Resolved "Zentom Security Guide" malware


NoobAtTheMouse

So I was just browsing around on YouTube when suddenly a program opened on my desktop called "Zentom Security". I instantly unplugged my Ethernet cable and spent around 3 hours going through files and folders deleting anything that was related to this program. I then opened Task Manager to see if there was anything running in the background, and as soon as it opened (IT CLOSED INSTANTLY). So I opened regedit to inspect some other files and see if the Task Manager registry value was set to anything other than "0" and, surprise surprise, it did the same as Task Manager.
I tried rebooting into safe mode and it did exactly the same thing, which I thought was strange, so I downloaded HijackThis, Spybot S&D and CWShredder, as I read that in another thread in this forum.
I installed all of them and all worked fine... "AT FIRST". Spybot is still working fine as I type; HijackThis was scanning when it suddenly closed at around 35%, CWShredder closed at about 52%, and both of them gave the same error message when I tried to run them again:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"

I am the only user on my PC and I'm the administrator, so why can't I get access to them?

Any help would be very much appreciated.

Thanks, Dan aka NoobAtTheMouse
 
Welcome to TechSpot! I have changed the subject of your thread to something more suitable.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs, except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Just wanted to check whether you want me to post log files as soon as one completes, or do all scans and post them together.

PS: The AVG scan was running as I posted my first thread; it's currently at 96% and has found 5 threats so far. I will post a log file when it completes, if it saves one.
 
This is the AVG scan.

This was the AVG scan that was in progress before I posted; sorry if it counts as double posting.


"Scan ""Whole computer scan"" completed."
"Infections";"21";"21";"0"
"Warnings";"507";"507";"0"
"Folders selected for scanning:";"Whole computer scan"
"Scan started:";"08 October 2011, 20:09:30"
"Scan finished:";"08 October 2011, 22:08:29 (1 hour(s) 58 minute(s) 58 second(s))"
"Total object scanned:";"2465982"
"User who launched the scan:";"Andy"

"Infections"
"";"File";"Infection";"Result"
"";"C:\Users\andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1fa0057e-739e9812";"Trojan horse Java/Exploit.IZ";"Moved to Virus Vault"
"";"C:\Users\andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1fa0057e-739e9812:\glass\lulux.class";"Trojan horse Java/Exploit.IZ";"Moved to Virus Vault"
"";"C:\Users\andy\Desktop\Release - EvilHook V1\EvilHookv1.exe";"Trojan horse BackDoor.Generic12.BMNM";"Moved to Virus Vault"
"";"C:\Users\andy\Downloads\EvilHookv1.zip";"Trojan horse BackDoor.Generic12.BMNM";"Moved to Virus Vault"
"";"C:\Users\andy\Downloads\EvilHookv1.zip:\Release - EvilHook V1\EvilHookv1.exe";"Trojan horse BackDoor.Generic12.BMNM";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-76a307bd";"Trojan horse Java/Exploit.EO";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-7ccb00e1";"Trojan horse Java/Downloader.DW";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\4ff6a7d8-141afa0d";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\4ff6a7d8-141afa0d:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\5070075d-310ac836";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\5070075d-310ac836:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\1ef03c5f-49bd6963";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\1ef03c5f-49bd6963:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\17475c66-4c7a68ee";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\17475c66-4c7a68ee:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1aa0963e-7f8afcdf";"Trojan horse Generic22.DKS";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3ce9e9c8-2813c6e4";"Trojan horse Generic22.LRW";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3ce9e9c8-4ceeeab3";"Trojan horse Generic22.LRW";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3OZ1SYZ\inthego21[1].htm";"Virus found HTML/Framer";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z0C1BTOG\1e31f[1].pdf";"Virus identified Exploit.PDF.gen";"Moved to Virus Vault"
"";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z0C1BTOG\inthego21[1].htm";"Virus found HTML/Framer";"Moved to Virus Vault"
 
Sorry for posting so many times, but I just installed Malwarebytes and GMER and I'm getting the same error as each one tries to scan:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"

Now I'm starting to get worried; it seems that whatever I try to use to defeat the virus, the virus infects the programs themselves.
 
Well, sorry, but this is all that would work for me. I unplugged my Ethernet cable and closed all the programs that I could without Task Manager, so here it is:

DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_22
Run by andy at 23:29:28 on 2011-10-08
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.1113 [GMT 1:00]
.
AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
mStart Page = about:blank
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.6\youtubedownloaderToolbarIE.dll
uWinlogon: Shell=explorer.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.6\youtubedownloaderToolbarIE.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.6\youtubedownloaderToolbarIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [*apisrvdebug.exe] "c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\apisrvdebug.exe"
mRun: [<NO NAME>]
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFaUDItUko3UFItN0dOTVUtQUJMRTYtVFBRQ0ktNg"&"inst=NzYtOTQxMDY3ODQyLVNUMTJGT0krMS1ERFQrMC1TVDEyQVBQKzEtRVVMQSsx"&"prod=94"&"ver=2012.0.1831"&"mid=3f0ce54b27e447d1ab09d15e77db6c75-91dbc6ec60053b57d00d45615f418951813a78fc
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {063F7D71-5E0B-48F2-87D5-F63C5917947E} - hxxp://ahnlabdownload.nefficient.co.kr/aos/plugin/aosmgr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E}
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9334370E-664D-41E7-A183-CEE0649B51D8} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andy\appdata\roaming\mozilla\firefox\profiles\2qlrmpqr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.sky.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B2a71c541-d91b-4a62-8340-90166abfd1f1%7D&mid=3f0ce54b27e447d1ab09d15e77db6c75-91dbc6ec60053b57d00d45615f418951813a78fc&ds=AVG&v=8.0.0.34.1&lang=en&pr=pr&d=2011-10-08%2019%3A47%3A08&sap=ku&q=
FF - plugin: c:\program files\battlelog web plugins\0.80.0\npesnlaunch.dll
FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.0\npesnsonar.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
FF - plugin: c:\users\andy\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\andy\appdata\roaming\mozilla\firefox\profiles\2qlrmpqr.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-8-17 402328]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-3 21504]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-9-29 2253120]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-20 1153368]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-8 41272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-10-3 21504]
S3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [2005-12-4 34944]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2010-10-3 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2010-10-3 79360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-1 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-1 135664]
S4 ServicepointService;ServicepointService;"c:\program files\virgin media\hub\servicepointservice.exe" --> c:\program files\virgin media\hub\ServicepointService.exe [?]
.
=============== Created Last 30 ================
.
2011-10-08 22:23:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-08 22:22:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 22:22:37 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-08 22:11:47 -------- dc----w- c:\program files\Avira
2011-10-08 22:02:54 209408 -c--a-w- c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\apisrvdebug.exe
2011-10-08 19:08:41 -------- dc----w- c:\users\andy\appdata\roaming\AVG
2011-10-08 18:47:02 -------- dc-h--w- c:\programdata\Common Files
2011-10-08 18:45:14 -------- dc----w- c:\programdata\AVG2012
2011-10-08 18:44:27 -------- dc----w- c:\program files\AVG
2011-10-08 18:39:46 -------- dc----w- c:\program files\Trend Micro
2011-10-08 18:39:22 -------- dc----w- c:\programdata\MFAData
2011-09-30 20:55:09 -------- dc----w- c:\program files\PopCap Games
2011-09-29 16:07:20 -------- dc----w- c:\users\andy\appdata\roaming\RIFT
2011-09-29 16:06:53 -------- dc----w- c:\program files\RIFT Game
2011-09-29 15:37:33 -------- dc----w- c:\program files\GameShadow
2011-09-29 14:54:36 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-09-29 14:54:30 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-09-29 14:50:18 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-09-29 14:50:18 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-09-29 14:50:18 5576000 ----a-w- c:\windows\system32\nvcuda.dll
2011-09-29 14:50:18 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-09-29 14:50:18 18870592 ----a-w- c:\windows\system32\nvoglv32.dll
2011-09-29 14:50:18 10318656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-09-29 14:50:17 61248 ----a-w- c:\windows\system32\OpenCL.dll
2011-09-29 14:50:17 2401088 ----a-w- c:\windows\system32\nvcuvid.dll
2011-09-29 14:50:17 17248576 ----a-w- c:\windows\system32\nvcompiler.dll
2011-09-29 14:30:33 -------- dc----w- c:\program files\Battlelog Web Plugins
2011-09-29 14:28:24 -------- dc----w- c:\programdata\EA Core
2011-09-29 14:25:27 -------- dc-h--w- c:\program files\common files\EAInstaller
2011-09-28 20:46:09 -------- dc----w- c:\users\andy\appdata\roaming\Origin
2011-09-28 20:46:06 -------- dc----w- c:\users\andy\appdata\local\Origin
2011-09-28 20:45:45 -------- dc----w- c:\program files\Origin Games
2011-09-28 20:45:21 -------- dc----w- c:\program files\Origin
2011-09-27 18:29:29 -------- dc----w- c:\program files\Application Updater
2011-09-27 18:29:27 -------- dc----w- c:\program files\YouTube Downloader Toolbar
2011-09-27 18:29:27 -------- dc----w- c:\program files\common files\Spigot
2011-09-27 18:28:45 -------- dc----w- c:\programdata\YouTube Downloader
2011-09-27 18:27:57 -------- dc----w- c:\program files\YouTube Downloader
2011-09-26 12:14:20 -------- dc----w- c:\program files\Activision
2011-09-23 02:12:10 -------- dc----w- c:\users\andy\My Videos
2011-09-21 17:10:57 138160 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-21 17:10:34 271200 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-21 17:10:33 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-09-19 11:29:38 -------- dc----w- c:\programdata\Steam
2011-09-16 12:33:54 2106216 -c--a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-16 12:33:53 1998168 -c--a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-16 02:00:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-09-15 08:37:18 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-09-15 08:33:15 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-09-15 08:33:12 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-15 08:33:05 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-15 08:32:43 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-15 07:36:20 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-09-15 07:36:20 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2011-10-06 15:45:11 271200 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-09-29 14:25:10 138056 -c--a-w- c:\users\andy\appdata\roaming\PnkBstrK.sys
2011-09-22 22:40:00 6350144 ----a-w- c:\windows\system32\nvcpl.dll
2011-09-22 22:40:00 3840832 ----a-w- c:\windows\system32\nvsvc.dll
2011-09-22 22:40:00 2458432 ----a-w- c:\windows\system32\nvapi.dll
2011-09-22 22:40:00 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-09-22 22:40:00 13200704 ----a-w- c:\windows\system32\nvd3dum.dll
2011-09-22 22:40:00 123712 ----a-w- c:\windows\system32\nvshext.dll
2011-09-22 22:40:00 1136448 ----a-w- c:\windows\system32\nvvsvc.exe
2011-08-12 14:49:54 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-07-23 11:04:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: WDC_WD3200JB-00KFA0 rev.08.05J08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AD71340]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x86050912] -> \Device\Harddisk0\DR0[0x89171AC8]
3 CLASSPNP[0x8BF9E8B3] -> ntkrnlpa!IofCallDriver[0x86050912] -> [0x8ACCD340]
\Driver\00001146[0x8ACCD478] -> IRP_MJ_CREATE -> 0x8AD71340
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskWDC_WD3200JB-00KFA0_____________________08.05J08#5&341e3395&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 23:30:22.75 ===============
Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 03/01/2006 09:23:52
System Uptime: 08/10/2011 23:00:17 (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A8N-SLI SE
Processor: AMD Athlon(tm) 64 Processor 3000+ | Socket 939 | 1809/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 47.253 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\PNPB006\3&2411E6FE&0
Manufacturer:
Name:
PNP Device ID: ACPI\PNPB006\3&2411E6FE&0
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
AC3Filter 1.63b
Adobe Acrobat 5.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Akamai NetSession Interface
µTorrent
Battlefield 2(TM)
Battlefield 3™ Open Beta
Battlefield Heroes
Battlelog Web Plugins
BitLord v2.0
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
ConvertXtoDVD 3.3.0.96
Counter-Strike: Source
DivX Setup
ESN Sonar
GameShadow V3.1
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 22
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.2.1300
Medal of Honor Allied Assault
Medal of Honor Allied Assault(tm) Spearhead
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
MobileMe Control Panel
Mozilla Firefox 7.0.1 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Neffy 1,3,29,0
NVIDIA Control Panel 285.38
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA Graphics Driver 285.38
NVIDIA Install Application
NVIDIA Update 1.5.20
NVIDIA Update Components
Origin
Peggle Extreme
Project64 1.6
PunkBuster Services
QuickTime
Realtek AC'97 Audio
RIFT
RPS CRT
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Silkroad
Sky Broadband Browser Branding
Sky Go Desktop
Skype Toolbars
Skype™ 4.2
Source SDK Base 2006
Spybot - Search & Destroy
Steam
System Requirements Lab
TeamSpeak 2 RC2
TuneUp Utilities 2008
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
USB Storage Driver
VC_MergeModuleToMSI
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6d
Virgin Media Service Manager 3.7.47
Virtual DJ Home Edition - Atomix Productions
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
World of Tanks closed Beta v.0.6.3.8
YouTube Downloader 3.3
YouTube Downloader Toolbar v4.6
Z Engine
Zentom System Guard
Zuma's Revenge!
.
==== Event Viewer Messages From Past Week ========
.
08/10/2011 23:03:03, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
08/10/2011 23:02:42, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1057] - The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was Key not valid for use in specified state. .
08/10/2011 23:02:40, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
08/10/2011 23:02:31, Error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: Access is denied.
08/10/2011 23:02:17, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
08/10/2011 22:23:09, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0017313F8586. The following error occurred: The wait operation timed out.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
08/10/2011 21:02:22, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {56EA1054-1959-467F-BE3B-A2A787C4B6EA}. The error: "50" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
08/10/2011 19:58:25, Error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 2 time(s).
08/10/2011 19:47:51, Error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
08/10/2011 19:05:41, Error: Microsoft-Windows-WMPNSS-Service [14322] - Service 'WMPNetworkSvc' did not start correctly because MFStartup encountered error '0xc00d36ef'. If possible, reinstall Windows Media Player.
08/10/2011 19:02:57, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt spldr
08/10/2011 19:02:51, Error: Service Control Manager [7023] -
08/10/2011 19:02:51, Error: Service Control Manager [7000] - The Link-Layer Topology Discovery Responder service failed to start due to the following error: The driver was not loaded because the system is booting into safe mode.
08/10/2011 19:02:51, Error: Service Control Manager [7000] - The Link-Layer Topology Discovery Mapper I/O Driver service failed to start due to the following error: The driver was not loaded because the system is booting into safe mode.
08/10/2011 18:53:38, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
08/10/2011 18:52:22, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt spldr Wanarpv6
08/10/2011 18:52:22, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
08/10/2011 18:52:22, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
08/10/2011 18:52:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
08/10/2011 18:52:06, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
08/10/2011 18:51:56, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
08/10/2011 18:51:47, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
08/10/2011 18:51:38, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
08/10/2011 18:51:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
08/10/2011 18:24:50, Error: Service Control Manager [7031] - The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
08/10/2011 18:24:39, Error: Service Control Manager [7034] - The NVIDIA Update Service Daemon service terminated unexpectedly. It has done this 1 time(s).
08/10/2011 18:23:27, Error: Service Control Manager [7034] - The Application Updater service terminated unexpectedly. It has done this 1 time(s).
08/10/2011 17:49:20, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.
08/10/2011 17:31:27, Error: EventLog [6008] - The previous system shutdown at 17:28:31 on 08/10/2011 was unexpected.
03/10/2011 11:44:58, Error: Service Control Manager [7034] - The SBSD Security Center Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
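The Event Log errors above close the DDS log. As an added example, not from the thread and not part of the DDS tool, the PowerShell below parses lines in that format and pulls out Service Control Manager 7031/7034 events (service terminated unexpectedly) for services that belong to security products, which is the pattern worth checking first when a user reports scanners being closed on them. The sample lines are copied from the log above; the function names, the list of security service names and the dd/MM/yyyy date assumption are mine. Requires PowerShell 3 or later.

```powershell
# Added example, not from the thread or from the DDS tool: parse lines in the
# "Event Log errors" format above and surface Service Control Manager 7031/7034
# events (service terminated unexpectedly) for services that belong to security
# products. Sample lines are copied from the log above. Requires PowerShell 3+.
$sample = @'
08/10/2011 19:58:25, Error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 2 time(s).
08/10/2011 19:47:51, Error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
08/10/2011 19:02:51, Error: Service Control Manager [7000] - The Link-Layer Topology Discovery Responder service failed to start due to the following error: The driver was not loaded because the system is booting into safe mode.
08/10/2011 18:24:50, Error: Service Control Manager [7031] - The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
03/10/2011 11:44:58, Error: Service Control Manager [7034] - The SBSD Security Center Service service terminated unexpectedly. It has done this 1 time(s).
'@

function ConvertFrom-DdsEventLine {
    param([string[]]$Lines)
    $rx = '^(?<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?<level>\w+): (?<source>.+?) \[(?<id>\d+)\] - (?<msg>.*)$'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            [pscustomobject]@{
                # Assumption: the log was written on a UK-locale box, so dates are dd/MM/yyyy.
                Time    = [datetime]::ParseExact($Matches['ts'], 'dd/MM/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
                Level   = $Matches['level']
                Source  = $Matches['source']
                EventId = [int]$Matches['id']
                Message = $Matches['msg']
            }
        }
    }
}

# Service names of the security tools seen in this thread's log (AVG's IDS agent,
# Spybot's SD Security Center). Extend this list for the products on your box.
$securityServices = @('AVGIDSAgent', 'SBSD Security Center Service')

function Find-KilledSecurityServices {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Source -ne 'Service Control Manager') { continue }
        if (@(7031, 7034) -notcontains $e.EventId) { continue }
        foreach ($svc in $securityServices) {
            # SCM phrases the message as "The <display name> service terminated unexpectedly."
            if ($e.Message -like "The $svc service terminated unexpectedly*") {
                [pscustomobject]@{ Time = $e.Time; Service = $svc; EventId = $e.EventId }
            }
        }
    }
}

$events = ConvertFrom-DdsEventLine -Lines ($sample -split "`r?`n")
'Errors by source:'
$events | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
'Security services that died (7031/7034):'
Find-KilledSecurityServices -Events $events | Sort-Object Time | Format-Table -AutoSize
```

The 7000 "failed to start ... booting into safe mode" entries are deliberately ignored: they are expected whenever the box is in Safe Mode and say nothing about tampering. A security service dying repeatedly while ordinary services keep running is the signal; it is consistent with the scanners being closed in this thread, but on its own it is not proof of a rootkit.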
 
Zentom Security Guide is a member of the Rogue Antimalware Family. It can be downloaded by Trojans or when an online link is clicked. The program tries to connect to an external server to display payment information to try to trick the user into giving credit card information.

This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to try to trick you into thinking that your computer is infected so that you will then purchase it. It scans, then goes on to display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem.

The rogue "scareware" also usually displays a screen called System Security Pack Upgrade again trying to scam you into clicking on their link.
======================================
We need to do some housekeeping first:
  1. Disable Tea Timer: Right click the TeaTimer icon in the system Tray

    [o]Then click Exit Spybot-S&D Resident
    [o](Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
    -------------------------------
  2. 2 antiviruses? I see both AVG and Avira. I also see an uninstall entry for AVG. If you have uninstalled AVG and gotten the temporary Avast for now, okay leave it that way. I will have you run Combofix later and it won't run with AVG.
    -------------------------------
  3. Disable the RealView Debugger for now. You can uncheck it on the Startup Menu: start menu\programs\apisrvdebug.exe
    --------------------------------
  4. Please disable these addons:Open Internet Explorer> Tools> Manage addons>
    [o]Ahnlab anti-virus( aosmgr.cab )> {063F7D71-5E0B-48F2-87D5-F63C5917947E}
    [o]Facebook Photo Uploader 5> {0CCA191D-13A6-4E29-B746-314DEE697D83}
    [o] 2 Old versions of Java> {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    (I'm not sure how the addons will display as they are not set up correctly)
    ---------------------------------
  5. Please do not use the YouTube Download while I am helping you. There are numerous entries for this running and we don't want to chance getting more malware.
==========================================
Print the following out if you can. Please follow the order of the scans below; that is important:
There is a rootkit on the system:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this: Launch Internet Explorer
  • Access Internet Options through Tools> Connections tab
  • Click on the Lan Settings at the bottom
  • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
  • Then click on OK> and OK again to close Internet Options.
===============================
This malware came with the TDSS rootkit, so do the following:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double-click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
====================================
To end the processes that belong to Zentom Security Guide:
Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot until instructed, as it will start the malware again.
==================================
Please update Malwarebytes and attempt the scan again. It should run now. You will run another scan with Mbam, after it updates, but this time, on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

When scan has finished, you will see this image:

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
========================================
Housekeeping first, then leave logs for the following in your next reply:
TDSSKiller
RKill
Malwarebytes
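The LAN-settings step above clears the WinINET proxy through the Internet Options dialog. As an added example, not part of the helper's instructions, the same values can be read and reset from the registry with PowerShell; this also covers an AutoConfigURL (PAC script) entry, which the "Use a proxy server" checkbox on its own does not clear. The loopback-address heuristic and the function names are assumptions of this example, not something the thread reports. The values are per-user, so no elevation is needed for the account that was infected; requires PowerShell 3 or later.

```powershell
# Added example, not from the thread: inspect and reset the WinINET proxy values
# that "Use a proxy server for your LAN" and "Use automatic configuration script"
# edit in Internet Options > Connections > LAN settings. Per-user, so no elevation
# is needed for the account that was infected. Requires PowerShell 3 or later.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable    # 1 = LAN proxy checkbox ticked
        ProxyServer   = $p.ProxyServer    # host:port, or a per-protocol list
        ProxyOverride = $p.ProxyOverride  # bypass list
        AutoConfigURL = $p.AutoConfigURL  # PAC script; a second way to redirect traffic
    }
}

function Test-SuspiciousProxy {
    param($Proxy)
    # Assumption of this example (not from the thread): a home PC should not be
    # proxying through itself or loading a PAC script, so either is flagged.
    $loopback = $Proxy.ProxyServer -match '127\.0\.0\.1|localhost'
    ($Proxy.ProxyEnable -eq 1 -and $loopback) -or -not [string]::IsNullOrEmpty($Proxy.AutoConfigURL)
}

function Clear-WinInetProxy {
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

$before = Get-WinInetProxy
$before | Format-List
if (Test-SuspiciousProxy $before) {
    Write-Warning "Proxy or PAC set: '$($before.ProxyServer)' '$($before.AutoConfigURL)'"
    Clear-WinInetProxy
    'After reset:'
    Get-WinInetProxy | Format-List
}
```

Record the values before clearing them; the ProxyServer or PAC address is an indicator you can use later to find what else the same infection touched. Close and reopen Internet Explorer afterwards, since it caches these settings, and bear in mind that other user accounts on the machine have their own copy of this key.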
 
I scanned with Malwarebytes, but I did a quick scan, as when I tried to do a full scan the program terminated. Rkill ran once, I think; it showed the DOS window, but as soon as it stopped flashing I got a blue screen, dumping physical memory. TDSSKiller ran and found 1 or 2 things, but I can't find the log file you requested. This is the log file for the Malwarebytes quick scan:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7907

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19120

09/10/2011 13:27:52
mbam-log-2011-10-09 (13-27-52).txt

Scan type: Quick scan
Objects scanned: 237110
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\srvbridgequeue.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\andy\AppData\Local\Temp\FY6509.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\andy\AppData\Local\Temp\FY93D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\andy\AppData\Local\Temp\FYD58B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\andy\AppData\Local\Temp\FYFAA7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 
And now there is a new error after restarting from the Malwarebytes scan: Windows Firewall is turned off and I can't turn it back on, "Service cannot be started".
What am I doing wrong :(

Also, my system is saying I don't have sufficient rights to run some programs like HijackThis; I can't install it. Windows Defender also won't open at all.

Getting to that point now, and the sledgehammer is moving a little bit closer each minute.
 
Fixed

I just wanted to update the helpers in this thread that I have solved my problem. I formatted my hard drive, replaced it with a 1TB hard drive and took the sledgehammer to the old one, as I couldn't boot my system AT ALL; Safe Mode with Networking was the only way to boot the system, and it would boot with no connection. Every time I tried to boot my system I would get a blue screen, IRQL_Less_Than_Equal or something like that, so to save all problems I smashed the old hard drive into a thousand pieces. But I just wanted to say thanks for the help that you guys gave me anyway; I now know one or two more things to keep on my PC for good measure.

Thanks, Dan aKa NoobAtTheMouse
 
Sorry you decided to go drastic Dan. But thanks for letting me know. Stay safe

Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety.
  2. Have layered Security:
    [o]Antivirus :(only one):Both of the following programs are free and known to be good:
    [o]Avira-AntiVir-Personal-Free-Antivirus
    [o]Avast-Free Antivirus
    [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
    [o]Comodo
    [o]Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o]Spybot Search & Destroy
  4. Updates: Stay current:
    [o] Visit the Microsoft Download Site frequently: all updates marked Critical and the current SP updates.
    [o]Adobe Reader Install current, uninstall old.
    [o]Java Updates Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookie:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] Temporary File Cleaner
    or
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o]See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.
 