Showing results for tags 'office'.

Found 18 results

  1. Outlook exploits are getting blocked on my laptop, but not on my desktop, yet the settings are identical.

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/9/20
     Protection Event Time: 9:56 PM
     Log File: 519eec37-2300-11eb-8984-086266b3709d.json

     -Software Information-
     Version: 4.2.3.96
     Components Version: 1.0.1104
     Update Package Version: 1.0.32680
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19041.610)
     CPU: x64
     File System: NTFS
     User: System

     -Exploit Details-
     File: 0
     (No malicious items detected)

     Exploit: 1
     Malware.Exploit.Agent.Generic, C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT, Blocked, 0, 392684, 0.0.0, ,

     -Exploit Data-
     Affected Application: Microsoft Outlook
     Protection Layer: Application Behavior Protection
     Protection Technique: Exploit payload process blocked
     File Name: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
     URL:

     (end)
  2. Greetings. Previously, I used cracked Microsoft products, and I used the KMS tool to activate them; it was later revealed that this tool causes system crashes. Now I have purchased a serial number for Microsoft products and deleted the old cracked copies, but when activating the official version of Office I am having trouble with the serial number: an error message appears saying that the product is not licensed. I tried with more than one serial number, but the same problem showed up. This error message is due to the KMS files located inside the installation path of the Office products. I have restarted my computer in an attempt to delete the KMS files, but to no avail. When I install the official Microsoft Office version, the KMS files reappear inside the installation path and this causes problems with activation. Now I want to get rid of this KMS and have all its extensions rooted out. What is the correct way to do that?
  3. Below you can find the requested files attached and some other files that go with a brief explanation of the situation: I just bought an MSI notebook two days ago. Today, I must admit, I was trying to download and crack MS Office using the Office Toolkit program. As soon as I opened the toolkit and selected activate, my laptop turned off and then I got the BSOD with a "critical error" message. My notebook rebooted automatically but is running noticeably slower since the incident a couple of hours ago. I bought the Bit Defender antivirus along with the notebook, so I performed a scan but found nothing. Nevertheless, as minutes went by I received 2 notifications of attempted infections by trojans. I have uninstalled the Office exe file I downloaded along with the Toolkit, and deleted all the files I could in Temp. I have also noticed that when I enter the security section in the Control Panel it says: "Bit Defender firewall is not active" and "Bit Defender antivirus is not active". I pressed "activate" in both of those options but didn't get a response. However, when I open Bit Defender it says that my notebook is protected, so that's weird. You can also find attached other images with the following additional info related to them: I read in Bit Defender: "The file C:\Users\Andrei\AppData\Local\Temp\518e6ef9-9cb6-45ed-9f86-1431c5f4cc8d.tmp is infected with Trojan.Generic.19932993. The virus has been successfully blocked and your PC is now safe" and "The file C:\Users\Andrei\Downloads\Sin confirmar 74621.crdownload is infected with Gen:Variant.Ursu.40791. The virus has been successfully blocked and your PC is now safe." Both mean that those files have been infected with a Trojan but the virus has been successfully blocked and the PC is supposedly "safe"...... Also, I found that BD blocked 13 apps, all labelled as Malware. The last image is the BSOD I got. MWB scan log.txt Addition.txt FRST.txt
  4. Hello! I just bought an MSI notebook two days ago. Today, I must admit, I was trying to download and crack MS Office using the Office Toolkit program. As soon as I opened the toolkit and selected activate, my laptop turned off and then I got the BSOD with a "critical error" message. My notebook rebooted automatically but is running noticeably slower since the incident a couple of hours ago. I bought the Bit Defender antivirus along with the notebook, so I performed a scan but found nothing. Nevertheless, as minutes went by I received 2 notifications of attempted infections by trojans. I have uninstalled the Office exe file I downloaded along with the Toolkit, and deleted all the files I could in Temp. I have also noticed that when I enter the security section in the Control Panel it says: "Bit Defender firewall is not active" and "Bit Defender antivirus is not active". I pressed "activate" in both of those options but didn't get a response. When I open Bit Defender it states that my notebook is protected, so that's weird. Please help me fix this issue!!!
  5. Hi guys, so we have an interesting problem we are trying to figure out how to fix. We have a few users that run an external script in Microsoft Word, and the only way to allow this script with Anti-Exploit running is to unshield Word in Anti-Exploit. I'd hate to have to disable the Microsoft Word shield altogether. Here's the alert:

     "2016-11-16T16:09:26.690-05:00";"userA1111";"2056";"C:\ProgramData\Oracle\Java\javapath\javaw.exe";"9424";"WINWORD.EXE";"3";"701";"207";"";"";"";"";"";"";"C:\windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\userA1111\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\201479330564782out.pdf) DO START %~sa";"";"";"";""

     Any help with this is most appreciated. Thanks, Robbie
  6. Hello, Just noticed one of our clients with mbam 2.012 is not able to use Outlook. They are on an Office 365 plan and mbam is blocking office.outlook265.com. Currently it is only affecting a few systems. Thanks, shucky
  7. I have been using Grammarly, a spelling and grammar checker, in Windows 10, Office products, and email. It works fine. However, lately Anti-Exploit is shutting down my Microsoft Word, stating that Grammarly is malware. I need help with this false positive. Thanks.

     Error:
     Application: Microsoft Office Word
     Protection Layer: Application Behaviour Protection
     Protection Technique: Exploit payload process blocked
     File/Process blocked: C:\Users\Dad's Work\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.57.exe C:\Users\Dad's Work\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.57.exe \detectmode
     Attacking URL: N/A
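Results 1, 5 and 7 are the same event class seen three ways: a shielded Office process started a child that the exploit shield did not expect (an Office graphics-filter loader, cmd.exe, a third-party updater). What follows is an added example of how an analyst might triage such alerts in code; it is not Malwarebytes code, and nothing on this page says how the product itself decides. Assumptions, all mine: OUTLOOK.EXE is used as the parent image for the Outlook log (the log only says "Microsoft Outlook"); the field layout of the semicolon-delimited alert in result 5 (index 5 is the shielded application, the last non-empty field is the blocked command line) is inferred from that single line; the allow-listed path for FLTLDR.EXE is the one printed in result 1. The sample events are constructed from those three posts.

```python
"""Triage of 'Office process spawned an unexpected child' alerts.

Added example; not Malwarebytes code. Sample events are constructed from
the three alerts quoted on this page (results 1, 5 and 7).
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and living-off-the-land binaries an Office process has no
# business launching on an ordinary workstation.
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Office's own helpers, allow-listed by full install path (lower-cased), never
# by bare file name, so a same-named binary dropped elsewhere does not match.
KNOWN_OFFICE_HELPERS = {
    r"c:\program files\microsoft office\root\vfs\programfilescommonx64"
    r"\microsoft shared\office16\fltldr.exe",
}

USER_PROFILE = re.compile(r"^c:\\users\\", re.IGNORECASE)


@dataclass
class ChildProcessEvent:
    parent_image: str   # image name of the shielded application
    child_cmdline: str  # full command line of the blocked child


def child_image(cmdline: str) -> str:
    """Return the executable path at the head of a Windows command line.

    Accepts a quoted path or an unquoted path containing spaces (the alerts
    on this page use the latter): the shortest prefix ending in '.exe'.
    """
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe))', cmdline, re.IGNORECASE)
    if not m:
        raise ValueError(f"no executable at head of command line: {cmdline!r}")
    return m.group(1) or m.group(2)


def classify(event: ChildProcessEvent) -> tuple[str, str]:
    """Return (verdict, reason) for one parent/child event."""
    parent = event.parent_image.lower()
    image = child_image(event.child_cmdline)
    name = image.rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS:
        return "ignore", f"{parent} is not a shielded Office application"
    if name in LOLBINS:
        return "suspicious", f"{parent} spawned {name}; inspect the arguments"
    if image.lower() in KNOWN_OFFICE_HELPERS:
        return "known-benign", "Office helper at its expected install path"
    if USER_PROFILE.match(image):
        return "review", "child lives under a user-writable profile directory"
    return "review", "unrecognised child; verify its publisher signature first"


def parse_mbae_alert(line: str) -> ChildProcessEvent:
    """Parse one semicolon-delimited, double-quoted alert line like the one in
    result 5. Field meaning is an assumption taken from that single line:
    index 5 is the shielded application, the last non-empty field is the
    blocked command line.
    """
    fields = next(csv.reader(io.StringIO(line), delimiter=";", quotechar='"'))
    return ChildProcessEvent(parent_image=fields[5],
                             child_cmdline=[f for f in fields if f][-1])


# Constructed from result 5 (verbatim alert line).
MBAE_ALERT_LINE = (
    r'"2016-11-16T16:09:26.690-05:00";"userA1111";"2056";'
    r'"C:\ProgramData\Oracle\Java\javapath\javaw.exe";"9424";"WINWORD.EXE";'
    r'"3";"701";"207";"";"";"";"";"";"";'
    r'"C:\windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\userA1111\AppData\Local'
    r'\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\201479330564782out.pdf)'
    r' DO START %~sa";"";"";"";""'
)

SAMPLE_EVENTS = {
    # Result 1: parent image assumed to be OUTLOOK.EXE ("Microsoft Outlook").
    "outlook-fltldr": ChildProcessEvent(
        "OUTLOOK.EXE",
        r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64"
        r"\Microsoft Shared\OFFICE16\FLTLDR.EXE "
        r"C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT"),
    # Result 7: updater launched from Word out of %AppData%.
    "word-grammarly": ChildProcessEvent(
        "WINWORD.EXE",
        r"C:\Users\Dad's Work\AppData\Roaming\Grammarly\Updates"
        r"\GrammarlyAddInSetup6.5.57.exe \detectmode"),
    # Result 5: Word (via BI Publisher) shelling out to open a PDF.
    "word-bipublisher": parse_mbae_alert(MBAE_ALERT_LINE),
}


def triage_all() -> dict[str, str]:
    """Verdict per sample event."""
    return {name: classify(ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        verdict, reason = classify(ev)
        print(f"{name:18} {verdict:13} {reason}")
```

The three verdicts are known-benign (FLTLDR.EXE at its Office install path), review (an updater under a user-writable profile directory, which is exactly where dropped malware also lives, so it should be allowed by path plus publisher signature, not by name) and suspicious (cmd.exe). The BI Publisher case in result 5 is a legitimate cmd.exe launch, but the right scope for an exception is that specific parent/child pair on the affected machines, not removing the shield from Word.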
  8. I just upgraded Malwarebytes to v3.06 on Windows 10. I think I might have been on v2 before, because the interface is different now and I believe the upgrade mentioned something about the "new version 3". Anyway, since then, half of my Office 2013 applications won't run. They start and show in the process list (CTRL-ALT-DEL) but don't show on the screen, no splash page, and don't show in the task list (Windows-TAB). Word, Excel, and PowerPoint are the ones that do this. Outlook, Access, and Publisher seem to work fine. At first I thought something had happened to my Office, so I reinstalled it; same thing. Then I uninstalled and reinstalled it; same thing. Then I uninstalled and completely wiped all traces on disk and in the registry and reinstalled; same thing. I started stopping running processes and after killing Malwarebytes, they all loaded fine. I rebooted and killed Malwarebytes before killing anything else and it worked fine. Also, once I start Word or Excel, if I try to start Malwarebytes back up, I get an "Unable to start" dialog with the message "Unable to connect the Service". Suggestions? Thanks!
  9. We are experiencing the same issue as documented here below: https://forums.malwarebytes.org/index.php?/topic/178193-solved-error-0xc0000018-when-starting-apps/ The fix suggested is to remove MBAE and install version 1.08.1.1189. I don't want to downgrade my client... We are currently running version 1.08.2.1045. This problem is intermittent and after several (sometimes 7 or 8) reboots, the problem goes away temporarily. Please advise on how to correct this (on 175 remote laptops) without downgrading the client. At this point the only option I have is to disable the MBAE service, but I don't want to remove protection completely.
  10. After installing Malwarebytes Anti-Ransomware I ran into the issue that I could no longer save files in Word 2013. Every time I try, it gives me this error: "The save failed due to out of memory or disk space". I initially tried the methods with only registry tweaks, and unticking Missing References (but there were none), so then I started looking at recently installed software, and I had just installed this program today. Once I turned off active protection the issue went away.... I hope it will be fixed in the next release.
  11. Last night I turned on my computer, and was unable to launch Outlook. Word also refused to open. When clicking on the shortcuts in the start menu, Windows gave me the "outlook.exe" could not be found, and gave me the option to browse for it. I started to think somehow Office had been removed, but found no evidence of that in the EventViewer. Eventually I came to the Anti-Ransomware window, looked in Quarantine, and found 3 registry keys that it had locked up. After restoring them, and rebooting, all is good and Office works again. Requested ZIP files are attached. Malwarebytes Anti-Ransomware.zip MBAMService logs.zip
  12. Hi, I foolishly opened the Microsoft Office Toolkit exe despite my computer telling me it contained viruses. Suffice it to say I wasn't thinking. I've followed most of the instructions on a previous post about the MS Office Toolkit virus and think I've removed the worst of it from my computer. Wanted to get a professional opinion though, as I still had some adware, malware, etc. after I'd followed all of the steps. Wanted to make sure I'd gotten it all. Thanks. FRST.txt Addition.txt
  13. Hi, I've recently installed Microsoft Office on my laptop; it came with Microsoft Toolkit 2.4.3. After I was done setting up the software, I experienced multiple occurrences of running programs not responding, internet pop-ups, and having trouble logging into my school's site. How can I go about removing the malware and rectifying the situation while keeping my Microsoft Office?
  14. When I try to access OneNote, I get the following error "something went wrong we can not do what you asked, try again error 0xE0000797". I keep trying but nothing. Has anyone experienced this problem?
  15. Free Window-Eyes reading software offered for Microsoft Office 2010 and 2013 users
      John Callaham
      Microsoft is offering visually impaired users of its Office software a better way to interact with its tools, thanks to a newly revealed agreement with GW Micro. The two companies announced today that the Window-Eyes screen reading software from GW Micro will now be offered for free to owners of Microsoft Office 2010 and 2013, along with paid subscribers to Office 365. Financial terms of the deal were not disclosed. The WindowEyesForOffice.com website has more details on this free software offer, which will enable visually impaired users to access Word, Excel, PowerPoint, OneNote and Outlook via computer speech or Braille in over 15 languages. In a press release, GW Micro said it believes offering better access to software like Window-Eyes will become more important in the years to come "as the number of people with age-related macular degeneration and other retinal degenerative diseases increases." In its own press release, Microsoft stated, "Whether people want to use Office at home, school or work they now have more flexibility and an improved opportunity to take advantage of our latest software innovations." Microsoft Speech Platform will be the default synthesizer for Window-Eyes, but additional voices can be purchased if the robotic tone of the default is not to the user's liking.
  16. Hello, for two days I have faced an issue when trying to open Excel within my Standard User account, after almost 2 years without problems. There is no difference between double-clicking an .xlsx file in Windows Explorer, choosing Excel pinned to the Start Menu, clicking on Start>>All Programs>>Microsoft Office>>Microsoft Excel 2010, or picking the application file in C:\Program files (x86)\Microsoft Office\Office14. When doing so, I receive the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." All other Office programs don't show this behavior. After changing the account from Standard User to Administrator everything seemed to work fine, but when I go back to being logged on as a Standard User the message returns. I'm running Windows 7 Ultimate 64-bit. Does this sound like a malware infection? Your help is very much appreciated. Cheers, t.
  17. Merged 3 posts (Reposted from PC Help - Thank you mods for pointing me to the correct forum)

      This is going to be a mouthful, so a million thank-yous beforehand. I'm working on a shared computer in my office. I come in after several days off to find that the computer has a fake antivirus program. I don't know who downloaded it or from where. I run Malwarebytes Anti-Malware and SUPERAntiSpyware as my protection programs. I was unable to update due to the fake antivirus, so I restarted in safe mode and ran some scans there. I ran a scan with both Malwarebytes and SUPERAntiSpyware and this is what I found (Note to readers: the logs say "No Action Taken" because I saved the log file before I quarantined and removed the malware with the above-mentioned programs).

      SUPERAntiSpyware Log:

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com
      Generated 05/29/2012 at 03:14 PM
      Application Version : 5.0.1148
      Core Rules Database Version : 8601
      Trace Rules Database Version: 6413
      Scan type : Complete Scan
      Total Scan Time : 00:25:36
      Operating System Information
      Windows 7 Professional 32-bit (Build 6.01.7600)
      UAC Off - Administrator
      Memory items scanned : 342
      Memory threats detected : 0
      Registry items scanned : 42788
      Registry threats detected : 1
      File items scanned : 31213
      File threats detected : 17
      Adware.Tracking Cookie
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@advertising[2].txt [ Cookie:brent@advertising.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@atdmt[1].txt [ Cookie:brent@atdmt.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@pointroll[2].txt [ Cookie:brent@pointroll.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@ru4[2].txt [ Cookie:brent@ru4.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@adbrite[2].txt [ Cookie:brent@adbrite.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@c.atdmt[2].txt [ Cookie:brent@c.atdmt.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@lucidmedia[1].txt [ Cookie:brent@lucidmedia.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@yieldmanager[1].txt [ Cookie:brent@yieldmanager.net/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@serving-sys[2].txt [ Cookie:brent@serving-sys.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@kanoodle[2].txt [ Cookie:brent@kanoodle.com/ ]
      C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@legolas-media[2].txt [ Cookie:brent@legolas-media.com/ ]
      ds.serving-sys.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
      socialstreamingplayer.crystalmedianetworks.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
      C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\SYSTEM@S3.TRAFFICNO[2].TXT [ /S3.TRAFFICNO ]
      Trojan.Agent/Gen-FakeAlert[Local]
      C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
      C:\$RECYCLE.BIN\S-1-5-21-1557514261-2431698323-2000263041-1000\$RM1A0AX.LNK
      [B7E8586B000083BB67CF2E1FA6014588]
      C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
      C:\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART FORTRESS 2012\SMART FORTRESS 2012.LNK

      Malwarebytes Log:

      Malwarebytes Anti-Malware 1.61.0.1400
      www.malwarebytes.org
      Database version: v2012.05.29.07
      Windows 7 x86 NTFS (Safe Mode)
      Internet Explorer 8.0.7600.16385
      User :: QUERCUSCRUSADER [administrator]
      5/29/2012 3:28:07 PM
      mbam-log-2012-05-29 (15-54-52).txt
      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 364709
      Time elapsed: 26 minute(s), 31 second(s)
      Memory Processes Detected: 0
      (No malicious items detected)
      Memory Modules Detected: 0
      (No malicious items detected)
      Registry Keys Detected: 0
      (No malicious items detected)
      Registry Values Detected: 0
      (No malicious items detected)
      Registry Data Items Detected: 2
      HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> No action taken.
      HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> No action taken.
      Folders Detected: 0
      (No malicious items detected)
      Files Detected: 4
      C:\Users\User\AppData\Local\uzsqvv.exe (Trojan.Agent) -> No action taken.
      C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\00000001.@ (Trojan.Small) -> No action taken.
      C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\80000000.@ (Trojan.Sirefef) -> No action taken.
      C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\800000cb.@ (Rootkit.0Access) -> No action taken.
      (end)

      After doing this in safe mode, I restarted the computer, updated both programs to the current versions, and restarted again in safe mode and scanned again. Only Malwarebytes found infected files this time. Scan log follows (Note to readers: again, the logs say "No Action Taken" because I saved the log file before I quarantined and removed the malware with the above-mentioned programs).

      Malwarebytes Anti-Malware 1.61.0.1400
      www.malwarebytes.org
      Database version: v2012.05.15.06
      Windows 7 x86 NTFS (Safe Mode)
      Internet Explorer 8.0.7600.16385
      User :: QUERCUSCRUSADER [administrator]
      5/29/2012 2:49:26 PM
      mbam-log-2012-05-29 (15-16-54).txt
      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 361863
      Time elapsed: 26 minute(s), 42 second(s)
      Memory Processes Detected: 0
      (No malicious items detected)
      Memory Modules Detected: 0
      (No malicious items detected)
      Registry Keys Detected: 1
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Trojan.LameShield) -> No action taken.
      Registry Values Detected: 3
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ipcofmon (IPH.Trojan.Agent.CPN) -> Data: rundll32 "C:\Users\User\AppData\Local\Temp\audiicpl.dll",CreateProcessNotify -> No action taken.
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MdRandomGeneratorCtrl (Trojan.Agent.SZ) -> Data: "C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe" /w -> No action taken.
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B7E8586B000083BB67CF2E1FA6014588 (Trojan.LameShield) -> Data: C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe -> No action taken.
      Registry Data Items Detected: 0
      (No malicious items detected)
      Folders Detected: 0
      (No malicious items detected)
      Files Detected: 6
      C:\Users\User\AppData\Local\Temp\audiicpl.dll (IPH.Trojan.Agent.CPN) -> No action taken.
      C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe (Trojan.Agent.SZ) -> No action taken.
      C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe (Trojan.LameShield) -> No action taken.
      C:\Users\User\AppData\Local\Temp\~!#6BC0.tmp (Trojan.Agent.SZ) -> No action taken.
      C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.
      C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.
      (end)

      I restarted in safe mode, scanned a third time and found nothing. I wasn't convinced it was gone, however, and decided to try one more scan. I restarted regularly this time and scanned a third time to try and catch anything that might only be visible to the program after a normal startup.

      Malwarebytes Anti-Malware 1.61.0.1400
      www.malwarebytes.org
      Database version: v2012.06.02.05
      Windows 7 x86 NTFS
      Internet Explorer 8.0.7600.16385
      User :: QUERCUSCRUSADER [administrator]
      6/2/2012 10:24:55 AM
      mbam-log-2012-06-02 (10-24-55).txt
      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 369234
      Time elapsed: 32 minute(s), 52 second(s)
      Memory Processes Detected: 0
      (No malicious items detected)
      Memory Modules Detected: 1
      C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.
      Registry Keys Detected: 0
      (No malicious items detected)
      Registry Values Detected: 1
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|qeupd (Trojan.Agent) -> Data: rundll32.exe "C:\Users\User\AppData\Local\Temp\qeupd.dll",SteamAPI_GetSteamInstallPath -> Quarantined and deleted successfully.
      Registry Data Items Detected: 0
      (No malicious items detected)
      Folders Detected: 0
      (No malicious items detected)
      Files Detected: 1
      C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.
      (end)

      I scanned several times after, both in safe mode as well as after a normal startup, and found nothing. I kept an eye on the machine for several days, updating and scanning whenever I could. Today is about 5 days later; I even scanned this morning and didn't find any problems. This is where things get. . . weird. . .

      I noticed while trying to work that a Microsoft Word file wouldn't open. There was no error message; the mouse would show the Windows loading wheel for about one full second and then. . . Nothing. Even after a restart, no joy. I tried Excel and PowerPoint as well. Same thing. Then I tried to open a new, blank document. Same thing. At this point, I'm confused, so I go into Program Files and find. . . nothing (See attached "Office Clip 1-3"). By now, I'm sure it has something to do with the virus. So I download and install HijackThis, run the scan, and copy the log into two different online analyzers. Neither of these came up with anything that could be dangerous (to my limited knowledge and experience). The log follows.

      Logfile of Trend Micro HijackThis v2.0.4
      Scan saved at 10:57:47 AM, on 6/5/2012
      Platform: Windows 7 (WinNT 6.00.3504)
      MSIE: Internet Explorer v8.00 (8.00.7600.16385)
      Boot mode: Normal

      Running processes:
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Windows\system32\taskhost.exe
      C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
      C:\Program Files\Microsoft IntelliPoint\ipoint.exe
      C:\Program Files\Sophos\AutoUpdate\ALMon.exe
      C:\Program Files\Microsoft IntelliType Pro\itype.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
      C:\Program Files\WordWeb\wweb32.exe
      C:\Windows\System32\rundll32.exe
      C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
      C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
      O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
      O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
      O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
      O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
      O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
      O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup
      O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
      O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup (User '?')
      O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize (User '?')
      O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
      O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
      O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
      O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
      O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
      O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
      O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
      O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
      O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
      O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
      O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
      O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
      O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
      O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

      --
      End of file - 5523 bytes

      I know that some viruses begin with a startup file, so here is also a log of my startup files copied out of CCleaner.

      Yes HKCU:Run nemsv rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
      Yes HKCU:Run WordWeb "C:\Program Files\WordWeb\wweb32.exe" -startup
      Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe
      Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe
      Yes HKLM:Run IntelliPoint "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
      Yes HKLM:Run itype "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
      Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe
      Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
      Yes HKLM:Run Sophos AutoUpdate Monitor C:\Program Files\Sophos\AutoUpdate\almon.exe
      Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

      So, this is the gist of it. I have no clue what to do here; I don't even know what's wrong. I would just reload MS Office, but I have a code key without a disk (for activating computers preloaded with MS Office) and I think you guys can help me better than having to jump through hoops to have Microsoft send me a CD with Office on it. If I'm missing any information that is relevant, please let me know and I'll update as soon as possible.

      UPDATE: I scanned again this morning, two more hits. Screencap attached with removal log.

      Malwarebytes Anti-Malware 1.61.0.1400
      www.malwarebytes.org
      Database version: v2012.06.06.04
      Windows 7 x86 NTFS
      Internet Explorer 8.0.7600.16385
      User :: QUERCUSCRUSADER [administrator]
      6/6/2012 7:49:59 AM
      mbam-log-2012-06-06 (07-49-59).txt
      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 370594
      Time elapsed: 32 minute(s), 57 second(s)
      Memory Processes Detected: 0
      (No malicious items detected)
      Memory Modules Detected: 0
      (No malicious items detected)
      Registry Keys Detected: 0
      (No malicious items detected)
      Registry Values Detected: 0
      (No malicious items detected)
      Registry Data Items Detected: 0
      (No malicious items detected)
      Folders Detected: 0
      (No malicious items detected)
      Files Detected: 2
      C:\Users\User\AppData\Local\Temp\tempfiles.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.
      C:\Users\User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\41dd9ccd-7ef6735c (Trojan.Agent.H) -> Quarantined and deleted successfully.
      (end)

      Forgot to attach to above.
  18. This is going to be a mouthful, so a million thank-yous beforehand. I'm working on a shared computer in my office. I come in after several days off to find that the computer has a fake antivirus program. I don't know who downloaded it or from where. I run Malwarebytes Anti-Malware and SUPERAntiSpyware as my protection programs. I was unable to update due to the fake antivirus, so I restarted in safe mode and ran some scans there. I ran a scan for both Malwarebytes and SUPERAntiSpyware and this is what I found (Note to readers: The logs say "No Action Taken" because I saved the logfile before I quarantined and removed the malware with the above mentioned programs).

SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/29/2012 at 03:14 PM

Application Version : 5.0.1148

Core Rules Database Version : 8601
Trace Rules Database Version: 6413

Scan type : Complete Scan
Total Scan Time : 00:25:36

Operating System Information
Windows 7 Professional 32-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 342
Memory threats detected : 0
Registry items scanned : 42788
Registry threats detected : 1
File items scanned : 31213
File threats detected : 17

Adware.Tracking Cookie
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@advertising[2].txt [ Cookie:brent@advertising.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@atdmt[1].txt [ Cookie:brent@atdmt.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@pointroll[2].txt [ Cookie:brent@pointroll.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@ru4[2].txt [ Cookie:brent@ru4.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@adbrite[2].txt [ Cookie:brent@adbrite.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@c.atdmt[2].txt [ Cookie:brent@c.atdmt.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@lucidmedia[1].txt [ Cookie:brent@lucidmedia.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@yieldmanager[1].txt [ Cookie:brent@yieldmanager.net/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@serving-sys[2].txt [ Cookie:brent@serving-sys.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@kanoodle[2].txt [ Cookie:brent@kanoodle.com/ ]
C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@legolas-media[2].txt [ Cookie:brent@legolas-media.com/ ]
ds.serving-sys.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
socialstreamingplayer.crystalmedianetworks.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\SYSTEM@S3.TRAFFICNO[2].TXT [ /S3.TRAFFICNO ]

Trojan.Agent/Gen-FakeAlert[Local]
C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
C:\$RECYCLE.BIN\S-1-5-21-1557514261-2431698323-2000263041-1000\$RM1A0AX.LNK

[B7E8586B000083BB67CF2E1FA6014588]
C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
C:\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART FORTRESS 2012\SMART FORTRESS 2012.LNK

Malwarebytes Log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.07

Windows 7 x86 NTFS (Safe Mode)
Internet Explorer 8.0.7600.16385
User :: QUERCUSCRUSADER [administrator]

5/29/2012 3:28:07 PM
mbam-log-2012-05-29 (15-54-52).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 364709
Time elapsed: 26 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> No action taken.
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\User\AppData\Local\uzsqvv.exe (Trojan.Agent) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\00000001.@ (Trojan.Small) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\80000000.@ (Trojan.Sirefef) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\800000cb.@ (Rootkit.0Access) -> No action taken.

(end)

After doing this in safe mode, I restarted the computer, updated both programs to the current versions, and restarted again in safe mode and scanned again. Only Malwarebytes found infected files this time. Scan log follows (Note to readers: Again, the logs say "No Action Taken" because I saved the logfile before I quarantined and removed the malware with the above mentioned programs).

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.15.06

Windows 7 x86 NTFS (Safe Mode)
Internet Explorer 8.0.7600.16385
User :: QUERCUSCRUSADER [administrator]

5/29/2012 2:49:26 PM
mbam-log-2012-05-29 (15-16-54).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 361863
Time elapsed: 26 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Trojan.LameShield) -> No action taken.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ipcofmon (IPH.Trojan.Agent.CPN) -> Data: rundll32 "C:\Users\User\AppData\Local\Temp\audiicpl.dll",CreateProcessNotify -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MdRandomGeneratorCtrl (Trojan.Agent.SZ) -> Data: "C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe" /w -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B7E8586B000083BB67CF2E1FA6014588 (Trojan.LameShield) -> Data: C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\User\AppData\Local\Temp\audiicpl.dll (IPH.Trojan.Agent.CPN) -> No action taken.
C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe (Trojan.Agent.SZ) -> No action taken.
C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe (Trojan.LameShield) -> No action taken.
C:\Users\User\AppData\Local\Temp\~!#6BC0.tmp (Trojan.Agent.SZ) -> No action taken.
C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.

(end)

I restarted in safe mode, scanned a third time and found nothing. I wasn't convinced it was gone, however, and decided to try one more scan. I restarted regularly this time and scanned a third time to try and catch anything that might only be visible to the program after a normal startup.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.02.05

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
User :: QUERCUSCRUSADER [administrator]

6/2/2012 10:24:55 AM
mbam-log-2012-06-02 (10-24-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 369234
Time elapsed: 32 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|qeupd (Trojan.Agent) -> Data: rundll32.exe "C:\Users\User\AppData\Local\Temp\qeupd.dll",SteamAPI_GetSteamInstallPath -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.

(end)

I scanned several times after, both in safe mode as well as after a normal startup, and found nothing. I kept an eye on the machine for several days, updating and scanning whenever I could. Today is about 5 days later, I even scanned this morning and didn't find any problems. This is where things get... weird...
I noticed while trying to work that a Microsoft Word file wouldn't open. There was no error message, the mouse would show the Windows loading wheel for about one full second and then... nothing. Even after a restart, no joy. I tried Excel and PowerPoint as well. Same thing. Then I tried to open a new, blank document. Same thing. At this point, I'm confused so I go into Program Files and find... nothing (See attached "Office Clip 1-3"). By now, I'm sure it has something to do with the virus. So I download and install HijackThis and run the scan, copy the log into two different online analyzers. Both of these didn't come up with anything that could be dangerous (to my limited knowledge and experience). The log follows.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:57:47 AM, on 6/5/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup
O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup (User '?')
O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize (User '?')
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 5523 bytes

I know that some viruses begin with a startup file, so here is also a log of my startup files copied out of CCleaner.

Yes HKCU:Run nemsv rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
Yes HKCU:Run WordWeb "C:\Program Files\WordWeb\wweb32.exe" -startup
Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe
Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe
Yes HKLM:Run IntelliPoint "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
Yes HKLM:Run itype "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe
Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
Yes HKLM:Run Sophos AutoUpdate Monitor C:\Program Files\Sophos\AutoUpdate\almon.exe
Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

So, this is the gist of it. I have no clue what to do here, I don't even know what's wrong. I would just reload MS Office, but I have a code key without a disk (for activating computers preloaded with MS Office) and I think you guys can help me better than having to jump through hoops to have Microsoft send me a CD with Office on it. If I'm missing any information that is relevant, please let me know and I'll update as soon as possible.
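The entry worth a second look in the HijackThis output and the CCleaner list above is the "nemsv" Run value: rundll32.exe is told to load a DLL out of %TEMP% and call an innocuous-sounding export, the same shape as the "ipcofmon" and "qeupd" values Malwarebytes had already removed, and a name-based online analyzer has nothing to key on. The script below is an added example for this thread and the post before it; it is not code from the poster, from HijackThis or from Malwarebytes. It parses O4 lines in HijackThis format, works out which file actually executes at logon (the loader's module for rundll32/regsvr32, otherwise the program itself), and flags entries whose module lives in a user-writable staging directory or under a directory named as a bare GUID or 32 hex characters, the two path patterns that recur in these logs. The directory lists, the scoring rules and the function names are assumptions made for the example; the sample lines are constructed from the entries quoted above, with the RunOnce line built from the value Malwarebytes reported rather than from the HijackThis log.

```python
"""Triage HijackThis O4 (autostart) lines for loader-style persistence.

Added example for the thread above; not code from the poster, HijackThis or
Malwarebytes. Directory lists and scoring rules are assumptions modelled on
the entries quoted in the logs.
"""
import re
from dataclasses import dataclass, field

# Shape of an O4 line as HijackThis 2.x prints it, e.g.
#   O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\...\nemsv.dll",RectPatchSize (User '?')
O4_LINE = re.compile(
    r"^O4 - (?P<hive>[^:]+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)(?:\s*\(User '[^']*'\))?$"
)
# Locations a legitimate autostart almost never executes from (assumption).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\locallow\\",
                "\\programdata\\", "\\$recycle.bin\\")
# Locations treated as trusted when a module is reached through a loader (assumption).
TRUSTED_DIRS = ("\\windows\\", "\\program files")
# Host binaries that execute whatever module their command line names.
LOADERS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}
# A directory component that is a bare GUID or 32 hex characters, as in the dropper paths above.
OPAQUE_DIR = re.compile(
    r"\\(?:[0-9a-f]{32}|\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\\", re.I)


@dataclass
class Finding:
    name: str
    hive: str
    module: str                      # file whose code actually runs at logon
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_command(cmd: str):
    """Split a Run-value command line into (executable, arguments).

    Handles the quoted form ("C:\\Program Files\\x.exe" -a) and the unquoted
    form with spaces in the path (C:\\Program Files\\x.exe -a), both present
    in the logs above."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", cmd, re.I)
    if m:
        return m.group(1), m.group(2) or ""
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def loader_target(args: str) -> str:
    """For rundll32/regsvr32 the code that runs is the module named by the first
    argument; strip surrounding quotes and any ',ExportName' suffix."""
    args = args.strip()
    if args.startswith('"'):
        return args[1:args.find('"', 1)]
    return re.split(r"[,\s]", args, maxsplit=1)[0]


def triage_o4(line: str):
    """Parse and score one O4 line; None if the line is not an O4 entry."""
    m = O4_LINE.match(line.strip())
    if m is None:
        return None
    exe, args = split_command(m["cmd"])
    via_loader = exe.rsplit("\\", 1)[-1].lower() in LOADERS
    module = loader_target(args) if via_loader else exe
    low = module.lower()
    reasons = []
    if any(d in low for d in STAGING_DIRS):
        reasons.append("module lives in a user-writable staging directory")
    if OPAQUE_DIR.search(low):
        reasons.append("path contains a GUID-named or 32-hex-named directory")
    if via_loader and not any(d in low for d in TRUSTED_DIRS):
        reasons.append(f"executed indirectly through {exe} from outside Windows/Program Files")
    return Finding(m["name"], m["hive"], module, reasons)


def triage_log(lines):
    """Return the suspicious Findings for an iterable of log lines, in log order."""
    return [f for f in map(triage_o4, lines) if f is not None and f.suspicious]


# Constructed sample shaped on the O4 entries quoted in the thread; the RunOnce
# line is built from the value Malwarebytes reported, not from the HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup
O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize (User '?')
O4 - HKCU\..\RunOnce: [B7E8586B000083BB67CF2E1FA6014588] C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.hive}] {f.name} -> {f.module}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample it reports the two nemsv entries (HKCU and the HKUS copy of the same profile) and the ProgramData RunOnce value, and passes the Realtek, IntelliPoint and WordWeb entries, including the unquoted Realtek path with spaces in it. Resolving the loader's module rather than scoring rundll32.exe itself is the point: a rundll32 entry that loads a DLL from C:\Windows\system32 is ordinary, and a rule that only matched on the host binary would either miss the Temp case or flag every driver control panel.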