PDA

View Full Version : problems getting rid of malicious cookies



eve.online
2013-03-30, 04:33
I foolishly installed Privitize VPM an now have a mess. Actually, I don't even know if that was the source of my problem, but it may have been. I completed a removal using SB S&D 2 but I am left with cookies from every tracking site and porn site on the internet that repopulate every time I delete them. (S&D wasn't effective) What can I do to get rid of the source so that it doesn't keep coming back?

DSS Log
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16800
Run by me at 21:52:35 on 2013-03-29
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2814.1702 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxducoms.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
mStart Page = hxxp://searchou.com/?affil=7&uid=db7d2b60-8c3c-11e2-8bcd-001f16fd7d03
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
uURLSearchHooks: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
TB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
uRun: [Global Registration] "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Organizer Pro] C:\Program Files (x86)\Organizer Pro\AtDem.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun: [Lexmark 5600-6600 Series] "C:\Program Files (x86)\Lexmark 5600-6600 Series\fm3032.exe" /s
mRun: [atr.exe] <no file>
StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{7534CCD2-2C51-4A20-9540-82EDBC5C9D8A} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\035324430333837353735343 : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\140707C65602E4564777F627B602336303366333 : DHCPNameServer = 10.0.1.1
TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\16733616 : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\854414D275966696D23586162796E676 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\C696E6B6379737 : DHCPNameServer = 209.18.47.61 209.18.47.62
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs=
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
x64-mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
x64-BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} -
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [lxdumon.exe] "C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe"
x64-Run: [lxduamon] "C:\Program Files (x86)\Lexmark 5600-6600 Series\lxduamon.exe"
x64-Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
.
============= SERVICES / DRIVERS ===============
.
R2 lxdu_device;lxdu_device;C:\Windows\System32\lxducoms.exe -service --> C:\Windows\System32\lxducoms.exe -service [?]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-3-28 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-3-28 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-3-28 168384]
R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-8-14 240160]
R3 athrusb;Netgear WG111T modded device driver;C:\Windows\System32\drivers\athrxusb.sys [2009-11-29 1037312]
S2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe --> C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [?]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxduserv.exe [2010-1-14 29184]
S3 TFsExDisk;TFsExDisk;C:\Windows\System32\drivers\TFsExDisk.sys [2010-3-6 16392]
.
=============== Created Last 30 ================
.
2013-03-30 01:07:50 -------- d-----w- C:\Users\me\AppData\Local\Macromedia
2013-03-28 22:05:41 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-03-28 22:05:25 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-03-28 22:05:16 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-03-26 09:32:21 9311288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D04DAA15-4027-41A0-96E8-3FF986C9CD7A}\mpengine.dll
2013-03-14 01:03:52 -------- d-----w- C:\Users\me\AppData\Roaming\BitTorrent
2013-03-14 00:58:22 -------- d-----w- C:\Users\me\AppData\Local\Torch
2013-03-14 00:22:03 -------- d-----w- C:\ProgramData\CLSoft LTD
2013-03-14 00:21:47 -------- d-----w- C:\ProgramData\MAgoniPicc
2013-03-14 00:21:44 -------- d-----w- C:\ProgramData\InstallMate
.
==================== Find3M ====================
.
2013-01-31 13:15:21 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-31 13:15:21 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-01-17 05:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 21:53:00.89 ===============

aswMBR Log
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-03-29 21:56:57
-----------------------------
21:56:57.192 OS Version: Windows x64 6.1.7600
21:56:57.193 Number of processors: 1 586 0x7F02
21:56:57.194 ComputerName: ME-PC UserName: me
21:56:58.779 Initialize success
21:59:51.383 AVAST engine defs: 13032901
22:00:00.365 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
22:00:00.369 Disk 0 Vendor: ST332041 CC44 Size: 305245MB BusType: 3
22:00:00.462 Disk 0 MBR read successfully
22:00:00.466 Disk 0 MBR scan
22:00:00.475 Disk 0 unknown MBR code
22:00:00.496 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
22:00:00.514 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
22:00:00.524 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 290807 MB offset 29566976
22:00:00.552 Disk 0 scanning C:\Windows\system32\drivers
22:00:11.254 Service scanning
22:00:34.720 Modules scanning
22:00:34.769 Disk 0 trace - called modules:
22:00:34.800 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
22:00:35.184 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002fa5680]
22:00:35.195 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8002b907b0]
22:00:35.205 5 ACPI.sys[fffff88000e1a781] -> nt!IofCallDriver -> \Device\00000057[0xfffffa8002b909d0]
22:00:36.235 AVAST engine scan C:\Windows
22:00:38.529 AVAST engine scan C:\Windows\system32
22:05:03.820 AVAST engine scan C:\Windows\system32\drivers
22:05:17.472 AVAST engine scan C:\Users\me
22:05:59.301 Disk 0 MBR has been saved successfully to "C:\Users\me\Desktop\MBR.dat"
22:05:59.318 The log file has been saved successfully to "C:\Users\me\Desktop\aswMBR.txt"


I hope you can help. Thanks in advance.

fbfbfb
2013-04-04, 20:33
Hello, eve.online. :snwelcome:

My name is fbfbfb. I will gladly assist you with your concerns.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay, but I will do my best to keep it as short as possible.

I am checking over your DDS and aswMBR logs now, and I will post back shortly with instructions.

While working to resolve the issues with your machine, please follow these guidelines:
Please be patient. Logs are lengthy and can take time to analyze.
Read and follow my directions carefully, in the sequence they are posted. If you are unsure about anything, please ask for clarification before continuing.
Use only those tools that you have been directed to use.
Do not install or uninstall any applications or run any other scans without being directed to do so.
Copy and Paste the log files inside your post. Do not send them as attachments unless otherwise instructed.
Stay with me until your machine has been deemed all clear.
Please reply within 3 days to avoid closing this topic.

fbfbfb
2013-04-05, 14:41
Hello, eve.online.

Thank you for submitting your DDS log. DDS should have produced a second log named attach.txt and saved it to your desktop. If it is there, please submit this log to me. If you are unable to locate this report, please rerun DDS and submit both reports.

Please run the following scans

1. Rogue Killer

Please download Rogue Killer from HERE (http://tigzy.geekstogo.com/roguekiller.php).
Quit all running programs before continuing.
Double-click roguekiller.exe to run it.
Wait for the Prescan to finish.
Click Scan and wait for the scan to complete.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

A report will be created and saved on your desktop.
Exit the program.Copy and paste the RKreport.txt report into your next reply.


2. Security Check

Please download Security Check by screen317 from HERE (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or HERE (http://screen317.changelog.fr/SecurityCheck.exe). Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt. This may take a few minutes.Please copy and paste the contents of that document into your next reply.

eve.online
2013-04-05, 20:15
First, Thanks for your help!!

the Security Check report is here:
Results of screen317's Security Check version 0.99.61
Windows 7 x64 (UAC is disabled!)
Out of date service pack!! (http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Java(TM) 6 Update 17
Java 7 Update 17
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.5.502.146 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (19.0.2)
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

and the RogueKiller report is here
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : me [Admin rights]
Mode : Scan -- Date : 04/05/2013 13:00:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST332041 8AS SCSI Disk Device +++++
--- User ---
[MBR] b435e5ae8313687691ff18e4df5b708f
[BSP] 4bd9425129f5f628c8bdf1d528185e52 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29362176 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29566976 | Size: 290807 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_S_04052013_02d1300.txt >>
RKreport[1]_S_04052013_02d1253.txt ; RKreport[2]_S_04052013_02d1300.txt

When I ran Rogue Killer it prompted to delete the items it found but I did not do that yet. Please let me know if I should go ahead and delete them.

I have attached the attach zip

Thanks Again
E.O

fbfbfb
2013-04-06, 17:24
Hello, eve.online.

You're welcome, and thank you for your logs.

Please run the following scans


1. Rogue Killer

Please run Rogue Killer again (double click on roguekiller.exe to start).
Note: Please remove any usb or external drives from the computer and quit any running programs before you run this scan. When the scan has completed, click Delete.
Please copy and paste the RKreport.txt located on your desktop into your next reply.

2. ComboFix

Note: Before you begin, please read through these instructions completely, noting all important messages and warnings. Please download ComboFix from HERE (http://www.bleepingcomputer.com/download/combofix/dl/12/) or HERE (http://www.infospyware.net/antimalware/combofix/).Very Important! Save ComboFix.exe to to your Desktop.
Close all browsers.
Disable your AntiVirus and AntiSpyware applications as they can interfere with running ComboFix. To disable any security programs:
Right click on the System Tray icon, or
Refer to this link HERE (http://forums.whatthetech.com/index.php?showtopic=96260&pid=494216#entry494216) for further assistance. Double click on ComboFix.exe and follow the prompts.
When finished, ComboFix will produce a log for you. Please include the C:\ComboFix.txt in your next reply.Warnings:
Do not mouse-click on ComboFix's window while it is running. This may cause it to stall.
Do not re-run ComboFix. If problems occur with the installation or running of ComboFix, please reply back for further instructions.
Do not attempt to surf the internet while ComboFix is scanning.
Note: If there is no internet connection after running ComboFix, reboot your computer to restore the connection.Very Important! Make sure you re-enable your security programs when ComboFix is finished.

eve.online
2013-04-06, 19:32
Ok here is the Combofix report

ComboFix 13-04-06.01 - me 04/06/2013 12:07:14.1.1 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2814.1862 [GMT -4:00]
Running from: c:\users\me\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\prefs.js
c:\programdata\SPL7CFA.tmp
c:\programdata\SPLA88.tmp
c:\users\me\Logo.png
c:\users\me\videos\ExpatShield-cnet-DM-232.exe
c:\users\me\videos\mobcoach2.exe
c:\windows\wininit.ini
.
Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-03-06 to 2013-04-06 )))))))))))))))))))))))))))))))
.
.
2013-04-06 16:16 . 2013-04-06 16:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-05 07:16 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EB4B2C6F-BBFA-4BBE-997E-7449DC699B2D}\mpengine.dll
2013-04-01 21:23 . 2013-04-04 16:38 -------- d-----w- c:\users\me\AppData\Roaming\dvdcss
2013-04-01 21:22 . 2013-04-04 16:39 -------- d-----w- c:\users\me\AppData\Roaming\vlc
2013-04-01 21:17 . 2013-04-01 21:17 -------- d-----w- c:\program files (x86)\VideoLAN
2013-03-31 22:56 . 2013-03-31 22:56 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-31 22:56 . 2013-03-31 22:54 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-31 22:56 . 2013-03-31 22:54 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-31 22:55 . 2013-03-31 22:54 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-31 22:45 . 2013-03-31 22:45 -------- d-----w- c:\programdata\McAfee
2013-03-30 01:42 . 2013-03-30 01:42 -------- d-----w- c:\program files (x86)\ERUNT
2013-03-30 01:07 . 2013-03-30 01:07 -------- d-----w- c:\users\me\AppData\Local\Macromedia
2013-03-30 00:48 . 2013-03-30 00:48 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-03-28 22:05 . 2013-03-30 02:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-03-28 22:05 . 2009-01-25 16:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-03-28 22:05 . 2013-03-28 22:05 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-03-14 01:03 . 2013-04-05 08:55 -------- d-----w- c:\users\me\AppData\Roaming\BitTorrent
2013-03-14 00:58 . 2013-03-14 00:58 -------- d-----w- c:\users\me\AppData\Local\Torch
2013-03-14 00:22 . 2013-03-14 00:22 -------- d-----w- c:\programdata\CLSoft LTD
2013-03-14 00:21 . 2013-03-14 00:33 -------- d-----w- c:\programdata\MAgoniPicc
2013-03-14 00:21 . 2013-03-14 00:33 -------- d-----w- c:\programdata\InstallMate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 05:10 . 2009-11-30 15:39 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-01-31 13:15 . 2012-04-28 14:02 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-31 13:15 . 2012-04-28 14:02 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Global Registration"="c:\program files (x86)\eMachines\Registration\GREG.exe" [2009-07-31 2844704]
"Organizer Pro"="c:\program files (x86)\Organizer Pro\AtDem.exe" [2005-12-19 32768]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-11-13 3713032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Lexmark 5600-6600 Series"="c:\program files (x86)\Lexmark 5600-6600 Series\fm3032.exe" [2009-05-11 311976]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
c:\users\me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-3-29 1014112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [x]
R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxduserv.exe [2009-10-16 29184]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 1039360]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-13 1103392]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-13 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-13 168384]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
S3 athrusb;Netgear WG111T modded device driver;c:\windows\system32\DRIVERS\athrxusb.sys [2009-11-29 1037312]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2009-12-10 c:\windows\Tasks\eMachines Registration Reminder.job
- c:\program files (x86)\eMachines\Registration\GREG.exe [2009-07-31 06:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"lxdumon.exe"="c:\program files (x86)\Lexmark 5600-6600 Series\lxdumon.exe" [2009-05-11 684712]
"lxduamon"="c:\program files (x86)\Lexmark 5600-6600 Series\lxduamon.exe" [2009-05-11 16040]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
mStart Page = hxxp://searchou.com/?affil=7&uid=db7d2b60-8c3c-11e2-8bcd-001f16fd7d03
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - ExtSQL: 2013-03-31 17:52; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-03-31 17:57; jid1-F9UJ2thwoAm5gQ@jetpack; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi
FF - ExtSQL: 2013-03-31 21:24; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2013-03-31 21:24; {bed1bcec-57d3-47e1-a32b-b4e5f3003019}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\{bed1bcec-57d3-47e1-a32b-b4e5f3003019}.xpi
FF - ExtSQL: 2013-03-31 21:24; extension@stitcher.com; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\extension@stitcher.com.xpi
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-atr.exe - (no file)
Notify-SDWinLogon - SDWinLogon.dll
BHO-{3706EE7C-3CAD-445D-8A43-03EBC3B75908} - c:\program files (x86)\Expat Shield\HssIE\ExpatIE_64.dll
Toolbar-Locked - (no file)
AddRemove-InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD} - c:\program files (x86)\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe
AddRemove-{7F811A54-5A09-4579-90E1-C93498E230D9} - c:\program files (x86)\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
AddRemove-{EE171732-BEB4-4576-887D-CB62727F01CA} - c:\program files (x86)\InstallShield Installation Information\{EE171732-BEB4-4576-887D-CB62727F01CA}\setup.exe
AddRemove-{1E8EB086-AE5F-45F6-887C-E5178868290F} - c:\users\me\AppData\Local\{45E721C2-9A3D-4E9E-9572-644CE1F67A8B}\LCSETUP30.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-06 12:22:40 - machine was rebooted
ComboFix-quarantined-files.txt 2013-04-06 16:22
.
Pre-Run: 204,478,431,232 bytes free
Post-Run: 204,486,074,368 bytes free
.
- - End Of File - - 3E5289B2D63DF9B790D39EA455998786


And Here is the Rogue Killer report again:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : me [Admin rights]
Mode : Remove -- Date : 04/06/2013 11:51:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST332041 8AS SCSI Disk Device +++++
--- User ---
[MBR] b435e5ae8313687691ff18e4df5b708f
4bd9425129f5f628c8bdf1d528185e52 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29362176 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29566976 | Size: 290807 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4]_D_04062013_02d1151.txt >>
RKreport[1]_S_04052013_02d1253.txt ; RKreport[2]_S_04052013_02d1300.txt ; RKreport[3]_S_04062013_02d1150.txt ; RKreport[4]_D_04062013_02d1151.txt


[B]I did get an error message during bootup but I didn't recognize what it was referring to and I can't remember what it said. It was something about a moving on to the next file. I clicked "no" and the error went away.

Let me know what's next. I really appreciate the help!

fbfbfb
2013-04-08, 05:19
Hello, eve.online.

Thank you for the logs.

Please run the following scans

1. Junkware Removal Tool

Please download Junkware Removal Tool from HERE (http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/) and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Right-mouse click JRT.exe and select Run as Administrator.
JRTwill begin to backup your registry and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, the log JRT.txt is saved on your desktop and will automatically open.Post the contents of JRT.txt into your next reply.

2. AdwCleaner

Please download AdwCleaner from HERE (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/).
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on the Delete button.
A logfile will automatically open after the scan has finished.
You can also find the logfile at C:\AdwCleaner[S1].txt.Copy and paste the adwcleaner.txt report into your next reply.

3. Malwarebytes Anti-Malware

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html).
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.Post the report please.

4. ESET Online Scanner
Note: Disable any antivirus program and antispyware programs to avoid conflicts.
If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
Please do not surf the internet while your security programs are disabled.
Let the scan run uninterrupted to avoid a stall.
Remember to enable your security programs when the scan has finished.Run ESET Online Scanner from HERE (http://www.eset.eu/online-scanner).
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box YES, I accept the Terms of Use.
Click on the Start button next to it.
If prompted, allow the Add-On/Active X to install.Under Computer scan settings:
Do not check Remove found threats
Check Scan Archives.
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology Click Start. ESET will download updates, install itself, and begin scanning your computer. Please be patient as this scan could take up to a few hours to complete.
Wait for the scan to finish. When the scan completes, click List of found threats.
Click Export and save the file to your desktop using a unique name, such as ESETScan.
Copy and paste the contents of this report in your next reply.
Click the Back button.
Click the Finish button.5. Clean Up Temp Files

Please download TFC (http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer) by OldTimer to your desktop.
Close any open windows.
Double click the TFC icon to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish.
Once complete, it should automatically reboot your machine.
If your computer does not automatically reboot, manually reboot to ensure a complete clean.
SUMMARY: In your next reply, please post the following:
JRT.txt
adwcleaner.txt
MBAM log
ESET log
Let me know how your computer is running at this stage.

fbfbfb
2013-04-11, 04:48
Hello, eve.online.

Do you still need help?

eve.online
2013-04-13, 23:57
Sorry it took so long to run the last batch of scans. I had a deadline and couldn't risk a problem. thanks for your patience.

here is the latest batch of scans. the only problem I ran into was the last scan TFC which stalled the two times I tried to run it, the first time I forgot to run it as administrator so when it stalled I aborted and ran it as admin and it stalled again.

Thanks
E


eset scan
C:\$RECYCLE.BIN\S-1-5-21-1342298365-2549134341-3604237475-1000\$RNN9NU2.exe Win32/InstalleRex.I.Gen application
C:\Users\me\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljidpgmdpigjjgieiifpdpkhcbabgabb\1\51411f9b31a0d4.61490956.js Win32/Adware.MultiPlug.H application
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-2600181b a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-31f26178 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-3f8f007b a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-49778fb3 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-534bcfd7 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-59ae07b3 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\fc6cc7a-6e9f197b Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\me\Downloads\cnet2_DoubleCAD-XT-3-1_exe.exe a variant of Win32/InstallCore.D application


Junkware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.8.3 (04.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by me on Sat 04/13/2013 at 13:43:37.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\startsearch
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\sprotector
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\sp global
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\sprotector
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{3bd44f0e-0596-4008-aee0-45d47e3a8f0e}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\clsoft ltd"
Successfully deleted: [Folder] "C:\ProgramData\installmate"
Successfully deleted: [Folder] "C:\Users\me\appdata\local\torch"
Successfully deleted: [Folder] "C:\Users\me\appdata\locallow\adawaretb"



~~~ FireFox

Successfully deleted: [File] "C:\Users\me\AppData\Roaming\mozilla\firefox\profiles\bvhir24s.default\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi"
Successfully deleted: [Folder] C:\Users\me\AppData\Roaming\mozilla\firefox\profiles\bvhir24s.default\jetpack
Emptied folder: C:\Users\me\AppData\Roaming\mozilla\firefox\profiles\bvhir24s.default\minidumps [9 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 04/13/2013 at 13:58:18.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adw Cleaner

# AdwCleaner v2.200 - Logfile created 04/13/2013 at 14:02:16
# Updated 02/04/2013 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : me - ME-PC
# Boot Mode : Normal
# Running from : C:\Users\me\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16800

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\me\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.14.1738.0

File : C:\Users\me\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1342 octets] - [13/04/2013 14:00:25]
AdwCleaner[S1].txt - [1279 octets] - [13/04/2013 14:02:16]

########## EOF - C:\AdwCleaner[S1].txt - [1339 octets] ##########

and finally MalwareBytes

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.13.04

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
me :: ME-PC [administrator]

4/13/2013 2:08:02 PM
mbam-log-2013-04-13 (14-08-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215610
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\ProgramData\MAgoniPicc\51411f9b31c4a.dll (Adware.MultiPlug) -> Quarantined and deleted successfully.

(end)

fbfbfb
2013-04-15, 05:01
Hello, eve.online.

Thank you for your logs. If you require more response time while we work to clean your system, please drop me a quick note so that we do not close this thread.

Please continue with the following tasks

1. Show Hidden System Files and Folders

Some of the files and folders we need to delete are hidden and need to be shown before they can be removed. Do the following:
Click Start, then click Control Panel.
Locate and double-click Folder Options.
Click on the View tab.
Under the Advanced Settings section, please do the following:
Under Hidden files and folders, check Show hidden files, folders, or drives.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files (Recommended) . When the warning message appears, click YES.
Click Apply > OK.2. Empty Recycler Folder
Empty the Recycle Bin on your desktop.
Close all running programs.
Click Start > Computer .
Double click Local Disk (C) > Scroll down to and double click the Recycler folder.
Double click the following Recycle bin to show the contents:
S-1-5-21-1342298365-2549134341-3604237475-1000 Click Edit > Select All.
Click File > Delete.
Exit all windows.3. Hide System Files and Folders

We need to rehide the system files and folders to keep them from being accidentally changed or deleted. Do the following:
Click Start, then click Control Panel.
Locate and double-click Folder Options.
Click on the View tab.
Under the Advanced Settings section, please do the following:
Under Hidden files and folders, uncheck Show hidden files, folders, or drives.
Check Hide file extensions for known file types.
Check Hide protected operating system files (Recommended) . When the warning message appears, click YES.
Click Apply > OK.4. Clear Java Cache
Click Start and select Control Panel.
In Classic View, double-click the Java Icon (coffee cup symbol)
Under Temporary Internet Files, click Settings.
Click the Delete Files button.
There are two options in the window to clear the cache. Leave both of these unchecked:
Applications and Applets
Trace and Log Files Click OK on Delete Temporary Files Window.
Note: This deletes all the Downloaded Applications and Applets from the cache. Click OK to exit the Temporary Files Settings.
Click OK to exit the Java Control Panel.5. Delete Extension(s) in Google Chrome

To completely remove the following extension from your browser, do this:
Open Google Chrome.
Click the Chrome menu on the browser toolbar (symbol of 3 horizontal lines).
Go to Settings.
Click Extensions in the pop-up menu.
From the list of installed Extensions, find the following extension:
ljidpgmdpigjjgieiifpdpkhcbabgabb\1\51411f9b31a0d4.61490956.js Click on the trash can icon to the right of Enable.
Close your browser completely and reopen it. The toolbar extension should no longer appear in your Chrome browser.6. Reset Your Home Page and Default Search Engine

Removing the toolbars may have changed your browser settings (homepage, default search engines). If so, please follow the instructions found HERE (http://eula.mindspark.com/reset-homepage-default-search-settings/).

7. Clean Temp Files with CCleaner

Since you were unable to run TFC, try this cleaner instead.
Download CCleaner from HERE (http://www.piriform.com/ccleaner).
Double click on the file to begin the installation.
Select your language > Click OK > Click Next.
Read the license agreement > click I Agree.
Click Next to use the default install location > Click Install > Finish.
Double click the CCleaner shortcut on the desktop to start the program(only if you do not want them deleted.)
Note: If you use Firefox, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla. Click on the Options icon (left side) > Click Advanced.
Deselect Only delete files in Windows Temp folders older than 48 hours.
Click on the Cleaner icon (left side) > Click Run Cleaner.
Click Exit when finished.

Please run DDS again and send me a fresh log. Are there any other issues we need to address?

eve.online
2013-04-17, 19:50
Ok, attached is the final reports from DDS. Everything seems OK.

Thanks for all your help.
:thanks:
E

fbfbfb
2013-04-18, 03:29
Hello, eve.online. Thank you for the DDS log. It is clean , and you are reporting that all is well with your computer. Let's wrap up with some final housekeeping.

Please work through the following steps to ensure that unnecessary programs and files have been removed and your system is up-to-date.

Uninstall Combofix.
Press the Win Key + R to open up the Run dialog box.
In the Open field type combofix /uninstall. Please note that there is a space between combofix and /uninstall.
Click OK. The Open File security warning will appear asking if you are sure you want to run ComboFix. Please click the Run button to start the program. This will uninstall Combofix and anything associated with it.
When ComboFix has finished uninstalling, delete the ComboFix.exe program from your computer.Tool Removal

You no longer need the following tools. Please delete these tools and any logs from your machine: DDS, RogueKiller, Security Check, JRT, AdwCleaner, MBAM, ESET, and TFC. You can keep Malwarebytes for future use if you choose.

To uninstall ESET Online Scanner, please do the following:
Click Start and select Control Panel.
Click the Uninstall a Program option found under the Programs category.
Select the ESET Online Scanner.
Click Remove.
A restart may be required to complete uninstallation.Anti-Virus Protection

I do not see an anti-virus program listed in your logs. You are currently running Windows Defender. This is an anti-spyware program, not an anti-virus program, and will not protect your computer against malicious infections. Check to ensure you have an anti-virus program installed and enabled, or you can download Microsoft Security Essentials or any one good free anti-virus program from HERE (http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software/).

Update Java (Version 7 Update 17)

To improve your software's performance and stability, please remove any older versions of Java and update to the latest version.
Click Start > Control Panel.
Click on the Java icon (coffee cup symbol) > Update > Update Now .
Follow the prompts to install the latest version of Java.To remove older versions:
Click Start and select Control Panel.
When the Control Panel window opens, click on Uninstall a program found under the Programs category.
If you are using the Classic View of the Control Panel, then you would double-click on the Programs and Features icon instead.
Look through the list of programs for any old versions of Java, and then left-click on it once to highlight it.
Click on the Uninstall button.
When finished, close the Programs and Features screen.Windows 7 Service Pack Update

Security Check indicates that you have an outdated Service Pack. To update to the latest Service Pack for your version of Windows, please visit Microsoft HERE (http://windows.microsoft.com/en-CA/windows/service-packs-download#sptabs=win7).

Internet Explorer 10

Download the latest version of Internet Explorer HERE (http://windows.microsoft.com/en-CA/internet-explorer/downloads/ie-10/worldwide-languages).

Turn On Automatic Updates

You can stay up to date with the latest critical and security updates by using Automatic Updates. To turn on Automatic Updates:
Click Start > click Control Panel > Click Windows Update.
In the left pane, click Change Settings.
Under Important Updates, click the down arrow and select Install updates automatically (recommended).
Under Recommended Updates, check Give me updates the same way I receive Important Updates.
Under Who can install updates, check Allow all users to install updates on this computer.
Click OK to apply the changes.

Note: If Windows prompts you to confirm these changes, allow it. Close the window.Adobe Updates

Adobe Reader 11 (Version 11.0.02)

To improve the funtionaility and security of your software, please update Adobe Reader HERE (http://get.adobe.com/reader/). Updates safeguard your system against malicious attacks through PDF files.

Update Adobe Flash 11 (Version 11.7.700.169)

Please update Adobe Flash HERE (http://get2.adobe.com/flashplayer/). Updating your Flash player ensures that it is working properly and guards against security vulnerabilities.

Recommended Reading

To maintain a clean and healthy system, please take the time to read through the following informative articles:
The Dangers of P2P File Sharing HERE (http://www.esecurityguy.com/p2p_file_sharing)
How to Prevent Malware by Miekiemoes HERE (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
So How Did I Get Infected In the First Place? By Tony Klein HERE (http://www.spywareinfoforum.com/index.php?showtopic=60955)
Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams HERE (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/)
Help! My computer is Slow – How to improve system performance after malware removal by Miekiemoes HERE (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Create Strong Passwords by Microsoft HERE (http://www.microsoft.com/security/online-privacy/passwords-create.aspx)
PC Safety and Security – What do I need to do? by Glaswegian HERE (http://www.techsupportforum.com/forums/f112/pc-safety-and-security-what-do-i-need-525915.html)


Wishing you a very safe browsing experience. :)
~ fbfbfb