Inactive Virus that I can't get rid of

sarahitalia

I am trying to get rid of a virus on my HP Vista laptop. The virus does not let me open any anti-virus software, or restore it. I have it on safe mode currently, but if I try to turn it on in normal mode it lets me sign in and then it flashes up a blue screen for 1 second and then switches back off. I have tried in system to set the laptop to not automatically restart when this screen shows, but it still always does it.
I have run various online scans which have not found any viruses; however, I managed to download and run Malwarebytes and this showed 8 trojans, which I then deleted and restarted my laptop. It made no changes, however, and now my laptop isn't allowing me to open Malwarebytes even in safe mode. I have tried to do a restore in safe mode by typing various commands into a black box, but it just came up with an error and would not allow me to restore at all. I seem to be able to browse okay in safe mode, but there is clearly still a virus evident.
Anyone have any ideas?
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Great, thanks!
The Malwarebytes log:
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.12.19.06
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19019
tino :: TINO-PC [administrator]
16/12/2012 16:14:58
mbam-log-2012-12-16 (16-14-58).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215479
Time elapsed: 6 minute(s), 11 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|Zango 10.3.84.0 (Adware.Zango) -> Data: -> Quarantined and deleted successfully.
Registry Data Items Detected: 3
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Then DDS:
DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.19019
Run by tino at 16:27:44 on 2012-12-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1007 [GMT 0:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-gb\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{B75CAFCD-4EC2-4E3E-96AA-B4A38B754BA9} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\tino\appdata\roaming\mozilla\firefox\profiles\74e3fu9e.default\
FF - prefs.js: browser.startup.homepage - 0\r\nFind friends\r\nFriend requests\r\n\r\n * No new requests.\r\n\r\nSee all friend requests\r\n0\r\nSend a new message\r\nMessages\r\n\r\n *\r\n Julie Brand Pirie\r\n (no subject) Hi Clair hope your alll well my number is 07799545853 house 01592 722240 and...\r\n on Wednesday\r\n *\r\n Laura Docherty\r\n (no subject) thanks hun xx\r\n last Saturday\r\n *\r\n Sarah Forno\r\n (no subject) Me - 07545546930 Gem - 07736049300\r\n last Saturday\r\n *\r\n Amanda Pilon\r\n (no subject) Oh sorry I couldve done wi the £ too but wouldve taken me an hour of rushin t...\r\n last Saturday\r\n *\r\n Alyson\r\n £20 to spend at ASOS I've got it too. Time to go shopping lol\r\n about a week ago\r\n\r\nSee all messages 8 unread\r\n0\r\nNotifications\r\n\r\n *\r\n Charlene LJ Short, Pamela Blyth and 2 other friends also commented on Laine Mcbay's photo.\r\n 38 minutes ago\r\n *\r\n Louise Hildreth, Kathy Milligan ╱ Easton and 32 other friends like your status.\r\n 8 hours ago\r\n *\r\n Sheila Tasker and Kireana Mackay sent you requests in Causes.\r\n 13 hours ago\r\n *\r\n Carole Docherty, Laura Docherty and 5 other friends commented on your status.\r\n 21 hours ago\r\n *\r\n Terri Logie posted on your Wall.\r\n on Friday\r\n\r\nSee all notifications\r\nSearch\r\n\r\n *\r\n * Home\r\n * Profile\r\n *\r\n * Account\r\n o Clair Lewis\r\n o Edit friends\r\n o Use Facebook as Page\r\n o Account Settings\r\n o Privacy Settings\r\n o Help Centre\r\n o\r\n\r\nSet Facebook as your homepage\r\n\r\n *\r\n *\r\n *\r\n *\r\n *\r\n*\r\n\r\nSee what's happening with your friends as soon as you open your browser.\r\n← Drag this up to the home button in your Firefox toolbar\r\nSet homepage nowSkip\r\nFacebook © 2011 · English (UK)\r\nAbout · Advertising · Developers · Careers · Privacy · Terms · Help\r\n←
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-26 21504]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-12-16 40776]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-12-17 11:33:25 54016 ----a-w- c:\windows\system32\drivers\pjmmsogp.sys
2012-12-17 11:08:33 -------- d-----w- c:\users\tino\appdata\roaming\AVG2013
2012-12-17 11:08:10 -------- d-----w- c:\users\tino\appdata\roaming\TuneUp Software
2012-12-17 11:06:46 -------- d-----w- c:\programdata\AVG2013
2012-12-17 11:06:46 -------- d-----w- C:\$AVG
2012-12-17 11:05:58 -------- d-----w- c:\program files\AVG
2012-12-17 11:03:38 -------- d--h--w- c:\programdata\Common Files
2012-12-17 11:03:38 -------- d-----w- c:\users\tino\appdata\local\MFAData
2012-12-17 11:03:38 -------- d-----w- c:\users\tino\appdata\local\Avg2013
2012-12-17 11:03:38 -------- d-----w- c:\programdata\MFAData
2012-12-17 10:07:52 -------- d-----w- c:\users\tino\appdata\roaming\Malwarebytes
2012-12-17 10:07:44 -------- d-----w- c:\programdata\Malwarebytes
2012-12-17 09:54:55 -------- d-sh--w- C:\$RECYCLE.BIN
2012-12-17 09:54:52 -------- d-----w- c:\users\tino\appdata\local\temp
2012-12-17 09:39:54 98816 ----a-w- c:\windows\sed.exe
2012-12-17 09:39:54 256000 ----a-w- c:\windows\PEV.exe
2012-12-17 09:39:54 208896 ----a-w- c:\windows\MBR.exe
2012-12-17 09:37:32 -------- d-----w- c:\program files\Trend Micro
2012-12-16 16:14:07 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-12-16 16:14:00 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-16 16:14:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-16 01:11:11 -------- d-----w- c:\program files\ESET
.
==================== Find3M ====================
.
2012-10-22 13:02:46 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2012-10-15 03:48:52 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-10-02 03:30:38 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-09-21 03:46:06 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-09-21 03:46:00 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
2012-09-21 03:45:54 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
============= FINISH: 16:34:50.69 ===============
and Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 17/03/2008 10:31:25
System Uptime: 16/12/2012 15:54:21 (1 hours ago)
.
Motherboard: Hewlett-Packard | | 30D9
Processor: Intel(R) Pentium(R) Dual CPU T2370 @ 1.73GHz | CPU | 1729/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 138 GiB total, 17.325 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 2.068 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0001
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0001
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0002
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #2
PNP Device ID: ROOT\*6TO4MP\0002
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0003
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #3
PNP Device ID: ROOT\*6TO4MP\0003
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0004
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #4
PNP Device ID: ROOT\*6TO4MP\0004
Service: tunnel
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia N95 8GB
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N95 8GB
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
µTorrent
Google Toolbar for Internet Explorer
HP Update
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft Office Enterprise 2007
Mozilla Firefox (3.6.16)
.
==== End Of File ===========================
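The Malwarebytes entries in the log above record a StartMenuInternet hijack: the registry commands that launch Firefox and Internet Explorer had been rewritten to route through rlh.exe in AppData\Local. As an added example (not part of this thread and not Malwarebytes' own code), the following Python parses that log layout into structured findings and pulls the wrapper executable out of each hijack entry, flagging wrappers that sit in user-writable paths; the sample log is constructed from the lines quoted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout Malwarebytes Anti-Malware 1.x writes to its
# log: a "<Category> Detected: N" header followed by one line per item. The
# entries are modelled on the ones quoted in the thread above.
SAMPLE_LOG = r"""
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|Zango 10.3.84.0 (Adware.Zango) -> Data: -> Quarantined and deleted successfully.
Registry Data Items Detected: 3
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\tino\AppData\Local\rlh.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<location> (<threat name>) -> <rest>"
ENTRY_RE = re.compile(r"^(?P<loc>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Repaired items carry the hijacked and the restored command values.
REPAIR_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")
DATA_RE = re.compile(r"^Data: ?(?P<data>.*?) -> (?P<action>.+)$")
# First quoted token of a command line, e.g. "C:\...\rlh.exe" -a "...".
QUOTED_EXE_RE = re.compile(r'^"(?P<exe>[^"]+\.exe)"', re.IGNORECASE)
# Path fragments a browser launch command should never route through.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    category: str          # e.g. "Registry Data Items"
    location: str          # registry path, file path, ...
    threat: str            # Malwarebytes detection name
    bad: Optional[str]     # hijacked value (repair entries only)
    good: Optional[str]    # restored value (repair entries only)
    action: str            # what the scanner did


def parse_mbam_log(text: str) -> list[Finding]:
    """Turn the detection sections of an MBAM 1.x log into Finding records."""
    findings: list[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank or "(No malicious items detected)"
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if section is None or not m:
            continue
        rest = m.group("rest")
        bad = good = None
        if (r := REPAIR_RE.match(rest)):
            bad, good, action = r.group("bad"), r.group("good"), r.group("action")
        elif (d := DATA_RE.match(rest)):
            action = d.group("action")
        else:
            action = rest
        findings.append(Finding(section, m.group("loc"), m.group("threat"), bad, good, action))
    return findings


def hijacked_browser_wrappers(findings: list[Finding]) -> list[tuple[str, str, str, bool]]:
    """For each StartMenuInternet hijack return (key, wrapper exe, restored command, suspicious).

    suspicious is True when the wrapper lives in a user-writable location, which
    is where the rlh.exe in the thread's log sat (AppData\\Local).
    """
    out = []
    for f in findings:
        if f.threat != "Hijack.StartMenuInternet" or not f.bad:
            continue
        m = QUOTED_EXE_RE.match(f.bad)
        wrapper = m.group("exe") if m else f.bad.split()[0]
        suspicious = any(tag in wrapper.lower() for tag in USER_WRITABLE)
        out.append((f.location.rstrip("|"), wrapper, f.good or "", suspicious))
    return out


if __name__ == "__main__":
    for key, wrapper, restored, flag in hijacked_browser_wrappers(parse_mbam_log(SAMPLE_LOG)):
        print(f"{'!!' if flag else '  '} {key}\n     via {wrapper} -> restored to {restored}")
```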
 
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

=============================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
RogueKiller:
RogueKiller V8.4.0 [Dec 18 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : tino [Admin rights]
Mode : Remove -- Date : 12/16/2012 21:39:03
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK1637GSX +++++
--- User ---
[MBR] 7b12d5e795aba2949c1ed6d3276ad4d3
[BSP] 6b74144a3ab1d51ed6ff8ce436f0741a : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 140874 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 288511335 | Size: 11750 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3]_D_12162012_02d2139.txt >>
RKreport[1]_S_12162012_02d2138.txt ; RKreport[2]_D_12162012_02d2138.txt ; RKreport[3]_D_12162012_02d2139.txt


and just running the other one now
 
Unfortunately the other scan was going really fast and then it started freezing on certain files in AppData? I have left it running but I will have to go to bed for now (time difference as I'm in the UK), but thank you for your help so far and I'll reply in the morning if the scan has finished!
 
It actually went faster, so I decided to wait, so here is the log. I am running my laptop from safe mode with networking at the moment as it won't turn on without being in safe mode; a blue screen just flashes up when I log in and then it shuts down!

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-16 21:41:40
-----------------------------
21:41:40.531 OS Version: Windows 6.0.6002 Service Pack 2
21:41:40.531 Number of processors: 2 586 0xF0D
21:41:40.531 ComputerName: TINO-PC UserName: tino
21:41:42.887 Initialize success
21:44:35.470 AVAST engine defs: 12121901
21:44:51.429 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
21:44:51.444 Disk 0 Vendor: TOSHIBA_ DL03 Size: 152627MB BusType: 3
21:44:51.444 Disk 0 MBR read successfully
21:44:51.444 Disk 0 MBR scan
21:44:51.460 Disk 0 unknown MBR code
21:44:51.460 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 140874 MB offset 63
21:44:51.491 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11750 MB offset 288511335
21:44:51.507 Disk 0 scanning sectors +312576705
21:44:51.553 Disk 0 scanning C:\Windows\system32\drivers
21:45:05.687 Service scanning
21:45:34.672 Modules scanning
21:45:40.069 Disk 0 trace - called modules:
21:45:40.116 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
21:45:40.116 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c584f0]
21:45:40.132 3 CLASSPNP.SYS[885a68b3] -> nt!IofCallDriver -> [0x851d4148]
21:45:40.132 5 acpi.sys[806996bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x851da028]
21:45:41.895 AVAST engine scan C:\Windows
21:45:46.621 AVAST engine scan C:\Windows\system32
21:49:52.337 AVAST engine scan C:\Windows\system32\drivers
21:50:09.403 AVAST engine scan C:\Users\tino
22:04:58.993 AVAST engine scan C:\ProgramData
22:07:14.121 Scan finished successfully
22:07:26.039 Disk 0 MBR has been saved successfully to "C:\Users\tino\Desktop\MBR.dat"
22:07:26.039 The log file has been saved successfully to "C:\Users\tino\Desktop\aswMBR.txt"
 
Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

===============================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
ComboFix 12-12-20.02 - tino 17/12/2012 10:51:02.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1538 [GMT 0:00]
Running from: c:\users\tino\Desktop\123.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
.
.
2012-12-17 11:33 . 2012-12-17 11:33 54016 ----a-w- c:\windows\system32\drivers\pjmmsogp.sys
2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\AVG2013
2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\TuneUp Software
2012-12-17 11:06 . 2012-12-17 11:08 -------- d-----w- c:\programdata\AVG2013
2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- C:\$AVG
2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Avg2013
2012-12-17 11:05 . 2012-12-17 11:05 -------- d-----w- c:\program files\AVG
2012-12-17 11:03 . 2012-12-17 11:10 -------- d-----w- c:\programdata\MFAData
2012-12-17 11:03 . 2012-12-17 11:09 -------- d-----w- c:\users\tino\AppData\Local\Avg2013
2012-12-17 11:03 . 2012-12-17 11:03 -------- d--h--w- c:\programdata\Common Files
2012-12-17 11:03 . 2012-12-17 11:03 -------- d-----w- c:\users\tino\AppData\Local\MFAData
2012-12-17 11:00 . 2012-12-17 11:01 -------- d-----w- c:\users\tino\AppData\Local\temp
2012-12-17 11:00 . 2012-12-17 11:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-17 11:00 . 2012-12-17 11:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-17 09:37 . 2012-12-17 09:37 -------- d-----w- c:\program files\Trend Micro
2012-12-16 16:14 . 2012-12-16 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-16 16:14 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-16 01:11 . 2012-12-16 01:11 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-22 13:02 . 2012-10-22 13:02 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2012-10-15 03:48 . 2012-10-15 03:48 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-10-05 03:32 . 2012-10-05 03:32 93536 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2012-10-02 03:30 . 2012-10-02 03:30 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-09-21 03:46 . 2012-09-21 03:46 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-09-21 03:46 . 2012-09-21 03:46 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
2012-09-21 03:45 . 2012-09-21 03:45 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-21 217088]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-27 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-30 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-03-01 126976]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\tino\AppData\Roaming\Mozilla\Firefox\Profiles\74e3fu9e.default\
FF - prefs.js: browser.startup.homepage - 0\r\nFind friends\r\nFriend requests\r\n\r\n * No new requests.\r\n\r\nSee all friend requests\r\n0\r\nSend a new message\r\nMessages\r\n\r\n *\r\n Julie Brand Pirie\r\n (no subject) Hi Clair hope your alll well my number is 07799545853 house 01592 722240 and...\r\n on Wednesday\r\n *\r\n Laura Docherty\r\n (no subject) thanks hun xx\r\n last Saturday\r\n *\r\n Sarah Forno\r\n (no subject) Me - 07545546930 Gem - 07736049300\r\n last Saturday\r\n *\r\n Amanda Pilon\r\n (no subject) Oh sorry I couldve done wi the £ too but wouldve taken me an hour of rushin t...\r\n last Saturday\r\n *\r\n Alyson\r\n £20 to spend at ASOS I've got it too. Time to go shopping lol\r\n about a week ago\r\n\r\nSee all messages 8 unread\r\n0\r\nNotifications\r\n\r\n *\r\n Charlene LJ Short, Pamela Blyth and 2 other friends also commented on Laine Mcbay's photo.\r\n 38 minutes ago\r\n *\r\n Louise Hildreth, Kathy Milligan ╱ Easton and 32 other friends like your status.\r\n 8 hours ago\r\n *\r\n Sheila Tasker and Kireana Mackay sent you requests in Causes.\r\n 13 hours ago\r\n *\r\n Carole Docherty, Laura Docherty and 5 other friends commented on your status.\r\n 21 hours ago\r\n *\r\n Terri Logie posted on your Wall.\r\n on Friday\r\n\r\nSee all notifications\r\nSearch\r\n\r\n *\r\n * Home\r\n * Profile\r\n *\r\n * Account\r\n o Clair Lewis\r\n o Edit friends\r\n o Use Facebook as Page\r\n o Account Settings\r\n o Privacy Settings\r\n o Help Centre\r\n o\r\n\r\nSet Facebook as your homepage\r\n\r\n *\r\n *\r\n *\r\n *\r\n *\r\n*\r\n\r\nSee what's happening with your friends as soon as you open your browser.\r\n← Drag this up to the home button in your Firefox toolbar\r\nSet homepage nowSkip\r\nFacebook © 2011 · English (UK)\r\nAbout · Advertising · Developers · Careers · Privacy · Terms · Help\r\n←
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-17 11:01
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1244)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2012-12-17 11:03:15
ComboFix-quarantined-files.txt 2012-12-17 11:03
ComboFix2.txt 2012-12-17 09:54
.
Pre-Run: 18,403,622,912 bytes free
Post-Run: 18,492,284,928 bytes free
.
- - End Of File - - 45D69651FE9FA669D5E87D14203223C1
 
Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 12/17/2012 11:07:46 AM in x86 mode.
Windows Version: Windows Vista (TM) Home Premium Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (AFD) is not Running.
Startup Type set to: Automatic (Delayed Start)
* msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 12/17/2012 11:07:54 AM
Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s)
 
ComboFix 12-12-17.02 - tino 17/12/2012 9:41.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1519 [GMT 0:00]
Running from: c:\users\tino\Desktop\123.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\cleansweep.exe
c:\cleansweep.exe\config.bin
c:\users\Public\Documents\Server\admin.txt
c:\users\Public\Documents\Server\server.dat
c:\users\tino\Documents\My Documents.url
c:\windows\system32\KBL.LOG
.
.
((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
.
.
2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\AVG2013
2012-12-17 11:08 . 2012-12-17 11:08 -------- d-----w- c:\users\tino\AppData\Roaming\TuneUp Software
2012-12-17 11:06 . 2012-12-17 11:08 -------- d-----w- c:\programdata\AVG2013
2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- C:\$AVG
2012-12-17 11:06 . 2012-12-17 11:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Avg2013
2012-12-17 11:05 . 2012-12-17 11:05 -------- d-----w- c:\program files\AVG
2012-12-17 11:03 . 2012-12-17 11:10 -------- d-----w- c:\programdata\MFAData
2012-12-17 11:03 . 2012-12-17 11:09 -------- d-----w- c:\users\tino\AppData\Local\Avg2013
2012-12-17 11:03 . 2012-12-17 11:03 -------- d--h--w- c:\programdata\Common Files
2012-12-17 11:03 . 2012-12-17 11:03 -------- d-----w- c:\users\tino\AppData\Local\MFAData
2012-12-17 09:50 . 2012-12-17 09:52 -------- d-----w- c:\users\tino\AppData\Local\temp
2012-12-17 09:50 . 2012-12-17 09:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-17 09:50 . 2012-12-17 09:50 -------- d-----w- c:\users\Default\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-22 13:02 . 2012-10-22 13:02 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2012-10-15 03:48 . 2012-10-15 03:48 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-10-05 03:32 . 2012-10-05 03:32 93536 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2012-10-02 03:30 . 2012-10-02 03:30 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-09-21 03:46 . 2012-09-21 03:46 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-09-21 03:46 . 2012-09-21 03:46 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
2012-09-21 03:45 . 2012-09-21 03:45 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-21 217088]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-27 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-30 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-03-01 126976]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\tino\AppData\Roaming\Mozilla\Firefox\Profiles\74e3fu9e.default\
FF - prefs.js: browser.startup.homepage - 0\r\nFind friends\r\nFriend requests\r\n\r\n * No new requests.\r\n\r\nSee all friend requests\r\n0\r\nSend a new message\r\nMessages\r\n\r\n *\r\n Julie Brand Pirie\r\n (no subject) Hi Clair hope your alll well my number is 07799545853 house 01592 722240 and...\r\n on Wednesday\r\n *\r\n Laura Docherty\r\n (no subject) thanks hun xx\r\n last Saturday\r\n *\r\n Sarah Forno\r\n (no subject) Me - 07545546930 Gem - 07736049300\r\n last Saturday\r\n *\r\n Amanda Pilon\r\n (no subject) Oh sorry I couldve done wi the £ too but wouldve taken me an hour of rushin t...\r\n last Saturday\r\n *\r\n Alyson\r\n £20 to spend at ASOS I've got it too. Time to go shopping lol\r\n about a week ago\r\n\r\nSee all messages 8 unread\r\n0\r\nNotifications\r\n\r\n *\r\n Charlene LJ Short, Pamela Blyth and 2 other friends also commented on Laine Mcbay's photo.\r\n 38 minutes ago\r\n *\r\n Louise Hildreth, Kathy Milligan ╱ Easton and 32 other friends like your status.\r\n 8 hours ago\r\n *\r\n Sheila Tasker and Kireana Mackay sent you requests in Causes.\r\n 13 hours ago\r\n *\r\n Carole Docherty, Laura Docherty and 5 other friends commented on your status.\r\n 21 hours ago\r\n *\r\n Terri Logie posted on your Wall.\r\n on Friday\r\n\r\nSee all notifications\r\nSearch\r\n\r\n *\r\n * Home\r\n * Profile\r\n *\r\n * Account\r\n o Clair Lewis\r\n o Edit friends\r\n o Use Facebook as Page\r\n o Account Settings\r\n o Privacy Settings\r\n o Help Centre\r\n o\r\n\r\nSet Facebook as your homepage\r\n\r\n *\r\n *\r\n *\r\n *\r\n *\r\n*\r\n\r\nSee what's happening with your friends as soon as you open your browser.\r\n← Drag this up to the home button in your Firefox toolbar\r\nSet homepage nowSkip\r\nFacebook © 2011 · English (UK)\r\nAbout · Advertising · Developers · Careers · Privacy · Terms · Help\r\n←
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-17 09:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-12-17 09:54:50
ComboFix-quarantined-files.txt 2012-12-17 09:54
.
Pre-Run: 17,015,672,832 bytes free
Post-Run: 18,992,717,824 bytes free
.
- - End Of File - - AEAC32948AEC49AC3D8C12BB14E66CEB
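Both ComboFix runs above print the same "Reg Loading Points" entries, and the values a responder would pull out of them by hand are the policy and Security Center settings (EnableLUA=0, DisableMonitoring=1, AntiVirusOverride=1) plus the msiserver ImagePath that Rkill also reports as incorrect. The script below is an added example written for this page, not part of the thread and not code from ComboFix or Rkill: it parses a ComboFix-style registry excerpt (constructed here from the same lines as the log) and lists those entries. The "expected" values in CHECKS are assumed Windows defaults, and the msiserver check only mirrors Rkill's criterion that the service executable is not named with its .exe extension.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section,
# using the same keys and values that appear in the log above.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
COMBOFIX_NUM_RE = re.compile(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$')


def _decode(raw):
    """Turn a REGEDIT4/ComboFix value text into an int or str."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = COMBOFIX_NUM_RE.match(raw)          # ComboFix prints policies as '0 (0x0)'
    if m:
        return int(m.group(1))
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_reg_dump(text):
    """Parse the dump into {key_path (lowercased): {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.' or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode(m.group(2))
    return keys


# Expected values are this example's assumption of the Windows defaults;
# any other value weakens the defence the key controls.
CHECKS = [
    (r'hkey_local_machine\software\microsoft\windows\currentversion\policies\system',
     'EnableLUA', 1, 'UAC is off: everything an admin user runs is already elevated'),
    (r'hkey_local_machine\software\microsoft\security center\monitoring',
     'DisableMonitoring', 0, 'Security Center no longer tracks AV/firewall status'),
    (r'hkey_local_machine\software\microsoft\security center\svc',
     'AntiVirusOverride', 0, 'Security Center suppresses the "no antivirus" warning'),
]


def find_weakened_settings(keys):
    """Return (key, name, actual, why) for each checked value not at its expected setting."""
    hits = []
    for key, name, expected, why in CHECKS:
        actual = keys.get(key, {}).get(name)
        if actual is not None and actual != expected:
            hits.append((key, name, actual, why))
    return hits


def service_image_without_exe(keys, service):
    """Return the executable token of a service's ImagePath when it does not end in
    .exe (the condition Rkill reports for msiserver above), otherwise None."""
    key = 'hkey_local_machine\\system\\controlset001\\services\\' + service.lower()
    image = keys.get(key, {}).get('ImagePath')
    if not isinstance(image, str) or not image.strip():
        return None
    # Quoted paths may contain spaces; unquoted ones end at the first space.
    exe = image[1:].split('"', 1)[0] if image.startswith('"') else image.split()[0]
    return None if exe.lower().endswith('.exe') else exe


if __name__ == '__main__':
    parsed = parse_reg_dump(SAMPLE_LOG)
    for key, name, actual, why in find_weakened_settings(parsed):
        print('[!] %s\\%s = %r: %s' % (key, name, actual, why))
    bad = service_image_without_exe(parsed, 'msiserver')
    if bad:
        print('[!] msiserver ImagePath executable lacks .exe: %s' % bad)
```

Run against the full log file instead of SAMPLE_LOG to get the same list from a real ComboFix report. The output is a triage list, not proof of infection: the log alone does not say whether a user, a tuning utility (TuneUp Software also appears in the file list) or malware set these values, so the practical use is to re-check them after cleanup and restore the defaults if nothing legitimate needs them changed.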
 
Unfortunately not! The blue screen flashed up again and then the computer restarted! I'm back in safe mode. I forgot to say that when I finished the scans, whenever I tried to click on a desktop icon or the internet etc., it came up with something about "illegal" and "registry key"? I can't remember exactly though. Also, after every scan it seems to delete Internet Explorer, but then it comes back again after a while. I don't know if that makes any difference!
 
it came up with something about "illegal" and "registry key"?

**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.

At this point it doesn't look like any infection is causing your issue, as most scans come up clean (MBAM reported just some minor issues).

I suggest you start new topic in Windows forum.
 