
View Full Version : Virus Please Help



danib
2014-06-10, 13:06
Hi,

I'm really sorry about this because I asked for help with this PC on my dad's behalf recently in this forum. Unfortunately, the other day Adobe stopped working so he tried to reinstall it on his own. I've told him to only get software from the publisher when possible; apparently he thought he was downloading Adobe Reader from Adobe, but instead he has downloaded what seems to be a particularly nasty malware version from: http://www.pdf-reader.org.

Your help would be 'really' appreciated. Thank you.

Unfortunately, ERUNT would not run. I got error: ERROR Saving File C:Windows\ERDNT\10-6-2014\Security! RegCreateKKey EX-5 Access is denied

Please find the logs below - (attach.txt is attached):
__________________________
DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16545 BrowserJavaVersion: 10.55.2
Run by Alan at 11:15:08 on 2014-06-10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.580 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton Internet Security *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\rundll32.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\21.3.0.12\NIS.exe
C:\Program Files\004\rqpbhevlkc32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Internet Security\Engine\21.3.0.12\NIS.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Users\Alan\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Optimizer Pro\OptProSmartScan.exe
C:\Program Files\Optimizer Pro\OptProReminder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\DllHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie&cd=2xzuyetn2y1l1qzutdtdtc0f0cycyd0ftayd0atbtbydzztdtn0d0tzu0szzzzzytn1l2xzutbtftbtdtftczytftdtn1l1czutcyetbzytdyd1v1ttn1l1g1b1v1n2y1l1qzu2std0e0c0f0a0d0atctg0btcyetbtgydtdyezytgyctdydybtgtdzz0azy0c0bzyyb0atbtd0d2qtn1m1f1b2z1v1n2y1l1qzu2stb0dtb0eye0f0c0etgyc0btdtatgydtd0fydtgtbybyd0atgyd0d0aydye0bybtatc0dzz0c2q&cr=1833245417&ir=
mStart Page = hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCyD0FtAyD0AtBtByDzztDtN0D0Tzu0SzzzzzytN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StD0E0C0F0A0D0AtCtG0BtCyEtBtGyDtDyEzytGyCtDyDyBtGtDzz0Azy0C0BzyyB0AtBtD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0DtB0EyE0F0C0EtGyC0BtDtAtGyDtD0FyDtGtByByD0AtGyD0D0AyDyE0ByBtAtC0Dzz0C2Q&cr=1833245417&ir=
mDefault_Page_URL = hxxp://www.google.com
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.150\McAfeeMSS_IE.dll
BHO: CouponDownloader: {10AD2C61-0898-4348-8600-14A342F22AC3} - c:\program files\coupon downloader\Coupon Downloader.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\21.3.0.12\ips\ipsbho.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
uRun: [SkyDrive] "c:\users\alan\appdata\local\microsoft\skydrive\SkyDrive.exe" /background
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Optimizer Pro] c:\program files\optimizer pro\OptProLauncher.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe" -delete
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\users\alan\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.150\SSScheduler.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{BC8A0FF6-6E48-45C7-BD7D-7AAB53E677A3} : DHCPNameServer = 192.168.0.1
AppInit_DLLs= c:\progra~1\optimi~1\optpro~2.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\nig14d71.default-1398775423920\
FF - prefs.js: browser.search.selectedEngine - Speedial
FF - prefs.js: browser.startup.homepage - hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie&cd=2xzuyetn2y1l1qzutdtdtc0f0cycyd0ftayd0atbtbydzztdtn0d0tzu0szzzzzytn1l2xzutbtftbtdtftczytftdtn1l1czutcyetbzytdyd1v1ttn1l1g1b1v1n2y1l1qzu2std0e0c0f0a0d0atctg0btcyetbtgydtdyezytgyctdydybtgtdzz0azy0c0bzyyb0atbtd0d2qtn1m1f1b2z1v1n2y1l1qzu2stb0dtb0eye0f0c0etgyc0btdtatgydtd0fydtgtbybyd0atgyd0d0aydye0bybtatc0dzz0c2q&cr=1833245417&ir=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_214.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.nspdlsd.aflt - spd_dsites02_14_23_ie
FF - user.js: extensions.nspdlsd.instlRef - 142905_a
FF - user.js: extensions.nspdlsd.cr - 1833245417
FF - user.js: extensions.nspdlsd.cd - 2XzuyEtN2Y1L1QzutDtDtC0F0CyCyD0FtAyD0AtBtByDzztDtN0D0Tzu0SzzzzzytN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StD0E0C0F0A0D0AtCtG0BtCyEtBtGyDtDyEzytGyCtDyDyBtGtDzz0Azy0C0BzyyB0AtBtD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0DtB0EyE0F0C0EtGyC0BtDtAtGyDtD0FyDtGtByByD0AtGyD0D0AyDyE0ByBtAtC0Dzz0C2Q
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1503000.00c\symds.sys [2014-5-20 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1503000.00c\symefa.sys [2014-5-20 936152]
R1 BHDrvx86;BHDrvx86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\bashdefs\20140510.001\BHDrvx86.sys [2014-5-10 1101616]
R1 ccSet_NIS;NIS Settings Manager;c:\windows\system32\drivers\nis\1503000.00c\ccsetx86.sys [2014-5-20 127064]
R1 IDSVix86;IDSVix86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\ipsdefs\20140606.002\IDSvix86.sys [2014-6-8 395992]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1503000.00c\ironx86.sys [2014-5-20 206936]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1503000.00c\symtdiv.sys [2014-5-20 384728]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-4-30 217088]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2013-4-29 291840]
R2 ca82e1a5;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe [2006-11-2 44544]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2014-4-25 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\21.3.0.12\nis.exe [2014-5-20 276376]
R2 rqpbhevlkc32;rqpbhevlkc32;c:\program files\004\rqpbhevlkc32.exe run options=01100010040000000000000000000000 sourceguid=4b5f3986-688d-4ee0-8390-82983e6e96a7 --> c:\program files\004\rqpbhevlkc32.exe run options=01100010040000000000000000000000 sourceguid=4B5F3986-688D-4EE0-8390-82983E6E96A7 [?]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2014-4-26 37944]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.150\McCHSvc.exe [2014-4-9 235696]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-06-08 10:10:53 -------- d-----w- c:\users\alan\appdata\roaming\Optimizer Pro
2014-06-08 10:09:35 -------- d-----w- C:\temp
2014-06-08 10:09:21 -------- d-----w- c:\program files\coupon downloader
2014-06-08 10:05:53 -------- d-----w- c:\users\alan\appdata\roaming\Speedial
2014-06-08 10:05:31 -------- d-----w- c:\program files\Speedial
2014-06-08 10:05:31 -------- d-----w- c:\program files\Optimizer Pro
2014-06-08 10:05:26 -------- d-----w- c:\users\alan\appdata\roaming\1H1Q
2014-06-08 10:05:08 -------- d-----w- c:\program files\004
2014-06-08 10:04:54 -------- d-----w- c:\users\alan\appdata\roaming\AppCloudUpdater
2014-06-08 10:04:50 -------- d-----w- c:\program files\AppSafe
2014-06-03 15:30:17 -------- d-----w- c:\users\alan\appdata\local\CrashDumps
2014-06-01 17:55:27 -------- d-----w- c:\program files\McAfee Security Scan
2014-05-30 10:38:29 -------- d-----w- c:\users\alan\appdata\local\Adobe
2014-05-20 09:13:45 936152 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symefa.sys
2014-05-20 09:13:45 664280 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\srtsp.sys
2014-05-20 09:13:45 447704 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symnets.sys
2014-05-20 09:13:45 384728 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symtdiv.sys
2014-05-20 09:13:45 367704 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symds.sys
2014-05-20 09:13:45 32344 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\srtspx.sys
2014-05-20 09:13:45 21520 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symelam.sys
2014-05-20 09:13:45 206936 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\ironx86.sys
2014-05-20 09:13:45 127064 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\ccsetx86.sys
2014-05-20 09:13:31 30068 ----a-w- c:\windows\system32\drivers\nis\1503000.00c\symvtcer.dat
2014-05-20 09:13:31 -------- d-----w- c:\windows\system32\drivers\nis\1503000.00C
2014-05-15 08:35:11 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-12 09:29:01 965232 ----a-w- c:\program files\mozilla firefox\icuuc52.dll
2014-05-12 09:29:01 1266800 ----a-w- c:\program files\mozilla firefox\icuin52.dll
2014-05-12 09:29:01 10594416 ----a-w- c:\program files\mozilla firefox\icudt52.dll
.
==================== Find3M ====================
.
2014-05-16 08:53:10 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-16 08:53:10 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-26 14:23:20 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2014-04-26 13:21:23 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2014-04-26 13:19:33 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2014-04-26 13:19:32 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-04-26 13:19:32 519680 ----a-w- c:\windows\system32\d3d11.dll
2014-04-26 13:19:32 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2014-04-26 13:19:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2014-04-26 13:19:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
2014-04-26 13:19:32 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2014-04-26 13:19:32 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-04-25 15:04:13 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2014-04-25 15:04:10 82432 ----a-w- c:\windows\system32\axaltocm.dll
2014-04-24 15:45:53 36864 ----a-w- c:\windows\system32\drivers\en-us\http.sys.mui
2014-04-23 15:21:21 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-04-23 13:28:10 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-23 12:31:36 23552 ----a-w- c:\windows\system32\lpk.dll
2014-04-23 12:31:36 10240 ----a-w- c:\windows\system32\dciman32.dll
2014-04-23 12:31:15 61440 ----a-w- c:\windows\system32\winipsec.dll
2014-04-23 12:31:15 272896 ----a-w- c:\windows\system32\polstore.dll
2014-04-23 12:30:12 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2014-04-23 12:30:12 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2014-04-23 12:30:12 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2014-04-23 12:30:12 19968 ----a-w- c:\windows\system32\ARP.EXE
2014-04-23 12:30:12 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2014-04-23 12:30:12 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2014-04-23 12:30:12 105984 ----a-w- c:\windows\system32\netiohlp.dll
2014-04-23 12:30:12 10240 ----a-w- c:\windows\system32\finger.exe
2014-04-23 12:29:25 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2014-04-23 12:29:25 65024 ----a-w- c:\windows\system32\wlanapi.dll
2014-04-23 12:29:25 513536 ----a-w- c:\windows\system32\wlansvc.dll
2014-04-23 12:29:25 302592 ----a-w- c:\windows\system32\wlansec.dll
2014-04-23 12:29:25 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2014-04-23 12:29:25 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2014-04-23 12:29:23 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2014-04-23 12:29:01 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-04-23 12:29:00 2048 ----a-w- c:\windows\system32\msxml6r.dll
2014-04-23 12:28:37 218624 ----a-w- c:\windows\system32\msv1_0.dll
2014-04-23 12:27:56 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2014-04-23 12:27:55 24576 ----a-w- c:\windows\system32\mfpmp.exe
2014-04-23 12:27:55 2048 ----a-w- c:\windows\system32\mferror.dll
2014-04-23 12:26:35 71680 ----a-w- c:\windows\system32\atl.dll
2014-04-23 12:25:58 41984 ----a-w- c:\windows\system32\drivers\monitor.sys
2014-04-23 12:25:22 53248 ----a-w- c:\windows\system32\tsgqec.dll
2014-04-23 12:25:22 136192 ----a-w- c:\windows\system32\aaclient.dll
2014-04-23 12:24:23 714240 ----a-w- c:\windows\system32\timedate.cpl
2014-04-23 12:20:31 499712 ----a-w- c:\windows\system32\kerberos.dll
2014-04-23 12:20:31 175104 ----a-w- c:\windows\system32\wdigest.dll
2014-04-23 12:19:36 6656 ----a-w- c:\windows\system32\kbd106n.dll
2014-04-23 12:18:47 220672 ----a-w- c:\windows\system32\l3codecp.acm
2014-04-23 12:18:46 62464 ----a-w- c:\windows\system32\l3codeca.acm
2014-04-23 12:18:29 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2014-04-23 12:18:29 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2014-04-23 12:18:29 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2014-04-23 12:18:28 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2014-04-23 12:18:11 293376 ----a-w- c:\windows\system32\browserchoice.exe
2014-04-23 12:17:37 98304 ----a-w- c:\windows\system32\cabview.dll
2014-04-23 12:17:11 14848 ----a-w- c:\windows\system32\wshrm.dll
2014-04-23 12:17:02 43520 ----a-w- c:\windows\system32\msdxm.tlb
2014-04-23 12:17:02 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2014-04-23 12:17:02 18432 ----a-w- c:\windows\system32\amcompat.tlb
2014-04-23 12:17:00 7680 ----a-w- c:\windows\system32\spwmp.dll
2014-04-23 12:17:00 4096 ----a-w- c:\windows\system32\msdxm.ocx
2014-04-23 12:17:00 4096 ----a-w- c:\windows\system32\dxmasf.dll
2014-04-23 12:16:25 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2014-04-23 12:16:25 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2014-04-23 12:16:25 332288 ----a-w- c:\windows\system32\msdrm.dll
2014-04-23 12:16:25 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2014-04-23 12:16:25 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2014-04-23 12:16:24 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-04-23 12:16:24 518144 ----a-w- c:\windows\system32\RMActivate.exe
2014-04-23 12:16:24 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2014-04-23 12:16:24 471552 ----a-w- c:\windows\system32\secproc.dll
2014-04-22 17:44:23 160256 ----a-w- c:\windows\system32\wkssvc.dll
2014-04-22 17:16:36 2560 ----a-w- c:\windows\apppatch\AcRes.dll
2014-04-22 17:14:07 84480 ----a-w- c:\windows\system32\INETRES.dll
2014-04-22 17:13:58 60928 ----a-w- c:\windows\system32\msasn1.dll
2014-04-22 17:13:18 411648 ----a-w- c:\windows\system32\drivers\http.sys
2014-04-22 17:13:18 30720 ----a-w- c:\windows\system32\httpapi.dll
2014-04-22 17:13:18 24064 ----a-w- c:\windows\system32\nshhttp.dll
2014-04-22 17:12:25 243712 ----a-w- c:\windows\system32\rastls.dll
2014-04-22 17:12:16 355328 ----a-w- c:\windows\system32\WSDApi.dll
2014-04-22 17:11:47 91136 ----a-w- c:\windows\system32\avifil32.dll
2014-04-22 17:11:47 82944 ----a-w- c:\windows\system32\mciavi32.dll
2014-04-22 17:11:47 65024 ----a-w- c:\windows\system32\avicap32.dll
2014-04-22 17:11:47 31744 ----a-w- c:\windows\system32\msvidc32.dll
2014-04-22 17:11:47 13312 ----a-w- c:\windows\system32\msrle32.dll
2014-04-22 17:11:47 123904 ----a-w- c:\windows\system32\msvfw32.dll
2014-04-22 17:11:46 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2014-04-22 17:11:46 22528 ----a-w- c:\windows\system32\msyuv.dll
2014-04-22 17:11:46 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2014-04-22 17:11:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2014-04-22 17:11:22 310784 ----a-w- c:\windows\system32\unregmp2.exe
2014-03-31 21:46:48 130712 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2014-03-31 21:46:48 1070232 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 11:16:08.99 ===============
_________________________________-

aswMBR

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-06-10 11:18:51
-----------------------------
11:18:51.963 OS Version: Windows 6.0.6002 Service Pack 2
11:18:51.964 Number of processors: 2 586 0x6B02
11:18:51.965 ComputerName: ALAN-PC UserName: Alan
11:18:54.083 Initialize success
11:22:52.840 AVAST engine defs: 14060901
11:29:57.924 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
11:29:57.929 Disk 0 Vendor: ST336032 3.CH Size: 343399MB BusType: 6
11:29:58.069 Disk 0 MBR read successfully
11:29:58.075 Disk 0 MBR scan
11:29:58.182 Disk 0 unknown MBR code
11:29:58.189 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 332744 MB offset 63
11:29:58.224 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10652 MB offset 681461235
11:29:58.241 Disk 0 scanning sectors +703277505
11:29:58.410 Disk 0 scanning C:\Windows\system32\drivers
11:30:08.564 Service scanning
11:30:13.310 Service BHDrvx86 C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\BASHDefs\20140606.001\BHDrvx86.sys **LOCKED** 5
11:30:13.934 Service ccSet_NIS C:\Windows\system32\drivers\NIS\1503000.00C\ccSetx86.sys **LOCKED** 5
11:30:16.524 Service eeCtrl C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys **LOCKED** 5
11:30:20.315 Service IDSVix86 C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\IPSDefs\20140608.001\IDSvix86.sys **LOCKED** 5
11:30:24.090 Service NAVENG C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20140609.033\NAVENG.SYS **LOCKED** 5
11:30:24.449 Service NAVEX15 C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20140609.033\NAVEX15.SYS **LOCKED** 5
11:30:31.687 Service SRTSPX C:\Windows\system32\drivers\NIS\1503000.00C\SRTSPX.SYS **LOCKED** 5
11:30:32.420 Service SymDS C:\Windows\system32\drivers\NIS\1503000.00C\SYMDS.SYS **LOCKED** 5
11:30:32.670 Service SymEvent C:\Windows\system32\Drivers\SYMEVENT.SYS **LOCKED** 5
11:30:32.841 Service SymIRON C:\Windows\system32\drivers\NIS\1503000.00C\Ironx86.SYS **LOCKED** 5
11:30:33.013 Service SYMTDIv C:\Windows\System32\Drivers\NIS\1503000.00C\SYMTDIV.SYS **LOCKED** 5
11:30:38.972 Modules scanning
11:30:46.086 Disk 0 trace - called modules:
11:30:46.117 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
11:30:46.117 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85110310]
11:30:46.117 3 CLASSPNP.SYS[8072e8b3] -> nt!IofCallDriver -> [0x84a415e8]
11:30:46.133 5 acpi.sys[8060c6bc] -> nt!IofCallDriver -> \Device\0000005a[0x846178f0]
11:30:47.303 AVAST engine scan C:\Windows
11:30:50.001 AVAST engine scan C:\Windows\system32
11:34:20.857 AVAST engine scan C:\Windows\system32\drivers
11:35:03.086 AVAST engine scan C:\Users\Alan
11:35:05.691 Disk 0 MBR has been saved successfully to "C:\Users\Alan\Desktop\MBR.dat"
11:35:05.707 The log file has been saved successfully to "C:\Users\Alan\Desktop\aswMBR.txt"
11:55:41.927 AVAST engine scan C:\ProgramData
11:56:53.786 Scan finished successfully
11:58:03.171 Disk 0 MBR has been saved successfully to "C:\Users\Alan\Desktop\MBR.dat"
11:58:03.182 The log file has been saved successfully to "C:\Users\Alan\Desktop\aswMBR.txt"

_________________________________________

Thank you, very much.
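Reading a DDS log like the one above by hand means scanning hundreds of lines for the handful that matter: the hijacked start pages, the AppInit_DLLs entry, the run keys and BHOs pointing at bundled adware, and the service whose image sits in a directory called 004 under a random name. The script below is an added example, not code from the thread, from the DDS tool or from any of the forum participants. It parses the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats and flags those persistence points with simple, labelled heuristics. The trusted start-page hosts, the list of LOLBin hosts, the random-name heuristic and the adware keyword list are assumptions; the keywords are the names shelf life identifies in this thread. The sample input is a shortened excerpt of the posted DDS log.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Hosts a browser start page may legitimately point at (assumption; tune per user).
TRUSTED_HOME_HOSTS = {"www.google.com", "google.com", "www.bing.com", "www.msn.com"}
# Bundled adware names that this thread itself identified.
KNOWN_PUP = ("optimizer pro", "coupon downloader", "speedial", "appcloudupdater")
# Signed Windows binaries a legitimate service rarely uses as its image (assumption).
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

HOME_RE = re.compile(r"^[um](?:Start Page|Default_Page_URL)\s*=\s*(?P<url>\S+)", re.I)
ENTRY_RE = re.compile(r"^(?P<kind>[um]Run|BHO|TB|StartupFolder):\s*(?P<rest>.*)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# A Windows path up to its extension; DDS lower-cases paths and they may contain spaces.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys|cpl|ocx)\b", re.I)

# Shortened excerpt of the DDS log posted above, used as sample input.
SAMPLE_LOG = r"""
uStart Page = hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie&cr=1833245417&ir=
mDefault_Page_URL = hxxp://www.google.com
BHO: CouponDownloader: {10AD2C61-0898-4348-8600-14A342F22AC3} - c:\program files\coupon downloader\Coupon Downloader.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
uRun: [Optimizer Pro] c:\program files\optimizer pro\OptProLauncher.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
AppInit_DLLs= c:\progra~1\optimi~1\optpro~2.dll
R2 rqpbhevlkc32;rqpbhevlkc32;c:\program files\004\rqpbhevlkc32.exe run options=01100010040000000000000000000000 --> c:\program files\004\rqpbhevlkc32.exe [?]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\21.3.0.12\nis.exe [2014-5-20 276376]
R2 ca82e1a5;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe [2006-11-2 44544]
"""


def looks_random(name):
    """Heuristic for generated names such as rqpbhevlkc32 or ca82e1a5: an 8+ char
    hex string, or 10+ chars that mix digits with vowel-poor letters."""
    s = name.lower()
    if re.fullmatch(r"[0-9a-f]{8,}", s):
        return True
    letters = [c for c in s if c.isalpha()]
    if len(s) < 10 or len(letters) < 4 or not any(c.isdigit() for c in s):
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def odd_directory(path):
    """True when the file's parent directory is all digits (e.g. '004') or random-looking."""
    parent = PureWindowsPath(path).parent.name
    return parent.isdigit() or looks_random(parent)


def triage(log_text):
    """Return (kind, reason, line) findings for DDS 'Pseudo HJT' and service lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOME_RE.match(line)
        if m:
            # DDS defangs URLs as hxxp; undo that before parsing the host.
            host = urlsplit(m.group("url").replace("hxxp", "http", 1)).hostname or ""
            if host not in TRUSTED_HOME_HOSTS:
                findings.append(("homepage", f"start page set to {host}", line))
            continue
        if line.lower().startswith("appinit_dlls=") and line.split("=", 1)[1].strip():
            findings.append(("appinit", "AppInit_DLLs injects a DLL into every process that loads user32.dll", line))
            continue
        reasons = []
        pup_hit = any(k in line.lower() for k in KNOWN_PUP)
        m = SERVICE_RE.match(line)
        if m:
            kind = "service"
            paths = PATH_RE.findall(m.group("rest"))
            if looks_random(m.group("name")):
                reasons.append("random-looking service name")
            if paths and PureWindowsPath(paths[0]).name.lower() in LOLBIN_HOSTS:
                reasons.append(f"service image is {PureWindowsPath(paths[0]).name}")
            if paths and odd_directory(paths[0]):
                reasons.append(f"image lives in odd directory '{PureWindowsPath(paths[0]).parent.name}'")
            if line.endswith("[?]"):
                reasons.append("DDS could not stat the image file")
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            kind = m.group("kind")
            for p in PATH_RE.findall(m.group("rest")):
                if odd_directory(p):
                    reasons.append(f"path in odd directory '{PureWindowsPath(p).parent.name}'")
        if pup_hit:
            reasons.append("matches adware named in the thread")
        if reasons:
            findings.append((kind, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the excerpt it reports six findings: the Speedial start page, the CouponDownloader BHO, the Optimizer Pro run key, the AppInit_DLLs entry, the rqpbhevlkc32 service (random name, image under 004, file DDS could not stat) and the ca82e1a5 service hosted by rundll32.exe. The Norton and Adobe lines pass, which is the point of keying on structural signals (directory names, LOLBin hosts, unresolvable images) rather than on a vendor blocklist alone; the heuristics will still want tuning on a log from a different machine.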

shelf life
2014-06-11, 00:37
hi danib,

"I've told him to only get software from the publisher when possible" - that's good advice. You can see way down at the bottom of the page it says:

This product is totally free and offers the user additional bundle products that may include advertisement.

Look in the add/remove programs panel and uninstall:
Optimizer Pro
CouponDownloader

With IE open, go to Tools > Internet Options > Advanced tab and near the bottom click the Reset button to reset IE back to its defaults. Reboot the machine and see how things look, and we will go from there.

danib
2014-06-11, 17:49
Hi shelf life,

Thanks for your support.

Just like you, I am giving up my time to help with this. I couldn't believe it when I was told that there was a problem again with the PC; only a couple of weeks ago Ken and I spent the best part of a week getting it to run fine. Anyway, mistakes happen. I've made them before.

I have removed Optimizer Pro and CouponDownloader. I have reset Internet Explorer and I reset Firefox too while I was at it.

My concern is that ERUNT did not run initially - could the registry have been taken over? Also, dad had an external hard drive plugged in. There are no apps on the drive, just files which are still accessible; so, do you think the external drive should be OK please?

I'll await your next generous instructions.

Thanks again.

shelf life
2014-06-12, 00:50
hi,

Don't know why ERUNT didn't function correctly. I wouldn't worry about it. No, this didn't take over your registry. The external drive is most likely also OK.

You had all-too-common, well-documented and easily removed malware. Nothing hideous. Believe me, the bad stuff won't add entries in your Add/Remove Programs panel. Not to make light of this adware, though.

Now, the two program uninstallers may not do an efficient job of removing all the files and entries, but for that we can run AdwCleaner and see if it picks up any stray leftovers:

AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/)
Click the link that says: Download Now @BleepingComputer.
Install, then right-click and "Run as administrator". Click the Scan button. Once the scan is complete, click the Clean button. The machine will reboot and at restart display a log of any items it removed.

danib
2014-06-12, 18:29
Hi Shelf Life,

That's reassuring, thank you.

I ran the cleaner; so, please find the log below:

_________________________________________

# AdwCleaner v3.212 - Report created 12/06/2014 at 17:17:36
# Updated 05/06/2014 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Username : Alan - ALAN-PC
# Running from : C:\Users\Alan\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : rqpbhevlkc32

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\2308189059
Folder Deleted : C:\Program Files\004
Folder Deleted : C:\Users\Alan\AppData\Roaming\AppCloudUpdater
Folder Deleted : C:\Users\Alan\Documents\Optimizer Pro
File Deleted : C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\nig14d71.default-1398775423920\searchplugins\safesearch.xml
File Deleted : C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\nig14d71.default-1398775423920\user.js
File Deleted : C:\Windows\Tasks\AppCloudUpdater.job
File Deleted : C:\Windows\System32\Tasks\AppCloudUpdater

***** [ Shortcuts ] *****


***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EB448A38-D6AC-45E7-9141-817DCB5EAF52}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB448A38-D6AC-45E7-9141-817DCB5EAF52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKCU\Software\AppCloudUpdater
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\LevelQualityWatcher

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16555

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v30.0 (en-US)

[ File : C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\nig14d71.default-1398775423920\prefs.js ]


*************************

AdwCleaner[R0].txt - [2558 octets] - [12/06/2014 17:12:01]
AdwCleaner[S0].txt - [2147 octets] - [12/06/2014 17:17:36]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2207 octets] ##########

danib
2014-06-12, 18:33
PS.

I tried to run ERUNT again as admin and it worked; apparently this is what has to be done on Vista PCs.

Thanks.

shelf life
2014-06-13, 00:25
OK, good. I see AdwCleaner removed some strays left behind by the uninstallers. If all is good on your end, I think we are done. See the link below if you're interested in some prevention tips. Happy safe surfing out there.