-
Montera.toolbar returns after removal
I am running a dual boot XP/Win7 installation and on using Spybot on the recently installed Win7, it picked up Montera.toolbar. I moved the infection to the Quarantine, re-started and re-scanned. It re-appeared fully formed on the re-scan. I have now purged the Quarantine of both instances and have come to the Forum for help.
I have found the manual removal instructions but am wary of using Regedit as I am not very technically competent.
Firstly, should I attempt to use the manual instructions, and secondly, if not, then can I request a helper to advise me?
I have read the forum instructions, but as stated, I am not that technical and references to DDS and aswMBR mean little to me. I am also unfamiliar with the new version of Spybot which was only installed at the upgrade last week, so please have patience. I have to go out for a couple of hours but will respond ASAP to any mails.
Thanks in advance
I now believe that I have managed to create the log files required. I have used Reply to Post as I could not find a way to edit it to add the information.
Apologies if this contravenes the normal way of doing things, but I am a tyro at this.
ken turbine
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428
Run by Ken at 13:50:10 on 2013-12-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4094.2726 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit = userinit.exe
BHO: Zonealarm Helper Object: {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: ZoneAlarm Security Toolbar: {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{66F97BA9-EE03-4850-8AB8-12D757D9D6A4} : DHCPNameServer = 192.168.0.1
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.stayfreemusic.co.uk/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-12-07 02:42; ; C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: 2013-12-07 02:51; ; C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\extensions\ffxtlbr@zonealarm.com
FF - ExtSQL: 2013-12-07 10:01; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-12-07 10:03; {73a6fe31-595d-460b-a920-fcc0f8843232}; C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-12-08 16:56; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=goughGA&Lan={dfltLng}&gu=c6b26ceede4848c9a6c5fe96fc353863 [INSTALLTOOLBAR] [SETSEARCH] [SETHOME]&tu=10G9y00BO2C01g0&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 40e4afec00000000000000226852030c
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 16046
FF - user.js: extensions.zonealarm.vrsn - 1.8.22.0
FF - user.js: extensions.zonealarm.vrsni - 1.8.22.0
FF - user.js: extensions.zonealarm.vrsnTs - 1.8.22.02:49:46
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - goughGA
FF - user.js: extensions.zonealarm.instlRef - ZLN35006816490563-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.ffxUnstlRst - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm.rvrt - false
FF - user.js: extensions.zonealarm.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-12-7 65776]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-12-7 205320]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-12-7 1032416]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-12-7 409832]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-20 203776]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-12-7 38984]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-12-7 84328]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-12-7 50344]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-12-8 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-12-8 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-12-8 171416]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [2013-10-15 50704]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2013-12-6 79360]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-12-7 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-12-7 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-12-7 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-12-7 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-12-7 1255736]
.
=============== Created Last 30 ================
.
2013-12-13 18:17:02 -------- d-----w- C:\Users\Ken\AppData\Roaming\SUPERAntiSpyware.com
2013-12-13 18:16:15 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2013-12-13 18:16:15 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2013-12-13 18:02:35 -------- d-----w- C:\Users\Ken\AppData\Roaming\Malwarebytes
2013-12-13 18:02:17 -------- d-----w- C:\ProgramData\Malwarebytes
2013-12-13 18:02:16 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-12-13 18:02:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-12 17:46:54 -------- d-----w- C:\Users\Ken\AppData\Local\stellarium
2013-12-12 17:46:53 -------- d-----w- C:\Users\Ken\AppData\Roaming\Stellarium
2013-12-12 17:46:41 -------- d-----w- C:\Program Files\Stellarium
2013-12-10 18:58:47 -------- d-----w- C:\Program Files (x86)\Foolish IT
2013-12-08 16:57:41 -------- d-----w- C:\Users\Ken\AppData\Local\Macromedia
2013-12-08 16:54:02 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-08 16:54:02 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-12-08 16:50:14 -------- d-----w- C:\Users\Ken\AppData\Local\Adobe
2013-12-08 16:13:04 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-12-08 16:13:04 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-12-08 16:13:04 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-12-08 16:13:04 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-12-08 16:13:04 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-12-08 16:13:04 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-12-08 16:13:04 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2013-12-08 13:11:29 21040 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-12-08 13:11:27 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-12-08 13:11:23 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-12-08 13:10:44 -------- d-----w- C:\Users\Ken\AppData\Local\Programs
2013-12-08 12:28:42 -------- d-----w- C:\Users\Ken\AppData\Roaming\Windows Live Writer
2013-12-08 12:28:42 -------- d-----w- C:\Users\Ken\AppData\Local\Windows Live Writer
2013-12-07 16:39:26 -------- d-----w- C:\Users\Ken\AppData\Local\Microsoft Games
2013-12-07 15:41:55 348672 ----a-w- C:\Windows\System32\CNC280L.dll
2013-12-07 15:41:55 307200 ----a-w- C:\Windows\SysWow64\CNC280L.dll
2013-12-07 15:41:55 17920 ----a-w- C:\Windows\System32\CNHMCA6.dll
2013-12-07 15:41:55 15872 ----a-w- C:\Windows\SysWow64\CNHMCA.dll
2013-12-07 15:41:55 1354240 ----a-w- C:\Windows\System32\CNC280C.dll
2013-12-07 15:41:55 112128 ----a-w- C:\Windows\System32\CNC280I.dll
2013-12-07 15:41:55 106496 ----a-w- C:\Windows\SysWow64\CNC280U.dll
2013-12-07 15:41:41 99840 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPPAA.DLL
2013-12-07 15:41:41 30208 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPDAA.DLL
2013-12-07 15:41:27 385024 ----a-w- C:\Windows\System32\CNMLMAA.DLL
2013-12-07 15:11:44 -------- d-----w- C:\My_temp
2013-12-07 10:07:37 -------- d-----w- C:\Users\Ken\AppData\Roaming\OpenOffice
2013-12-07 06:17:00 -------- d-----w- C:\Windows\Panther
2013-12-07 02:49:45 -------- d-----w- C:\Program Files (x86)\Check Point Software Technologies LTD
2013-12-07 02:44:44 -------- d-----w- C:\Program Files (x86)\CheckPoint
2013-12-07 02:43:32 -------- d-----w- C:\ProgramData\CheckPoint
2013-12-07 02:42:37 -------- d-----w- C:\Users\Ken\AppData\Roaming\AVAST Software
2013-12-07 02:42:20 205320 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-12-07 02:42:18 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-12-07 02:42:18 1032416 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-12-07 02:42:17 92544 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-12-07 02:42:17 84328 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-12-07 02:42:15 43152 ----a-w- C:\Windows\avastSS.scr
2013-12-07 02:41:07 -------- d-----w- C:\Program Files\AVAST Software
2013-12-07 02:40:38 -------- d-----w- C:\ProgramData\AVAST Software
2013-12-07 02:37:31 -------- d-----w- C:\Windows\PCHEALTH
2013-12-07 02:34:41 -------- d-----w- C:\Users\Ken\AppData\Local\Windows Live
2013-12-07 02:34:16 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2013-12-07 02:33:28 -------- d-----w- C:\Users\Ken\AppData\Local\Mozilla
2013-12-07 02:22:46 -------- d-----w- C:\Users\Ken\AppData\Local\Diagnostics
2013-12-07 02:15:30 -------- d-----w- C:\Windows\Migration
2013-12-07 02:14:02 -------- d-----w- C:\Program Files (x86)\OpenOffice 4
2013-12-07 02:00:32 -------- d-----w- C:\Windows\SysWow64\Wat
2013-12-07 02:00:32 -------- d-----w- C:\Windows\System32\Wat
2013-12-07 01:57:40 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-12-07 01:07:39 758272 ----a-w- C:\Windows\System32\cohelper.dll
2013-12-07 01:07:39 11164 ----a-w- C:\Windows\System32\drivers\nvphy.bin
2013-12-07 01:07:38 -------- d-----w- C:\Program Files\NVIDIA Corporation
2013-12-07 00:58:55 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-12-07 00:05:56 -------- d-sh--w- C:\Windows\Installer
2013-12-07 00:05:41 294912 ----a-w- C:\Windows\System32\browserchoice.exe
2013-12-07 00:04:46 -------- d-----w- C:\Users\Ken\AppData\Local\Google
2013-12-06 23:50:41 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-12-06 23:50:38 10285968 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F2C24003-6866-4009-B445-24EA0CE5F3D5}\mpengine.dll
2013-12-06 23:49:34 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2013-12-06 23:49:34 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2013-12-06 23:49:34 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2013-12-06 23:49:34 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2013-12-06 23:49:34 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2013-12-06 23:49:34 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2013-12-06 23:49:34 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2013-12-06 23:46:25 -------- d-----w- C:\Windows\System32\MRT
2013-12-06 23:40:40 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-12-06 23:40:40 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-12-06 23:40:40 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-12-06 23:40:40 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-12-06 23:40:40 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-12-06 23:33:57 55296 ----a-w- C:\Windows\SysWow64\cero.rs
2013-12-06 23:32:59 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2013-12-06 23:31:59 983488 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-12-06 23:31:59 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-12-06 23:31:59 144384 ----a-w- C:\Windows\System32\cdd.dll
2013-12-06 23:31:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
2013-12-06 23:31:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
2013-12-06 23:25:54 77312 ----a-w- C:\Windows\System32\packager.dll
2013-12-06 23:25:54 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-12-06 23:25:52 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2013-12-06 22:54:49 7062 ----a-w- C:\Windows\SysWow64\audiopid.vxd
2013-12-06 22:54:16 -------- d-----w- C:\Program Files (x86)\Common Files\Creative
2013-12-06 22:54:15 -------- d--h--w- C:\Program Files (x86)\Creative Installation Information
2013-12-06 22:54:12 419840 ----a-w- C:\Windows\System32\wrap_oal.dll
2013-12-06 22:54:12 413696 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2013-12-06 22:54:12 2873820 ------w- C:\Windows\SysWow64\Sens_oal.dll
2013-12-06 22:54:12 133632 ----a-w- C:\Windows\System32\OpenAL32.dll
2013-12-06 22:54:12 110592 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2013-12-06 22:54:11 1908736 ------w- C:\Windows\System32\Sens_oal.dll
2013-12-06 22:30:42 89088 ----a-w- C:\Windows\System32\CmdRtr64.DLL
2013-12-06 22:30:42 73728 ----a-w- C:\Windows\SysWow64\CmdRtr.DLL
2013-12-06 22:30:42 214528 ----a-w- C:\Windows\System32\APOMgr64.DLL
2013-12-06 22:30:42 166912 ----a-w- C:\Windows\SysWow64\APOMngr.DLL
2013-12-06 22:30:16 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-12-06 22:30:16 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-12-06 22:30:15 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-12-06 22:19:21 0 ----a-w- C:\Windows\ativpsrm.bin
.
==================== Find3M ====================
.
2013-11-19 03:33:38 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-10-23 11:00:56 454168 ----a-w- C:\Windows\System32\drivers\vsdatant.sys
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-05 20:25:35 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui.dll
2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-10-04 01:58:50 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-10-04 01:56:00 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-09-28 01:09:10 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-09-25 02:26:40 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2013-09-25 02:26:40 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-09-25 02:23:33 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2013-09-25 02:23:33 135680 ----a-w- C:\Windows\System32\sspicli.dll
2013-09-25 02:23:01 28160 ----a-w- C:\Windows\System32\secur32.dll
2013-09-25 02:22:59 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-09-25 02:21:50 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-09-25 02:21:07 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2013-09-25 01:58:17 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-09-25 01:57:26 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-09-25 01:03:24 30720 ----a-w- C:\Windows\System32\lsass.exe
.
============= FINISH: 13:50:43.78 ===============
Attachments: attach.txt, attach.zip, aswMBR.txt
Last edited by tashi; 2013-12-14 at 18:42.
Reason: Merged two posts
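The mPolicies-System lines in the DDS log above record the machine's UAC settings; the values shown (EnableLUA = 0, PromptOnSecureDesktop = 0, ConsentPromptBehaviorAdmin = 0) mean UAC is switched off, which is worth spotting when reading such a log. The following is an added example, not part of the post or of DDS itself; it parses lines in that format and flags values that differ from the Windows 7 defaults, using a constructed sample that mirrors the entries above.

```python
import re

# Constructed sample in DDS "Pseudo HJT Report" format (not the log itself).
SAMPLE_DDS = """\
uSearch Bar = hxxp://www.google.com/ie
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
"""

# Windows 7 default values for the UAC policy values DDS reports.
# EnableLUA=0 disables UAC outright regardless of the other values.
UAC_DEFAULTS = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "ConsentPromptBehaviorUser": 3,
    "PromptOnSecureDesktop": 1,
    "EnableUIADesktopToggle": 0,
}

# "m" = machine policy (HKLM), "u" = current-user policy (HKCU).
_POLICY_RE = re.compile(
    r"^(?P<hive>[mu])Policies-System:\s*(?P<name>\w+)\s*=\s*dword:(?P<value>[0-9A-Fa-f]+)\s*$"
)


def parse_policies(text):
    """Return {(hive, name): int_value} for every *Policies-System line."""
    found = {}
    for line in text.splitlines():
        m = _POLICY_RE.match(line.strip())
        if m:
            # DDS prints dword values as plain digits; int(..., 16) also
            # tolerates hex, which is how the registry stores them.
            found[(m.group("hive"), m.group("name"))] = int(m.group("value"), 16)
    return found


def weakened_uac(policies):
    """List (name, actual, default) for machine-wide UAC values that deviate
    from the Windows 7 defaults, most significant first."""
    deviations = []
    for name, default in UAC_DEFAULTS.items():
        actual = policies.get(("m", name))
        if actual is not None and actual != default:
            deviations.append((name, actual, default))
    # EnableLUA=0 is the headline finding, so sort it to the top.
    deviations.sort(key=lambda d: (d[0] != "EnableLUA", d[0]))
    return deviations


def uac_disabled(policies):
    """True when the log shows UAC fully switched off."""
    return policies.get(("m", "EnableLUA")) == 0


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_DDS)
    print("UAC disabled:", uac_disabled(pol))
    for name, actual, default in weakened_uac(pol):
        print(f"{name}: {actual} (default {default})")
```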
-
Sorry for the delay
Please download AdwCleaner by Xplode and save to your Desktop.
- Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
- Click on the Scan button.
- AdwCleaner will begin...be patient as the scan may take some time to complete.
- After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
- The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
- Copy and paste the contents of that logfile in your next reply.
- A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
-
AdwCleaner report
Firstly, many thanks for the help. I was starting to get worried but can see you currently seem to be fighting a lone battle.
I will (try to) paste the log file and attach a screenshot of where I got to, to make sure that I have done it right and stopped at the correct point.
(pretty sure that the attempt with the screenshot failed - I am not very good at this!)
AdwCleaner Log
# AdwCleaner v3.015 - Report created 20/12/2013 at 06:17:17
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ken - KEN-PC
# Running from : C:\Users\Ken\Desktop\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\searchplugins\zonealarm.xml
File Found : C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\user.js
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.16428
-\\ Mozilla Firefox v26.0 (en-GB)
[ File : C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\prefs.js ]
*************************
AdwCleaner[R0].txt - [1971 octets] - [20/12/2013 06:17:17]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2031 octets] ##########
-
Hi,
You can go ahead and run the clean function, but you have Zone Alarm installed so you may want to keep this:
File Found : C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\searchplugins\zonealarm.xml
Double click on AdwCleaner.exe to run the tool again.
- Click on the Scan button.
- AdwCleaner will begin to scan your computer like it did before.
- After the scan has finished...
- This time, click on the Clean button.
- Press OK when asked to close all programs and follow the onscreen prompts.
- Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- Copy and paste the contents of that logfile in your next reply.
- A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Please download Junkware Removal Tool to your desktop.
- Shut down your protection software now to avoid potential conflicts.
- Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete depending on your system's specifications.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
-
Clarification
Hi Ken
I am assuming that
a) I go fully through the AdwCleaner exercise and then move to the Junkware Removal tool instructions
b) The protection software referred to is only Avast and not Zonealarm as well.
Regards,
Ken
-
Yes, just disable Avast if you can. Run AdwCleaner first and then Junkware removal
-
AdwCleaner 'Clean' report
Hi Ken,
Here are the results of the AdwCleaner.
I will now proceed to the Junkware removal tool section and submit the report from that when completed.
I took your advice on the ZoneAlarm file
Regards,
Ken
# Username : Ken - KEN-PC
# Running from : C:\Users\Ken\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
[x] Not Deleted : C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\searchplugins\zonealarm.xml
File Deleted : C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\user.js
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.16428
-\\ Mozilla Firefox v26.0 (en-GB)
[ File : C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\ulatodbn.default\prefs.js ]
*************************
AdwCleaner[R0].txt - [2111 octets] - [20/12/2013 06:17:17]
AdwCleaner[R1].txt - [2171 octets] - [20/12/2013 11:48:32]
AdwCleaner[S0].txt - [2131 octets] - [20/12/2013 11:52:42]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2191 octets] ##########
-
Junkware removal tool report
Hi Ken,
I am posting the Junkware removal report below. While I do not really understand it, I hope that the lack of entries is a good thing!
regards,
Ken
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by Ken on 20/12/2013 at 12:04:05.38
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ FireFox
Emptied folder: C:\Users\Ken\AppData\Roaming\mozilla\firefox\profiles\ulatodbn.default\minidumps [7 files]
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 20/12/2013 at 12:11:19.32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
It is; not much junk removed, so that's a good thing.
Please download Malwarebytes from Here or Here
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected .
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
- Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
-
MBAM log
Ken,
When the scan was finished it went straight to the log with an Alert which stated 'No malicious items found...'.
The log it showed is pasted below as it is so short.
regards,
Ken
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.12.20.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16428
Ken :: KEN-PC [administrator]
20/12/2013 14:54:35
mbam-log-2013-12-20 (14-54-35).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205871
Time elapsed: 1 minute(s), 42 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)