TechSpot

Web search redirected and files on hard drive disappeared

By pjizzle
Sep 18, 2011
    Hi All,

    Not sure what has happened here, but all my music, photos and other files seem to have been deleted along with all the shortcuts on my desktop. All my music folders are empty, but if I open iTunes they are there and playable, so I'm hoping I haven't lost all my important documents with this virus.

    Clicking a link in a list of Google search results redirects the page. I have been using Microsoft Security Essentials for a few weeks now (which I never want to use again after this), and these are the threats it says have been detected:

    Worm:Win32/Autorun.gen!inf
    Exploit:Win32/Pdfjsc.RF

    I have followed the 6 steps and any help is greatly appreciated, please see my logs below:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-09-18 14:31:07
    Windows 6.1.7600
    Running: r1h47w9i.exe; Driver: C:\Users\P-jizzle\AppData\Local\Temp\pwlyakod.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x30 0xFD 0x41 0xC3 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x55 0x52 0xAD 0x57 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x65 0x59 0xA6 0xC2 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1F 0x52 0x56 0xE3 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x55 0x52 0xAD 0x57 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x65 0x59 0xA6 0xC2 ...

    ---- Files - GMER 1.0.15 ----

    File C:\Users\P-jizzle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQLQCCEN\like[1].htm 27010 bytes
    File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\BB6QJQX2.txt 1323 bytes
    File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\P61Y0NZN.txt 375 bytes
    File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\PRJ8ODXH.txt 226 bytes
    File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\RHBDDQ28.txt 108 bytes
    File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\RJD3IL6F.txt 103 bytes

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7600.16385
    Run by P-jizzle at 15:03:15 on 2011-09-18
    Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3070.2302 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\lxbkcoms.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - No File
    uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [AdobeBridge]
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [lxbkbmgr.exe] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
    StartupFolder: c:\users\p-jizzle\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
    StartupFolder: c:\users\p-jizzle\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    Trusted Zone: tvcatchup.com
    Trusted Zone: tvcatchup.com
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C}\F42377962756C6563737138393039333 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C}\F42377962756C6563737438333132323 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C}\F42377962756C6563737642353735423 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{D61097DB-6F06-456E-B758-03CD22A98E77} : DhcpNameServer = 82.132.254.3 82.132.254.2
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\p-jizzle\appdata\roaming\mozilla\firefox\profiles\rlc8f4j8.default\
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl726ff0df;MpKsl726ff0df;c:\programdata\microsoft\microsoft antimalware\definition updates\{64b0894c-cf57-4e98-83eb-14657e59e324}\MpKsl726ff0df.sys [2011-9-18 28752]
    R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-24 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-09-18 14:02:01 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{64b0894c-cf57-4e98-83eb-14657e59e324}\MpKsl726ff0df.sys
    2011-09-16 12:16:58 7152464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{64b0894c-cf57-4e98-83eb-14657e59e324}\mpengine.dll
    2011-09-15 22:59:46 -------- d--h--w- c:\users\p-jizzle\appdata\local\CrashDumps
    2011-09-08 19:52:34 -------- d-----w- c:\program files\Elaborate Bytes
    2011-09-08 19:28:27 11114 ----a-w- c:\programdata\MainApp.dll
    2011-09-08 19:25:55 14 ----a-w- c:\windows\system32\systeminfo3.dll
    2011-09-08 19:25:10 81920 ----a-w- c:\users\p-jizzle\appdata\roaming\ezpinst.exe
    2011-09-08 19:25:10 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2011-09-08 19:25:10 47360 ----a-w- c:\users\p-jizzle\appdata\roaming\pcouffin.sys
    2011-09-08 09:33:04 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
    2011-09-08 09:33:01 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e4f0ec0d-4936-432c-9b13-44ad288db7c7}\gapaengine.dll
    2011-09-07 10:55:15 -------- d-----w- c:\program files\Adobe Download Assistant
    2011-09-06 16:01:19 -------- d--h--w- c:\users\p-jizzle\appdata\roaming\PDAppFlex
    2011-09-06 15:59:56 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    2011-09-06 15:15:03 -------- d--h--w- c:\users\p-jizzle\appdata\roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
    2011-08-27 15:55:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-26 21:16:22 7152464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-08-25 13:27:24 -------- d-----w- c:\program files\Microsoft Security Client
    2011-08-25 13:26:55 240008 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-08-25 13:01:35 83249512 ---ha-w- c:\program files\common files\windows live\.cache\wlcB157.tmp
    2011-08-24 00:15:39 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-24 00:12:43 7152464 ------w- c:\programdata\microsoft\windows defender\definition updates\{e5ce807d-fe57-4a93-a51b-19c26343e448}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll
    2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe
    2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2011-07-09 02:26:10 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-23 04:38:05 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-06-23 04:38:04 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-06-21 05:39:53 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-06-21 05:36:36 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 05:35:05 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-21 04:26:02 386048 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 15:11:41.17 ===============


    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 26/04/2010 12:31:43
    System Uptime: 18/09/2011 15:01:15 (0 hours ago)
    .
    Motherboard: Quanta | | 30D2
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 1000/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 286 GiB total, 138.188 GiB free.
    D: is FIXED (NTFS) - 12 GiB total, 3.626 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4BF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4BF0
    Service:
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4AF0
    Service:
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl3f6e9e65
    Device ID: ROOT\LEGACY_MPKSL3F6E9E65\0000
    Manufacturer:
    Name: MpKsl3f6e9e65
    PNP Device ID: ROOT\LEGACY_MPKSL3F6E9E65\0000
    Service: MpKsl3f6e9e65
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl7b6da6bd
    Device ID: ROOT\LEGACY_MPKSL7B6DA6BD\0000
    Manufacturer:
    Name: MpKsl7b6da6bd
    PNP Device ID: ROOT\LEGACY_MPKSL7B6DA6BD\0000
    Service: MpKsl7b6da6bd
    .
    ==== System Restore Points ===================
    .
    RP203: 02/08/2011 17:48:19 - Windows Update
    RP204: 05/08/2011 12:02:58 - Windows Update
    RP205: 09/08/2011 09:43:50 - Windows Update
    RP206: 10/08/2011 15:45:30 - Windows Update
    RP207: 12/08/2011 10:02:20 - Windows Update
    RP208: 16/08/2011 15:48:21 - Windows Update
    RP209: 17/08/2011 17:41:39 - Windows Update
    RP210: 19/08/2011 18:11:44 - Windows Update
    RP211: 24/08/2011 01:11:51 - Windows Update
    RP212: 24/08/2011 01:34:30 - Windows Update
    RP213: 25/08/2011 14:26:33 - Windows Update
    RP214: 25/08/2011 14:40:01 - Windows Update
    RP215: 26/08/2011 22:15:39 - Windows Update
    RP216: 28/08/2011 00:46:28 - Windows Update
    RP217: 29/08/2011 11:35:58 - Windows Update
    RP218: 30/08/2011 18:50:46 - Windows Update
    RP219: 31/08/2011 22:15:33 - Windows Update
    RP220: 01/09/2011 23:26:37 - Windows Update
    RP221: 03/09/2011 00:35:12 - Windows Update
    RP222: 04/09/2011 01:11:10 - Windows Update
    RP223: 05/09/2011 21:55:52 - Windows Update
    RP224: 06/09/2011 17:08:46 - Removed Adobe Download Assistant
    RP225: 06/09/2011 22:56:57 - Windows Update
    RP226: 07/09/2011 23:33:04 - Windows Update
    RP227: 08/09/2011 10:31:55 - Windows Update
    RP228: 08/09/2011 20:25:19 - Device Driver Package Install: VSO Software
    RP229: 09/09/2011 11:00:13 - Windows Update
    RP230: 10/09/2011 11:09:40 - Windows Update
    RP231: 10/09/2011 14:30:45 - Removed BBC iPlayer Desktop
    RP232: 11/09/2011 23:48:35 - Windows Update
    RP233: 13/09/2011 00:24:42 - Windows Update
    RP234: 13/09/2011 22:07:15 - Windows Update
    RP235: 14/09/2011 00:56:31 - Windows Update
    RP236: 15/09/2011 12:47:43 - Windows Update
    RP237: 16/09/2011 13:16:38 - Windows Update
    RP238: 18/09/2011 13:19:52 - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Acrobat.com
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Community Help
    Adobe CSI CS4
    Adobe Download Assistant
    Adobe Dreamweaver CS4
    Adobe Dreamweaver CS5.5
    Adobe Flash Player 10 ActiveX
    Adobe Photoshop CS5.1
    Adobe Reader 9.3.3
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Update Manager CS4
    Adobe Widget Browser
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    BitTorrent
    Bonjour
    CloneDVD2
    Connect
    Internet Download Manager 5.18.8.0
    iTunes
    Java(TM) 6 Update 17
    kuler
    Lexmark X1100 Series
    MagicDraw UML Personal Edition 16.0 sp1
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Project 2007 Service Pack 2 (SP2)
    Microsoft Office Project MUI (English) 2007
    Microsoft Office Project Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    mkv2vob
    MobileMe Control Panel
    Mozilla Firefox 6.0.2 (x86 en-GB)
    MSVCRT
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    PDF Settings CS5
    QuickTime
    Safari
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    SkyPlayer for Windows Media Center
    Suite Shared Configuration CS4
    System Requirements Lab
    System Requirements Lab CYRI
    TVCatchup MCE Plugin
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Project 2007 Help (KB963668)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2553110)
    VC80CRTRedist - 8.0.50727.4053
    Veetle TV 0.9.17
    VLC media player 1.0.5
    WampServer 2.0
    Windows Driver Package - ENE (enecir) HIDClass (04/29/2008 2.5.0.0)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    18/09/2011 14:51:26, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    18/09/2011 13:26:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    18/09/2011 13:26:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    18/09/2011 13:26:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    18/09/2011 13:15:35, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    16/09/2011 13:23:50, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 13:23:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    16/09/2011 13:23:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    16/09/2011 13:23:45, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    16/09/2011 13:23:45, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    16/09/2011 13:23:44, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    16/09/2011 13:23:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    16/09/2011 13:23:22, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache ElbyCDIO MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    16/09/2011 13:23:22, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    16/09/2011 13:22:57, Error: sptd [4] - Driver detected an internal error in its data structures for .
    16/09/2011 12:59:20, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 11:28:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2156.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    16/09/2011 11:28:47, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    16/09/2011 11:24:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    16/09/2011 11:24:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    16/09/2011 11:19:27, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    16/09/2011 11:18:30, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ElbyCDIO MpFilter spldr sptd Wanarpv6
    16/09/2011 01:11:12, Error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0
    15/09/2011 23:41:43, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 22:50:21, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 22:22:40, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 22:00:48, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 17:46:41, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 16:56:32, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 14:33:13, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 12:37:06, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/09/2011 00:27:51, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    14/09/2011 21:26:27, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    14/09/2011 17:01:06, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    14/09/2011 10:48:11, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    .


    Thanks in advance.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the redirect and also help find the 'hidden' files.

    You left out a very important program- Malwarebytes: Please go back to the steps in the thread and run this: Step 2: Malwarebytes Anti-Malware

    If you have run it, please leave the log. I suspect you have malware that puts an attribute on files, icons, etc. that makes them show 'missing.' After I see the log, I will give you a short program that may help. Please be sure to check the line for removal of entries found.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
      [o] Please Do not Attach logs or put in code boxes
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
     
  3. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi Bobbye, thanks for the quick reply!

    I forgot to mention in my post that I’m unable to install Malwarebytes on my computer since this infection. During the installation process for Malwarebytes I receive these messages saying:

    “Access is denied”

    “Setup was not completed.
    Please correct the problem and run Setup again.”

    It then says ‘Rolling back changes’ and closes the setup. I have tried installing this in normal mode and safe mode with no luck. I used to have Malwarebytes already installed on my computer but now the files are ‘missing’ and I’m unable to run it, maybe there is a way to access it?

    Thanks for your help.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for the delay. Try running the following, then try Mbam again:
    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

    Once done, try running a scan again
    ========================================
    If the above doesn't work, do the following:

    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    ===================================
    And you can run the following and see if it will allow you to see the files on the hard drive:
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.

    Note: This program does not remove malware itself. But it can make the files visible.
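
    The following is an added example and not the Unhide.exe tool linked above, nor anything posted in this thread. It does a narrower version of what Unhide is described as doing: it walks a user profile, reports files and folders that carry the Hidden attribute but that Windows would not normally hide (so items that are also marked System, the AppData tree, ntuser.* and desktop.ini are left alone), and with -Fix it clears only the Hidden bit. The script name, the -Root and -Fix parameters and the exclusion list are assumptions made for this example; run it from an elevated PowerShell on the affected machine. Like Unhide, it removes no malware; it only makes files visible again.

    ```powershell
    # Show-HiddenUserFiles.ps1 (hypothetical name) -- added example, not Unhide.exe.
    # Lists user-profile items with the Hidden attribute that Windows does not hide
    # by default; with -Fix, clears the Hidden bit on exactly those items.
    param(
        [string]$Root = $env:USERPROFILE,   # assumed default: the current profile
        [switch]$Fix
    )

    $hiddenFlag  = [int][IO.FileAttributes]::Hidden
    $systemFlag  = [int][IO.FileAttributes]::System
    $reparseFlag = [int][IO.FileAttributes]::ReparsePoint

    # Items the OS hides on purpose (assumed exclusion list for this example):
    # anything also marked System (e.g. the "Application Data" profile junctions),
    # the AppData tree, the ntuser.* registry hive files and desktop.ini.
    function Test-ExpectedHidden {
        param([IO.FileSystemInfo]$Item)
        if (([int]$Item.Attributes -band $systemFlag) -ne 0) { return $true }
        if ($Item.FullName -match '\\AppData(\\|$)')       { return $true }
        if ($Item.Name -like 'ntuser*' -or $Item.Name -eq 'desktop.ini') { return $true }
        return $false
    }

    # Manual recursion so junctions and symlinks are never followed; a Windows 7
    # profile contains looping compatibility junctions that -Recurse can chase.
    function Get-UnexpectedHiddenItems {
        param([string]$Path)
        foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
            $attr = [int]$item.Attributes
            if (($attr -band $reparseFlag) -ne 0) { continue }
            if ((($attr -band $hiddenFlag) -ne 0) -and -not (Test-ExpectedHidden -Item $item)) {
                $item
            }
            if ($item.PSIsContainer -and ($item.FullName -notmatch '\\AppData$')) {
                Get-UnexpectedHiddenItems -Path $item.FullName
            }
        }
    }

    $suspect = @(Get-UnexpectedHiddenItems -Path $Root)

    Write-Host ("{0} hidden item(s) under {1} that Windows would not normally hide" -f $suspect.Count, $Root)
    $suspect | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

    if ($Fix) {
        foreach ($item in $suspect) {
            # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they are.
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenFlag))
        }
        Write-Host ("Cleared the Hidden attribute on {0} item(s)." -f $suspect.Count)
    }
    ```

    Run it once without -Fix to see what it would touch: a profile in which Desktop, Documents, Music and Pictures, or most of their contents, show up in the list matches the symptom described in this thread (folders that look empty while the files are still on disk). Only then rerun with -Fix. Reviewing the list first is the point of the exercise: a report of a few legitimately hidden files you recognise means no change is needed.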
     
  5. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi,

    Randmbam.exe seemed to work and I was able to run Malwarebytes, but a bit surprised with the results as no threats found.

    Rkill worked and I then ran exeHelper. Unhide.exe also returned my files so thanks for that. The virus still seems present, here are the logs:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7796

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    25/09/2011 16:41:32
    mbam-log-2011-09-25 (16-41-32).txt

    Scan type: Quick scan
    Objects scanned: 171753
    Time elapsed: 5 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    exeHelper by Raktor
    Build 20100414
    Run at 16:56:31 on 09/25/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job! Since you're on a roll, let's see if we can get the following 2 scans:

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ===========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ======================================
    I usually let a user run unhide just for the confidence reason of knowing the files are still on the system. We may have to run it again after the malware has been removed, but we'll cross that when we get to it!
     
  7. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi,

    Had a problem with the ESET scan as it stopped half way through the first scan but 9 hours later I have the log. :D

    Combo fix:

    ComboFix 11-09-26.01 - P-jizzle 26/09/2011 13:23:09.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3070.2164 [GMT 1:00]
    Running from: c:\users\P-jizzle\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\IFO_LOGICAL_VOLUME_IDENTIFIER.LOG
    c:\programdata\MainApp.dll
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\chrome.manifest
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\chrome\idmmzcc.jar
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\components\iIDMMzCC.xpt
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\install.js
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\install.rdf
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\META-INF\manifest.mf
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.rsa
    c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.sf
    c:\windows\system32\systeminfo3.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-26 to 2011-09-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-26 12:56 . 2011-09-26 12:56 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-09-26 11:59 . 2011-09-26 11:59 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\MpKsl552df885.sys
    2011-09-26 11:59 . 2011-09-26 11:59 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\offreg.dll
    2011-09-25 15:58 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\mpengine.dll
    2011-09-20 12:42 . 2011-06-21 10:24 32768 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
    2011-09-15 22:59 . 2011-09-26 12:05 -------- d-----w- c:\users\P-jizzle\AppData\Local\CrashDumps
    2011-09-12 22:04 . 2011-09-15 23:56 -------- d-----w- c:\users\P-jizzle\AppData\Local\Mozilla
    2011-09-08 19:52 . 2011-09-15 23:52 -------- d-----w- c:\program files\Elaborate Bytes
    2011-09-08 19:25 . 2011-09-08 19:48 81920 ----a-w- c:\users\P-jizzle\AppData\Roaming\ezpinst.exe
    2011-09-08 19:25 . 2011-09-08 19:48 47360 ----a-w- c:\users\P-jizzle\AppData\Roaming\pcouffin.sys
    2011-09-08 19:25 . 2011-09-08 19:48 -------- d-----w- c:\users\P-jizzle\AppData\Roaming\Vso
    2011-09-08 19:25 . 2011-09-08 19:25 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2011-09-08 09:33 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2011-09-08 09:33 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4F0EC0D-4936-432C-9B13-44AD288DB7C7}\gapaengine.dll
    2011-09-07 10:55 . 2011-09-16 00:02 -------- d-----w- c:\program files\Adobe Download Assistant
    2011-09-06 16:01 . 2011-09-06 16:01 -------- d-----w- c:\users\P-jizzle\AppData\Roaming\PDAppFlex
    2011-09-06 15:59 . 2011-09-07 11:57 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    2011-09-06 15:15 . 2011-09-06 15:15 -------- d-----w- c:\users\P-jizzle\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
    2011-08-27 15:55 . 2011-08-27 15:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-12 02:44 . 2011-08-24 00:12 7152464 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5CE807D-FE57-4A93-A51B-19C26343E448}\mpengine.dll
    2011-08-11 18:44 . 2011-08-26 21:16 7152464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-07-22 04:56 . 2011-08-10 14:24 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-07-16 04:37 . 2011-08-10 14:23 169984 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-16 04:34 . 2011-08-10 14:23 290816 ----a-w- c:\windows\system32\KernelBase.dll
    2011-07-16 04:31 . 2011-08-10 14:23 271360 ----a-w- c:\windows\system32\conhost.exe
    2011-07-16 04:19 . 2011-08-10 14:23 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
    2011-07-16 02:21 . 2011-08-10 14:23 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:21 . 2011-08-10 14:23 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:21 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:21 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2011-07-09 13:44 . 2011-07-09 13:44 29184 ----a-r- c:\users\P-jizzle\AppData\Roaming\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
    2011-07-09 04:30 . 2011-08-24 00:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-07-09 02:26 . 2011-08-10 14:24 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-07-07 09:30 . 2011-04-23 22:20 2301208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-07-07 09:30 . 2010-10-16 18:43 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-06-30 22:16 . 2010-10-16 18:43 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2011-06-30 22:16 . 2011-03-23 11:28 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-09-03 06:18 . 2011-09-12 22:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-01-29 3179952]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-28 149280]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    .
    c:\users\P-jizzle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R1 MpKsl3f6e9e65;MpKsl3f6e9e65;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7FEA25B-064D-4E2C-8179-4665BE556DB2}\MpKsl3f6e9e65.sys [x]
    R1 MpKsl7b6da6bd;MpKsl7b6da6bd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7FEA25B-064D-4E2C-8179-4665BE556DB2}\MpKsl7b6da6bd.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-09-08 47360]
    R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-24 1343400]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-27 691696]
    S1 MpKsl552df885;MpKsl552df885;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\MpKsl552df885.sys [2011-09-26 28752]
    S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [2008-02-19 537256]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL552DF885
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: tvcatchup.com
    Trusted Zone: tvcatchup.com
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\P-jizzle\AppData\Roaming\Mozilla\Firefox\Profiles\rlc8f4j8.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-AdobeBridge - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3569515612-4175067792-3796432290-1001_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):e4,26,63,70,90,df,2e,d3,af,22,b3,39,88,c8,b8,d9,e7,cb,35,36,e4,
    10,fb,3d,a6,60,1b,f8,12,ca,a6,15,13,fa,57,b2,29,de,c8,70,00,00,00,00,00,00,\
    .
    [HKEY_USERS\S-1-5-21-3569515612-4175067792-3796432290-1001_Classes\CLSID\{bf97f5d2-492f-4a1f-9801-08764a99c3c0}]
    @Denied: (Full) (Everyone)
    @Allowed: (Read) (RestrictedCode)
    "Model"=dword:000000ef
    "Therad"=dword:0000001d
    "MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
    1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-09-26 14:14:16
    ComboFix-quarantined-files.txt 2011-09-26 13:14
    .
    Pre-Run: 151,062,781,952 bytes free
    Post-Run: 151,333,388,288 bytes free
    .
    - - End Of File - - 5BB89289A0752D75939C49374F872B37




    ESET Log:

    C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
    C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba a variant of Win32/Kryptik.SVJ trojan
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 a variant of Java/Agent.DP trojan
    C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
    C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
    C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan


    Thanks again for your help!
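Editor's note on the ComboFix log above: the `[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]` block shows `EnableLUA= 0`, `ConsentPromptBehaviorAdmin= 0` and `PromptOnSecureDesktop= 0`, which together mean User Account Control is switched off on this Windows 7 machine (the SUPERAntiSpyware log later in the thread confirms it: "UAC Off - Administrator"). With the browser and Java running as a full administrator, a drive-by exploit like the Pdfjsc and Java/Agent detections in this thread lands with administrator rights. The following script is an added example, not part of ComboFix or of any tool used in the thread: it parses the "Reg Loading Points" excerpt, lists the autostart entries under the Run keys, and flags UAC policy values that are weaker than the Windows 7 defaults. The value meanings are Microsoft's documented UAC policy settings; the sample text is copied from the log posted above.

```python
"""Audit a ComboFix 'Reg Loading Points' excerpt for weakened UAC policy.

Added example for this thread, not part of ComboFix or any forum tool.
The value meanings below are Microsoft's documented UAC policy settings;
the sample text is copied from the log posted above.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+?)\s*$')
RUN_VALUE_RE = re.compile(r'^"(?P<cmd>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
POLICY_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system"
RUN_KEY_SUFFIX = r"\currentversion\run"

# Copied from the ComboFix log in this thread (only the lines the audit needs).
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-01-29 3179952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

# value name -> (predicate that holds for a safe value, what a failing value means)
UAC_CHECKS = {
    "EnableLUA": (lambda v: v == 1,
                  "UAC is switched off; every process of an administrator runs fully elevated"),
    "ConsentPromptBehaviorAdmin": (lambda v: v != 0,
                  "administrators are elevated silently, with no consent or credential prompt"),
    "PromptOnSecureDesktop": (lambda v: v == 1,
                  "elevation prompts appear on the normal desktop, where user-mode code can spoof them"),
}


def parse_loading_points(text):
    """Return {registry_key: {value_name: raw_value}} for the [HKEY...] blocks in the excerpt."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value")
    return sections


def _dword(raw):
    """ComboFix prints DWORDs as '0 (0x0)'; the leading decimal is the value."""
    return int(raw.split()[0])


def audit_uac(sections):
    """List findings for UAC policy values that are weaker than the Windows 7 defaults."""
    findings = []
    for key, values in sections.items():
        if not key.lower().endswith(POLICY_KEY_SUFFIX):
            continue
        for name, (is_safe, meaning) in UAC_CHECKS.items():
            if name in values:
                value = _dword(values[name])
                if not is_safe(value):
                    findings.append(f"{name}={value}: {meaning}")
    return findings


def run_entries(sections):
    """Return (key, value_name, command) for every autostart under ...\\CurrentVersion\\Run."""
    entries = []
    for key, values in sections.items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, raw in values.items():
            m = RUN_VALUE_RE.match(raw)
            entries.append((key, name, m.group("cmd") if m else raw))
    return entries


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE)
    for key, name, cmd in run_entries(parsed):
        print(f"autostart  {name:28s} {cmd}")
    for finding in audit_uac(parsed) or ["UAC policy at defaults"]:
        print("finding   ", finding)
```

Run against the excerpt above it reports all three weakened values; against a machine at defaults (`EnableLUA=1`, `ConsentPromptBehaviorAdmin=5`, `PromptOnSecureDesktop=1`) it reports nothing. `ConsentPromptBehaviorUser=3` is the default (prompt a standard user for credentials) and is deliberately not flagged.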
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I'm running 3 days behind!

    The viperfiles site is a warez site: Warez refers primarily to copyrighted works distributed without fees or royalties, and may be traded, in general violation of copyright law. So that will be piracy.

    For Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      
      :Files 
      C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi 
      C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi 
      C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba 
      C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 
      C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
      C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
      C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ====================================
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    ====================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
    ====================================
    I'll be back with script for Combofix.
     
  9. pjizzle

    pjizzle TS Rookie Topic Starter

    All processes killed
    Error: Unable to interpret <C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi > in the current context!
    Error: Unable to interpret <C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi > in the current context!
    Error: Unable to interpret <C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba > in the current context!
    Error: Unable to interpret <C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 > in the current context!
    Error: Unable to interpret <C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.Deleted > in the current context!
    Error: Unable to interpret <C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.Deleted > in the current context!
    Error: Unable to interpret <C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.Deleted\ > in the current context!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56468 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: P-jizzle
    ->Temp folder emptied: 1688953 bytes
    ->Temporary Internet Files folder emptied: 2143822728 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 26192833 bytes
    ->Apple Safari cache emptied: 20119552 bytes
    ->Flash cache emptied: 3197866 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3826 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 2,093.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 10012011_180607

    Files moved on Reboot...
    File C:\Users\P-jizzle\AppData\Local\Temp\flaFC67.tmp not found!
    File C:\Users\P-jizzle\AppData\Local\Temp\~DF16983220160AAB59.TMP not found!
    File C:\Users\P-jizzle\AppData\Local\Temp\~DF2A4EF2ED5D3642BE.TMP not found!
    File C:\Users\P-jizzle\AppData\Local\Temp\~DF606B35E61204BFE7.TMP not found!
    File C:\Users\P-jizzle\AppData\Local\Temp\~DFFE8EAE06FBB09552.TMP not found!

    Registry entries deleted on Reboot...


    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
    c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
    c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
    c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
    c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
    c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
    c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
    c:\users\p-jizzle\favorites\adobe dreamweaver cs4 final + keygen + portable warez-bb.org.url
    c:\users\p-jizzle\favorites\adobe dreamweaver cs4 full ~ 345mb ~ keygen ~ installation warez-bb.org.url
    c:\users\p-jizzle\favorites\adobe photoshop cs4 extended final + keygen + portable warez-bb.org.url
    c:\users\p-jizzle\favorites\[mu-fs] avatar [eng]+[multi 7] [2009] 1gb-4dl+keygen warez-bb.org.url
    c:\windows.old\users\p-jizzle\documents\downloads\compressed\wallpaper_pack_keygen.rar
    c:\windows.old\users\p-jizzle\favorites\adobe dreamweaver cs4 final + keygen + portable warez-bb.org.url
    c:\windows.old\users\p-jizzle\favorites\adobe photoshop cs4 extended final + keygen + portable warez-bb.org.url
    scanner sequence 3.JD.11.GQAPTI
    ----- EOF -----
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you want to continue support, please remove the pirated programs:
    Adobe Photoshop CS4
    Adobe Dreamweaver

    And any warez links.
     
  11. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi Bobbye,

    Latest CKS log:

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.HSABIE
    ----- EOF -----

    Thanks
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, you're getting there. Please update and run the Eset scan again so we can make sure none of those infected entries remain.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download link for the ESET Smart Installer. Save it to your desktop.
      [o] Double-click the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    Please post the entire log.
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  13. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi,

    Please see ESET log below:

    C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
    C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
    C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
    C:\_OTM\MovedFiles\10012011_180012\C_ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
    C:\_OTM\MovedFiles\10012011_180012\C_Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba a variant of Win32/Kryptik.SVJ trojan
    C:\_OTM\MovedFiles\10012011_180012\C_Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 a variant of Java/Agent.DP trojan


    Note: I have already deleted the top one, the strange thing is I couldn't actually see it on my desktop.
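Editor's note on the ESET log above: the last three entries are under `C:\_OTM\MovedFiles\10012011_180012\`, which is where OTM put the files it moved in the previous step, so ESET is rescanning the tool's own backup copies rather than finding new infections; two more are under `C:\Windows.old\`, a leftover of the earlier reinstall; and only one (`C:\Users\P-jizzle\Desktop\...\CS4MCLG.EXE`) sits on the running installation. Sorting detections by location this way is the first thing a responder does before deciding what still needs removing. The script below is an added example, not ESET's or OTM's code: it parses ESET's `<path> <verdict>` lines, folds the `C:\Users\All Users` junction onto `C:\ProgramData` (on Vista and 7 they are the same directory, which is why the first ESET log reported `Registry Reviver.msi` twice), and buckets each file. The sample lines are copied from the ESET logs in this thread; the quarantine folder names are assumptions noted in the code.

```python
"""Triage ESET Online Scanner detections by where the file lives.

Added example for this thread, not part of ESET or any tool used here. The
sample lines are copied from the ESET logs posted in this thread. The folder
names treated as quarantine are assumptions stated in the comments.
"""
import re

# '<path> <verdict>': paths may contain spaces, so the verdict pattern anchors the split.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ [a-z ]+)$"
)

# Copied from the ESET logs posted in this thread.
SAMPLE_LOG = r"""
C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba a variant of Win32/Kryptik.SVJ trojan
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 a variant of Java/Agent.DP trojan
C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\_OTM\MovedFiles\10012011_180012\C_ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\_OTM\MovedFiles\10012011_180012\C_Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba a variant of Win32/Kryptik.SVJ trojan
C:\_OTM\MovedFiles\10012011_180012\C_Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 a variant of Java/Agent.DP trojan
"""

# Assumed quarantine/backup folders: OTM's MovedFiles (seen in this thread) and
# ComboFix's Qoobox quarantine (not shown in this thread's logs).
QUARANTINE_MARKERS = ("\\_otm\\movedfiles\\", "\\_otmoveit\\movedfiles\\", "\\qoobox\\quarantine\\")
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"
ALL_USERS_PREFIX = "c:\\users\\all users\\"   # junction to C:\ProgramData on Vista/7


def parse_line(line):
    """Split one ESET result line into (path, verdict); verdict is '' if the line is unrecognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return line.strip(), ""
    return m.group("path"), m.group("verdict")


def canonical_path(path):
    """Fold the 'C:\\Users\\All Users' junction onto C:\\ProgramData so one file is not counted twice."""
    if path.lower().startswith(ALL_USERS_PREFIX):
        return "C:\\ProgramData\\" + path[len(ALL_USERS_PREFIX):]
    return path


def classify(path):
    """Where the detected file sits; order matters, a quarantined Java-cache copy is still quarantine."""
    lower = path.lower()
    if any(marker in lower for marker in QUARANTINE_MARKERS):
        return "quarantine"      # already moved by a cleanup tool, rescanned in its backup folder
    if lower.startswith("c:\\windows.old\\"):
        return "windows.old"     # left behind by the reinstall; inert unless someone runs it
    if JAVA_CACHE_MARKER in lower:
        return "java-cache"      # a JAR/class the browser plug-in downloaded, i.e. an exploit attempt
    return "live"                # on the running install: the category that needs removal first


def triage(log_text):
    """Return {category: [(path, verdict), ...]} with junction duplicates folded away."""
    result = {"live": [], "windows.old": [], "java-cache": [], "quarantine": []}
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        path, verdict = parse_line(line)
        path = canonical_path(path)
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        result[classify(path)].append((path, verdict))
    return result


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category:12s} {len(hits)}")
        for path, verdict in hits:
            print(f"    {verdict:48s} {path}")
```

On the sample the buckets come out as two live files, two copies under Windows.old, two Java cache downloads and three quarantine copies; the two `Registry Reviver.msi` lines collapse to one. Java cache entries are worth keeping separate: they show an exploit was delivered through the plug-in, which is the likely source of the redirects and the Autorun worm the first post describes, even after the cached files themselves are gone.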
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    ========================
    There are new entries in Eset from the same source> ADCS4.Kg.Viper3773
    This is a keygen for CS4. Please remove all entries for this file and CS4 as it is pirated.

    From Microsoft:.
    ======================================
    Last time:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
      C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
      C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log).
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  15. pjizzle

    pjizzle TS Rookie Topic Starter

    I'm not sure why Eset has discovered 'New entries' as I have hardly used this machine since the virus started and have most definitely not installed any new programs as advised by this forum.

    I have deleted the files now but when I try to run OTM the following message appears:

    "Invalid time flag! [ www.theviperfiles.com\Collect...al\CS4MCLG.EXE
    Must be numerical"

    I then click OK and the screen is empty including the windows taskbar so I have to restart the computer via control, alt, delete. Any ideas why this is happening?
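Editor's note on the OTM failures in posts 9 and 15: the `:Files` entries in the posted script differ from the paths in the ESET log. `ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE` became `ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE`, with an inserted `http://` and a shortened middle segment, which is what forum link formatting does to a long string that looks like a URL. A path list handed to a tool that moves or deletes files has to be exact, and the `...` cannot be reconstructed from the posted text. The script below is an added example, not OTM's code, and makes no claim about how OTM's own parser behaves: it splits an OTM-style script into its `:Files` and `:Commands` sections and rejects any file entry that is not a plain absolute Windows path, naming the reason. The sample is the clean first entry and the garbled entry from the script above.

```python
"""Pre-flight check for a path list before pasting it into a file mover/deleter such as OTM.

Added example for this thread, not part of OTM. The garbled entry is the one
from the script posted above, after the forum turned 'www.theviperfiles.com'
into a link and shortened the folder name to 'Collect...al'. How OTM parses
these is not documented here; the check rejects anything that is not an exact
absolute Windows path.
"""
import re

# Drive letter, colon, backslash, then characters Windows allows in a path (no second ':').
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^:*?"<>|]+$')

# Copied from the OTM script in this thread: one clean entry, one garbled one.
SAMPLE_SCRIPT = r"""
:Files
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba
C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE
:Commands
[emptytemp]
[Reboot]
"""


def split_script(text):
    """Return {section: [lines]} for an OTM-style script with ':Files' / ':Commands' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def problems_for(entry):
    """List what is wrong with one ':Files' entry; an empty list means it is safe to submit."""
    found = []
    if "..." in entry:
        found.append("truncated: the forum shortened the name; the real folder cannot be recovered from this text")
    if "://" in entry:
        found.append("url-mangled: a forum auto-link inserted a scheme into the folder name")
    if entry.count(":") > 1:
        found.append("extra colon: only the drive letter may be followed by ':'")
    if not ABS_PATH_RE.match(entry):
        found.append("not an absolute drive path")
    return found


def check_files(text):
    """Return [(entry, [problems])] for every ':Files' entry that must not be submitted as-is."""
    bad = []
    for entry in split_script(text).get("files", []):
        probs = problems_for(entry)
        if probs:
            bad.append((entry, probs))
    return bad


if __name__ == "__main__":
    for entry, probs in check_files(SAMPLE_SCRIPT):
        print(entry)
        for p in probs:
            print("   -", p)
```

The right fix for a rejected entry is to re-copy the path from the scanner log (or from a `dir /s /b` listing on the machine) rather than to guess at the missing characters; a `:Files` list with a wrong path at best does nothing and at worst moves the wrong file.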
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Apparently the source of the malware is still on the system. You will need to remove all software gathered through warez, including the programs you pirated.
     
  17. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi,

    I'm still receiving the same 'invalid time' message and I also now have several short cut files everywhere and several 'desktop.ini' files in random folders.

    I have tried a number of searches to find these files and they do not seem to exist anymore so not sure why the invalid time message is still occurring when trying to run OTM.

    I have even deleted legit versions of CS5 and completely removed the desktop folder under 'windows.old'.

    Is this the only virus I have left?
    Can I also ask why we Unchecked 'Remove found threats' when running the ESET scan?

    Thanks for your help so far.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can. It's because I use OTM to remove them, which also removes other unneeded files in the system, including temporary internet files.

    Please right click on the Clock, lower right> Adjust Date/Time, make sure all of the settings are correct and on the Internet Time tab, click on Check now.
    =========================================
    Click on Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the Lock Desktop Items box if it is checked> Apply> OK> Close.
    =========================================
    Click on Start> Control Panel> Folder Options> View tab> Check 'don't show hidden files & folders'> Check 'hide protected system files (Recommended)> Apply> OK
    =======================================
    Reboot the computer and see if the desktop.ini files are gone.
     
  19. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi again,

    When I follow your instruction for the clock, it says on the internet time tab - "this computer is set to automatically synchronize with 'time.windows.com'." and there is no option to 'check now'.

    I also tried following your instructions for step two, but once I get to Control Panel I do not have the option to select 'Display'. Is this because I'm using Windows 7?
     
  20. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi,

    I managed to find 'Folder Options' tab in regards to the 3rd step you gave me and now the desktop.ini files and other short cut files have gone so thanks for that. :D

    Just the malware issue now. Is this the only virus I have now, 'ADCS4.Kg.Viper3773'?
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Click on Update now to the right of the server name box.
    --------------------------
    Sorry, I can't find the corresponding function for Desktop> Customize Desktop> Web tab in Win 7. But if the desktop.ini is gone, you should be okay. Sometimes I forget to check which OS I'm working with!
    ==================================
    It's not just a question of getting rid of this one item: If you have any shortcuts like bookmarks or favorites for theviperfiles, they need to be deleted. Any sites you have saved for warez downloads need to be removed.

    Then I'd like you to uninstall OTM. Reboot the computer and run a new Eset scan.
     
  22. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi again,

    I was unable to run the previous 'move it' request on OTM but I have now uninstalled OTM and run a new ESET scan.

    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-420f4b4b a variant of Java/Agent.DT trojan
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-4da28a2d a variant of Java/Agent.DT trojan
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-731c5ca3 a variant of Java/Agent.DT trojan
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-753451fc a variant of Java/Agent.DT trojan
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-7879bf96 a variant of Java/Agent.DT trojan


    Is the java trojan related to the previous warez virus?

    Thanks for your help
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't know the source for these entries, but they are in the Java cache. This usually happens when there is/are outdated Java on the system. If you updated Java and cleared the cache as previously instructed, then the source of the malware is still on the system:

    Clear the cache again. Reboot, then run the Eset scan,

    ======================================
    Have you removed all shortcuts, bookmarks, history, Cookies connected to the warez downloads? Let's check>>> be sure to check the line to remove the entries found:

    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
    • Superantispyware will now scan your computer, when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you've done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the notepad file here on your reply
     
  24. pjizzle

    pjizzle TS Rookie Topic Starter

    Hi Bobbye,

    I cleared the cache again and ran the ESET scan which returned no viruses. I think the computer is clean now, here is the SUPERAntiSpyware log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/28/2011 at 01:36 PM

    Application Version : 5.0.1134

    Core Rules Database Version : 7846
    Trace Rules Database Version: 5658

    Scan type : Complete Scan
    Total Scan Time : 00:41:32

    Operating System Information
    Windows 7 Professional 32-bit (Build 6.01.7600)
    UAC Off - Administrator

    Memory items scanned : 680
    Memory threats detected : 0
    Registry items scanned : 38244
    Registry threats detected : 0
    File items scanned : 50823
    File threats detected : 2

    Adware.Tracking Cookie
    C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\AQ8ZBZMQ.txt [ /careers.peopleclick.com ]
    C:\USERS\P-JIZZLE\Cookies\AQ8ZBZMQ.txt [ Cookie:p-jizzle@careers.peopleclick.com/ ]

    Thanks
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, but you're still getting Tracking Cookies, so do this first:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    ===============================
    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o]The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
    Images courtesy lytebyte.

    Empty the Recycle Bin
    ==========================================
    Just a comment about pirating programs: Doing this is like breaking and entering and stealing merchandise. The only differences are that there are sites like Warez and torrent sites that give you the 'key' to open the door and no one 'sees' you steal! ALL pirating comes with a malware price!
     