
Thread: Malware Infection

  1. #1
    Junior Member (Join Date: Mar 2013, Posts: 11)

    Malware Infection

    Redirected from google sites to a variety of unwanted sites

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.15.2
    Run by Jayne at 13:37:57 on 2013-03-03
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3069.1299 [GMT 0:00]
    .
    AV: AVG Internet Security 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AVG Internet Security 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    FW: AVG Internet Security 2013 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
    .
    ============== Running Processes ================
    .
    C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
    C:\Program Files\AVG\AVG2013\avgcsrvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\WLANExt.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2013\avgfws.exe
    C:\Program Files\AVG\AVG2013\avgidsagent.exe
    C:\Program Files\AVG\AVG2013\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\STacSV.exe
    C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe
    C:\Program Files\AVG\AVG2013\avgnsx.exe
    C:\Program Files\AVG\AVG2013\avgemcx.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\AVG\AVG2013\avgcsrvx.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Windows\OEM02Mon.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG2013\avgui.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Windows Photo Gallery\Helper\EyeFiHelper.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\Jayne\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Betting Assistant\Betting Assistant.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\ERUNT\ERUNT.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uWindow Title = Internet Explorer provided by Dell
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Page_URL = hxxp://www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=4081218
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    uRun: [Eye-Fi] "c:\program files\windows photo gallery\helper\EyeFiHelper.exe"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Google Update] "c:\users\jayne\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    StartupFolder: c:\users\jayne\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\users\jayne\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jayne\appdata\roaming\dropbox\bin\Dropbox.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: DisableCAD = dword:1
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    LSP: c:\windows\system32\wpclsp.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.1.1 0.0.0.0
    TCP: Interfaces\{A3739997-8883-44FE-B40A-152D29022AF8} : DHCPNameServer = 192.168.1.1 0.0.0.0
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\14.2.0\ViProtocol.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    LSA: Notification Packages = scecli psqlpwd
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 55776]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
    R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-11-15 94048]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-2-13 102008]
    R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-8-31 18544]
    R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2012-9-4 50296]
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 179936]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-3-2 33112]
    R1 RapportCerberus_50414;RapportCerberus_50414;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_50414.sys [2013-2-23 316984]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-2-13 102680]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-2-13 173880]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-18 73728]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg2013\avgfws.exe [2012-12-10 1342024]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-15 5814904]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-2-13 1124184]
    R2 TuneUp.UtilitiesSvc;AVG PC TuneUp Service;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesService32.exe [2012-8-23 1532280]
    R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\14.2.0\ToolbarUpdater.exe [2013-3-2 968880]
    R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2013-2-21 55448]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesDriver32.sys [2012-7-4 10088]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 PCloudCleanerService;Panda Security CloudCLeaner Service;c:\windows\system32\PCloudCleanerService.EXE [2013-3-2 83168]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-7 160944]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-12-18 209408]
    .
    =============== Created Last 30 ================
    .
    2013-03-02 16:18:21 32120 ----a-w- c:\windows\system32\TURegOpt.exe
    2013-03-02 16:18:16 21880 ----a-w- c:\windows\system32\authuitu.dll
    2013-03-02 16:06:04 -------- d-----w- c:\users\jayne\appdata\roaming\AVG2013
    2013-03-02 15:46:41 -------- d-----w- c:\users\jayne\appdata\local\AVG Secure Search
    2013-03-02 15:46:34 -------- d-----w- c:\programdata\AVG Secure Search
    2013-03-02 15:46:28 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-03-02 15:46:24 -------- d-----w- c:\program files\common files\AVG Secure Search
    2013-03-02 15:46:23 -------- d-----w- c:\program files\AVG Secure Search
    2013-03-02 15:42:28 -------- d--h--w- C:\$AVG
    2013-03-02 15:42:27 -------- d-----w- c:\programdata\AVG2013
    2013-03-02 15:40:23 -------- d-----w- c:\program files\AVG
    2013-03-02 15:37:50 -------- d-----w- c:\users\jayne\appdata\local\MFAData
    2013-03-02 15:37:50 -------- d-----w- c:\users\jayne\appdata\local\Avg2013
    2013-03-02 15:37:50 -------- d-----w- c:\programdata\MFAData
    2013-03-02 12:07:27 83168 ----a-w- c:\windows\system32\PCloudCleanerService.EXE
    2013-03-02 12:07:21 9464 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
    2013-03-02 12:07:21 9464 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
    2013-03-02 12:07:21 59640 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
    2013-03-02 12:07:21 31480 ----a-w- c:\windows\system32\drivers\DasPtct.SYS
    2013-03-02 12:07:21 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
    2013-03-02 12:07:21 28024 ----a-w- c:\windows\system32\drivers\PRSBDRVR.SYS
    2013-03-02 12:07:21 27896 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
    2013-03-02 12:07:21 237816 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
    2013-03-02 12:07:21 -------- d-----w- c:\windows\system32\DBBK
    2013-03-02 12:07:20 21240 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
    2013-03-02 11:55:26 6954968 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c5fc1602-3c05-41f4-a487-b85e93356c7d}\mpengine.dll
    2013-03-02 11:51:05 -------- d-----w- c:\program files\Panda Security
    2013-02-21 17:51:58 -------- d-----w- c:\users\jayne\appdata\roaming\Malwarebytes
    2013-02-21 17:50:14 -------- d-----w- c:\programdata\Malwarebytes
    2013-02-21 11:40:14 -------- d-----w- c:\program files\Trusteer
    2013-02-20 17:10:20 -------- d-----w- c:\users\jayne\appdata\roaming\f-secure
    2013-02-20 17:09:13 -------- d-----w- c:\programdata\F-Secure
    2013-02-20 16:57:46 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-02-16 13:29:20 -------- d-----w- c:\users\jayne\appdata\roaming\Anvisoft
    2013-02-16 13:28:20 -------- d-----w- c:\programdata\Anvisoft
    2013-02-16 13:28:16 -------- d-----w- c:\program files\Anvisoft
    2013-02-15 22:31:23 186432 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2013-02-13 14:02:48 -------- d-----w- c:\programdata\Ad-Aware Antivirus
    2013-02-13 14:02:39 -------- d-----w- c:\users\jayne\appdata\roaming\LavasoftStatistics
    2013-02-13 13:56:44 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2013-02-13 13:55:38 -------- d-----w- c:\programdata\blekko toolbars
    2013-02-13 13:55:38 -------- d-----w- c:\programdata\adawaretb
    2013-02-13 13:55:37 -------- d-----w- c:\users\jayne\appdata\local\adawarebp
    2013-02-13 13:55:36 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2013-02-13 13:55:28 -------- d-----w- c:\program files\Toolbar Cleaner
    2013-02-13 13:55:18 -------- d-----w- c:\program files\adawaretb
    2013-02-13 13:54:43 -------- d-----w- c:\users\jayne\appdata\roaming\Ad-Aware Antivirus
    2013-02-13 09:19:12 102008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    .
    ==================== Find3M ====================
    .
    2013-03-02 13:22:09 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-03-02 13:22:09 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-02-20 16:57:22 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
    2013-02-20 16:57:21 782240 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-17 01:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 13:40:18.18 ===============


    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2013-03-03 13:53:17
    -----------------------------
    13:53:17.709 OS Version: Windows 6.0.6001 Service Pack 1
    13:53:17.709 Number of processors: 2 586 0xF0D
    13:53:17.711 ComputerName: JAYNE-PC UserName: Jayne
    13:53:19.940 Initialize success
    13:54:08.312 AVAST engine defs: 13030300
    13:54:20.132 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    13:54:20.134 Disk 0 Vendor: WDC_WD12 01.0 Size: 114473MB BusType: 3
    13:54:20.154 Disk 0 MBR read successfully
    13:54:20.157 Disk 0 MBR scan
    13:54:20.167 Disk 0 Windows VISTA default MBR code
    13:54:20.172 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 125 MB offset 63
    13:54:20.208 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 258048
    13:54:20.231 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 101545 MB offset 21229568
    13:54:20.240 Disk 0 Partition - 00 0F Extended LBA 2560 MB offset 229195776
    13:54:20.279 Disk 0 Partition 4 00 DD MSDOS5.0 2559 MB offset 229197824
    13:54:20.291 Disk 0 scanning sectors +234438656
    13:54:20.359 Disk 0 scanning C:\Windows\system32\drivers
    13:54:39.845 Service scanning
    13:55:13.267 Modules scanning
    13:55:13.776 Module: C:\Windows\system32\drivers\DasBootD.SYS **SUSPICIOUS**
    13:55:20.433 Disk 0 trace - called modules:
    13:55:20.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    13:55:20.458 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87f84758]
    13:55:20.464 3 CLASSPNP.SYS[8bfbf745] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x87fe6030]
    13:55:21.753 AVAST engine scan C:\Windows
    13:55:27.406 AVAST engine scan C:\Windows\system32
    14:04:23.300 AVAST engine scan C:\Windows\system32\drivers
    14:04:43.362 AVAST engine scan C:\Users\Jayne
    14:08:15.401 Disk 0 MBR has been saved successfully to "C:\Users\Jayne\Desktop\MBR.dat"
    14:08:15.404 The log file has been saved successfully to "C:\Users\Jayne\Desktop\aswMBR.txt"



    Many thanks

  2. #2
    Visiting Fellow (Join Date: Mar 2011, Location: Canada, Posts: 142)

    Malware Infection

    Hello Rebos.

    My name is fbfbfb. I will gladly assist you with your concerns.

    Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay, but I will do my best to keep it as short as possible.

    I am checking over your DDS and aswMBR logs now, and I will post back shortly with instructions.

    While working to resolve the issues with your machine, please follow these guidelines:
    • Please be patient. Logs are lengthy and can take time to analyze.
    • Read and follow my directions carefully, in the sequence they are posted.
    • If you are unsure about anything, please ask for clarification before continuing.
    • Use only those tools that you have been directed to use.
    • Do not install or uninstall any applications or run any other scans without being directed to do so.
    • Copy and Paste the log files inside your post. Do not send them as attachments unless otherwise instructed.
    • Stay with me until your machine has been deemed all clear.
    • Please reply within 3 days to avoid closing this topic.



    _____ In Training at WTT Classroom _____

  3. #3
    Visiting Fellow (Join Date: Mar 2011, Location: Canada, Posts: 142)

    Malware Infection

    Hello, Rebos.

    Please work through the following scan:


    Note: Before you begin, please read through these instructions completely, noting all important messages and warnings.
    • Please download ComboFix from HERE or HERE.

    Very Important! Save ComboFix.exe to your Desktop.
    • Close all browsers.
    • Disable your AntiVirus and AntiSpyware applications as they can interfere with running ComboFix. To disable any security programs:
    • Right click on the System Tray icon, or
    • Refer to this link HERE for further assistance.
    • Double click on ComboFix.exe and follow the prompts.
    • When finished, ComboFix will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Warnings:
    • Do not mouse-click on ComboFix's window while it is running. This may cause it to stall.
    • Do not re-run ComboFix. If problems occur with the installation or running of ComboFix, please reply back for further instructions.
    • Do not attempt to surf the internet while ComboFix is scanning.
    Note: If there is no internet connection after running ComboFix, reboot your computer to restore the connection.
    Very Important! Make sure you re-enable your security programs when ComboFix is finished.


    _____ In Training at WTT Classroom _____

  4. #4
    Junior Member (Join Date: Mar 2013, Posts: 11)

    Hi FbFbFb

    ComboFix started to run before I had a chance to save it and switch off security. I stopped it and deleted it, and have now saved it to the desktop.

    Do you want me to run it?

  5. #5
    Visiting Fellow (Join Date: Mar 2011, Location: Canada, Posts: 142)

    Malware Infection

    Hello, Rebos.

    Yes, please run ComboFix again.

  6. #6
    Junior Member (Join Date: Mar 2013, Posts: 11)

    ComboFix 13-03-05.01 - Jayne 05/03/2013 17:20:08.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3069.1954 [GMT 0:00]
    Running from: c:\users\Jayne\Desktop\ComboFix.exe
    AV: AVG Internet Security 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    FW: AVG Internet Security 2013 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
    SP: AVG Internet Security 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\PFRO.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-05 to 2013-03-05 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-05 17:47 . 2013-03-05 17:47 -------- d-----w- c:\users\Denis\AppData\Local\temp
    2013-03-05 17:47 . 2013-03-05 17:51 -------- d-----w- c:\users\Jayne\AppData\Local\temp
    2013-03-05 17:47 . 2013-03-05 17:47 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-03-05 17:47 . 2013-03-05 17:47 -------- d-----w- c:\users\Max\AppData\Local\temp
    2013-03-03 13:31 . 2013-03-03 13:31 -------- d-----w- c:\program files\ERUNT
    2013-03-02 16:18 . 2012-08-23 11:31 32120 ----a-w- c:\windows\system32\TURegOpt.exe
    2013-03-02 16:18 . 2012-08-23 11:31 21880 ----a-w- c:\windows\system32\authuitu.dll
    2013-03-02 16:06 . 2013-03-02 16:06 -------- d-----w- c:\users\Jayne\AppData\Roaming\AVG2013
    2013-03-02 15:46 . 2013-03-02 15:46 -------- d-----w- c:\users\Jayne\AppData\Local\AVG Secure Search
    2013-03-02 15:46 . 2013-03-02 15:46 -------- d-----w- c:\programdata\AVG Secure Search
    2013-03-02 15:46 . 2013-03-02 15:46 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-03-02 15:46 . 2013-03-02 15:46 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2013-03-02 15:46 . 2013-03-02 15:46 -------- d-----w- c:\program files\AVG Secure Search
    2013-03-02 15:42 . 2013-03-02 15:42 -------- d-----w- C:\$AVG
    2013-03-02 15:42 . 2013-03-02 15:47 -------- d-----w- c:\programdata\AVG2013
    2013-03-02 15:40 . 2013-03-02 16:17 -------- d-----w- c:\program files\AVG
    2013-03-02 15:37 . 2013-03-05 16:44 -------- d-----w- c:\programdata\MFAData
    2013-03-02 15:37 . 2013-03-02 16:10 -------- d-----w- c:\users\Jayne\AppData\Local\Avg2013
    2013-03-02 15:37 . 2013-03-02 15:37 -------- d-----w- c:\users\Jayne\AppData\Local\MFAData
    2013-03-02 12:07 . 2013-02-21 18:11 83168 ----a-w- c:\windows\system32\PCloudCleanerService.EXE
    2013-03-02 12:07 . 2013-03-05 17:51 -------- d-----w- c:\windows\system32\DBBK
    2013-03-02 12:07 . 2013-01-04 15:34 9464 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 9464 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 59640 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 31480 ----a-w- c:\windows\system32\drivers\DasPtct.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 28024 ----a-w- c:\windows\system32\drivers\PRSBDRVR.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 27896 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 237816 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
    2013-03-02 12:07 . 2011-03-11 13:26 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 21240 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
    2013-03-02 11:55 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C5FC1602-3C05-41F4-A487-B85E93356C7D}\mpengine.dll
    2013-03-02 11:51 . 2013-03-02 11:51 -------- d-----w- c:\program files\Panda Security
    2013-02-23 13:05 . 2013-02-23 13:05 -------- d-----w- c:\users\Default\AppData\Local\Trusteer
    2013-02-21 17:51 . 2013-02-21 17:51 -------- d-----w- c:\users\Jayne\AppData\Roaming\Malwarebytes
    2013-02-21 17:50 . 2013-02-21 17:50 -------- d-----w- c:\programdata\Malwarebytes
    2013-02-21 11:40 . 2013-02-21 11:40 -------- d-----w- c:\program files\Trusteer
    2013-02-20 17:10 . 2013-02-20 17:10 -------- d-----w- c:\users\Jayne\AppData\Roaming\f-secure
    2013-02-20 17:09 . 2013-02-20 17:09 -------- d-----w- c:\programdata\F-Secure
    2013-02-20 16:57 . 2013-02-20 16:57 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-02-16 13:29 . 2013-02-16 13:45 -------- d-----w- c:\users\Jayne\AppData\Roaming\Anvisoft
    2013-02-16 13:28 . 2013-02-16 13:28 -------- d-----w- c:\programdata\Anvisoft
    2013-02-16 13:28 . 2013-02-16 13:45 -------- d-----w- c:\program files\Anvisoft
    2013-02-15 22:31 . 2013-02-15 22:31 186432 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2013-02-13 14:02 . 2013-02-13 14:05 -------- d-----w- c:\programdata\Ad-Aware Antivirus
    2013-02-13 14:02 . 2013-02-13 14:02 -------- d-----w- c:\users\Jayne\AppData\Roaming\LavasoftStatistics
    2013-02-13 13:56 . 2013-02-13 13:56 -------- d-----w- c:\programdata\Lavasoft
    2013-02-13 13:56 . 2013-02-13 16:53 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\programdata\blekko toolbars
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\programdata\adawaretb
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\users\Jayne\AppData\Local\adawarebp
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\program files\Toolbar Cleaner
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\program files\adawaretb
    2013-02-13 13:54 . 2013-02-13 14:05 -------- d-----w- c:\users\Jayne\AppData\Roaming\Ad-Aware Antivirus
    2013-02-13 09:19 . 2013-02-13 09:19 102008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-02 13:22 . 2012-07-28 09:05 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-03-02 13:22 . 2011-05-20 08:15 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-02-20 16:57 . 2012-08-23 09:19 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
    2013-02-20 16:57 . 2010-05-29 08:23 782240 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-17 01:28 . 2009-10-04 07:28 232336 ------w- c:\windows\system32\MpSigStub.exe
    2013-01-07 09:58 . 2013-01-07 09:58 784144 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Jayne\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Jayne\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Jayne\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eye-Fi"="c:\program files\Windows Photo Gallery\Helper\EyeFiHelper.exe" [2011-12-21 3961464]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-03-02 1151152]
    .
    c:\users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    .
    c:\users\Jayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    Dropbox.lnk - c:\users\Jayne\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-12-18 13:08 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-04-16 22:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
    backup=c:\windows\pss\QuickSet.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Denis^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
    path=c:\users\Denis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
    backup=c:\windows\pss\Dell Dock.lnk.Startup
    backupExtension=.Startup
    .
    [HKLM\~\startupfolder\C:^Users^Denis^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk]
    path=c:\users\Denis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk
    backup=c:\windows\pss\Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
    2008-01-25 05:42 167936 ----a-w- c:\program files\DellTPad\Apoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-11-02 07:51 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-11-01 23:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2008-07-03 12:29 3563520 ----a-w- c:\windows\System32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    2008-10-04 12:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-10-17 14:19 136176 ----atw- c:\users\Denis\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2011-05-10 02:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2007-03-21 12:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-01-16 17:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2012-03-08 17:50 4280184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-06-16 09:27 13793824 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
    2009-06-16 09:27 92704 ----a-w- c:\windows\System32\nvhotkey.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
    2008-03-04 05:05 36864 ----a-w- c:\windows\OEM02Mon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2007-12-21 09:58 184320 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
    2007-04-16 21:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 17:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2007-12-03 04:28 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-07-03 08:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
    2006-11-02 12:35 176128 ----a-w- c:\windows\System32\wpcumi.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\users\Jayne\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    "doubleTwist"=c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    .
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-05 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-28 13:22]
    .
    2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:59]
    .
    2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:59]
    .
    2013-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1000Core.job
    - c:\users\Jayne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-02 18:28]
    .
    2013-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1000UA.job
    - c:\users\Jayne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-02 18:28]
    .
    2013-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1001Core.job
    - c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-24 13:14]
    .
    2013-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1001UA.job
    - c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-24 13:14]
    .
    2013-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1002Core.job
    - c:\users\Denis\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-22 14:19]
    .
    2013-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1002UA.job
    - c:\users\Denis\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-22 14:19]
    .
    2013-03-05 c:\windows\Tasks\HP Photo Creations Messager.job
    - c:\programdata\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-05 17:51
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(1040)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Fingerprint Reader Suite\homefus2.dll
    c:\program files\Fingerprint Reader Suite\infra.dll
    .
    Completion time: 2013-03-05 17:55:23
    ComboFix-quarantined-files.txt 2013-03-05 17:55
    .
    Pre-Run: 3,596,492,800 bytes free
    Post-Run: 4,659,183,616 bytes free
    .
    - - End Of File - - 91738C99D886BD6B6A12C6A9989A44F9
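The ComboFix report above is mostly a list of autostart locations (the HKCU/HKLM Run and run- keys, the per-user Startup folders, the msconfig startupreg backups, the Tasks folder) plus a few network settings from the supplementary scan (DhcpNameServer, ProxyOverride, LSP). When reading such a log for a redirect complaint, the things worth checking first are any executable that runs from a user-writable folder, any file that borrows the name of a Windows system binary while living outside c:\windows, and any DNS server that is not on the local network. The Python below, added here as an illustration and not part of this thread nor of the DDS or ComboFix tools, parses those line shapes and applies exactly those three checks. SAMPLE_LOG is a constructed excerpt in the log's format; the "Updater" Run value and the 203.0.113.5 nameserver in it are hypothetical, added so that each check fires, and nothing about them is claimed for the machine in this thread.

```python
"""Triage the autostart and DNS lines of a DDS/ComboFix-style log (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the log. The "Updater" entry and the
# 203.0.113.5 nameserver are hypothetical, added to exercise the checks.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Updater"="c:\users\Jayne\AppData\Local\Temp\svchost.exe" [2013-03-01 53248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"doubleTwist"=c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
.
c:\users\Jayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Jayne\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:59]
.
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0 203.0.113.5
"""

# First drive-letter path ending in an executable extension on a line.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js)\b", re.IGNORECASE)
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(.+)$")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\", "c:\\progra~1\\")
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe"}
# RFC 1918 plus loopback and link-local: anything else as a resolver is worth a look.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Finding:
    source: str   # registry key, Startup folder or .job that launches it
    name: str     # value name, .lnk name or task name
    target: str   # executable path (or the DNS server address)
    verdict: str  # "ok" or the reason it deserves a closer look


def classify_path(path: str) -> str:
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        return "system binary name outside c:\\windows"
    if not low.startswith(TRUSTED_ROOTS) and any(h in low for h in WRITABLE_HINTS):
        return "launched from a user-writable location"
    return "ok"


def external_nameservers(line: str) -> list:
    """Return the DhcpNameServer addresses that are not LAN/loopback/link-local."""
    m = DNS_RE.search(line)
    if not m:
        return []
    bad = []
    for token in m.group(1).split():
        try:
            ip = ip_address(token)
        except ValueError:
            continue
        if ip.is_unspecified or any(ip in net for net in LAN_NETS):
            continue
        bad.append(token)
    return bad


def triage(log_text: str) -> list:
    findings, source = [], "?"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[HKEY"):            # Run / run- key header
            source = line.strip("[]")
            continue
        if line.lower().endswith(".job"):        # "<date> c:\windows\Tasks\X.job"
            source = line.split(None, 1)[1]
            continue
        if line.lower().endswith("\\startup\\"):  # Startup folder header
            source = line
            continue
        if "DhcpNameServer" in line:
            for ip in external_nameservers(line):
                findings.append(Finding("TCP: DhcpNameServer", "nameserver", ip,
                                        "DNS server outside the LAN"))
            continue
        if line.startswith('"'):                          # "Name"="path" [meta]
            name = line.split('"', 2)[1]
        elif line.startswith("- "):                       # task target line
            name = source.rsplit("\\", 1)[-1]
        elif " - " in line and line.split(" - ", 1)[0].lower().endswith(".lnk"):
            name = line.split(" - ", 1)[0]                # "X.lnk - path [meta]"
        else:
            continue
        m = PATH_RE.search(line)
        if m:
            findings.append(Finding(source, name, m.group(0), classify_path(m.group(0))))
    return findings


def suspicious(findings: list) -> list:
    return [f for f in findings if f.verdict != "ok"]


if __name__ == "__main__":
    for f in suspicious(triage(SAMPLE_LOG)):
        print(f"{f.verdict:42} {f.name:12} {f.target}   [{f.source}]")
```

A "user-writable location" verdict is a prompt to verify, not a conviction: per-user installers such as Dropbox and the per-user GoogleUpdate tasks in the log above legitimately live under AppData, which is exactly why a real malware entry hides well there. A system-binary name outside c:\windows, by contrast, has no innocent explanation and should be checked first.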

  7. #7
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default Malware Infection

    Hello, Rebos.

    Thank you for the log. Please work through each of the following tasks. For your convenience, you may wish to print these instructions.

    Please uninstall the following programs:

    1. Uninstall Anti-Virus Program

    It appears you are currently running multiple antivirus programs—AVG and Ad-Aware Anti-Virus. This can trigger system slow downs, crashes, and/or conflicts with each other causing them not to work properly. I am recommending that you keep one good antivirus program installed on your computer. To delete the other one, please follow these steps:
    • Click Start and select Control Panel.
    • When the Control Panel window opens, click on Uninstall a program found under the Programs category.
    • If you are using the Classic View of the Control Panel, then you would double-click on the Programs and Features icon instead.
    • Look through the list of programs for the one that you would like to uninstall, and then left-click on it once to highlight it.
    • Click on the Uninstall button.
    • When asked if you are sure you want to uninstall, click Yes.
    • The program will uninstall, and when completed you will be back at the list of programs installed on your computer.
    • To uninstall Ad-Aware Security Toolbar and Blekko Toolbar, repeat the above procedure.
    • When finished, close the Programs and Features screen.


    2. Uninstall Toolbars from Internet Explorer

    If the Ad-Aware Security Toolbar and Blekko Toolbar still appear in your browser, continue as follows:
    • Click Tools > Manage add-ons.
    • In the Manage Add-ons window, under Add-on Types (found on left side) highlight Toolbars and Extensions.
    • Under the Show: drop-down menu (found on left side) make sure All add-ons is selected.
    • Highlight the toolbars you wish to remove, and select Disable.
    • The Disable add-on window may pop up to warn you that related services and add-ons will also be disabled. Click OK.
    • Click Close to dismiss the add-ons window.


    3. Reset Your Home Page and Default Search Engine

    Removing the toolbars may have changed your browser settings (homepage, default search engines). If so, please follow the instructions found HERE.


    Please run the following scans:

    1. JRT (Junkware Removal Tool)

    Please download Junkware Removal Tool from HERE and save it to your desktop.
    • Shutdown your antivirus to avoid any potential conflicts.
    • Right-mouse click JRT.exe and select Run as Administrator.
    • JRT will begin to backup your registry and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, the log JRT.txt is saved on your desktop and will automatically open.

    Post the contents of JRT.txt into your next reply.


    2. AdwCleaner

    Please download AdwCleaner from HERE.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on the Delete button.
    • A logfile will automatically open after the scan has finished.
    • You can also find the logfile at C:\AdwCleaner[S1].txt.

    Copy and paste the adwcleaner.txt report into your next reply.


    3. Malwarebytes Anti-Malware

    Please download Malwarebytes from Here or Here
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.

    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
      Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please.


    4. ESET Online Scan
    Note:
    • Disable any antivirus program and antispyware programs to avoid conflicts.
    • If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    • Please do not surf the internet while your security programs are disabled.
    • Let the scan run uninterrupted to avoid a stall.
    • Remember to enable your security programs when the scan has finished.

    Run ESET Online Scanner from HERE.
    • Click the green ESET Online Scanner button.
    • Read the End User License Agreement and check the box YES, I accept the Terms of Use.
    • Click on the Start button next to it.
    • If prompted, allow the Add-On/Active X to install.

    Under Computer scan settings:
    • Do not check Remove found threats
    • Check Scan Archives.
    • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • Click Start. ESET will download updates, install itself, and begin scanning your computer. Please be patient as this scan could take up to a few hours to complete.
    • Wait for the scan to finish. When the scan completes, click List of found threats.
    • Click Export and save the file to your desktop using a unique name, such as ESETScan.
    • Copy and paste the contents of this report in your next reply.
    • Click the Back button.
    • Click the Finish button.



    SUMMARY: In your next reply, please post the following:
    • JRT.txt
    • adwcleaner.txt
    • MBAM log
    • ESET log
    • Let me know how your computer is running.


    ____ In Training at WTT Classroom ____

  8. #8
    Junior Member
    Join Date
    Mar 2013
    Posts
    11

    Default

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.6.8 (03.04.2013:1)
    OS: Windows Vista (TM) Home Premium x86
    Ran by Jayne on 06/03/2013 at 9:19:52.29
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\0e12f736682067fde4d1158d5940a82e"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\1a24b5bb8521b03e0c8d908f5abc0ae6"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\2b0d56c4f4c46d844a57ffed6f0d2852"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\49d4375fe41653242aea4c969e4e65e0"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\6aa0923513360135b272e8289c5f13fa"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\6f7467af8f29c134cbbab394eccfde96"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\922525dcc5199162f8935747ca3d8e59"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\bcda179d619b91648538e3394cac94cc"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\d677b1a9671d4d4004f6f2a4469e86ea"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\dd1402a9dd4215a43abde169a41afa0e"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\e36e114a0ead2ad46b381d23ad69cddf"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\ef8e618db3aedfbb384561b5c548f65e"



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\ProgramData\adawaretb"
    Successfully deleted: [Folder] "C:\ProgramData\blekko toolbars"
    Successfully deleted: [Folder] "C:\Users\Jayne\appdata\local\adawarebp"
    Successfully deleted: [Folder] "C:\Users\Jayne\appdata\locallow\adawaretb"
    Successfully deleted: [Folder] "C:\Program Files\adawaretb"
    Successfully deleted: [Folder] "C:\Program Files\driver-soft"
    Successfully deleted: [Folder] "C:\ProgramData\ask"
    Successfully deleted: [Folder] "C:\Users\Jayne\appdata\locallow\asktoolbar"



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 06/03/2013 at 9:29:24.74
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  9. #9
    Junior Member
    Join Date
    Mar 2013
    Posts
    11

    Default

    # AdwCleaner v2.114 - Logfile created 03/06/2013 at 09:34:28
    # Updated 05/03/2013 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 1 (32 bits)
    # User : Jayne - JAYNE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Jayne\Desktop\AdwCleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Users\Jayne\AppData\Local\Temp\Uninstall.exe
    Folder Deleted : C:\Users\Max\AppData\LocalLow\AskToolbar

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    *************************

    AdwCleaner[S1].txt - [1162 octets] - [06/03/2013 09:34:28]

    ########## EOF - C:\AdwCleaner[S1].txt - [1222 octets] ##########

  10. #10
    Junior Member
    Join Date
    Mar 2013
    Posts
    11

    Default

    Malwarebytes Anti-Malware (Trial) 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.03.06.07

    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Jayne :: JAYNE-PC [administrator]

    Protection: Disabled

    06/03/2013 10:45:26
    mbam-log-2013-03-06 (10-45-26).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 253526
    Time elapsed: 6 minute(s), 51 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
