Please help me with scan results - how badly infected am I?
H0peless
2011-12-10, 17:36
Hi,
Please can anyone help me assess the seriousness of my scan results? Quite a lot of stuff was found, but I'm afraid that due to my complete computer illiteracy it means very little to me.
The reason I did the scan is because I have recently been a victim of bank fraud and my bank account, online banking and credit card have been hacked. I have been told to take my computer to a computer specialist and have it wiped, but I can't afford it at the moment. Also, I haven't been given an answer [and am unlikely to be] to how I was hacked yet, so before I wipe my computer and any other computers I may have used I want to try and work out the source of my fraud, if I can. I also realise the original source of my fraud may not have been online.
Here are my results:
Search results from Spybot - Search & Destroy
08/12/2011 02:06:10
Scan took 00:24:05.
Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore
Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1
Babylon.Toolbar: [SBI $554A5FF0] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1
Babylon.Toolbar: [SBI $554A5FF0] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore
Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd
Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1
Babylon.Toolbar: [SBI $86348D5E] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}
Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1
Babylon.Toolbar: [SBI $86348D5E] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}
Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd
Babylon.Toolbar: [SBI $F75ED516] IE toolbar (Registry Value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC}
Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1
Babylon.Toolbar: [SBI $07586C96] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}
Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1
Babylon.Toolbar: [SBI $07586C96] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}
Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Babylon.Toolbar: [SBI $B04483F7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}
Babylon.Toolbar: [SBI $B04483F7] Browser helper object (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}
Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Babylon.Toolbar: [SBI $B04483F7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}
Babylon.Toolbar: [SBI $B04483F7] Browser helper object (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}
Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc
Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1
Babylon.Toolbar: [SBI $52C6ABB7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}
Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1
Babylon.Toolbar: [SBI $52C6ABB7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}
Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc
DoubleClick: [SBI $7F76510F] Tracking cookie (Firefox: Charmaine (default)) (Browser: Cookie, nothing done)
Log: [SBI $7F76510F] Install: setupact.log (File, nothing done)
C:\Windows\setupact.log
Properties.size=47261
Properties.md5=1328DC4A7D71CF897F599AC41F6C7365
Properties.filedate=1323271180
Properties.filedatetext=2011-12-07 15:19:40
Log: [SBI $7F76510F] Install: DtcInstall.log (File, nothing done)
C:\Windows\DtcInstall.log
Properties.size=2790
Properties.md5=26B91E0E7E8FDC29A64DD08089316F07
Properties.filedate=1292957106
Properties.filedatetext=2010-12-21 18:45:06
Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
MS Wordpad: [SBI $4C02334D] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
Windows Explorer: [SBI $AA0766B5] Stream history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
WinRAR: [SBI $0B56E92B] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\WinRAR\ArcHistory
WinRAR: [SBI $B84F9965] Last used directory (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\WinRAR\General\LastFolder
Cookie: [SBI $49804B54] Browser: Cookie (5) (Browser: Cookie, nothing done)
Cache: [SBI $49804B54] Browser: Cache (134) (Browser: Cache, nothing done)
History: [SBI $49804B54] Browser: History (3) (Browser: History, nothing done)
Cookie: [SBI $49804B54] Browser: Cookie (49) (Browser: Cookie, nothing done)
--- Spybot - Search & Destroy version: 2.0.6.131 DLL (build: 20111005) ---
I thought I should also let you know that I had problems with the Babylon toolbar before, which is mentioned a lot in the results, but I thought it had all been removed a few months ago, hence my continuing to use the computer.
My friend told me everything had been removed and it was safe to use. I have actually had Avira antivirus running in real-time protection mode since then, even though I was told not to because it will slow my computer down.
I also ran a full Avira scan the other day and it found nothing at all.
I also ran a Malwarebytes scan and it only found the following:
Files Infected:
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000600002i\svchost.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000800002i\svchost.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000b00002i\rundll32.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\4000002c0600002i\photoshop.exe (Rootkit.Dropper) -> No action taken.
I realise no one is obliged to help me, so I am very grateful to anyone who does, if they can.
Cheers.
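As an added illustration (not part of the original thread, and not Spybot's or Malwarebytes' own code), the following Python script sorts a pasted log like the one above into three piles: registry entries that register code for Internet Explorer or Explorer to load (the Babylon BHO, toolbar and COM class IDs), usage-track and cookie entries that are privacy hygiene rather than an infection, and Malwarebytes file detections, marking those that sit under $RECYCLE.BIN and so were deleted through Explorer but are still on disk. Which Spybot result kinds fall into which pile is this example's own assumption; the sample lines are copied from the post above and are not a complete log.

```python
"""Triage a pasted Spybot - Search & Destroy 2 log plus Malwarebytes 'Files
Infected' lines.  Added example, not from the thread or from either tool; the
kind lists below are this example's own assumptions."""
import re

# Spybot result line:  <product>: [SBI $<id>] <kind> (<type>, <action>)
# The registry key or file it refers to is on the NEXT line (cookie/cache
# summaries have no such line).
SPYBOT_RE = re.compile(r"^(?P<product>[^:]+): \[SBI \$[0-9A-F]+\] (?P<kind>.+?) "
                       r"\((?P<type>[^,()]+), (?P<action>[^)]+)\)$")
# Malwarebytes line:  <path> (<detection>) -> <action>
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Result kinds that register code for IE/Explorer to load: look at these first.
PERSISTENCE_KINDS = ("browser helper object", "ie toolbar", "class id", "root class")
# MRU lists, caches and cookies: privacy hygiene, not an infection.
HYGIENE_KINDS = ("most recent application", "recent file list", "stream history",
                 "last used directory", "tracking cookie", "user agent",
                 "browser: cookie", "browser: cache", "browser: history")

def classify(kind):
    k = kind.lower()
    if k.startswith(PERSISTENCE_KINDS):
        return "persistence"
    return "hygiene" if k.startswith(HYGIENE_KINDS) else "other"

def parse_spybot(text):
    """One dict per Spybot result, with the path from the following line."""
    findings, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SPYBOT_RE.match(line)
        if m:
            pending = dict(m.groupdict(), location=None)
            findings.append(pending)
            continue
        # Only the line directly after a result can be its location, and a
        # Malwarebytes detection line never is.
        if pending and not MBAM_RE.match(line) and (
                line.startswith("HKEY_") or DRIVE_PATH_RE.match(line)):
            pending["location"] = line
        pending = None
    return findings

def parse_mbam(text):
    out = []
    for raw in text.splitlines():
        m = MBAM_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            # Under $RECYCLE.BIN means deleted via Explorer but still on disk.
            d["in_recycle_bin"] = "$recycle.bin" in d["path"].lower()
            out.append(d)
    return out

def triage(text):
    buckets = {"persistence": [], "hygiene": [], "other": [],
               "malware_files": parse_mbam(text)}
    seen = set()
    for f in parse_spybot(text):
        key = (f["product"], f["kind"], f["location"])
        if key not in seen:            # Spybot prints most keys twice
            seen.add(key)
            buckets[classify(f["kind"])].append(f)
    return buckets

def summary(buckets):
    return {"counts": {k: len(v) for k, v in buckets.items()},
            "persistence_products": sorted({f["product"] for f in buckets["persistence"]}),
            "recycle_bin_files": [f["path"] for f in buckets["malware_files"] if f["in_recycle_bin"]]}

# Constructed sample: a few lines copied from the logs above, not a full log.
SAMPLE_LOG = r"""
Babylon.Toolbar: [SBI $B04483F7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}
Babylon.Toolbar: [SBI $B04483F7] Browser helper object (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}
Babylon.Toolbar: [SBI $B04483F7] Browser helper object (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}
Babylon.Toolbar: [SBI $F75ED516] IE toolbar (Registry Value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC}
DoubleClick: [SBI $7F76510F] Tracking cookie (Firefox: Charmaine (default)) (Browser: Cookie, nothing done)
Log: [SBI $7F76510F] Install: setupact.log (File, nothing done)
C:\Windows\setupact.log
Properties.size=47261
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Cookie: [SBI $49804B54] Browser: Cookie (5) (Browser: Cookie, nothing done)
Files Infected:
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000600002i\svchost.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000b00002i\rundll32.exe (Rootkit.Dropper) -> No action taken.
"""

if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOG)))
```

Run against the full log, the "persistence" pile is what a responder reads first; on the sample it contains only Babylon entries, and the only file detections are the four Rootkit.Dropper hits in the Recycle Bin, which Malwarebytes can still see because emptying the bin is what actually removes them.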
Hi H0peless,
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method ( Recommended: Immediate Notification)
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.
Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")
Stay with this topic until I give you the all clean post.
----------
I am sorry for the delay in response but as you can see we are very busy here.
---------
Before we begin...if you believe you have been a victim of banking fraud be sure to call any and all financial institutions so that they are aware of the possibility of any problems that may arise. I would also go to a "clean" computer and immediately change all of your passwords to everything...banking sites, emails...anything.
----------
Please download DDS from one of the following links and save it to your desktop.
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://download.bleepingcomputer.com/sUBs/dds.com)
Disable any script blocking protection (How to Disable your Security Programs (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html))
Double click DDS icon to run the tool (may take up to 3 minutes to run)
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.
---------------------------------------------------
Post the contents of the DDS.txt report in your next reply
Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
----------
Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
----------
In your next reply please post both of the logs created by DDS and the log created by aswMBR.exe. :)
Hi,
Do you still need help? :)
H0peless
2011-12-16, 03:08
Hi, sorry for the late reply, yes I would please :)
I'm just going to follow your advice now.
I have already got everything sorted with the bank, except they are not very helpful when it comes to giving me details of the case and how the hacker has managed to access my account. I would really like to try and work out the original source of the hack if at all possible, or at least try and work out whether it was done using malware on my computer or not. The whole thing has sent me kind of paranoid lol. I won't be using online banking again until I can prove the internet wasn't involved.
Thanks a lot for your reply, I will get it done now.
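One piece of evidence that bears on the "was malware involved, and since when" question is already on the disk. The Malwarebytes detections in the first post sit under $RECYCLE.BIN\<SID>\$RTSR0FK\...: on Windows 7 a deleted item is renamed to $R plus a random suffix, and a companion $I file with the same suffix records the item's original path, size and deletion time, so the $I file tells you where that folder lived and when it was deleted. The script below is an added example, not part of the thread and not any tool's code; it derives the companion $I name from a path in the format Malwarebytes printed and parses the $I record format (version 1 for Vista/7/8, version 2 for Windows 10 and later). Because the poster's actual $I file is not available here, the record it parses is constructed inline, and its path, size and timestamp are made up for the example.

```python
"""Read the metadata Windows keeps in $RECYCLE.BIN for a deleted item.
Added example, not from the thread.  The sample $I record is constructed
here; nothing in it comes from the poster's machine."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520          # 260 UTF-16 code units, null padded (Vista/7/8)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def companion_info_path(reported_path):
    """Map ...\\$RECYCLE.BIN\\<SID>\\$R<id>\\... to the $I<id> metadata file beside it."""
    m = re.match(r"^(?P<bin>.*?\$RECYCLE\.BIN\\[^\\]+\\)\$R(?P<id>[^\\]+)",
                 reported_path, re.IGNORECASE)
    if not m:
        raise ValueError("not a $RECYCLE.BIN path: %r" % reported_path)
    return m.group("bin") + "$I" + m.group("id")

def parse_recycle_info(data):
    """Parse a $I record: version (8), original size (8), deletion FILETIME (8), path."""
    if len(data) < 24:
        raise ValueError("record too short")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                       # fixed 520-byte path field
        raw = data[24:24 + V1_PATH_BYTES]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:                     # 4-byte length in chars, then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}

def build_recycle_info_v1(original_path, size, deleted_at):
    """Build a version-1 record; used here only to construct the sample."""
    enc = original_path.encode("utf-16-le")
    if len(enc) > V1_PATH_BYTES - 2:
        raise ValueError("path too long for a v1 record")
    header = struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at))
    return header + enc.ljust(V1_PATH_BYTES, b"\x00")

# The path exactly as Malwarebytes printed it in the first post.
MBAM_PATH = (r"c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000"
             r"\$RTSR0FK\CSDATA\1000000600002i\svchost.exe")

# Constructed sample record (hypothetical folder, size and time).
SAMPLE_DELETED_AT = datetime(2011, 12, 7, 15, 19, 40, tzinfo=timezone.utc)
SAMPLE_I_RECORD = build_recycle_info_v1(r"C:\Users\Charmaine\Downloads\somefolder",
                                        4096, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    print("metadata file to read:", companion_info_path(MBAM_PATH))
    info = parse_recycle_info(SAMPLE_I_RECORD)
    print(info["original_path"], info["deleted_at"].isoformat(), info["original_size"])
```

On the real machine you would open the file companion_info_path() names (it is a hidden system file, so read it from an elevated prompt or after booting from other media) and pass its bytes to parse_recycle_info(); the deletion time can then be lined up against the bank's fraud dates and the browser history.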
H0peless
2011-12-16, 04:01
DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Charmaine at 1:36:52 on 2011-12-16
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.1918.1085 [GMT 0:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Spybot - Search & Destroy *Enabled/Outdated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\rundll32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\bh\BabylonToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\BabylonToolbarTlbr.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Facebook Update] "c:\users\charmaine\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9F37D89F-EF3C-4875-8A58-4C92E1E69B1C} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9F37D89F-EF3C-4875-8A58-4C92E1E69B1C}\244524573796E6563737845726D2636363 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9F37D89F-EF3C-4875-8A58-4C92E1E69B1C}\2456C6B696E6F5533353645353 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9F37D89F-EF3C-4875-8A58-4C92E1E69B1C}\349727573702478656026596275737 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9F37D89F-EF3C-4875-8A58-4C92E1E69B1C}\37175796463747275656472716373616C637 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9F37D89F-EF3C-4875-8A58-4C92E1E69B1C}\6796277696E6022627F616462616E646 : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: SDWinLogon - SDWinLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - component: c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\charmaine\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-9 36000]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\spybot - search & destroy 2\SDHookDrv32.sys [2011-12-8 38504]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-9 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-9 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-9 74640]
R2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\spybot - search & destroy 2\SDHookSvc.exe [2011-12-8 130976]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-12-8 892336]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-12-8 955816]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2011-12-8 169624]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-7-2 15872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-2 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-21 1343400]
.
=============== Created Last 30 ================
.
2011-12-14 23:24:01 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e89abdfd-d52b-45ed-b3ec-fc3da2287f03}\mpengine.dll
2011-12-10 16:48:30 -------- d-----w- c:\programdata\Hitman Pro
2011-12-10 14:55:50 -------- d-----w- C:\ComboFix
2011-12-08 01:35:41 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-12-08 01:35:33 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-12-07 22:17:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-12-10 16:49:37 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-09 22:58:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-29 16:03:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 03:37:56 2341888 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 1:37:46.53 ===============
aswMBR:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-16 01:42:08
-----------------------------
01:42:08.853 OS Version: Windows 6.1.7601 Service Pack 1
01:42:08.853 Number of processors: 2 586 0x6802
01:42:08.853 ComputerName: CHARMAINE-PC UserName: Charmaine
01:42:10.009 Initialize success
01:42:40.336 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
01:42:40.336 Disk 0 Vendor: TOSHIBA_MK1246GSX LB212D Size: 114473MB BusType: 3
01:42:42.383 Disk 0 MBR read successfully
01:42:42.383 Disk 0 MBR scan
01:42:42.383 Disk 0 Windows 7 default MBR code
01:42:42.399 Disk 0 scanning sectors +234438656
01:42:42.477 Disk 0 scanning C:\Windows\system32\drivers
01:42:50.602 Service scanning
01:42:52.024 Modules scanning
01:42:59.540 Disk 0 trace - called modules:
01:42:59.571 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll pciide.sys PCIIDEX.SYS atapi.sys
01:42:59.571 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85561a38]
01:42:59.586 3 CLASSPNP.SYS[8879159e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x847c4908]
01:42:59.586 Scan finished successfully
01:43:22.946 Disk 0 MBR has been saved successfully to "C:\Users\Charmaine\Desktop\MBR.dat"
01:43:22.961 The log file has been saved successfully to "C:\Users\Charmaine\Desktop\aswMBR.txt"
I hope I have done that right.
Cheers.
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.
H0peless
2011-12-16, 07:33
I am really struggling to turn off Spybot, to be honest. I have exited Windows Defender and shut the umbrella on Avira. But even though I have unselected live protection on Spybot I can't work out a way to exit it, and ComboFix is telling me it is still running and will interfere. I have tried shutting everything in Task Manager but it won't let me, and when I restarted all that happened was Windows ended up taking forever to update for some weird reason lol.
Bar uninstalling, I don't know what to do. I will make sure live protection isn't selected and then run it anyway. Btw, it is Spybot - Search & Destroy version: 2.0.6.131 DLL (build: 20111005).
H0peless
2011-12-16, 08:41
I couldn't get it to stop saying Spybot was still running, even though I went into options and unticked everything. I ran it anyway:
ComboFix 11-12-15.02 - Charmaine 16/12/2011 5:44.2.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.1918.1267 [GMT 0:00]
Running from: c:\users\Charmaine\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Spybot - Search & Destroy *Enabled/Outdated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-16 05:57 . 2011-12-16 05:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-16 05:57 . 2011-12-16 05:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-16 03:01 . 2011-11-03 22:31 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-16 03:01 . 2011-11-03 23:16 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-12-16 03:01 . 2011-11-03 22:37 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2011-12-16 03:00 . 2011-11-03 22:47 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-12-16 03:00 . 2011-11-03 22:39 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-16 03:00 . 2011-11-03 22:42 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-12-16 03:00 . 2011-11-03 22:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 23:24 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E89ABDFD-D52B-45ED-B3EC-FC3DA2287F03}\mpengine.dll
2011-12-14 23:23 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 23:23 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 23:22 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 23:22 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 23:22 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 23:22 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-10 16:48 . 2011-12-10 16:48 -------- d-----w- c:\programdata\Hitman Pro
2011-12-08 01:35 . 2009-01-25 13:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-12-08 01:35 . 2011-12-08 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-12-07 22:17 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 16:49 . 2011-10-09 23:12 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-08 19:08 . 2011-10-09 16:59 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-09 22:58 . 2011-08-20 16:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 04:06 . 2010-12-28 15:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-29 16:03 . 2011-11-09 15:38 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-21 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Charmaine\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-09-02 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 136176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-21 1343400]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-09-15 36000]
S1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [2011-10-05 38504]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-09-23 86224]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [2011-10-05 130976]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2011-10-05 892336]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2011-10-05 955816]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2011-10-05 169624]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4054292811-2639179496-1958547070-1000Core.job
- c:\users\Charmaine\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-02 19:43]
.
2011-12-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4054292811-2639179496-1958547070-1000UA.job
- c:\users\Charmaine\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-02 19:43]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 22:36]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Charmaine\AppData\Roaming\Mozilla\Firefox\Profiles\iirg01fc.default\
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-LogitechQuickCamRibbon - c:\program files\Logitech\QuickCam10\QuickCam10.exe
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-16 06:15:26
ComboFix-quarantined-files.txt 2011-12-16 06:15
ComboFix2.txt 2011-10-10 00:03
.
Pre-Run: 59,543,056,384 bytes free
Post-Run: 59,169,984,512 bytes free
Thanks again for your help.
Hi,
I couldn't get it to not say Spybot wasn't still running even though I went on options and unticked everything. I ran it anyway:
It looks like it ran just fine. :)
----------
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
DDS::
uStart Page = hxxp://www.google.co.uk/
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\bh\BabylonToolbar.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\BabylonToolbarTlbr.dll
Firefox::
FF - ProfilePath - c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\
FF - component: c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - Ext: Conduit Engine : - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
H0peless
2011-12-16, 20:27
Hi, just done.
I don't know if I am losing it but I think the option "Services" has now appeared under Settings & More Tools in the Spybot Start Center. Doubt it matters and maybe I just missed it before somehow. Also the little icons for Avira and Spybot have now gone from the bottom right. Anyway, I'll post the log.
Cheers.
H0peless
2011-12-16, 20:28
ComboFix 11-12-16.01 - Charmaine 16/12/2011 17:28:47.3.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.1918.1149 [GMT 0:00]
Running from: c:\users\Charmaine\Desktop\ComboFix.exe
Command switches used :: c:\users\Charmaine\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Spybot - Search & Destroy *Enabled/Outdated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\chrome.manifest
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\chrome\utorrentbar.jar
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\ConduitAutoCompleteSearch.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\ConduitAutoCompleteSearch.xpt
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\ConduitToolbar.idl
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\ConduitToolbar.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\ConduitToolbar.xpt
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.xpt
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\alertSettingsComponent.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\appContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\engineContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\engineSettings.json
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\fbAlert.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\getAppsContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\postAppsContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\toolbarContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\defaults\unsharedAppsContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\install.rdf
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\lib\xpcom.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\META-INF\manifest.mf
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\META-INF\zigbert.rsa
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\META-INF\zigbert.sf
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\searchplugin\conduit.gif
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\searchplugin\conduit.ico
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\searchplugin\conduit.PNG
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\searchplugin\conduit.src
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\searchplugin\conduit.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\setup.ini
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\version.txt
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\chrome.manifest
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\chrome\conduitengine.jar
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.xpt
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\ConduitToolbar.idl
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\ConduitToolbar.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\ConduitToolbar.xpt
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\RadioWMPCore.xpt
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\alertSettingsComponent.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\appContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\engineContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\engineSettings.json
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\fbAlert.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\getAppsContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\postAppsContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\toolbarContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\defaults\unsharedAppsContextMenu.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\DualPackage\install.rdf
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\install.rdf
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\lib\xpcom.js
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\META-INF\manifest.mf
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\META-INF\zigbert.rsa
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\META-INF\zigbert.sf
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\searchplugin\conduit.gif
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\searchplugin\conduit.ico
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\searchplugin\conduit.PNG
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\searchplugin\conduit.src
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\searchplugin\conduit.xml
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\setup.ini
c:\users\charmaine\appdata\roaming\mozilla\firefox\profiles\iirg01fc.default\extensions\engine@conduit.com\version.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-16 17:46 . 2011-12-16 17:47 -------- d-----w- c:\users\Charmaine\AppData\Local\temp
2011-12-16 17:46 . 2011-12-16 17:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-16 17:46 . 2011-12-16 17:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-16 03:01 . 2011-11-03 22:31 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-16 03:01 . 2011-11-03 23:16 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-12-16 03:01 . 2011-11-03 22:37 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2011-12-16 03:00 . 2011-11-03 22:47 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-12-16 03:00 . 2011-11-03 22:39 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-16 03:00 . 2011-11-03 22:42 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-12-16 03:00 . 2011-11-03 22:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 23:24 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E89ABDFD-D52B-45ED-B3EC-FC3DA2287F03}\mpengine.dll
2011-12-14 23:23 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 23:23 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 23:22 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 23:22 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 23:22 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 23:22 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-10 16:48 . 2011-12-10 16:48 -------- d-----w- c:\programdata\Hitman Pro
2011-12-08 01:35 . 2009-01-25 13:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-12-08 01:35 . 2011-12-08 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-12-07 22:17 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 16:49 . 2011-10-09 23:12 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-08 19:08 . 2011-10-09 16:59 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-09 22:58 . 2011-08-20 16:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 04:06 . 2010-12-28 15:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-29 16:03 . 2011-11-09 15:38 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-16_05.57.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2011-12-16 16:58 39770 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-21 19:25 . 2011-12-16 16:58 11586 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4054292811-2639179496-1958547070-1000_UserData.bin
- 2011-12-16 03:18 . 2011-12-16 03:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-16 16:56 . 2011-12-16 16:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-16 03:18 . 2011-12-16 03:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-16 16:56 . 2011-12-16 16:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2011-12-16 17:04 628460 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-12-16 05:04 628460 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-12-16 05:04 110612 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2011-12-16 17:04 110612 c:\windows\System32\perfc009.dat
+ 2009-07-14 04:34 . 2011-12-16 17:09 114632 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 04:47 . 2011-12-16 03:16 274036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2011-12-16 06:42 274036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-08-20 17:23 . 2011-12-16 06:43 694900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4054292811-2639179496-1958547070-1000-8192.dat
- 2011-08-20 17:23 . 2011-12-16 03:16 694900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4054292811-2639179496-1958547070-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-21 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Charmaine\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-09-02 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 136176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-21 1343400]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-09-15 36000]
S1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [2011-10-05 38504]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-09-23 86224]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [2011-10-05 130976]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2011-10-05 892336]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2011-10-05 955816]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2011-10-05 169624]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4054292811-2639179496-1958547070-1000Core.job
- c:\users\Charmaine\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-02 19:43]
.
2011-12-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4054292811-2639179496-1958547070-1000UA.job
- c:\users\Charmaine\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-02 19:43]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 22:36]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 22:36]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Charmaine\AppData\Roaming\Mozilla\Firefox\Profiles\iirg01fc.default\
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-16 18:03:54
ComboFix-quarantined-files.txt 2011-12-16 18:03
ComboFix2.txt 2011-12-16 06:15
ComboFix3.txt 2011-10-10 00:03
.
Pre-Run: 59,219,865,600 bytes free
Post-Run: 59,168,583,680 bytes free
.
- - End Of File - - EF11AB360B7CB8DDD18584052911F0A0
Hi,
I see that you have Malwarebytes on your system. Please open Malwarebytes, update it and then run a Quick Scan. Please save the log that is created for your next reply.
----------
ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
Do not use this instance of your browser for anything besides doing this scan
When the scan is complete and the results saved, close that instance of your browser
Open a new one the usual way and post the results in this topic.
Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the Start button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish
http://www.eset.com/onlinescan/
----------
In your next reply please post the logs created by Malwarebytes and ESET online scanner. :)
H0peless
2011-12-17, 01:39
Malwarebytes log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8382
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
16/12/2011 22:06:11
mbam-log-2011-12-16 (22-06-11).txt
Scan type: Quick scan
Objects scanned: 156139
Time elapsed: 3 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ESET online scanner:
[it said i had to download something so i just did - 'onlinescanner.cab' from 'ESET, spol. s r.o.' - said it was ActiveX Control]
C:\Users\Charmaine\Desktop\BIE\bie_7install86.exe a variant of Win32/HackKMS.A application
Cheers
Hi,
First open an elevated command prompt > Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.
Copy the contents of the code box > right click in the command window and select paste
del C:\Users\Charmaine\Desktop\BIE\bie_7install86.exe
Press Enter
----------
How is your system running? :)
H0peless
2011-12-19, 03:13
Hi, just done :)
To be honest i have been too paranoid to use it much, except for a bit of general internet browsing, but that seems to be working fine thanks. It is a bit slow to start up though but i'm guessing that's just because of the Antivirus and Spybot loading up.
Do you know if anything serious has been found yet please? Anything that could have been tracking my activity/ stealing my details etc?
Could you tell me please what malware or viruses have been found?
I'm trying to work out how i had my bank account hacked recently, and it doesn't seem like i'm ever going to get an answer from the bank now, so from what has been found so far do you think any of it could have been responsible?
Thanks a lot for all your help!
Hi,
"Do you know if anything serious has been found yet please? Anything that could have been tracking my activity/ stealing my details etc?"
There were many bad entries that I found in your logs that you posted for me, but to definitively say that there is one that is causing all of your problems with your bank site I just could not say.
---------
"I'm trying to work out how i had my bank account hacked recently"
Unfortunately, like I said, there is no definitive way to determine how it happened. Sorry...
---------
P2P - I see you have P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page (http://malwareremoval.com/p2pindex.php) will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Programs and Features.
---------
Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder.
Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------
Please now run a new scan with DDS and post both of the logs that are created. :)
Hi,
Do you still need help? :)
Due to lack of feedback, this topic will now be closed.
If you are the original poster and you still require help, please start a new thread.