
My computer is infected and we can't seem to get it clean. Please help!



Hello there,

We had no problems at all until, I think, 24th June, when the computer just shut down by itself - it went to a black screen and shut off. When we started it again the beginning screen (the blue one where you put your Windows password in) had lots of colons and vertical lines on it, and then a few minutes later it shut down again. We ran a full scan, which took hours and found Exploit:Java/CVE-2012-0507.CA, so we deleted that, but all still did not seem well. We kept it mainly in Safe Mode, and sometimes Safe Mode with Networking, after that, and on 26th June MBAM found a Trojan.Zbot. After that, though, the scans just seem to be so slow (we ran Kaspersky Anti Virus Removal Tool and it said it was going to take 18 days!) and they tend to freeze after a while, always on the same one or two files, which are, I think, e-mail ones. The Kaspersky scan did find seven Trojans before it froze, though. So now we are thinking that whatever it is on our computer is interfering with our scans. We are desperate for some expert help. We are pretty much computer novices and use our PC for the things that most people do - e-mails, surfing the web and buying things - but don't know anything about registry edits or anything else.

If someone could please kindly help us sort this, we would be very grateful. I have (hopefully) managed to disable the script thing, and found Notepad, and have done the two logs, pasted below:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1

Run by bodlin at 20:53:16 on 2012-07-01

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3069.1593 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Spy Sweeper *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\WLTRYSVC.EXE

C:\Windows\System32\bcmwltry.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\rundll32.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdiserv.exe

C:\Windows\system32\lxdicoms.exe

C:\Windows\system32\lxedcoms.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

I:\erin.exe

C:\Users\bodlin\AppData\Local\Temp\RarSFX2\2941237.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\ehome\ehRecvr.exe

C:\Users\bodlin\AppData\Local\Temp\1310884\2941237.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Security Client\msseces.exe

c:\Program Files\Microsoft Security Client\MpCmdRun.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.129.793.0.exe

C:\Windows\system32\MpSigStub.exe

C:\Program Files\mal\mbamservice.exe

C:\Program Files\mal\mbamgui.exe

C:\Windows\System32\notepad.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0080808

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0080808

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun: [<NO NAME>]

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Trusted Zone: internet

Trusted Zone: maris.com\www.redshift

Trusted Zone: mcafee.com

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://homebase.2020.net/Core/Player/2020PlayerAX_Win32.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab

DPF: {A9CF3378-D60E-40A8-927D-7EA0D5B0AA98} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader6.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{B3396F8B-7857-4C4D-BFBE-E22C68CD2923} : DhcpNameServer = 192.168.0.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 01533329;01533329;c:\windows\system32\drivers\01533329.sys [2012-7-1 133208]

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2011-3-22 29832]

R1 MpKsl22f9dff1;MpKsl22f9dff1;c:\programdata\microsoft\microsoft antimalware\definition updates\{12fa95d8-a1ed-4d8c-a7ef-bd28373c0cdd}\MpKsl22f9dff1.sys [2012-7-1 29904]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]

R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2007-4-26 99248]

R2 lxed_device;lxed_device;c:\windows\system32\lxedcoms.exe -service --> c:\windows\system32\lxedcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\mal\mbamservice.exe [2012-6-26 654408]

R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2011-3-22 4048256]

R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-5-9 1201656]

R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]

R3 LazerUsb;Lumanate Lazer USB;c:\windows\system32\drivers\LazerUsb.sys [2007-10-16 5739520]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-26 22344]

R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-8-8 18432]

R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-8-8 19008]

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-1-29 2074480]

RUnknown 2941237drv;2941237drv; [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate1c96930cb12cd1;Google Update Service (gupdate1c96930cb12cd1);c:\program files\google\update\GoogleUpdate.exe [2008-12-28 133104]

S2 lxedCATSCustConnectService;lxedCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxedserv.exe [2010-5-5 193192]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]

S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 257224]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-28 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-8 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-12-28 133104]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2012-07-01 18:34:53 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dd687f68-07f0-442c-816e-d68ae5b27b49}\mpengine.dll

2012-07-01 17:25:55 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{12fa95d8-a1ed-4d8c-a7ef-bd28373c0cdd}\MpKsl22f9dff1.sys

2012-07-01 17:25:50 133208 ----a-w- c:\windows\system32\drivers\01533329.sys

2012-07-01 09:48:48 6762896 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{12fa95d8-a1ed-4d8c-a7ef-bd28373c0cdd}\mpengine.dll

2012-07-01 08:41:04 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-01 07:43:15 -------- d-----w- c:\users\bodlin\appdata\roaming\DriverCure

2012-07-01 07:43:12 -------- d-----w- c:\users\bodlin\appdata\roaming\SpeedyPC Software

2012-07-01 07:42:58 -------- d-----w- c:\program files\common files\SpeedyPC Software

2012-07-01 07:42:56 -------- d-----w- c:\programdata\SpeedyPC Software

2012-07-01 07:42:56 -------- d-----w- c:\program files\SpeedyPC Software

2012-06-28 21:00:12 -------- d-----w- c:\users\bodlin\appdata\roaming\SUPERAntiSpyware.com

2012-06-28 21:00:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-06-28 21:00:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-06-27 20:38:55 6762896 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-06-26 20:13:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-26 20:13:32 -------- d-----w- c:\program files\mal

2012-06-26 08:09:48 -------- d-----w- c:\program files\Oracle

2012-06-26 06:06:48 -------- d-----w- c:\programdata\Kaspersky Lab

2012-06-24 08:03:51 -------- d-----w- c:\users\bodlin\appdata\roaming\Malwarebytes

2012-06-24 08:03:39 -------- d-----w- c:\programdata\Malwarebytes

2012-06-21 12:37:31 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-21 12:37:09 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 12:37:00 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 12:37:00 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-15 06:26:07 -------- d-----w- c:\windows\pss

2012-06-14 13:44:11 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 13:44:11 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-14 13:44:11 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 13:43:41 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-14 13:43:40 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 10:03:28 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b59662fc-4332-4adb-aa00-f93c82e4812b}\gapaengine.dll

2012-06-12 17:25:12 -------- d-----w- c:\users\bodlin\appdata\local\{039B4B0A-9A18-447E-97F7-59AD8FA6C95F}

2012-06-12 17:24:55 -------- d-----w- c:\users\bodlin\appdata\local\{B648D53D-18BA-46DC-A760-B92AD60B1C7B}

2012-06-12 08:21:14 772504 ----a-w- c:\windows\system32\npdeployJava1.dll

.

==================== Find3M ====================

.

2012-06-13 09:49:47 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-13 09:49:47 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-12 08:20:42 472864 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-03 08:16:12 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16:11 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

.

============= FINISH: 20:56:07.68 ===============

and the second log is as follows:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume3

Install Date: 08/08/2008 13:36:23

System Uptime: 01/07/2012 18:23:04 (2 hours ago)

.

Motherboard: Dell Inc. | | 0TP406

Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | CPU | 2394/1066mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 916 GiB total, 446.006 GiB free.

D: is FIXED (NTFS) - 15 GiB total, 5 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

ABBYY FineReader 6.0 Sprint

Adobe AIR

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Default Language CS3

Adobe Device Central CS3

Adobe Elements Studio Launcher

Adobe ExtendScript Toolkit 2

Adobe Flash Player 11 ActiveX

Adobe Help Viewer CS3

Adobe PDF Library Files

Adobe Photoshop Elements 6.0

Adobe Premiere Elements 4.0

Adobe Premiere Elements 4.0 Templates

Adobe Reader X (10.1.3)

Adobe Setup

Adobe Shockwave Player 11.5

Adobe Soundbooth CS3

Adobe Soundbooth CS3 Codecs

Adobe Soundbooth CS3 Scores

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe XMP DVA Panels CS3

Adobe XMP Panels CS3

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Babylon toolbar on IE

Bonjour

Browser Address Error Redirector

CCScore

Compatibility Pack for the 2007 Office system

D3DX10

Dell Getting Started Guide

Dell Support Center

Dell Wireless WLAN Card

Dell Xcelerator™ for Portable Devices

DIGReqEx

DirectXInstallService

Disney Princess Screen Saver

EDocs

ESSBrwr

ESSCDBK

ESScore

ESSgui

ESSini

ESSPCD

ESSPDock

ESSSONIC

ESSTOOLS

essvatgt

Family Tree Maker

Family Tree Maker 2005

fflink

Getting Ready for School

Google Chrome

Google Desktop

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

Google Updater

Hauppauge MCE XP/Vista Software Encoder (2.0.25296)

Hauppauge TV Tuner Driver

Highlight Viewer (Windows Live Toolbar)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Intel® Matrix Storage Manager

Intel® PRO Network Connections 12.1.12.4

InterActual Player

iTunes

Java Auto Updater

Java™ 6 Update 20

Java™ 6 Update 32

Java™ 6 Update 5

Java™ 6 Update 7

Java™ 7 Update 5

JavaFX 2.1.1

Junk Mail filter update

kgcbaby

kgcbase

kgchday

kgchlwn

kgcinvt

kgckids

kgcmove

kgcvday

Kidizoom® Pro & Plus

Kodak EasyShare software

Learning Ladder Preschool

LEGO Digital Designer

Lexmark 3500-4500 Series

Lexmark Fax Solutions

Lexmark S600 Series

Lexmark Toolbar

Lizardtech DjVu Control

Malwarebytes Anti-Malware version 1.61.0.1400

Map Button (Windows Live Toolbar)

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Corporation

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Word Viewer 2003

Microsoft Search Enhancement Pack

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

MobileMe Control Panel

Mouse Suite for Desktop Computers

MSN

MSVCRT

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

My First CD-ROM - Getting Ready for School XP Update

MyFelix

Nessy Fingers - Demo Version

netbrdg

NVIDIA Drivers

OfotoXMI

OGA Notifier 2.0.0048.0

OpenOffice.org 3.2

QuickTime

RealPlayer

RealUpgrade 1.0

RedShift 6 Premium

Roxio Activation Module

Roxio CinePlayer Decoder Pack

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator Premier

Roxio Creator Premier 10

Roxio Creator Tools

Roxio Express Labeler

Roxio Update Manager

Safari

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Segoe UI

SFR

SHASTA

skin0001

SKINXSDK

Skype Click to Call

Skype™ 5.8

Smart Menus (Windows Live Toolbar)

Sony Picture Utility

SpeedyPC Pro

Spelling Dictionaries Support For Adobe Reader 8

Spy Sweeper Core

Spy Sweeper for MSN

staticcr

SUPERAntiSpyware

Tesco Download Manager

tooltips

TouchCopy 11

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Virtual Puppy

VPRINTOL

WIDCOMM Bluetooth Software 6.0.1.4300

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Favorites for Windows Live Toolbar

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live Toolbar Extension (Windows Live Toolbar)

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WIRELESS

XPS MiniView Gadget

.

==== Event Viewer Messages From Past Week ========

.

30/06/2012 21:34:03, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

30/06/2012 21:22:02, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.566.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

30/06/2012 21:17:33, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.566.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

30/06/2012 21:16:05, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.566.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

30/06/2012 21:16:05, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

30/06/2012 21:09:42, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

30/06/2012 21:06:24, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.566.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

30/06/2012 21:04:07, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC MpFilter NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr Tcpip tdx Wanarpv6

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:04:07, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

30/06/2012 21:03:32, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

30/06/2012 21:03:32, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

28/06/2012 21:54:47, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter spldr Wanarpv6

28/06/2012 21:49:57, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC MpFilter NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6

28/06/2012 21:46:25, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}

28/06/2012 21:46:25, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}

28/06/2012 19:26:16, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.566.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

27/06/2012 22:05:54, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.469.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

27/06/2012 21:18:53, Error: EventLog [6008] - The previous system shutdown at 21:17:40 on 27/06/2012 was unexpected.

27/06/2012 19:40:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.469.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

26/06/2012 21:03:57, Error: EventLog [6008] - The previous system shutdown at 16:33:22 on 26/06/2012 was unexpected.

26/06/2012 01:42:59, Error: EventLog [6008] - The previous system shutdown at 21:38:00 on 25/06/2012 was unexpected.

24/06/2012 22:05:52, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.349.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

24/06/2012 19:30:31, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.349.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

24/06/2012 08:25:25, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.349.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

24/06/2012 08:23:53, Error: EventLog [6008] - The previous system shutdown at 08:21:28 on 24/06/2012 was unexpected.

01/07/2012 19:43:12, Error: Microsoft-Windows-WMPNSS-Service [14365] - Proximity detection failed due to unknown error '0x80004004'. The best proximity time detected was -1 milliseconds.

01/07/2012 18:23:57, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxedCATSCustConnectService service to connect.

01/07/2012 18:23:57, Error: Service Control Manager [7000] - The SupportSoft Sprocket Service (dellsupportcenter) service failed to start due to the following error: The system cannot find the file specified.

01/07/2012 18:23:57, Error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.

01/07/2012 18:23:57, Error: Service Control Manager [7000] - The lxedCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

01/07/2012 17:48:03, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

01/07/2012 17:46:37, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter SASDIFSV SASKUTIL spldr Wanarpv6

01/07/2012 17:46:37, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

01/07/2012 17:46:37, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

01/07/2012 17:46:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

01/07/2012 17:46:26, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

01/07/2012 17:46:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

01/07/2012 17:46:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

01/07/2012 17:46:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

01/07/2012 17:46:03, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .

01/07/2012 17:46:03, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

01/07/2012 17:45:53, Error: EventLog [6008] - The previous system shutdown at 12:05:56 on 01/07/2012 was unexpected.

01/07/2012 12:06:27, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

.

==== End Of File ===========================

I have looked a lot on the internet for ways to try and sort this out, and have ticked checkboxes and disabled all the Startup things trying to get things right. I hope I haven't made a terrible mess.

Thank you very much for taking the time to look at our post and for trying to help us. It would be great to know if you find anything.

Kind regards,

Helena

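The "Event Log errors" block above is the kind of thing a helper reads in bulk, so here is a small triage script for it. This is an added example, not part of Helena's post or of the DDS tool: it parses lines in the DDS event format, keeps the Service Control Manager 7026 entries (boot-start drivers that failed to load) apart from the 7001 dependency cascade, counts the EventLog 6008 unexpected shutdowns, and reports which drivers failed on every logged boot rather than on one. The sample is seven lines copied from the log above (the Antimalware line shortened to its key fields); the function names are the example's own. On this sample the always-failing set is MpFilter, spldr and Wanarpv6, and the Antimalware "cannot be started in Safe Mode" error explains most of it: MpFilter is the Microsoft Security Essentials filter driver, and on a Safe Mode boot without networking the network stack (AFD, Tcpip, netbt and the rest in the 21:49:57 list) is not loaded either, so these failures on their own are what Safe Mode looks like, not proof of tampering.

```python
"""Triage the 'Event Log errors' block of a DDS log."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: seven lines in the DDS event-log format, copied from the
# log posted above. The Antimalware message is cut down to its key fields.
SAMPLE_LOG = """\
30/06/2012 21:04:07, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
28/06/2012 21:54:47, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter spldr Wanarpv6
28/06/2012 21:49:57, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC MpFilter NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
28/06/2012 19:26:16, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
27/06/2012 21:18:53, Error: EventLog [6008] - The previous system shutdown at 21:17:40 on 27/06/2012 was unexpected.
01/07/2012 17:46:37, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter SASDIFSV SASKUTIL spldr Wanarpv6
01/07/2012 17:45:53, Error: EventLog [6008] - The previous system shutdown at 12:05:56 on 01/07/2012 was unexpected.
"""

# "dd/mm/yyyy hh:mm:ss, Level: Source [EventID] - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
DRIVERS_RE = re.compile(r"failed to load: (.+)$")


def parse_events(text):
    """Return the event lines as dicts, oldest first (DDS prints newest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                     # blank lines and non-event text are skipped
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_drivers(event):
    """Driver names listed in a Service Control Manager 7026 event."""
    m = DRIVERS_RE.search(event["message"])
    return set(m.group(1).split()) if m else set()


def triage(events):
    """What an analyst wants from the block: unexpected shutdowns, whether Safe
    Mode explains the failures, and which drivers fail on every boot."""
    by_id = Counter(e["event_id"] for e in events)
    boots = [(e["ts"], failed_drivers(e)) for e in events if e["event_id"] == 7026]
    driver_counts = Counter(d for _, drivers in boots for d in drivers)
    always = set.intersection(*(d for _, d in boots)) if boots else set()
    return {
        "by_event_id": dict(by_id),
        "unexpected_shutdowns": by_id[6008],
        "safe_mode_indicators": sum(
            "cannot be started in Safe Mode" in e["message"] for e in events
        ),
        "driver_failure_boots": len(boots),
        "failed_driver_counts": dict(driver_counts),
        "always_failing_drivers": always,
        "sometimes_failing_drivers": set(driver_counts) - always,
    }


if __name__ == "__main__":
    report = triage(parse_events(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point the script at the whole "Event Log errors" section instead of SAMPLE_LOG and the "sometimes failing" set shows which drivers only fail on the Safe Mode boots; a driver that fails on a normal boot as well, or a security tool's driver that fails while the tool claims to be running, is the one worth chasing.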

  • Staff

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


Hello Catbyte,

Thank you for replying and helping us with our problem. I did all of this in Safe Mode with Networking - I don't know if that makes a difference?

The computer wouldn't let me save the Avast virus scanner program to the Desktop, so I just ran it anyway. I tried it twice. The first time it froze after a few minutes on Scanning C:\Users\bodlin\AppData\Local\Installer9420\Setup.exe but I noticed that when I saved the log (because after a while I just pressed Save Log as the Scan wasn't moving) it didn't mention that one. I didn't notice the time on the first scan I did, but on the second scan I ran, it got stuck again on that same file, and the time was 19:50:23:736. I took a note of that as it might be useful?

The first log of the first scan is as follows:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-07-03 19:02:30

-----------------------------

19:02:30.419 OS Version: Windows 6.0.6002 Service Pack 2

19:02:30.419 Number of processors: 4 586 0xF0B

19:02:30.419 ComputerName: BODLIN-PC UserName: bodlin

19:02:48.031 Initialize success

19:04:54.344 AVAST engine defs: 12070300

19:05:19.055 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

19:05:19.055 Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8

19:05:19.070 Disk 0 MBR read successfully

19:05:19.070 Disk 0 MBR scan

19:05:19.086 Disk 0 Windows VISTA default MBR code

19:05:19.086 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 70 MB offset 63

19:05:19.102 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 145408

19:05:19.117 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 938443 MB offset 31602688

19:05:19.117 Disk 0 scanning sectors +1953533952

19:05:19.195 Disk 0 scanning C:\Windows\system32\drivers

19:05:30.583 Service scanning

19:05:48.726 Modules scanning

19:05:51.409 Disk 0 trace - called modules:

19:05:51.425 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll

19:05:51.425 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86545ac8]

19:05:51.425 3 CLASSPNP.SYS[8379f8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86546028]

19:05:54.779 AVAST engine scan C:\Windows

19:06:00.863 AVAST engine scan C:\Windows\system32

19:09:32.726 AVAST engine scan C:\Windows\system32\drivers

19:10:12.912 AVAST engine scan C:\Users\bodlin

19:36:21.632 Disk 0 MBR has been saved successfully to "C:\Users\bodlin\Desktop\MBR.dat"

19:36:21.632 The log file has been saved successfully to "C:\Users\bodlin\Desktop\aswMBR.txt"

I've added the MBR.zip for you (I am unsure if that is the MBR from the first or second scan as there was only one on the Desktop)

The second scan log is as follows:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-07-03 19:39:06

-----------------------------

19:39:06.556 OS Version: Windows 6.0.6002 Service Pack 2

19:39:06.556 Number of processors: 4 586 0xF0B

19:39:06.556 ComputerName: BODLIN-PC UserName: bodlin

19:39:09.504 Initialize success

19:39:13.716 AVAST engine defs: 12070300

19:39:32.467 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

19:39:32.483 Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8

19:39:32.514 Disk 0 MBR read successfully

19:39:32.514 Disk 0 MBR scan

19:39:32.530 Disk 0 Windows VISTA default MBR code

19:39:32.545 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 70 MB offset 63

19:39:32.561 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 145408

19:39:32.576 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 938443 MB offset 31602688

19:39:32.608 Disk 0 scanning sectors +1953533952

19:39:32.717 Disk 0 scanning C:\Windows\system32\drivers

19:39:49.471 Service scanning

19:40:06.538 Modules scanning

19:40:13.464 Disk 0 trace - called modules:

19:40:13.480 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll

19:40:13.480 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86545ac8]

19:40:13.480 3 CLASSPNP.SYS[8379f8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86546028]

19:40:16.397 AVAST engine scan C:\Windows

19:41:39.342 AVAST engine scan C:\Windows\system32

19:47:42.557 AVAST engine scan C:\Windows\system32\drivers

19:49:26.656 AVAST engine scan C:\Users\bodlin

20:21:19.325 Disk 0 MBR has been saved successfully to "C:\Users\bodlin\Desktop\MBR.dat"

20:21:19.356 The log file has been saved successfully to "C:\Users\bodlin\Desktop\aswMBR2.txt"

Can I ask please, have you noticed anything when you saw our logs in our initial post and this one? Did you see anything there that indicated malware?

MBR.zip

Many thanks,

Helena

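Both aswMBR runs above print the same partition table, and the MBR.dat they save is just the first 512 bytes of disk 0. As an added example, not from the post and not aswMBR's own code, here is a parser for that raw sector in Python, with the table rebuilt from the logged entries because the attachment itself is not on the page. The sector counts are derived from the printed offsets: each partition ends where the next begins, and the last ends at sector 1953533952, which is where aswMBR's "scanning sectors +1953533952" line starts, i.e. the unallocated tail after the last partition, the space a bootkit uses to stash its payload outside any filesystem. The parser checks the 0x55AA signature, that exactly one entry is active, that no entries overlap or run past the disk, and cross-checks every entry against aswMBR's "Partition N" lines; the boot-code bytes are a zero placeholder, since verifying them means comparing against a known-good Vista MBR, which is what aswMBR's "Windows VISTA default MBR code" verdict stands for. All names and the assembled sample are the example's own.

```python
"""Parse a raw MBR (the 512 bytes aswMBR saves as MBR.dat) and cross-check it
against the partition lines aswMBR prints."""
import re
import struct

SECTOR = 512
MB = 1024 * 1024

# Constructed from the aswMBR output above: (status, type, first LBA, sectors).
# Sector counts come from the gaps between printed offsets; the real MBR.dat
# attachment is not on the page, so this stand-in carries the same table.
ASWMBR_ENTRIES = [
    (0x00, 0xDE, 63, 145345),             # Dell Utility, 70 MB
    (0x00, 0x07, 145408, 31457280),       # NTFS, 15360 MB
    (0x80, 0x07, 31602688, 1921931264),   # NTFS, active, 938443 MB
]
DISK_SECTORS = 953875 * MB // SECTOR      # "Size: 953875MB" in the log
ASWMBR_LINES = [
    "19:05:19.086 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 70 MB offset 63",
    "19:05:19.102 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 145408",
    "19:05:19.117 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 938443 MB offset 31602688",
]
PART_RE = re.compile(
    r"Partition (\d) ([0-9A-F]{2}) (?:\(A\) )?([0-9A-F]{2}) .* (\d+) MB offset (\d+)$"
)


def build_mbr(entries, code=b"\x00" * 440, disk_signature=0):
    """Assemble a 512-byte MBR: 440 bytes boot code, 4-byte disk signature,
    2 reserved bytes, four 16-byte table entries, 0x55AA."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for status, ptype, start, count in entries
    )
    table += b"\x00" * (64 - len(table))
    return (code[:440].ljust(440, b"\x00")
            + struct.pack("<IH", disk_signature, 0) + table + b"\x55\xAA")


def parse_mbr(mbr):
    """Return the non-empty table entries; CHS fields are skipped (LBA only)."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:                # empty slot
            continue
        parts.append({"index": i + 1, "status": status, "type": ptype,
                      "start": start, "count": count})
    return parts


def check_table(parts, disk_sectors):
    """Sanity-check the table; return (findings, unpartitioned tail sectors)."""
    findings = []
    active = [p["index"] for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, got {active}")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: bad status byte 0x{p['status']:02X}")
    prev_end = last_end = 0
    for p in sorted(parts, key=lambda p: p["start"]):
        end = p["start"] + p["count"]
        if p["start"] < prev_end:
            findings.append(f"partition {p['index']} overlaps the previous one")
        if end > disk_sectors:
            findings.append(f"partition {p['index']} runs past the end of the disk")
        prev_end, last_end = end, max(last_end, end)
    return findings, disk_sectors - last_end


def compare_with_aswmbr(parts, lines):
    """Mismatches between the parsed table and aswMBR's 'Partition N ...' lines."""
    by_index = {p["index"]: p for p in parts}
    mismatches = []
    for line in lines:
        m = PART_RE.search(line)
        if not m:
            continue
        idx, status, ptype = int(m[1]), int(m[2], 16), int(m[3], 16)
        mb, offset = int(m[4]), int(m[5])
        p = by_index.get(idx)
        if p is None:
            mismatches.append(f"partition {idx} printed by aswMBR but absent from MBR")
        elif (p["status"], p["type"], p["start"], p["count"] * SECTOR // MB) != (status, ptype, offset, mb):
            mismatches.append(f"partition {idx} differs from aswMBR: {p}")
    return mismatches


if __name__ == "__main__":
    parts = parse_mbr(build_mbr(ASWMBR_ENTRIES))
    findings, tail = check_table(parts, DISK_SECTORS)
    print("findings:", findings or "none")
    print("unpartitioned tail sectors:", tail)
    print("aswMBR mismatches:", compare_with_aswmbr(parts, ASWMBR_LINES) or "none")
```

Run against a real MBR.dat, `parse_mbr(open("MBR.dat", "rb").read())` gives the table to compare with what the tool printed; a table that parses cleanly but disagrees with the tool's output, or a tail far larger than the few thousand sectors of alignment slack seen here, is the point at which to look at those sectors directly.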

  • Staff

Hi,

Yes there are signs that this machine is infected, please run the following:

Refer to the ComboFix User's Guide

  1. Download ComboFix from one of these locations:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hi CatByte

Did as you asked. The ComboFix took so long I left it running and went to bed as it was almost 1:00am. Here is its log:

ComboFix 12-07-02.01 - bodlin 04/07/2012 0:16.1.4 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3069.1993 [GMT 1:00]

Running from: c:\users\bodlin\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Spy Sweeper *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\SPL1114.tmp

c:\programdata\SPL3B51.tmp

c:\programdata\SPLA0D2.tmp

c:\programdata\SPLA39E.tmp

c:\programdata\SPLBF29.tmp

c:\users\bodlin\AppData\Local\assembly\tmp

c:\users\bodlin\GoToAssistDownloadHelper.exe

c:\users\bodlin\xobglu32.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))

.

.

2012-07-04 00:52 . 2012-07-04 00:53 -------- d-----w- c:\users\bodlin\AppData\Local\temp

2012-07-04 00:52 . 2012-07-04 00:52 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-07-04 00:52 . 2012-07-04 00:52 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2012-07-04 00:52 . 2012-07-04 00:52 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-03 23:22 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4FDA559A-B430-4C98-9F77-F788DC91A043}\mpengine.dll

2012-07-01 18:34 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-01 08:41 . 2012-07-01 08:41 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-01 07:43 . 2012-07-01 07:43 -------- d-----w- c:\users\bodlin\AppData\Roaming\DriverCure

2012-07-01 07:43 . 2012-07-01 07:43 -------- d-----w- c:\users\bodlin\AppData\Roaming\SpeedyPC Software

2012-07-01 07:42 . 2012-07-01 07:42 -------- d-----w- c:\program files\Common Files\SpeedyPC Software

2012-07-01 07:42 . 2012-07-01 07:42 -------- d-----w- c:\programdata\SpeedyPC Software

2012-07-01 07:42 . 2012-07-01 07:42 -------- d-----w- c:\program files\SpeedyPC Software

2012-06-28 21:00 . 2012-06-28 21:00 -------- d-----w- c:\users\bodlin\AppData\Roaming\SUPERAntiSpyware.com

2012-06-28 21:00 . 2012-06-28 21:00 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-06-28 21:00 . 2012-06-28 21:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-06-26 20:13 . 2012-06-27 19:50 -------- d-----w- c:\program files\mal

2012-06-26 20:13 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-26 08:09 . 2012-06-26 08:09 -------- d-----w- c:\program files\Oracle

2012-06-26 06:06 . 2012-06-26 06:06 -------- d-----w- c:\programdata\Kaspersky Lab

2012-06-24 08:03 . 2012-06-24 08:03 -------- d-----w- c:\users\bodlin\AppData\Roaming\Malwarebytes

2012-06-24 08:03 . 2012-06-24 08:03 -------- d-----w- c:\programdata\Malwarebytes

2012-06-21 12:37 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-21 12:37 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-21 12:37 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-21 12:37 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-21 12:37 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-21 12:37 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-21 12:37 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 12:37 . 2012-06-02 14:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 12:37 . 2012-06-02 14:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-14 13:44 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 13:44 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-14 13:44 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 13:43 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-14 13:43 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 10:03 . 2012-02-10 19:37 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B59662FC-4332-4ADB-AA00-F93C82E4812B}\gapaengine.dll

2012-06-12 08:21 . 2012-05-04 18:29 772504 ----a-w- c:\windows\system32\npdeployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-13 09:49 . 2012-04-08 19:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-13 09:49 . 2011-06-17 06:22 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-12 08:20 . 2010-06-01 16:59 472864 ----a-w- c:\windows\system32\deployJava1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^bodlin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

path=c:\users\bodlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^bodlin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=c:\users\bodlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^bodlin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^_uninst_.lnk]

path=c:\users\bodlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk

backup=c:\windows\pss\_uninst_.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^bodlin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^_uninst_01533329.lnk]

path=c:\users\bodlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_01533329.lnk

backup=c:\windows\pss\_uninst_01533329.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-09-21 23:28 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2012-02-20 20:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bluetooth HCI Monitor]

2006-12-07 23:50 9728 ----a-w- c:\windows\System32\HCIMNTR.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

2007-12-06 10:15 1548288 ----a-w- c:\windows\System32\WLTRAY.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2006-11-02 09:45 8704 ----a-w- c:\windows\System32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2010-01-18 09:51 139944 ----a-w- c:\program files\Lexmark S600 Series\ezprint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]

2007-05-07 18:10 312240 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2010-06-15 16:57 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]

2011-09-16 17:06 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2007-10-03 14:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2012-03-27 04:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]

2007-03-05 12:40 20480 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]

2007-05-07 18:07 435120 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdimon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxedmon.exe]

2010-01-18 09:51 770728 ----a-w- c:\program files\Lexmark S600 Series\lxedmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2012-04-04 14:56 462408 ----a-w- c:\program files\mal\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

c:\program filesmicrosoft money\System\Money Express.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]

2012-03-26 16:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyFelix]

2011-08-21 09:08 8668520 ----a-w- c:\program files\MyFelix\MyFelix.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2008-05-23 07:37 13531680 ----a-w- c:\windows\System32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2008-05-23 07:38 92704 ----a-w- c:\windows\System32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]

2006-11-08 14:01 49152 ----a-w- c:\windows\System32\ico.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2008-05-14 09:31 244208 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2007-09-12 08:40 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2012-02-29 07:55 17148552 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

2011-04-05 14:55 6156336 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2012-06-26 17:33 3906432 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2008-08-08 11:57 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-03-17 16:00 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]

2010-01-29 00:04 764784 ----a-w- c:\windows\vVX6000.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-04 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 09:49]

.

2012-06-23 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-08 17:06]

.

2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-28 19:50]

.

2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-28 19:50]

.

2012-06-17 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]

.

2012-07-01 c:\windows\Tasks\SpeedyPC Pro.job

- c:\program files\SpeedyPC Software\SpeedyPC\SpeedyPC.exe [2012-01-30 22:17]

.

2012-07-01 c:\windows\Tasks\SpeedyPC Registration3.job

- c:\program files\Common Files\SpeedyPC Software\UUS3\UUS3.dll [2012-01-30 22:17]

.

2012-07-01 c:\windows\Tasks\SpeedyPC Update Version3.job

- c:\program files\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe [2012-01-30 22:17]

.

2012-07-04 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]

.

2012-06-15 c:\windows\Tasks\wrSpySweeper_LAD90687C159D4A61870B02FA027F5F4F.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-15 14:55]

.

2012-06-15 c:\windows\Tasks\wrSpySweeper_LAD90687C159D4A61870B02FA027F5F4F.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-15 14:55]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0080808

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s

IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: internet

Trusted Zone: maris.com\www.redshift

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.0.1

DPF: {A9CF3378-D60E-40A8-927D-7EA0D5B0AA98} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader6.cab

.

Supplementary scan did not complete!

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe

MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-04 01:53

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,50,88,08,28,f7,aa,4d,be,1a,2d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,50,88,08,28,f7,aa,4d,be,1a,2d,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-07-04 01:55:41

ComboFix-quarantined-files.txt 2011-06-06 11:15

ComboFix2.txt 2011-06-06 11:15

.

Pre-Run: 478,537,891,840 bytes free

Post-Run: 481,490,759,680 bytes free

.

- - End Of File - - 72572C198976AC49A7859AB2864ED364

Kind regards,

Helena


  • Staff

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


Hi Catbyte

Did as you asked; the Malwarebytes quick scan didn't find anything. I'll post the log below:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.04.05

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

bodlin :: BODLIN-PC [administrator]

Protection: Disabled

04/07/2012 18:19:27

mbam-log-2012-07-04 (18-19-27).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 254973

Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

The ESET scan froze at 45%, on the file:

C:\Users\bodlin\AppData\Local\Microsoft\MSN\db30\iangarland1-msn-com_JMF.sdf

That tends to be one of the files that the other scans have always got stuck at that I mentioned in my very first post, although I'm not sure I've ever seen the JMF.sdf before. Log as below:

C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.30.0\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application

C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.30.0\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application

C:\Users\bodlin\AppData\Local\Babylon\Setup\MyBabylonTB.exe a variant of Win32/Toolbar.Babylon application

Hope to hear your thoughts on this soon, and thank you for all the help you've given so far; it is much appreciated.

Kind regards,

Helena


  • Staff

Hi,

That seems to be a common problem with files in those folders; look at the solution in this post to rename the extension of those files:

http://answers.msn.com/thread.aspx?postid=c623d43d-6747-4842-aff4-c64b72168287#c623d43d-6747-4842-aff4-c64b72168287

Then I would uninstall the Babylon toolbar; it's something you don't need.

Let me know if that helps and you are now able to complete the ESET scan.


Hi Catbyte

I renamed the .sdf and JMF.sdf files as per your link, and added .old at the end of them. Also uninstalled the Babylon toolbar. Re-ran the ESET scan. It again froze on 45% and the C:\Users\bodlin\AppData\Local\Microsoft\MSN\db30\iangarland1-msn-com_JMF.sdf.old

Plus, before it froze, it found another Babylon file even though I'd uninstalled it. Log as follows:

C:\Users\bodlin\AppData\Local\Babylon\Setup\MyBabylonTB.exe a variant of Win32/Toolbar.Babylon application

Do you think I should just delete those .sdf files? I have no idea what they are or what .sdf means.

Kind regards,

Helena


  • Staff

These are what the files are:

from Microsoft:

MSN (Local Machine Mail Storage File) by Microsoft Corporation.

If you have the account abc@msn.com this file will usually be named ABC-MSN-COM.SDF and is typically located in C:\DOCUMENTS AND SETTINGS\\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\MSN\DB

On your operating system, they are here:

C:\Users\bodlin\AppData\Local\Microsoft\MSN\db30\iangarland1-msn-com_JMF.sdf

So it looks like they are related to your mail storage for a mail account at .msn.

The \db folder & content properties are read-only & hidden, so you will have to change Windows Explorer (Tools - Folder Options) to display hidden files/folders before it will let you display it.

Take a look in the folder and see what it contains; I suspect it is local machine storage of mail, which can probably be deleted if you don't need them.

Alternately, go into the msn mail account and delete anything you don't need anymore.

There may be an issue with synchronization with this account? (I'm not absolutely positive, as I don't use msn.com; I'll need to do more research on it. Let me know what you discover.)


Hi Catbyte

Sorry it's taken me so long to reply to you. Been a bit of a frustrating day. I managed to get all the hidden files unhidden, and got inside the db30 folder, and couldn't actually find out what was in the .sdf files as it said it didn't know what program it would need to open them. They were very large and I decided to delete them anyway and then ran the ESET scan again. Again, froze at 45% on another bodlin\appdata\microsoft\MSN\bodlin-msn-com.f91. I can't open those types of files because every time I try, it says it doesn't know what program it needs to open an .f91 file. All of the files in that db30 folder have a different alphanumeric ending and so of course I can't open any and so have just deleted some of them anyway - not all of them because I don't know what they are. I think it said you needed Microsoft Shell Commor to open them?

So tried a different way, and went on to my hotmail folder and deleted a lot - like thirteen pages worth. Admittedly, I still have over one hundred pages of e-mails left. Deleting e-mails isn't a strong point!

Tried yet another ESET scan and it yet again froze at 45% on another bodlin-msn-com.abc file. When I had the window open with the db30 contents in it, though, and I was trying on the top line (sorry I am not very articulate in explaining things) to find iangarland1-msn-com, I pressed Enter and it changed momentarily to a PC World Transfer file, which is where all our stuff from our previous PC was transferred over to this one when it was new, but I am sure that one of the previous viruses we found was hid there. Not sure if that is relevant.

So anyway, have kept the log from the final ESET scan attempt, which of course froze at 45%. Please find below:

C:\Users\bodlin\AppData\Local\Babylon\Setup\MyBabylonTB.exe a variant of Win32/Toolbar.Babylon application

Thank you for your continued help.

Kind regards,

Helena


  • Staff

This file can be deleted as you have removed the toolbar, please do the following:

Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Users\bodlin\AppData\Local\Babylon\Setup\MyBabylonTB.exe"

As far as those MSN files go, a corrupted DB30 folder seems quite common.

I don't want to recommend you delete that folder, though, as I don't have experience with that program, having never used it myself.

You might want to start a new topic in their forum

http://answers.msn.com/

to ask them specifically about this issue.

Other than that, is the machine running OK?


Hi CatByte

I have copied and pasted the command you gave me into the Run box, so hopefully the Babylon is now deleted. The mail files that I deleted and were in the Recycle Bin, I have restored. I will post a topic about the corrupted db30 file on the MSN forum as you suggested. The PC does seem to be working okay. It's not turning off as it did before. I haven't used it much, to be honest, as it's only been on these past few days to follow the instructions you've been giving me, and not much else. Do you think it is safe to use normally now and the infections are all gone?

Kind regards,

Helena


  • Staff

Hi,

Please do the following:

Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp

The logs appear to be clean, so go ahead and use the computer normally. Let me know if there are any outstanding issues; if not, then we can clean up our tools.


  • Staff

You probably don't need JavaFX, so yes, uninstall it; it's designed for developers.

http://docs.oracle.com/javafx/2/overview/jfxpub-overview.htm

I'll give you the tool clean up routine now; let me know if anything else crops up:

You can delete the DDS and aswMBR logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:

    PC Safety and Security--What Do I Need?

Thank you for your patience, and performing all of the procedures requested.
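The "Make Internet Explorer more secure" steps above can also be applied and then checked from PowerShell, so you know the three ActiveX settings really took. This is an added example, not code from the thread; it assumes the documented layout of the per-user Internet Settings key (zone 3 is the Internet zone, and the value names 1001, 1004 and 1201 are the two "Download ... ActiveX controls" policies and "Initialize and script ActiveX controls not marked as safe", with 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the thread): apply the ActiveX settings recommended
# in the post and verify them, rather than trusting the dialog alone.
# Assumption: the per-user Internet zone is key "Zones\3", and the three policies
# use value names 1001, 1004 and 1201 with 0 = Enable, 1 = Prompt, 3 = Disable.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state, exactly as the post describes it.
$Desired = [ordered]@{
    '1001' = 1   # Download signed ActiveX controls                         -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls                       -> Prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked safe   -> Disable
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function ConvertTo-Label([object]$v) {
    # Human-readable name for a zone value, or "missing"/"unknown" when it is not one we expect.
    if ($null -eq $v) { return 'missing' }
    if ($Labels.ContainsKey([int]$v)) { return $Labels[[int]$v] }
    return "unknown ($v)"
}

function Get-ActiveXZoneState {
    # One record per setting: what is there now, what we want, and whether they match.
    foreach ($name in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $ZonePath -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value     = $name
            Current   = ConvertTo-Label $current
            Desired   = $Labels[$Desired[$name]]
            Compliant = ([int]$current -eq $Desired[$name])
        }
    }
}

function Set-ActiveXZoneState {
    # Writes the desired values; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$ZonePath\$name", "Set to $($Desired[$name])")) {
            Set-ItemProperty -Path $ZonePath -Name $name -Value $Desired[$name] -Type DWord
        }
    }
}

# Report drift, apply, then re-check. A remaining mismatch usually means the
# setting is controlled machine-wide (HKLM / Group Policy) rather than per user.
Get-ActiveXZoneState | Format-Table -AutoSize
Set-ActiveXZoneState
$after = Get-ActiveXZoneState
if ($after | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Some ActiveX settings still differ from the recommended values.'
} else {
    Write-Host 'Internet zone ActiveX settings match the recommended values.'
}
```

Run `Set-ActiveXZoneState -WhatIf` first to see what would change; the settings apply to the current user only, so repeat for each account on the PC.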


Hi CatByte

I've uninstalled the Java FX and also the Combofix and other DDS/MBR files. I've run the TFC and restarted the PC. Done the security settings like you said and also downloaded the WOT. I shall do the Keepass tomorrow as it's almost midnight and it's been a long week! We will use the PC over the weekend, change all our passwords and read the links you suggested.

Thank you so much for all your help, you have really been a lifesaver. You have been really patient and I have done stuff on this PC that I never thought possible! Fingers crossed that all is well - will let you know if there are any problems. Will let you know on Monday if all has been well. Hope to get some replies for the corrupted db30 files on the Microsoft forum.

It is a great job that you do; must be like learning another language!

Very kind regards,

Helena


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
