It made no changes however and now my laptop isn't allowing me to open Malwarebytes even in safe mode. I have tried to do a restore in safe mode by typing various commands into a black box but it just came up with an error and would not allow me to restore at all. I seem to be able to browse okay in safe mode but there is clearly still a virus evident.
    Anyone have any ideas?
  2. Broni

    Broni Malware Annihilator Posts: 45,159   +242

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. sarahitalia

    sarahitalia Newcomer, in training Topic Starter

    Great, thanks!
    The Malwarebytes log:
    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.12.19.06
    Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.19019
    tino :: TINO-PC [administrator]
    16/12/2012 16:14:58
    mbam-log-2012-12-16 (16-14-58).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 215479
    Time elapsed: 6 minute(s), 11 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|Zango 10.3.84.0 (Adware.Zango) -> Data: -> Quarantined and deleted successfully.
    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
    Then DDS:
    DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
    Internet Explorer: 8.0.6001.19019
    Run by tino at 16:27:44 on 2012-12-16
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1007 [GMT 0:00]
    .
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: AOL Toolbar Launcher: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-gb\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76} : DHCPNameServer = 192.168.0.1
    TCP: Interfaces\{B75CAFCD-4EC2-4E3E-96AA-B4A38B754BA9} : DHCPNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs= c:\progra~1\google\google~2\GOEC62~1.DLL
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\tino\appdata\roaming\mozilla\firefox\profiles\74e3fu9e.default\
    FF - prefs.js: browser.startup.homepage - 0\r\nFind friends\r\nFriend requests\r\n\r\n * No new requests.\r\n\r\nSee all friend requests\r\n0\r\nSend a new message\r\nMessages\r\n\r\n *\r\n Julie Brand Pirie\r\n (no subject) Hi Clair hope your alll well my number is 07799545853 house 01592 722240 and...\r\n on Wednesday\r\n *\r\n Laura Docherty\r\n (no subject) thanks hun xx\r\n last Saturday\r\n *\r\n Sarah Forno\r\n (no subject) Me - 07545546930 Gem - 07736049300\r\n last Saturday\r\n *\r\n Amanda Pilon\r\n (no subject) Oh sorry I couldve done wi the £ too but wouldve taken me an hour of rushin t...\r\n last Saturday\r\n *\r\n Alyson\r\n £20 to spend at ASOS I've got it too. Time to go shopping lol\r\n about a week ago\r\n\r\nSee all messages 8 unread\r\n0\r\nNotifications\r\n\r\n *\r\n Charlene LJ Short, Pamela Blyth and 2 other friends also commented on Laine Mcbay's photo.\r\n 38 minutes ago\r\n *\r\n Louise Hildreth, Kathy Milligan ╱ Easton and 32 other friends like your status.\r\n 8 hours ago\r\n *\r\n Sheila Tasker and Kireana Mackay sent you requests in Causes.\r\n 13 hours ago\r\n *\r\n Carole Docherty, Laura Docherty and 5 other friends commented on your status.\r\n 21 hours ago\r\n *\r\n Terri Logie posted on your Wall.\r\n on Friday\r\n\r\nSee all notifications\r\nSearch\r\n\r\n *\r\n * Home\r\n * Profile\r\n *\r\n * Account\r\n o Clair Lewis\r\n o Edit friends\r\n o Use Facebook as Page\r\n o Account Settings\r\n o Privacy Settings\r\n o Help Centre\r\n o\r\n\r\nSet Facebook as your homepage\r\n\r\n *\r\n *\r\n *\r\n *\r\n *\r\n*\r\n\r\nSee what's happening with your friends as soon as you open your browser.\r\n← Drag this up to the home button in your Firefox toolbar\r\nSet homepage nowSkip\r\nFacebook © 2011 · English (UK)\r\nAbout · Advertising · Developers · Careers · Privacy · Terms · Help\r\n←
    FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-26 21504]
    S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-12-16 40776]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-12-17 11:33:25 54016 ----a-w- c:\windows\system32\drivers\pjmmsogp.sys
    2012-12-17 11:08:33 -------- d-----w- c:\users\tino\appdata\roaming\AVG2013
    2012-12-17 11:08:10 -------- d-----w- c:\users\tino\appdata\roaming\TuneUp Software
    2012-12-17 11:06:46 -------- d-----w- c:\programdata\AVG2013
    2012-12-17 11:06:46 -------- d-----w- C:\$AVG
    2012-12-17 11:05:58 -------- d-----w- c:\program files\AVG
    2012-12-17 11:03:38 -------- d--h--w- c:\programdata\Common Files
    2012-12-17 11:03:38 -------- d-----w- c:\users\tino\appdata\local\MFAData
    2012-12-17 11:03:38 -------- d-----w- c:\users\tino\appdata\local\Avg2013
    2012-12-17 11:03:38 -------- d-----w- c:\programdata\MFAData
    2012-12-17 10:07:52 -------- d-----w- c:\users\tino\appdata\roaming\Malwarebytes
    2012-12-17 10:07:44 -------- d-----w- c:\programdata\Malwarebytes
    2012-12-17 09:54:55 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-12-17 09:54:52 -------- d-----w- c:\users\tino\appdata\local\temp
    2012-12-17 09:39:54 98816 ----a-w- c:\windows\sed.exe
    2012-12-17 09:39:54 256000 ----a-w- c:\windows\PEV.exe
    2012-12-17 09:39:54 208896 ----a-w- c:\windows\MBR.exe
    2012-12-17 09:37:32 -------- d-----w- c:\program files\Trend Micro
    2012-12-16 16:14:07 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-12-16 16:14:00 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-16 16:14:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-12-16 01:11:11 -------- d-----w- c:\program files\ESET
    .
    ==================== Find3M ====================
    .
    2012-10-22 13:02:46 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2012-10-15 03:48:52 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-10-02 03:30:38 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2012-09-21 03:46:06 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-09-21 03:46:00 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2012-09-21 03:45:54 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    .
    ============= FINISH: 16:34:50.69 ===============
    and Attach:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 17/03/2008 10:31:25
    System Uptime: 16/12/2012 15:54:21 (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30D9
    Processor: Intel(R) Pentium(R) Dual CPU T2370 @ 1.73GHz | CPU | 1729/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 138 GiB total, 17.325 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 2.068 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0000
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0000
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0001
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0001
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0002
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #2
    PNP Device ID: ROOT\*6TO4MP\0002
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0003
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #3
    PNP Device ID: ROOT\*6TO4MP\0003
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0004
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #4
    PNP Device ID: ROOT\*6TO4MP\0004
    Service: tunnel
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: Nokia N95 8GB
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia N95 8GB
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Google Toolbar for Internet Explorer
    HP Update
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft Office Enterprise 2007
    Mozilla Firefox (3.6.16)
    .
    ==== End Of File ===========================
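    The three Hijack.StartMenuInternet lines in the Malwarebytes log above are the most telling finding in this post: the commands Windows runs for the Firefox and Internet Explorer Start Menu entries had been replaced so that an unknown executable in the user's profile (`C:\Users\tino\AppData\Local\rlh.exe`) is launched first and is handed the real browser path as an argument, which is how a wrapper of this kind keeps the browser working while it sits in front of it. The script below is an added example, not part of the thread and not Malwarebytes' code: it parses such log lines, splits the "Bad" command the way the Windows command line would, and flags an entry as hijacked when the executable actually launched is not the browser the entry should run. The sample input is constructed from the three log lines above; on a live Windows machine the same `audit_command` check can be fed the values read from `HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\open\command`.

```python
"""Audit Malwarebytes 'Hijack.StartMenuInternet' entries (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: the three Registry Data Items lines copied from
# the Malwarebytes log posted above. Everything else in this file is an added
# example, not Malwarebytes code and not part of the thread.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
'''

# One "Registry Data Items" line: key| (detection) -> Bad: (...) Good: (...) -> action
ENTRY_RE = re.compile(
    r'^(?P<key>HKLM\\[^|]+)\|\s*\((?P<detection>[^)]+)\)\s*->\s*'
    r'Bad:\s*\((?P<bad>.*?)\)\s*Good:\s*\((?P<good>.*?)\)\s*->\s*(?P<action>.+)$'
)
# Windows command-line tokens: a double-quoted string or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Finding:
    key: str
    launcher: str               # basename of the image the command really runs
    expected: str               # basename the browser entry should run
    wrapped_target: str | None  # real browser handed to the launcher as an argument
    launcher_in_profile: bool   # launcher lives under a user profile (AppData)
    hijacked: bool


def split_command(cmd: str) -> list[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def audit_command(key: str, actual_cmd: str, expected_cmd: str) -> Finding:
    """Compare the command stored under a StartMenuInternet key with the one
    that should be there. The entry is hijacked when the first token (the
    executable Windows actually launches) is not the browser itself."""
    actual = split_command(actual_cmd)
    expected = PureWindowsPath(split_command(expected_cmd)[0]).name.lower()
    launcher_path = actual[0]
    launcher = PureWindowsPath(launcher_path).name.lower()
    # A wrapper typically receives the genuine browser path as an argument so
    # that the browser still opens and the user notices nothing.
    wrapped = next(
        (t for t in actual[1:] if PureWindowsPath(t).name.lower() == expected), None
    )
    return Finding(
        key=key,
        launcher=launcher,
        expected=expected,
        wrapped_target=wrapped,
        launcher_in_profile="\\appdata\\" in launcher_path.lower(),
        hijacked=launcher != expected,
    )


def parse_log(text: str) -> list[Finding]:
    """Extract and audit every Hijack.StartMenuInternet line of a Malwarebytes log."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m["detection"] == "Hijack.StartMenuInternet":
            findings.append(audit_command(m["key"], m["bad"], m["good"]))
    return findings


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        status = "HIJACKED" if f.hijacked else "ok"
        print(f"{status:8} {f.key}")
        print(f"         runs {f.launcher} (expected {f.expected}), "
              f"from user profile: {f.launcher_in_profile}, wraps: {f.wrapped_target}")
```

    Two signals from the check are worth keeping even after Malwarebytes has repaired the keys: a browser launcher whose image lives under a user profile directory rather than Program Files, and an argument list that contains the real browser path, both of which point at a wrapper rather than a misconfigured shortcut.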
  4. Broni


    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =============================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download the latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  5. sarahitalia


    RogueKiller:
    RogueKiller V8.4.0 [Dec 18 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Safe mode with network support
    User : tino [Admin rights]
    Mode : Remove -- Date : 12/16/2012 21:39:03
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts
    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK1637GSX +++++
    --- User ---
    [MBR] 7b12d5e795aba2949c1ed6d3276ad4d3
    [BSP] 6b74144a3ab1d51ed6ff8ce436f0741a : HP tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 140874 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 288511335 | Size: 11750 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[3]_D_12162012_02d2139.txt >>
    RKreport[1]_S_12162012_02d2138.txt ; RKreport[2]_D_12162012_02d2138.txt ; RKreport[3]_D_12162012_02d2139.txt


    and just running the other one now
  6. sarahitalia


    Unfortunately the other scan was going really fast and then it started freezing on certain files in AppData? I have left it running but I will have to go to bed for now (time difference as I'm in the UK) but thank you for your help so far and I'll reply in the morning if the scan has finished!
  7. Broni


    If it still gives you problems run it from safe mode.
  8. sarahitalia


    It actually went faster so I decided to wait, so here is the log. I am running my laptop from safe mode with networking at the moment as it won't turn on without being in safe mode, a blue screen just flashes up when I log in and then it shuts down!

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-12-16 21:41:40
    -----------------------------
    21:41:40.531 OS Version: Windows 6.0.6002 Service Pack 2
    21:41:40.531 Number of processors: 2 586 0xF0D
    21:41:40.531 ComputerName: TINO-PC UserName: tino
    21:41:42.887 Initialize success
    21:44:35.470 AVAST engine defs: 12121901
    21:44:51.429 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    21:44:51.444 Disk 0 Vendor: TOSHIBA_ DL03 Size: 152627MB BusType: 3
    21:44:51.444 Disk 0 MBR read successfully
    21:44:51.444 Disk 0 MBR scan
    21:44:51.460 Disk 0 unknown MBR code
    21:44:51.460 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 140874 MB offset 63
    21:44:51.491 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11750 MB offset 288511335
    21:44:51.507 Disk 0 scanning sectors +312576705
    21:44:51.553 Disk 0 scanning C:\Windows\system32\drivers
    21:45:05.687 Service scanning
    21:45:34.672 Modules scanning
    21:45:40.069 Disk 0 trace - called modules:
    21:45:40.116 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
    21:45:40.116 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c584f0]
    21:45:40.132 3 CLASSPNP.SYS[885a68b3] -> nt!IofCallDriver -> [0x851d4148]
    21:45:40.132 5 acpi.sys[806996bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x851da028]
    21:45:41.895 AVAST engine scan C:\Windows
    21:45:46.621 AVAST engine scan C:\Windows\system32
    21:49:52.337 AVAST engine scan C:\Windows\system32\drivers
    21:50:09.403 AVAST engine scan C:\Users\tino
    22:04:58.993 AVAST engine scan C:\ProgramData
    22:07:14.121 Scan finished successfully
    22:07:26.039 Disk 0 MBR has been saved successfully to "C:\Users\tino\Desktop\MBR.dat"
    22:07:26.039 The log file has been saved successfully to "C:\Users\tino\Desktop\aswMBR.txt"
  9. Broni


    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ===============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  10. sarahitalia


    ComboFix 12-12-20.02 - tino 17/12/2012 10:51:02.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1538 [GMT 0:00]
    Running from: c:\users\tino\Desktop\123.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-17 11:33 . 2012-12-17 11:33 54016 ----a-w- c:\windows\system32\drivers\pjmmsogp.sys
    2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\AVG2013
    2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\TuneUp Software
    2012-12-17 11:06 . 2012-12-17 11:08 -------- d-----w- c:\programdata\AVG2013
    2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- C:\$AVG
    2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Avg2013
    2012-12-17 11:05 . 2012-12-17 11:05 -------- d-----w- c:\program files\AVG
    2012-12-17 11:03 . 2012-12-17 11:10 -------- d-----w- c:\programdata\MFAData
    2012-12-17 11:03 . 2012-12-17 11:09 -------- d-----w- c:\users\tino\AppData\Local\Avg2013
    2012-12-17 11:03 . 2012-12-17 11:03 -------- d--h--w- c:\programdata\Common Files
    2012-12-17 11:03 . 2012-12-17 11:03 -------- d-----w- c:\users\tino\AppData\Local\MFAData
    2012-12-17 11:00 . 2012-12-17 11:01 -------- d-----w- c:\users\tino\AppData\Local\temp
    2012-12-17 11:00 . 2012-12-17 11:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-12-17 11:00 . 2012-12-17 11:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-17 09:37 . 2012-12-17 09:37 -------- d-----w- c:\program files\Trend Micro
    2012-12-16 16:14 . 2012-12-16 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-12-16 16:14 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-16 01:11 . 2012-12-16 01:11 -------- d-----w- c:\program files\ESET
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-22 13:02 . 2012-10-22 13:02 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2012-10-15 03:48 . 2012-10-15 03:48 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-10-05 03:32 . 2012-10-05 03:32 93536 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2012-10-02 03:30 . 2012-10-02 03:30 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2012-09-21 03:46 . 2012-09-21 03:46 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-09-21 03:46 . 2012-09-21 03:46 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2012-09-21 03:45 . 2012-09-21 03:45 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-30 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-21 217088]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-27 202032]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
    "HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-30 198160]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
    "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-03-01 126976]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ECACHE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
    .
    2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\tino\AppData\Roaming\Mozilla\Firefox\Profiles\74e3fu9e.default\
    FF - prefs.js: browser.startup.homepage - 0\r\nFind friends\r\nFriend requests\r\n\r\n * No new requests.\r\n\r\nSee all friend requests\r\n0\r\nSend a new message\r\nMessages\r\n\r\n *\r\n Julie Brand Pirie\r\n (no subject) Hi Clair hope your alll well my number is 07799545853 house 01592 722240 and...\r\n on Wednesday\r\n *\r\n Laura Docherty\r\n (no subject) thanks hun xx\r\n last Saturday\r\n *\r\n Sarah Forno\r\n (no subject) Me - 07545546930 Gem - 07736049300\r\n last Saturday\r\n *\r\n Amanda Pilon\r\n (no subject) Oh sorry I couldve done wi the £ too but wouldve taken me an hour of rushin t...\r\n last Saturday\r\n *\r\n Alyson\r\n £20 to spend at ASOS I've got it too. Time to go shopping lol\r\n about a week ago\r\n\r\nSee all messages 8 unread\r\n0\r\nNotifications\r\n\r\n *\r\n Charlene LJ Short, Pamela Blyth and 2 other friends also commented on Laine Mcbay's photo.\r\n 38 minutes ago\r\n *\r\n Louise Hildreth, Kathy Milligan ╱ Easton and 32 other friends like your status.\r\n 8 hours ago\r\n *\r\n Sheila Tasker and Kireana Mackay sent you requests in Causes.\r\n 13 hours ago\r\n *\r\n Carole Docherty, Laura Docherty and 5 other friends commented on your status.\r\n 21 hours ago\r\n *\r\n Terri Logie posted on your Wall.\r\n on Friday\r\n\r\nSee all notifications\r\nSearch\r\n\r\n *\r\n * Home\r\n * Profile\r\n *\r\n * Account\r\n o Clair Lewis\r\n o Edit friends\r\n o Use Facebook as Page\r\n o Account Settings\r\n o Privacy Settings\r\n o Help Centre\r\n o\r\n\r\nSet Facebook as your homepage\r\n\r\n *\r\n *\r\n *\r\n *\r\n *\r\n*\r\n\r\nSee what's happening with your friends as soon as you open your browser.\r\n← Drag this up to the home button in your Firefox toolbar\r\nSet homepage nowSkip\r\nFacebook © 2011 · English (UK)\r\nAbout · Advertising · Developers · Careers · Privacy · Terms · Help\r\n←
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-RunOnce-<NO NAME> - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-17 11:01
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(1244)
    c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
    .
    Completion time: 2012-12-17 11:03:15
    ComboFix-quarantined-files.txt 2012-12-17 11:03
    ComboFix2.txt 2012-12-17 09:54
    .
    Pre-Run: 18,403,622,912 bytes free
    Post-Run: 18,492,284,928 bytes free
    .
    - - End Of File - - 45D69651FE9FA669D5E87D14203223C1
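A small triage script for the ComboFix log above, added here as an example; it is not part of the thread and not ComboFix's own code. It reads the text ComboFix writes and pulls out three things a reviewer checks first: kernel drivers created inside the "Files Created" window, autostart values for which ComboFix printed a marker instead of a date and size, and registry values that switch off Windows' own defences (UAC, Security Center monitoring, the antivirus override). The sample input is a constructed excerpt assembled from lines of the posted log; the WEAKENING table and the flagging heuristics are my choices for this example, not anything ComboFix defines.

```python
"""Triage a ComboFix log: new drivers, unverified autostarts, weakened defences.

Added example for this thread; not ComboFix's own code. The WEAKENING table
and the heuristics below are assumptions made for illustration.
"""
import re

# Section banner, e.g. "(((( Files Created from 2012-11-17 to 2012-12-17 ))))"
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "created . modified size attrs path", the way ComboFix prints file entries
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+|-+) (\S{8}) (.+)$"
)
KEY_LINE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# ComboFix appends "[date size]" when it could verify the autostart image
VERIFIED = re.compile(r"\[\d{4}-\d\d-\d\d \d+\]$")

# (lower-case key fragment, value name, value that weakens the defence) -> meaning.
# Assumed mapping built for this example from values seen in the posted log.
WEAKENING = {
    ("\\policies\\system", "EnableLUA", 0): "UAC disabled",
    ("\\security center\\monitoring", "DisableMonitoring", 1):
        "Security Center monitoring disabled",
    ("\\security center\\svc", "AntiVirusOverride", 1):
        "Security Center told to ignore antivirus state",
}


def reg_int(raw):
    """Turn ComboFix's value renderings ('0 (0x0)', 'dword:00000001') into an int."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def triage(log_text):
    findings = {"new_drivers": [], "unverified_autostarts": [], "weakened_defences": []}
    section, key = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            section = m.group(1)
            continue
        if section and section.startswith("Files Created"):
            m = FILE_LINE.match(line)
            path = m.group(5) if m else ""
            # Kernel drivers created inside the reporting window. Compare the
            # creation time with the scanner's own run before judging one.
            if path.lower().endswith(".sys") and "\\drivers\\" in path.lower():
                findings["new_drivers"].append(
                    {"path": path, "created": m.group(1), "size": int(m.group(3))})
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, value = m.group(1), m.group(2)
        if "\\currentversion\\run" in key and not VERIFIED.search(value):
            # No date/size trailer: ComboFix did not verify the image; review by hand
            findings["unverified_autostarts"].append({"key": key, "name": name, "value": value})
        for (fragment, vname, bad), meaning in WEAKENING.items():
            if fragment in key and name == vname and reg_int(value) == bad:
                findings["weakened_defences"].append({"key": key, "name": name, "meaning": meaning})
    return findings


# Constructed excerpt: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
2012-12-17 11:33 . 2012-12-17 11:33 54016 ----a-w- c:\windows\system32\drivers\pjmmsogp.sys
2012-12-17 11:05 . 2012-12-17 11:05 -------- d-----w- c:\program files\AVG
2012-12-16 16:14 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2012-10-22 13:02 . 2012-10-22 13:02 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it against the full text of a log (read the file and pass it to `triage`) rather than the excerpt; the Find3M section is deliberately skipped so that drivers dated months earlier do not show up as new, and an entry in `new_drivers` is a lead to check against the scanner's run window and vendor files, not a verdict.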
  11. sarahitalia

    sarahitalia Newcomer, in training Topic Starter

    Rkill 2.4.5 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html
    Program started at: 12/17/2012 11:07:46 AM in x86 mode.
    Windows Version: Windows Vista (TM) Home Premium Service Pack 2
    Checking for Windows services to stop:
    * No malware services found to stop.
    Checking for processes to terminate:
    * No malware processes found to kill.
    Checking Registry for malware related settings:
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    Performing miscellaneous checks:
    * No issues found.
    Checking Windows Service Integrity:
    * COM+ Event System (EventSystem) is not Running.
    Startup Type set to: Automatic
    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic (Delayed Start)
    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)
    * Windows Update (AFD) is not Running.
    Startup Type set to: Automatic (Delayed Start)
    * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]
    Searching for Missing Digital Signatures:
    * No issues found.
    Checking HOSTS File:
    * HOSTS file entries found:
    127.0.0.1 localhost
    Program finished at: 12/17/2012 11:07:54 AM
    Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s)
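The Rkill log above lists four stopped services, one service with an ImagePath Rkill did not expect, and the HOSTS file contents. As an added example (not Rkill's code and not part of the thread), the script below parses those sections into a structure a reviewer can act on, attaches a one-line note on why each stopped service matters (my annotations, not something Rkill prints), and separates HOSTS entries that are not the plain localhost mapping. The sample input is a constructed excerpt of the posted Rkill log.

```python
"""Parse Rkill's "Windows Service Integrity" and HOSTS sections.

Added example for this thread; not Rkill's own code. The IMPACT notes and
BENIGN_HOSTS set are my annotations, not something Rkill reports.
"""
import re

SERVICE_LINE = re.compile(r"^\* (.+?) \((\w+)\) is not Running\.$")
STARTUP_LINE = re.compile(r"^Startup Type set to: (.+)$")
IMAGEPATH_LINE = re.compile(r"^\* (\w+) => (.+?) \[Incorrect ImagePath\]$")
HOSTS_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|::1)\s+(\S+)")

# Rkill labels AFD "Windows Update" in its output; AFD is in fact the Ancillary
# Function Driver for Winsock, so with it stopped user-mode networking fails.
IMPACT = {
    "wscsvc": "Security Center stopped: no antivirus/firewall state reporting",
    "wuauserv": "Windows Update stopped: no patches delivered",
    "EventSystem": "COM+ Event System stopped: COM+ event notifications fail",
    "AFD": "Winsock driver stopped: sockets fail for user-mode programs",
}
# Entries a clean HOSTS file may contain; anything else is worth a look.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_rkill(text):
    stopped, bad_imagepaths, hosts = [], [], []
    pending, in_hosts = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_LINE.match(line)
        if m:
            pending = {"display": m.group(1), "name": m.group(2), "startup": None,
                       "impact": IMPACT.get(m.group(2), "review manually")}
            stopped.append(pending)
            continue
        m = STARTUP_LINE.match(line)
        if m and pending is not None:
            pending["startup"] = m.group(1)  # start type Rkill reset the service to
            pending = None
            continue
        m = IMAGEPATH_LINE.match(line)
        if m:
            # Check the expected path for this service (and what the other
            # tool's log shows for it) before editing the registry value.
            bad_imagepaths.append({"name": m.group(1), "image_path": m.group(2)})
            continue
        if line.startswith("Checking HOSTS File"):
            in_hosts = True
            continue
        if in_hosts:
            m = HOSTS_LINE.match(line)
            if m:
                hosts.append((m.group(1), m.group(2)))
            elif line.startswith("Program finished"):
                in_hosts = False
    return {
        "stopped_services": stopped,
        "bad_imagepaths": bad_imagepaths,
        "hosts": hosts,
        "suspicious_hosts": [h for h in hosts if h not in BENIGN_HOSTS],
    }


# Constructed excerpt taken from the Rkill log posted in this thread.
SAMPLE_RKILL = r"""
Checking Windows Service Integrity:
* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (AFD) is not Running.
Startup Type set to: Automatic (Delayed Start)
* msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 12/17/2012 11:07:54 AM
"""

if __name__ == "__main__":
    result = parse_rkill(SAMPLE_RKILL)
    for svc in result["stopped_services"]:
        print(f'{svc["name"]:12} -> {svc["startup"]:26} {svc["impact"]}')
    print("bad ImagePath:", result["bad_imagepaths"])
    print("suspicious HOSTS entries:", result["suspicious_hosts"])
```

Security Center, Windows Update and the Winsock driver all being stopped at once is the pattern to notice here: each one on its own has a benign explanation, but together they are what a reviewer expects from something that wants to silence alerts and block updates, so the service list is worth re-checking after the machine is booted normally.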
  12. sarahitalia

    sarahitalia Newcomer, in training Topic Starter

    ComboFix 12-12-17.02 - tino 17/12/2012 9:41.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1519 [GMT 0:00]
    Running from: c:\users\tino\Desktop\123.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\cleansweep.exe
    c:\cleansweep.exe\config.bin
    c:\users\Public\Documents\Server\admin.txt
    c:\users\Public\Documents\Server\server.dat
    c:\users\tino\Documents\My Documents.url
    c:\windows\system32\KBL.LOG
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\AVG2013
    2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\TuneUp Software
    2012-12-17 11:06 . 2012-12-17 11:08 -------- d-----w- c:\programdata\AVG2013
    2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- C:\$AVG
    2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Avg2013
    2012-12-17 11:05 . 2012-12-17 11:05 -------- d-----w- c:\program files\AVG
    2012-12-17 11:03 . 2012-12-17 11:10 -------- d-----w- c:\programdata\MFAData
    2012-12-17 11:03 . 2012-12-17 11:09 -------- d-----w- c:\users\tino\AppData\Local\Avg2013
    2012-12-17 11:03 . 2012-12-17 11:03 -------- d--h--w- c:\programdata\Common Files
    2012-12-17 11:03 . 2012-12-17 11:03 -------- d-----w- c:\users\tino\AppData\Local\MFAData
    2012-12-17 09:50 . 2012-12-17 09:52 -------- d-----w- c:\users\tino\AppData\Local\temp
    2012-12-17 09:50 . 2012-12-17 09:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-12-17 09:50 . 2012-12-17 09:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-22 13:02 . 2012-10-22 13:02 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2012-10-15 03:48 . 2012-10-15 03:48 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-10-05 03:32 . 2012-10-05 03:32 93536 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2012-10-02 03:30 . 2012-10-02 03:30 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2012-09-21 03:46 . 2012-09-21 03:46 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-09-21 03:46 . 2012-09-21 03:46 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2012-09-21 03:45 . 2012-09-21 03:45 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-30 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-21 217088]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-27 202032]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-30 198160]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
    "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-03-01 126976]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ECACHE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
    .
    2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\tino\AppData\Roaming\Mozilla\Firefox\Profiles\74e3fu9e.default\
    FF - prefs.js: browser.startup.homepage - 0\r\nFind friends\r\nFriend requests\r\n\r\n * No new requests.\r\n\r\nSee all friend requests\r\n0\r\nSend a new message\r\nMessages\r\n\r\n *\r\n Julie Brand Pirie\r\n (no subject) Hi Clair hope your alll well my number is 07799545853 house 01592 722240 and...\r\n on Wednesday\r\n *\r\n Laura Docherty\r\n (no subject) thanks hun xx\r\n last Saturday\r\n *\r\n Sarah Forno\r\n (no subject) Me - 07545546930 Gem - 07736049300\r\n last Saturday\r\n *\r\n Amanda Pilon\r\n (no subject) Oh sorry I couldve done wi the £ too but wouldve taken me an hour of rushin t...\r\n last Saturday\r\n *\r\n Alyson\r\n £20 to spend at ASOS I've got it too. Time to go shopping lol\r\n about a week ago\r\n\r\nSee all messages 8 unread\r\n0\r\nNotifications\r\n\r\n *\r\n Charlene LJ Short, Pamela Blyth and 2 other friends also commented on Laine Mcbay's photo.\r\n 38 minutes ago\r\n *\r\n Louise Hildreth, Kathy Milligan ╱ Easton and 32 other friends like your status.\r\n 8 hours ago\r\n *\r\n Sheila Tasker and Kireana Mackay sent you requests in Causes.\r\n 13 hours ago\r\n *\r\n Carole Docherty, Laura Docherty and 5 other friends commented on your status.\r\n 21 hours ago\r\n *\r\n Terri Logie posted on your Wall.\r\n on Friday\r\n\r\nSee all notifications\r\nSearch\r\n\r\n *\r\n * Home\r\n * Profile\r\n *\r\n * Account\r\n o Clair Lewis\r\n o Edit friends\r\n o Use Facebook as Page\r\n o Account Settings\r\n o Privacy Settings\r\n o Help Centre\r\n o\r\n\r\nSet Facebook as your homepage\r\n\r\n *\r\n *\r\n *\r\n *\r\n *\r\n*\r\n\r\nSee what's happening with your friends as soon as you open your browser.\r\n← Drag this up to the home button in your Firefox toolbar\r\nSet homepage nowSkip\r\nFacebook © 2011 · English (UK)\r\nAbout · Advertising · Developers · Careers · Privacy · Terms · Help\r\n←
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-17 09:52
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-12-17 09:54:50
    ComboFix-quarantined-files.txt 2012-12-17 09:54
    .
    Pre-Run: 17,015,672,832 bytes free
    Post-Run: 18,992,717,824 bytes free
    .
    - - End Of File - - AEAC32948AEC49AC3D8C12BB14E66CEB
  13. sarahitalia

    sarahitalia Newcomer, in training Topic Starter

    So that was combofix, rkill and then combo fix again :)
     
  14. Broni

    Broni Malware Annihilator Posts: 45,159   +242

    Looks good.
    Can you start computer in normal mode?
  15. sarahitalia

    sarahitalia Newcomer, in training Topic Starter

    Unfortunately not! The blue screen flashed up again and then the computer restarted! I'm back to safe mode. I forgot to say that when I finished the scans, whenever I tried to click on a desktop icon or internet etc. it came up with something about illegal and key registry? I can't remember exactly though. Also after every scan it seems to delete Internet Explorer but then it comes back again after a while. I don't know if that makes any difference!
  16. Broni

    Broni Malware Annihilator Posts: 45,159   +242

    At this point it doesn't look like any infection is causing your issue as most scans come up clean (MBAM reported just some minor issues).

    I suggest you start new topic in Windows forum.
  17. sarahitalia

    sarahitalia Newcomer, in training Topic Starter

    Ah great! Thank you for your help :)
  18. Broni

    Broni Malware Annihilator Posts: 45,159   +242


