
Thread: Virus Please Help

  1. #1
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Virus Please Help

    Hi,

    I'm really sorry about this because I asked for help with this PC on my dad's behalf recently in this forum. Unfortunately, the other day Adobe stopped working so he tried to reinstall it on his own. I've told him to only get software from the publisher when possible; apparently he thought he was downloading Adobe Reader from Adobe, but instead he has downloaded what seems to be a particularly nasty malware version from: http://www.pdf-reader.org.

    Your help would be 'really' appreciated. Thank you.

    Unfortunately, ERUNT would not run. I got error: ERROR Saving File C:Windows\ERDNT\10-6-2014\Security! RegCreateKKey EX-5 Access is denied

    Please find the logs below - (attach.txt is attached):
    __________________________
    DDS.txt

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16545 BrowserJavaVersion: 10.55.2
    Run by Alan at 11:15:08 on 2014-06-10
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.580 [GMT 1:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
    SP: Norton Internet Security *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Norton Internet Security *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Windows\system32\rundll32.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton Internet Security\Engine\21.3.0.12\NIS.exe
    C:\Program Files\004\rqpbhevlkc32.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Norton Internet Security\Engine\21.3.0.12\NIS.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Users\Alan\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Optimizer Pro\OptProSmartScan.exe
    C:\Program Files\Optimizer Pro\OptProReminder.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\DllHost.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie&cd=2xzuyetn2y1l1qzutdtdtc0f0cycyd0ftayd0atbtbydzztdtn0d0tzu0szzzzzytn1l2xzutbtftbtdtftczytftdtn1l1czutcyetbzytdyd1v1ttn1l1g1b1v1n2y1l1qzu2std0e0c0f0a0d0atctg0btcyetbtgydtdyezytgyctdydybtgtdzz0azy0c0bzyyb0atbtd0d2qtn1m1f1b2z1v1n2y1l1qzu2stb0dtb0eye0f0c0etgyc0btdtatgydtd0fydtgtbybyd0atgyd0d0aydye0bybtatc0dzz0c2q&cr=1833245417&ir=
    mStart Page = hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCyD0FtAyD0AtBtByDzztDtN0D0Tzu0SzzzzzytN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StD0E0C0F0A0D0AtCtG0BtCyEtBtGyDtDyEzytGyCtDyDyBtGtDzz0Azy0C0BzyyB0AtBtD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0DtB0EyE0F0C0EtGyC0BtDtAtGyDtD0FyDtGtByByD0AtGyD0D0AyDyE0ByBtAtC0Dzz0C2Q&cr=1833245417&ir=
    mDefault_Page_URL = hxxp://www.google.com
    BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.150\McAfeeMSS_IE.dll
    BHO: CouponDownloader: {10AD2C61-0898-4348-8600-14A342F22AC3} - c:\program files\coupon downloader\Coupon Downloader.dll
    BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
    BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\21.3.0.12\ips\ipsbho.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
    TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
    uRun: [SkyDrive] "c:\users\alan\appdata\local\microsoft\skydrive\SkyDrive.exe" /background
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Optimizer Pro] c:\program files\optimizer pro\OptProLauncher.exe
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe" -delete
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    StartupFolder: c:\users\alan\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.150\SSScheduler.exe
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{BC8A0FF6-6E48-45C7-BD7D-7AAB53E677A3} : DHCPNameServer = 192.168.0.1
    AppInit_DLLs= c:\progra~1\optimi~1\optpro~2.dll
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\nig14d71.default-1398775423920\
    FF - prefs.js: browser.search.selectedEngine - Speedial
    FF - prefs.js: browser.startup.homepage - hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie&cd=2xzuyetn2y1l1qzutdtdtc0f0cycyd0ftayd0atbtbydzztdtn0d0tzu0szzzzzytn1l2xzutbtftbtdtftczytftdtn1l1czutcyetbzytdyd1v1ttn1l1g1b1v1n2y1l1qzu2std0e0c0f0a0d0atctg0btcyetbtgydtdyezytgyctdydybtgtdzz0azy0c0bzyyb0atbtd0d2qtn1m1f1b2z1v1n2y1l1qzu2stb0dtb0eye0f0c0etgyc0btdtatgydtd0fydtgtbybyd0atgyd0d0aydye0bybtatc0dzz0c2q&cr=1833245417&ir=
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_214.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.nspdlsd.aflt - spd_dsites02_14_23_ie
    FF - user.js: extensions.nspdlsd.instlRef - 142905_a
    FF - user.js: extensions.nspdlsd.cr - 1833245417
    FF - user.js: extensions.nspdlsd.cd - 2XzuyEtN2Y1L1QzutDtDtC0F0CyCyD0FtAyD0AtBtByDzztDtN0D0Tzu0SzzzzzytN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StD0E0C0F0A0D0AtCtG0BtCyEtBtGyDtDyEzytGyCtDyDyBtGtDzz0Azy0C0BzyyB0AtBtD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0DtB0EyE0F0C0EtGyC0BtDtAtGyDtD0FyDtGtByByD0AtGyD0D0AyDyE0ByBtAtC0Dzz0C2Q
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1503000.00c\symds.sys [2014-5-20 367704]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1503000.00c\symefa.sys [2014-5-20 936152]
    R1 BHDrvx86;BHDrvx86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\bashdefs\20140510.001\BHDrvx86.sys [2014-5-10 1101616]
    R1 ccSet_NIS;NIS Settings Manager;c:\windows\system32\drivers\nis\1503000.00c\ccsetx86.sys [2014-5-20 127064]
    R1 IDSVix86;IDSVix86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\ipsdefs\20140606.002\IDSvix86.sys [2014-6-8 395992]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1503000.00c\ironx86.sys [2014-5-20 206936]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1503000.00c\symtdiv.sys [2014-5-20 384728]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-4-30 217088]
    R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2013-4-29 291840]
    R2 ca82e1a5;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe [2006-11-2 44544]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2014-4-25 21504]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\21.3.0.12\nis.exe [2014-5-20 276376]
    R2 rqpbhevlkc32;rqpbhevlkc32;c:\program files\004\rqpbhevlkc32.exe run options=01100010040000000000000000000000 sourceguid=4b5f3986-688d-4ee0-8390-82983e6e96a7 --> c:\program files\004\rqpbhevlkc32.exe run options=01100010040000000000000000000000 sourceguid=4B5F3986-688D-4EE0-8390-82983E6E96A7 [?]
    R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2014-4-26 37944]
    R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.150\McCHSvc.exe [2014-4-9 235696]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
    .
    =============== Created Last 30 ================
    .
    2014-06-08 10:10:53 -------- d-----w- c:\users\alan\appdata\roaming\Optimizer Pro
    2014-06-08 10:09:35 -------- d-----w- C:\temp
    2014-06-08 10:09:21 -------- d-----w- c:\program files\coupon downloader
    2014-06-08 10:05:53 -------- d-----w- c:\users\alan\appdata\roaming\Speedial
    2014-06-08 10:05:31 -------- d-----w- c:\program files\Speedial
    2014-06-08 10:05:31 -------- d-----w- c:\program files\Optimizer Pro
    2014-06-08 10:05:26 -------- d-----w- c:\users\alan\appdata\roaming\1H1Q
    2014-06-08 10:05:08 -------- d-----w- c:\program files\004
    2014-06-08 10:04:54 -------- d-----w- c:\users\alan\appdata\roaming\AppCloudUpdater
    2014-06-08 10:04:50 -------- d-----w- c:\program files\AppSafe
    2014-06-03 15:30:17 -------- d-----w- c:\users\alan\appdata\local\CrashDumps
    2014-06-01 17:55:27 -------- d-----w- c:\program files\McAfee Security Scan
    2014-05-30 10:38:29 -------- d-----w- c:\users\alan\appdata\local\Adobe
    2014-05-20 09:13:45 936152 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symefa.sys
    2014-05-20 09:13:45 664280 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\srtsp.sys
    2014-05-20 09:13:45 447704 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symnets.sys
    2014-05-20 09:13:45 384728 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symtdiv.sys
    2014-05-20 09:13:45 367704 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symds.sys
    2014-05-20 09:13:45 32344 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\srtspx.sys
    2014-05-20 09:13:45 21520 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\symelam.sys
    2014-05-20 09:13:45 206936 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\ironx86.sys
    2014-05-20 09:13:45 127064 ----a-r- c:\windows\system32\drivers\nis\1503000.00c\ccsetx86.sys
    2014-05-20 09:13:31 30068 ----a-w- c:\windows\system32\drivers\nis\1503000.00c\symvtcer.dat
    2014-05-20 09:13:31 -------- d-----w- c:\windows\system32\drivers\nis\1503000.00C
    2014-05-15 08:35:11 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2014-05-12 09:29:01 965232 ----a-w- c:\program files\mozilla firefox\icuuc52.dll
    2014-05-12 09:29:01 1266800 ----a-w- c:\program files\mozilla firefox\icuin52.dll
    2014-05-12 09:29:01 10594416 ----a-w- c:\program files\mozilla firefox\icudt52.dll
    .
    ==================== Find3M ====================
    .
    2014-05-16 08:53:10 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-05-16 08:53:10 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-04-26 14:23:20 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2014-04-26 13:21:23 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2014-04-26 13:19:33 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
    2014-04-26 13:19:32 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2014-04-26 13:19:32 519680 ----a-w- c:\windows\system32\d3d11.dll
    2014-04-26 13:19:32 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2014-04-26 13:19:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2014-04-26 13:19:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2014-04-26 13:19:32 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2014-04-26 13:19:32 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2014-04-25 15:04:13 101888 ----a-w- c:\windows\system32\ifxcardm.dll
    2014-04-25 15:04:10 82432 ----a-w- c:\windows\system32\axaltocm.dll
    2014-04-24 15:45:53 36864 ----a-w- c:\windows\system32\drivers\en-us\http.sys.mui
    2014-04-23 15:21:21 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2014-04-23 13:28:10 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-04-23 12:31:36 23552 ----a-w- c:\windows\system32\lpk.dll
    2014-04-23 12:31:36 10240 ----a-w- c:\windows\system32\dciman32.dll
    2014-04-23 12:31:15 61440 ----a-w- c:\windows\system32\winipsec.dll
    2014-04-23 12:31:15 272896 ----a-w- c:\windows\system32\polstore.dll
    2014-04-23 12:30:12 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2014-04-23 12:30:12 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2014-04-23 12:30:12 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2014-04-23 12:30:12 19968 ----a-w- c:\windows\system32\ARP.EXE
    2014-04-23 12:30:12 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2014-04-23 12:30:12 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2014-04-23 12:30:12 105984 ----a-w- c:\windows\system32\netiohlp.dll
    2014-04-23 12:30:12 10240 ----a-w- c:\windows\system32\finger.exe
    2014-04-23 12:29:25 68096 ----a-w- c:\windows\system32\wlanhlp.dll
    2014-04-23 12:29:25 65024 ----a-w- c:\windows\system32\wlanapi.dll
    2014-04-23 12:29:25 513536 ----a-w- c:\windows\system32\wlansvc.dll
    2014-04-23 12:29:25 302592 ----a-w- c:\windows\system32\wlansec.dll
    2014-04-23 12:29:25 293376 ----a-w- c:\windows\system32\wlanmsm.dll
    2014-04-23 12:29:25 127488 ----a-w- c:\windows\system32\L2SecHC.dll
    2014-04-23 12:29:23 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
    2014-04-23 12:29:01 2048 ----a-w- c:\windows\system32\msxml3r.dll
    2014-04-23 12:29:00 2048 ----a-w- c:\windows\system32\msxml6r.dll
    2014-04-23 12:28:37 218624 ----a-w- c:\windows\system32\msv1_0.dll
    2014-04-23 12:27:56 53248 ----a-w- c:\windows\system32\rrinstaller.exe
    2014-04-23 12:27:55 24576 ----a-w- c:\windows\system32\mfpmp.exe
    2014-04-23 12:27:55 2048 ----a-w- c:\windows\system32\mferror.dll
    2014-04-23 12:26:35 71680 ----a-w- c:\windows\system32\atl.dll
    2014-04-23 12:25:58 41984 ----a-w- c:\windows\system32\drivers\monitor.sys
    2014-04-23 12:25:22 53248 ----a-w- c:\windows\system32\tsgqec.dll
    2014-04-23 12:25:22 136192 ----a-w- c:\windows\system32\aaclient.dll
    2014-04-23 12:24:23 714240 ----a-w- c:\windows\system32\timedate.cpl
    2014-04-23 12:20:31 499712 ----a-w- c:\windows\system32\kerberos.dll
    2014-04-23 12:20:31 175104 ----a-w- c:\windows\system32\wdigest.dll
    2014-04-23 12:19:36 6656 ----a-w- c:\windows\system32\kbd106n.dll
    2014-04-23 12:18:47 220672 ----a-w- c:\windows\system32\l3codecp.acm
    2014-04-23 12:18:46 62464 ----a-w- c:\windows\system32\l3codeca.acm
    2014-04-23 12:18:29 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2014-04-23 12:18:29 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2014-04-23 12:18:29 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2014-04-23 12:18:28 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
    2014-04-23 12:18:11 293376 ----a-w- c:\windows\system32\browserchoice.exe
    2014-04-23 12:17:37 98304 ----a-w- c:\windows\system32\cabview.dll
    2014-04-23 12:17:11 14848 ----a-w- c:\windows\system32\wshrm.dll
    2014-04-23 12:17:02 43520 ----a-w- c:\windows\system32\msdxm.tlb
    2014-04-23 12:17:02 313344 ----a-w- c:\windows\system32\wmpdxm.dll
    2014-04-23 12:17:02 18432 ----a-w- c:\windows\system32\amcompat.tlb
    2014-04-23 12:17:00 7680 ----a-w- c:\windows\system32\spwmp.dll
    2014-04-23 12:17:00 4096 ----a-w- c:\windows\system32\msdxm.ocx
    2014-04-23 12:17:00 4096 ----a-w- c:\windows\system32\dxmasf.dll
    2014-04-23 12:16:25 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2014-04-23 12:16:25 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2014-04-23 12:16:25 332288 ----a-w- c:\windows\system32\msdrm.dll
    2014-04-23 12:16:25 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2014-04-23 12:16:25 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2014-04-23 12:16:24 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2014-04-23 12:16:24 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2014-04-23 12:16:24 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2014-04-23 12:16:24 471552 ----a-w- c:\windows\system32\secproc.dll
    2014-04-22 17:44:23 160256 ----a-w- c:\windows\system32\wkssvc.dll
    2014-04-22 17:16:36 2560 ----a-w- c:\windows\apppatch\AcRes.dll
    2014-04-22 17:14:07 84480 ----a-w- c:\windows\system32\INETRES.dll
    2014-04-22 17:13:58 60928 ----a-w- c:\windows\system32\msasn1.dll
    2014-04-22 17:13:18 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2014-04-22 17:13:18 30720 ----a-w- c:\windows\system32\httpapi.dll
    2014-04-22 17:13:18 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2014-04-22 17:12:25 243712 ----a-w- c:\windows\system32\rastls.dll
    2014-04-22 17:12:16 355328 ----a-w- c:\windows\system32\WSDApi.dll
    2014-04-22 17:11:47 91136 ----a-w- c:\windows\system32\avifil32.dll
    2014-04-22 17:11:47 82944 ----a-w- c:\windows\system32\mciavi32.dll
    2014-04-22 17:11:47 65024 ----a-w- c:\windows\system32\avicap32.dll
    2014-04-22 17:11:47 31744 ----a-w- c:\windows\system32\msvidc32.dll
    2014-04-22 17:11:47 13312 ----a-w- c:\windows\system32\msrle32.dll
    2014-04-22 17:11:47 123904 ----a-w- c:\windows\system32\msvfw32.dll
    2014-04-22 17:11:46 50176 ----a-w- c:\windows\system32\iyuv_32.dll
    2014-04-22 17:11:46 22528 ----a-w- c:\windows\system32\msyuv.dll
    2014-04-22 17:11:46 12288 ----a-w- c:\windows\system32\tsbyuv.dll
    2014-04-22 17:11:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
    2014-04-22 17:11:22 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2014-03-31 21:46:48 130712 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2014-03-31 21:46:48 1070232 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    .
    ============= FINISH: 11:16:08.99 ===============
    _________________________________

    aswMBR

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2014-06-10 11:18:51
    -----------------------------
    11:18:51.963 OS Version: Windows 6.0.6002 Service Pack 2
    11:18:51.964 Number of processors: 2 586 0x6B02
    11:18:51.965 ComputerName: ALAN-PC UserName: Alan
    11:18:54.083 Initialize success
    11:22:52.840 AVAST engine defs: 14060901
    11:29:57.924 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
    11:29:57.929 Disk 0 Vendor: ST336032 3.CH Size: 343399MB BusType: 6
    11:29:58.069 Disk 0 MBR read successfully
    11:29:58.075 Disk 0 MBR scan
    11:29:58.182 Disk 0 unknown MBR code
    11:29:58.189 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 332744 MB offset 63
    11:29:58.224 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10652 MB offset 681461235
    11:29:58.241 Disk 0 scanning sectors +703277505
    11:29:58.410 Disk 0 scanning C:\Windows\system32\drivers
    11:30:08.564 Service scanning
    11:30:13.310 Service BHDrvx86 C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\BASHDefs\20140606.001\BHDrvx86.sys **LOCKED** 5
    11:30:13.934 Service ccSet_NIS C:\Windows\system32\drivers\NIS\1503000.00C\ccSetx86.sys **LOCKED** 5
    11:30:16.524 Service eeCtrl C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys **LOCKED** 5
    11:30:20.315 Service IDSVix86 C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\IPSDefs\20140608.001\IDSvix86.sys **LOCKED** 5
    11:30:24.090 Service NAVENG C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20140609.033\NAVENG.SYS **LOCKED** 5
    11:30:24.449 Service NAVEX15 C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20140609.033\NAVEX15.SYS **LOCKED** 5
    11:30:31.687 Service SRTSPX C:\Windows\system32\drivers\NIS\1503000.00C\SRTSPX.SYS **LOCKED** 5
    11:30:32.420 Service SymDS C:\Windows\system32\drivers\NIS\1503000.00C\SYMDS.SYS **LOCKED** 5
    11:30:32.670 Service SymEvent C:\Windows\system32\Drivers\SYMEVENT.SYS **LOCKED** 5
    11:30:32.841 Service SymIRON C:\Windows\system32\drivers\NIS\1503000.00C\Ironx86.SYS **LOCKED** 5
    11:30:33.013 Service SYMTDIv C:\Windows\System32\Drivers\NIS\1503000.00C\SYMTDIV.SYS **LOCKED** 5
    11:30:38.972 Modules scanning
    11:30:46.086 Disk 0 trace - called modules:
    11:30:46.117 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    11:30:46.117 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85110310]
    11:30:46.117 3 CLASSPNP.SYS[8072e8b3] -> nt!IofCallDriver -> [0x84a415e8]
    11:30:46.133 5 acpi.sys[8060c6bc] -> nt!IofCallDriver -> \Device\0000005a[0x846178f0]
    11:30:47.303 AVAST engine scan C:\Windows
    11:30:50.001 AVAST engine scan C:\Windows\system32
    11:34:20.857 AVAST engine scan C:\Windows\system32\drivers
    11:35:03.086 AVAST engine scan C:\Users\Alan
    11:35:05.691 Disk 0 MBR has been saved successfully to "C:\Users\Alan\Desktop\MBR.dat"
    11:35:05.707 The log file has been saved successfully to "C:\Users\Alan\Desktop\aswMBR.txt"
    11:55:41.927 AVAST engine scan C:\ProgramData
    11:56:53.786 Scan finished successfully
    11:58:03.171 Disk 0 MBR has been saved successfully to "C:\Users\Alan\Desktop\MBR.dat"
    11:58:03.182 The log file has been saved successfully to "C:\Users\Alan\Desktop\aswMBR.txt"

    _________________________________________

    Thank you, very much.
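Added example, not part of the original post and not code from DDS, aswMBR or AdwCleaner: a small Python triage script that applies the same checks a helper performs by eye on a DDS log to a handful of lines excerpted from the DDS.txt above. It flags a populated AppInit_DLLs value, a home page pointing outside an allowlist, services whose name looks machine-generated or whose image sits in a numeric-only folder or carries DDS's "[?]" marker, and autorun/BHO entries naming the adware families seen in this thread. The allowlist of home-page hosts and the PUP keyword list are constructed for this example; a real triage script would load maintained lists.

```python
import re
from urllib.parse import urlparse

# Lines excerpted from the DDS.txt log posted above (sample input, raw string so
# that paths such as \004\ are not read as escape sequences).
SAMPLE_DDS = r"""
uStart Page = hxxp://speedial.com/?f=1&a=spd_dsites02_14_23_ie
mDefault_Page_URL = hxxp://www.google.com
BHO: CouponDownloader: {10AD2C61-0898-4348-8600-14A342F22AC3} - c:\program files\coupon downloader\Coupon Downloader.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\21.3.0.12\coieplg.dll
uRun: [Optimizer Pro] c:\program files\optimizer pro\OptProLauncher.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
AppInit_DLLs= c:\progra~1\optimi~1\optpro~2.dll
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\21.3.0.12\nis.exe [2014-5-20 276376]
R2 rqpbhevlkc32;rqpbhevlkc32;c:\program files\004\rqpbhevlkc32.exe run options=01100010040000000000000000000000 sourceguid=4b5f3986-688d-4ee0-8390-82983e6e96a7 [?]
R2 ca82e1a5;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe [2006-11-2 44544]
FF - prefs.js: browser.search.selectedEngine - Speedial
"""

# Constructed allowlist: hosts a home/search page may legitimately point at.
ALLOWED_HOMEPAGE_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}

# Constructed watchlist: the adware families named in this thread.
PUP_KEYWORDS = ("optimizer pro", "coupon downloader", "coupondownloader",
                "speedial", "appcloudupdater")

# DDS service/driver lines: "<state> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]+);(?P<rest>.*)$")
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")          # e.g. ca82e1a5
NUMERIC_DIR_RE = re.compile(r"\\\d+\\")           # e.g. \004\
URL_RE = re.compile(r"(?P<url>hxxps?://\S+)")     # DDS defangs http as hxxp


def host_of(defanged_url):
    """Refang only far enough to extract the host name."""
    return urlparse(defanged_url.replace("hxxp", "http", 1)).hostname or ""


def triage(dds_text):
    """Return (severity, line, reason) tuples for lines worth a human look."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lower = line.lower()

        # 1. AppInit_DLLs: any DLL listed here is loaded into every process that
        #    loads user32.dll, so a populated value is always worth reviewing.
        if lower.startswith("appinit_dlls=") and lower.split("=", 1)[1].strip():
            findings.append(("high", line, "AppInit_DLLs is populated (DLL injected into most user-mode processes)"))
            continue

        # 2. Home/start page pointing at a host outside the allowlist.
        if any(k in lower for k in ("start page", "page_url", "browser.startup.homepage")):
            m = URL_RE.search(line)
            if m and host_of(m.group("url")) not in ALLOWED_HOMEPAGE_HOSTS:
                findings.append(("medium", line, "home page points at " + host_of(m.group("url"))))
                continue

        # 3. Services: machine-looking name, numeric-only folder, or the "[?]"
        #    marker DDS prints when it could not verify the image file.
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if HEXNAME_RE.match(m.group("name")):
                reasons.append("service name looks machine-generated (8 hex chars)")
            if NUMERIC_DIR_RE.search(m.group("rest")):
                reasons.append("image lives in a numeric-only folder")
            if m.group("rest").rstrip().endswith("[?]"):
                reasons.append("DDS could not verify the image file ([?])")
            if reasons:
                findings.append(("high", line, "; ".join(reasons)))
                continue

        # 4. Known adware family names in autoruns, BHOs or browser prefs.
        hit = next((k for k in PUP_KEYWORDS if k in lower), None)
        if hit:
            findings.append(("medium", line, "references known adware family '%s'" % hit))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_DDS):
        print("[%-6s] %s\n         %s" % (severity, reason, line))
```

Run as a script it prints one finding per flagged line; the output is a list of things to review, not a verdict, and the Norton service, the Adobe autorun and the Google default page pass through untouched. The same heuristics would have surfaced everything AdwCleaner later removed in this thread (the rqpbhevlkc32 service, the C:\Program Files\004 folder and the AppCloudUpdater task) from the first log alone.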

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi danib,
    I've told him to only get software from the publisher when possible
    That's good advice. You can see way down at the bottom of the page it says
    This product is totally free and offers the user additional bundle products that may include advertisement.
    Look in the add/remove programs panel and uninstall:
    Optimizer Pro
    CouponDownloader

    With IE open go to Tools > Internet Options > Advanced tab and near the bottom click on the Reset button to reset IE back to its defaults. Reboot the machine and see how things look and we will go from there.
    How Can I Reduce My Risk?

  3. #3
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Virus Please Help

    Hi shelf life,

    Thanks for your support.

    Just like you, I am giving up my time to help with this. I couldn't believe it when I was told that there was a problem again with the PC; only a couple of weeks ago Ken and I spent the best part of a week getting it to run fine. Anyway, mistakes happen. I've made them before.

    I have removed Optimizer Pro and CouponDownloader. I have reset explorer and I reset Firefox too while I was at it.

    My concern is that ERUNT did not run initially - could the registry have been taken over? Also, dad had an external hard drive plugged in. There are no apps on the drive, just files which are still accessible; so, do you think the external drive should be OK please?

    I'll await your next generous instructions.

    Thanks again.

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    Don't know why ERUNT didn't function correctly. I wouldn't worry about it. No, this didn't take over your registry. External drive most likely also ok.

    You had all-too-common, well-documented and easily removed malware. Nothing hideous. Believe me, the bad stuff won't add entries in your add/remove programs panel. Not to make light of this adware though.

    Now the two program uninstallers may not do an efficient job of removing all the files and entries, but for that we can run AdwCleaner and see if it picks up any stray leftovers:

    Adwcleaner
    click the link that says: Download Now @BleepingComputer.
    Install, right click and "run as admin". Click the Scan button. Once the scan is complete, click the Clean button. The machine will reboot and at restart display a log of any items it removed.
    How Can I Reduce My Risk?

  5. #5
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Virus Please Help

    Hi Shelf Life,

    That's reassuring, thank you.

    I ran the cleaner; so, please find the log below:

    _________________________________________

    # AdwCleaner v3.212 - Report created 12/06/2014 at 17:17:36
    # Updated 05/06/2014 by Xplode
    # Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # Username : Alan - ALAN-PC
    # Running from : C:\Users\Alan\Downloads\AdwCleaner.exe
    # Option : Clean

    ***** [ Services ] *****

    Service Deleted : rqpbhevlkc32

    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\2308189059
    Folder Deleted : C:\Program Files\004
    Folder Deleted : C:\Users\Alan\AppData\Roaming\AppCloudUpdater
    Folder Deleted : C:\Users\Alan\Documents\Optimizer Pro
    File Deleted : C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\nig14d71.default-1398775423920\searchplugins\safesearch.xml
    File Deleted : C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\nig14d71.default-1398775423920\user.js
    File Deleted : C:\Windows\Tasks\AppCloudUpdater.job
    File Deleted : C:\Windows\System32\Tasks\AppCloudUpdater

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EB448A38-D6AC-45E7-9141-817DCB5EAF52}
    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB448A38-D6AC-45E7-9141-817DCB5EAF52}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}
    Key Deleted : HKCU\Software\AppCloudUpdater
    Key Deleted : HKCU\Software\InstallCore
    Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
    Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
    Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
    Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
    Key Deleted : HKLM\Software\LevelQualityWatcher

    ***** [ Browsers ] *****

    -\\ Internet Explorer v9.0.8112.16555

    Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

    -\\ Mozilla Firefox v30.0 (en-US)

    [ File : C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\nig14d71.default-1398775423920\prefs.js ]


    *************************

    AdwCleaner[R0].txt - [2558 octets] - [12/06/2014 17:12:01]
    AdwCleaner[S0].txt - [2147 octets] - [12/06/2014 17:17:36]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2207 octets] ##########

  6. #6
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Virus Please Help

    PS.

    I tried to run ERUNT again as admin and it worked; apparently this is what has to be done on Vista PCs.

    Thanks.

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK, good. I see AdwCleaner removed some strays left behind by the uninstallers. If all is good on your end I think we are done. See the link below if you're interested in some prevention tips. Happy safe surfing out there.
    How Can I Reduce My Risk?
