Infected PC playing music in background

[photoman1963]

Hi guys,

My colleague's laptop appears to be infected. I don't know what he's done, but I've noticed several toolbars appearing on it. He told me that he upgraded to IE9 and now it's playing music constantly! When I checked Task Manager, there were still several instances of IE running, even though it was closed. I know I've seen this before and there was a rootkit involved, so thought I'd seek expert help!

The computer has IE9, which seems to function normally, and Chrome. Chrome redirects to searchnu.com/406 but IE opens in Google as normal.

I removed some toolbars via Control Panel, and iLivid. I've run Malwarebytes AntiMalware and it found and removed several items (ShoppingReport2, QuestScan, MyWebSearch, ShopperReports, Hotbar.MS, Seekmo, FreezeFrog, Adware.Agent, Malware.Trace). I then ran HijackThis, and via their diagnosis online, several items were flagged (including iLivid components), which I haven't yet removed.

Following is the DDS log, as requested.

Thanks in advance for any assistance - it is greatly appreciated!

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by photoman1963 at 12:41:33 on 2012-03-28

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2942.1793 [GMT 1:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\Dwm.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Program Files\Toshiba\SmoothView\SmoothView.exe

C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Windows\System32\spool\drivers\w32x86\3\E_FATI9YE.EXE

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Windows\ehome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uWindow Title = Windows Internet Explorer provided by MSN and Bing

mStart Page = hxxp://search.foxtab.com/?s=0&chnl=irn&cd=2XzutCtN2Y1L1QzutDtDtByE0DtBtA0E0AzyyDzztN0C0Czu0G0BtN0D0TzutBtDtCtCtDtBtCzy&cr=609103732

mDefault_Page_URL = hxxp://www.google.co.uk

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [AdobeBridge]

uRun: [EPSON Stylus Photo R2400] c:\windows\system32\spool\drivers\w32x86\3\e_fati9sa.exe /fu "c:\windows\temp\E_S233E.tmp" /EF "HKCU"

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [rappkill] "

uRun: [EPSON Stylus Photo R2400 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fati9sa.exe /fu "c:\windows\temp\E_S9932.tmp" /EF "HKCU"

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [DriverFinder] c:\program files\driverfinder\DriverFinder.exe

uRun: [EPSON Stylus Photo R800] c:\windows\system32\spool\drivers\w32x86\3\e_fati9ye.exe /fu "c:\windows\temp\E_S2A2E.tmp" /EF "HKCU"

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [NDSTray.exe] NDSTray.exe

mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRunOnce: [removeSearchqudatamngr] cmd.exe /c RD /S /Q "c:\program files\Windows iLivid Toolbar"

mRunOnce: [removeSearchqutoolbar] cmd.exe /c RD /S /Q "c:\program files\windows ilivid toolbar\datamngr\ToolBar"

StartupFolder: c:\users\photom~1\appdata\local\windows\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

StartupFolder: c:\users\photom~1\appdata\local\windows\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: EnableLinkedConnections = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4

IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20090702113641

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://www.normandie-webcam.com/plugins/vatdec10051/VatDec.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - hxxp://www.normandie-webcam.com/plugins/h263ctrl20013/h263ctrl.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 193.36.79.100 193.36.79.101

TCP: Interfaces\{5F18AA0C-F466-4084-9A75-7D1CFE3EF090} : DhcpNameServer = 193.36.79.100 193.36.79.101

TCP: Interfaces\{D08DF794-B153-4E18-943A-2695593D16BE} : DhcpNameServer = 192.168.1.254

.

============= SERVICES / DRIVERS ===============

.

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-4-24 20352]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]

R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-3-4 187904]

R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]

R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-26 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-26 135664]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-5-1 103040]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-4-24 937984]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-03-28 10:58:03 -------- d-----w- c:\users\photoman1963\appdata\roaming\Malwarebytes

2012-03-28 10:56:11 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-28 10:56:11 -------- d-----w- c:\programdata\Malwarebytes

2012-03-28 10:56:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-27 14:10:28 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bdfeca49-48f9-455d-99e9-9b0f7be208cd}\mpengine.dll

2012-03-16 14:02:54 -------- d-----w- C:\MTV_OUTPUT

2012-03-14 03:02:49 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-03-14 03:02:46 683008 ----a-w- c:\windows\system32\d2d1.dll

2012-03-14 03:02:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-03-14 03:02:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2012-03-14 03:02:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2012-03-14 03:02:46 1068544 ----a-w- c:\windows\system32\DWrite.dll

2012-03-14 03:02:44 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2012-03-13 22:04:18 613376 ----a-w- c:\windows\system32\rdpencom.dll

2012-03-13 22:04:18 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

==================== Find3M ====================

.

2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 12:42:15.07 ===============

[Larusso]

Hy

my name is Daniel and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  
• Perform everything in the correct order. Sometimes one step requires the previous one.
  
• If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  
• Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  
• Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please post the most recent Malwarebytes Logfile

Launch Malwarebytes --> Logs --> click on the last Logfile. A notepad Window will appear. Copy/Paste its content here in your topic.

Please download Gmer from here and save it to your Desktop.

• Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
    
  • IAT/EAT
    
  • Drives/Partition other than Systemdrive (typically C:\)
    
  • Show All (don't miss this one)

  [*] Then click the Scan button & wait for it to finish.

  [*] Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.

  [*]Save it where you can easily find it, such as your desktop

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[photoman1963]

Hi Daniel,

Thanks for your reply. Here is the log file:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.28.02

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

photoman1963 :: PORTLANDSTUDIOS [administrator]

28/03/2012 11:59:33

mbam-log-2012-03-28 (11-59-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 196127

Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 20

HKCR\Typelib\{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKCR\Typelib\{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKCR\Interface\{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4B8C28A7-A9BC-45F8-990D-21499EED643C} (Adware.QuestScan) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.HbAx (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.HbAx.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.HbInfoBand (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.HbInfoBand.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.IEButton (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.IEButton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.IEButtonA (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.IEButtonA.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.RprtCtrl (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCR\ShoppingReport2.RprtCtrl.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKCU\Software\MossySkySA (Adware.HotBar.MS) -> Quarantined and deleted successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MossySkySA (Adware.HotBar.MS) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\QUESTSCAN (Adware.QuestScan) -> Quarantined and deleted successfully.

Registry Values Detected: 1

HKLM\SOFTWARE\QuestScan|DllPath (Adware.QuestScan) -> Data: C:\Program Files\QuestScan\questscan.dll -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 8

C:\Program Files\FunWebProducts (PUP.MyWebSearch) -> No action taken.

C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.

C:\ProgramData\FREEzeFrogSA (Adware.FreezeFrog) -> Quarantined and deleted successfully.

C:\Program Files\FREEzeFrog\bin\2.0.15.0 (Adware.FreezeFrog) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA (Adware.HotBar.MS) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\bin (Adware.HotBar.MS) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\bin\2.0.18.0 (Adware.HotBar.MS) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\data (Adware.HotBar.MS) -> Quarantined and deleted successfully.

Files Detected: 12

C:\Users\photoman1963\Downloads\AviConverterSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Templates\memory.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\ProgramData\FREEzeFrogSA\FREEzeFrogSA.dat (Adware.FreezeFrog) -> Quarantined and deleted successfully.

C:\Program Files\FREEzeFrog\bin\2.0.15.0\copyright.txt (Adware.FreezeFrog) -> Quarantined and deleted successfully.

C:\Program Files\FREEzeFrog\bin\2.0.15.0\FREEzeFrogSACB.exe (Adware.FreezeFrog) -> Quarantined and deleted successfully.

C:\Program Files\FREEzeFrog\bin\2.0.15.0\FREEzeFrogSAHook.dll (Adware.FreezeFrog) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\bin\2.0.18.0\copyright.txt (Adware.HotBar.MS) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\bin\2.0.18.0\MossySkySACB.exe (Adware.HotBar.MS) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\bin\2.0.18.0\MossySkySAHook.dll (Adware.HotBar.MS) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\bin\2.0.18.0\MossySkyUninstaller.exe (Adware.HotBar.MS) -> Quarantined and deleted successfully.

C:\Users\photoman1963\Local Settings\Application Data\MossySkySA\data\MossySkySA.dat (Adware.HotBar.MS) -> Quarantined and deleted successfully.

(end)

You didn't say whether you wanted the GMER log file, although I assume you would! I have attached it. I did not close GMER yet, just in case.

Thank you for your assistance. I look forward to your reply.

ark.txt

[Larusso]

Good work.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.

[photoman1963]

Hi,

Thanks again for your help! I have attached the log file as requested.

ComboFix.txt

[Larusso]

You are welcome

Could you tell me something about this kind of Software(?) --> Rapkiller2

It created an hidden AutoStart entry.

How is your system behaving now ?

[photoman1963]

Thanks for your reply.

I am unfamiliar with RapKiller2 / rappkill / kill.exe. I cannot find any mention of it in the registry by searching for rapkill, rappkill or kill.exe in regedit - unless f!taskkill.exe is related. Likewise, I cannot find the kill.exe file on the system.

The system is running OK, but I notice that if I search in the address bar of Chrome or Internet Explorer, it directs me to uk.search-results.com instead of Google. I have now deleted these search engines and it defaults to Google again. There is no music playing any more!

[Larusso]

Glad to hear the music is gone.

Let me check if one of our tools is able to find that file so I can have a look over it.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :filefind
  kill.exe
  :folderfind
  RAPkiller2
  :regfind
  rappkill
  

  
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found at on your Desktop entitled SystemLook.txt

[photoman1963]

Here is the result:

SystemLook 30.07.11 by jpshortstuff

Log created at 18:50 on 03/04/2012 by photoman1963

Administrator - Elevation successful

========== filefind ==========

Searching for "kill.exe"

No files found.

========== folderfind ==========

Searching for "RAPkiller2"

No folders found.

========== regfind ==========

Searching for "rappkill"

No data found.

-= EOF =-

[Larusso]

Odd,

Lets give Combofix a second run to see if it still find it.

Disable your AntiVirus and AntiSpyware applications.

Double click on the Combofix.exe and follow the prombts on your display. When finish, it will create a C:\Combofix.txt. Please post this log for further review.

[photoman1963]

Thanks again!

Here is the log

ComboFix.txt

[Larusso]

Well done

Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Start
• Wait for the scan to finish
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name.
  
• Push the Back button.
  
• Push Finish

Please post this logfile in your next reply

[photoman1963]

<p>Hi,</p>

<p> </p>

<p>It found 2 items.  The log file is as follows:</p>

<p> </p>

<p> </p>

<div>C:\Program Files\FoxTabAVIConverter\AviConverter.exe<span class="Apple-tab-span" style="white-space:pre"> </span>a variant of Win32/InstallCore.A application</div>

<div>C:\Qoobox\Quarantine\C\Users\photoman1963\AppData\Local\Windows Server\hlp.dat.vir<span class="Apple-tab-span" style="white-space:pre"> </span>Win32/Bamital.DT trojan</div>

<div> </div>

[photoman1963]

Sorry, I don't know what happened there! Let me try uploading the text file.

eset.txt

[Larusso]

Nothing to worry about.

Please launch DDS

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

  [*]Save both reports to your desktop and post both in your next reply

[photoman1963]

I've attached the files - Attach.txt zipped up, as per the DDS instructions.

Thanks again for your help - it's greatly appreciated!

DDS.txt

Attach.zip

[Larusso]

you are welcome

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

There is a newer version of Adobe Acrobat Reader available.

• Please go to this link Adobe Acrobat Reader Download Link
  
• Untick Free McAfee® Security Scan Plus if you do not wish to include this in the installation.
  
• Click Download
  
• On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  
• Click the Continue button
  
• Click Run, and click Run again
  
• Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Enviroment 6 Update 31 and save it to your desktop.
  
• Scroll down to where it says Java SE 6 Update 31
  
• Click the red Download JRE button on the right.
  
• Read the License Agreement then select Accept License Agreement
  
• Click on the link to download Windows x86 Offline and save the file to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u31-windows-i586 to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

• On the General tab, under Temporary Internet Files, click the Settings button.
  
• Next, click on the Delete Files button
  
• There are three options in the window to clear the cache - Make sure all are checked
  
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Temporary Files Window
• Click OK to leave the Java Control Panel.

Unless you have any open issues, you are good to go. Please follow these last few steps.

Please press the + R Key and Copy/Paste the following single-line command into the Run box and click OK

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

Now that you appear to be free from malware lets help you stay that way!

It is vital that you keep your system up to date

• Please enable Automatic Updates to keep your system up to date.
  
• Windows Updates
  
  • Win XP: Start --> Control Panel and double- click on Automatic Updates.
    
  • Vista / 7: Start --> Control Panel --> System and Security --> Windows Updates

  [*] Software Updates

  Your installed Software also can have vulnerabilities that malware can use to infect your system.

  To keep your installed Software up to date I recommend File Hippo.

Anti Virus Software

• Make sure to have one Anti Virus programme installed and update it on a regular basis. It is useless with out of date definitions.

Additional Protection

• Malwarebytes Anti Malware
  The freeware Version is an on demand scanner which will check your system for malware. Update it once a week and run a Quick Scan. You can also buy a licence which offers more features.
  
• WinPatrol
  WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Safer Browsing

• Web of Trust ( WOT )
  This software helps you to stay away from sites that have malicious purposes.
  
• SpywareBlaster
  This software helps prevent the installation of ActiveX-based spyware
  
• MVPS Hosts file
  This Hosts File will restrict known ad sites from serving you unsolicited advertisements.

Use an alternate browser

Other browsers tend to be more secure than IE as they do not make use of active x objects. Active x objects can be used by spyware as an infection point on your computer.

• Opera
  
• Firefox

Note: If you use Firefox you may want to have a look on this Add Ons.

• AdblockPlus ( Blocks advertisments )
  
• NoScript ( Blocks Java, Flash and JavaScript )

Computer Maintenance

Clean out your temp files on a regular basis -I recommend TFC ( Temp File Cleaner ).

Thinking while surfing

There is no software which will protect your system from yourself.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing infection, and how to stay safe whilst browsing the internet.

• Staying Safe on the Internet ( by Glaswegian )
  
• Making Internet Explorer Safer.
  
• Think Prevention!

If you have any questions kindly ask.

Please respond to this thread one more time so we can mark this thread as resolved.

[photoman1963]

Thank you so much for all your help! The antivirus seems to have been uninstalled somehow, so I'll replace that.

I'll let my colleague know you helped when he returns from holiday, and maybe I will be able to persuade him to give you a donation

Thanks again!

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!