Everything posted by Dave76
Malware Trojan reported in svchost*32.exe
Dave76 replied to Dave76's topic in Resolved Malware Removal Logs
Hi MC, Here are the logs requested:-

# AdwCleaner v2.105 - Logfile created 01/13/2013 at 16:10:55
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : David - DAVID-VAIO
# Boot Mode : Normal
# Running from : C:\Users\David\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\David\AppData\Local\Conduit
Folder Deleted : C:\Users\David\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\David\AppData\LocalLow\PriceGong

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Ask&Record
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3201318
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{7D86A08B-0A8F-4BE0-B693-F05E6947E780}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{17BF1E05-C0E8-413C-BD1F-A481EEA3B8E9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{65A16874-2ED0-460E-A547-5FE2EC3A13A7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{71E02280-5212-45C3-B174-4D5A35DA254F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{83B2FE06-BA20-4F7D-96C6-6FC3A4E877D3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8AD9AD05-36BE-4E40-BA62-5422EB0D02FB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BEC9B38-BF39-4899-806E-A1C5DFEB60A2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AEBF09E2-0C15-43C8-99BF-928C645D98A0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32966A2-F7C2-4362-A6CF-399EC8B44110}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8560AC2-21B5-4C1A-BDD4-BD12BC83B082}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E25DA6D6-C365-46CF-ABAF-DC5893135D7A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E6961C59-CFCE-4CCD-B794-BC78DB98413A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F8B4EC8A-2407-4BE0-AEE2-0F430D65A90D}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v8.0.1 (en-GB)

File : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\zu7akxmu.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3438 octets] - [13/01/2013 09:21:44]
AdwCleaner[S1].txt - [3533 octets] - [13/01/2013 16:10:55]

########## EOF - C:\AdwCleaner[S1].txt - [3593 octets] ##########

Security Check

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java 6 Update 29
Java version out of Date!
Adobe Reader 10.1.5
Adobe Reader out of Date!
Mozilla Firefox (8.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Acronis TrueImageHome OnlineBackupStandalone TrueImageMonitor.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````

Thanks
Dave
-
Malware Trojan reported in svchost*32.exe
Dave76 replied to Dave76's topic in Resolved Malware Removal Logs
Hi MC, Thanks for that. I could not find the file you referred to in the Drivers folder, I have the 'show hidden files' selected on my system at present. Here's the log, I can't see anything on the log which I would want to keep apart from the browsers but presume they won't be deleted if I select clean.

# AdwCleaner v2.105 - Logfile created 01/13/2013 at 09:21:44
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : David - DAVID-VAIO
# Boot Mode : Normal
# Running from : C:\Users\David\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\ProgramData\Partner
Folder Found : C:\Users\David\AppData\Local\Conduit
Folder Found : C:\Users\David\AppData\LocalLow\Conduit
Folder Found : C:\Users\David\AppData\LocalLow\PriceGong

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Ask&Record
Key Found : HKCU\Software\Conduit
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3201318
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{7D86A08B-0A8F-4BE0-B693-F05E6947E780}
Key Found : HKLM\SOFTWARE\Classes\Interface\{17BF1E05-C0E8-413C-BD1F-A481EEA3B8E9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226}
Key Found : HKLM\SOFTWARE\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{65A16874-2ED0-460E-A547-5FE2EC3A13A7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{71E02280-5212-45C3-B174-4D5A35DA254F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{83B2FE06-BA20-4F7D-96C6-6FC3A4E877D3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8AD9AD05-36BE-4E40-BA62-5422EB0D02FB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9BEC9B38-BF39-4899-806E-A1C5DFEB60A2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AEBF09E2-0C15-43C8-99BF-928C645D98A0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B32966A2-F7C2-4362-A6CF-399EC8B44110}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D8560AC2-21B5-4C1A-BDD4-BD12BC83B082}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E25DA6D6-C365-46CF-ABAF-DC5893135D7A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E6961C59-CFCE-4CCD-B794-BC78DB98413A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F8B4EC8A-2407-4BE0-AEE2-0F430D65A90D}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v8.0.1 (en-GB)

File : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\zu7akxmu.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3351 octets] - [13/01/2013 08:46:46]

########## EOF - C:\AdwCleaner[R1].txt - [3405 octets] ##########

Thanks
Dave
-
Malware Trojan reported in svchost*32.exe
Dave76 replied to Dave76's topic in Resolved Malware Removal Logs
Hi MC, I have run combofix as suggested, the report file is attached. This seems to have fixed windows calling for SVChost, since it didn't come up on re-boot. Do you think it's fixed now? Thanks Dave ComboFix.txt -
Malware Trojan reported in svchost*32.exe
Dave76 replied to Dave76's topic in Resolved Malware Removal Logs
Hi MC, Thanks for the help so far. I have downloaded & run the AntiRootKit, which has deleted the SVChost file. I ran it again to confirm that no Malware was present. However, when I start up my laptop again I get a Windows dialogue box which states that Windows cannot find the SVCHost file, so presume there's still a call coming from somewhere? I also get asked if I want to run mbar before windows loads. I have attached the log as requested. Thanks Dave system-log.txt -
Malware Trojan reported in svchost*32.exe
Dave76 replied to Dave76's topic in Resolved Malware Removal Logs
Thanks Mr C, Here are the contents of the reports:-

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : David [Admin rights]
Mode : Scan -- Date : 01/11/2013 16:53:54

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\Users\David\AppData\Roaming\Adobe32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : AdobeUpdate (wscript "C:\Users\David\AppData\Roaming\Adobe32\invis.vbs" "C:\Users\David\AppData\Roaming\Adobe32\bat.bat") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-765753904-2071999791-625039582-1001[...]\Run : AdobeUpdate (wscript "C:\Users\David\AppData\Roaming\Adobe32\invis.vbs" "C:\Users\David\AppData\Roaming\Adobe32\bat.bat") -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725050A9A360 +++++
--- User ---
[MBR] cf82ebbd3b7f2acb9798ceed112aeab6
[BSP] 29c49e32841e68435f2e32c67b546010 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10423 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21348352 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21553152 | Size: 466415 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++
--- User ---
[MBR] b16545aceb0b1945caa97238ada759bd
[BSP] 1454de1c7893cd36ec036b5994b60f6c : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 247 | Size: 1945 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_01112013_02d1653.txt >>
RKreport[1]_S_01112013_02d1653.txt

Quarantine Reprt.txt

Time : 11/01/2013 16:41:25
--------------------------
[invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs
[invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

Time : 11/01/2013 16:48:30
--------------------------
[invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs
[invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

Time : 11/01/2013 16:53:54
--------------------------
[invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs
[invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

Thanks
Dave
-
Hi Malwarebytes, I have the above reported in users\AppData\roaming\Adobe32. If I remove it I get a dialogue box on startup of my laptop stating the file cannot be found, presumably the registry or some other Windows 7 file is looking for it. The file seems to be running 'bfgminer 2.5.0. & is top user of my memory & is running 100% of time. Could you please advise on how to proceed & your recommendation for its removal. Thanks in anticipation. Dave
dds.txt attach.txt
-
Hi Malwarebytes, I have a reported Trojan Agent reported by Malwarebytes in \Users\AppData\Roaming\Adobe32\svchost.exe The file in 'processes' is running at the top slot 100% of the time. If I remove it I get a dialogue box to say the file cannot be found when I re-start my laptop, presumably the registry or some other startup file is looking for it? The svchost seems to be running bfgminer 2.5.0. a bitcoin system? I would appreciate some advice & your recommendations to what to do to remove the problem. Files attached as requested. Thanks in anticipation. Dave
attach.txt dds.txt