
Live Security Platinum -- IE Won't Open Now Even in Safe/Zero Access Trojan



I had a great experience a couple of years ago with your company and have MBAM on my computer. Unfortunately I picked up Live Security Platinum and now, even in safe mode with networking, I can't get IE to open. Therefore I am unable to start the cleanup process your site suggests.

Any thoughts on what I might do here? Running Windows Vista.

Subsequent to my original post I was able to get mbam-chameleon.exe to execute using the command line in safe mode. Chameleon launched and indicated that it was able to update mbam (Done!) and kill known malicious processes (Done!) and then mbam launched. The only malicious software detected were three pum.disabledsecurity items.

Edited by Maurice Naggar

Hello johnh.

Kindly advise if you still need help.

If yes, then download DDS and save it to your desktop from one of these locations:

http://www.techsupportforum.com/sectools/sUBs/dds

http://download.bleepingcomputer.com/sUBs/dds.scr

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt

Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt

Plus copy & paste the contents of the last MBAM scan log.

p.s. You should not make a reply to your own original help-post until after an authorized helper makes a reply.


Here are copies of the three items you mentioned. Please let me know if you think I need to do anything else.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by johnheiderscheit at 8:02:13 on 2012-08-12

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1157 [GMT -5:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Windows\runservice.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

C:\Windows\system32\TODDSrv.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Windows\system32\wbem\wmiprvse.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [igfxTray] "c:\windows\system32\igfxtray.exe"

mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"

mRun: [Persistence] "c:\windows\system32\igfxpers.exe"

mRun: [RtHDVCpl] "RtHDVCpl.exe"

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"

mRun: [synTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"

mRun: [NDSTray.exe] NDSTray.exe

mRun: [hpqSRMon]

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [csrfui] "c:\windows\system32\rundll32.exe" "c:\users\johnheiderscheit\appdata\roaming\csrfui.dll",List_AsTuple

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: intuit.com\ttlc

Trusted Zone: loweslink.com\enroll

Trusted Zone: loweslink.com\secure

Trusted Zone: loweslink.com\secure2

Trusted Zone: loweslink.com\tplogin

Trusted Zone: rhapsody.com\rhap-app-4-0

Trusted Zone: rhapsody.com\rhapreg

Trusted Zone: turbotax.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: DhcpNameServer = 97.64.183.164 97.64.209.37

TCP: Interfaces\{0441260C-897F-4DCB-82D7-345D0A7AF92A} : DhcpNameServer = 97.64.183.164 97.64.209.37

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-11 20384]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-9-8 2560]

R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-9-30 46392]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-30 7168]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-11 954368]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-8-12 26224]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]

S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-9-30 9216]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-08-12 10:58:41 26224 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-08-12 02:08:25 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-08-12 02:05:11 -------- d-----w- c:\programdata\6F638C2DEC3A3F601032747E2F3B707C

2012-08-12 02:05:01 473600 ----a-w- c:\users\johnheiderscheit\appdata\roaming\csrfui.dll

2012-08-11 13:13:02 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4d969f66-9f68-48be-ac45-7eacd5839bcb}\mpengine.dll

2012-08-10 13:12:42 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

.

==================== Find3M ====================

.

2012-08-12 12:58:14 1441 --sha-w- c:\windows\system32\mmf.sys

2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-21 19:58:16 60304 ----a-w- c:\users\johnheiderscheit\g2mdlhlpx.exe

2012-06-19 21:19:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-19 21:19:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll

.

============= FINISH: 8:02:53.88 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume2

Install Date: 1/11/2009 7:11:42 PM

System Uptime: 8/12/2012 7:57:39 AM (1 hours ago)

.

Motherboard: TOSHIBA | | Portable PC

Processor: Genuine Intel® CPU 585 @ 2.16GHz | CPU | 2161/667mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 140 GiB total, 83.881 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Photosmart C7200 series

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP

Name: Photosmart C7200 series

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Officejet Pro 8500 A909a

Device ID: ROOT\MULTIFUNCTION\0001

Manufacturer: HP

Name: Officejet Pro 8500 A909a

PNP Device ID: ROOT\MULTIFUNCTION\0001

Service:

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Photosmart C7200 series

Device ID: ROOT\MULTIFUNCTION\0002

Manufacturer: HP

Name: Photosmart C7200 series

PNP Device ID: ROOT\MULTIFUNCTION\0002

Service:

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Officejet J6400 series

Device ID: ROOT\MULTIFUNCTION\0003

Manufacturer: HP

Name: Officejet J6400 series

PNP Device ID: ROOT\MULTIFUNCTION\0003

Service:

.

==== System Restore Points ===================

.

RP1422: 8/11/2012 12:48:41 AM - Scheduled Checkpoint

RP1423: 8/11/2012 8:12:24 AM - Windows Update

RP1424: 8/12/2012 12:54:54 AM - Scheduled Checkpoint

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

32 Bit HP CIO Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.3)

Adobe Shockwave Player 11.6

Atheros Driver Installation Program

Atheros Wi-Fi Protected Setup Library

BufferChm

C4580

C4580_Help

Cards_Calendar_OrderGift_DoMorePlugout

CD/DVD Drive Acoustic Silencer

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

Destination Component

DeviceDiscovery

DeviceManagementQFolder

DocProc

DocProcQFolder

DVD MovieFactory for TOSHIBA

eSupportQFolder

Europa Universalis III

EzBacktest 1.5.3

Front Office Football 2007

Front Office Football 2007 Demo

GPBaseService

GPBaseService2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Imaging Device Functions 11.0

HP Photosmart C4500 All-In-One Driver Software 11.0 Rel .4

HP Photosmart Essential 2.5

HP Photosmart Essential 3.0

HP Smart Web Printing

HP Solution Center 13.0

HP Update

HPPhotoSmartPhotobookWebPack1

HPProductAssistant

In Nomine 3.2

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

Java Auto Updater

Java 6 Update 31

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2007

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft XML Parser

MSVCSetup

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 and SOAP Toolkit 3.0

Napster

Napster Burn Engine

Network

OCR Software by I.R.I.S. 11.0

OGA Notifier 2.0.0048.0

OptionsOracle

Out of the Park 8

PanoStandAlone

PS_AIO_04_C4580_ProductContext

PS_AIO_04_C4580_Software

PS_AIO_04_C4580_Software_Min

PSSWCORE

Realtek 8169 8168 8101E 8102E Ethernet Driver

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

Rhapsody

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Security Update for Windows Media Encoder (KB2447961)

Security Update for Windows Media Encoder (KB954156)

Security Update for Windows Media Encoder (KB979332)

SmartWebPrinting

SolutionCenter

Spelling Dictionaries Support For Adobe Reader 9

Star Trek -- Starfleet Academy

Status

StreetSmart Edge

SUPERAntiSpyware

swMSM

Synaptics Pointing Device Driver

Toolbox

TOSHIBA Assist

TOSHIBA ConfigFree

TOSHIBA Desktop Links

TOSHIBA Disc Creator

TOSHIBA DVD PLAYER

TOSHIBA Extended Tiles for Windows Mobility Center

TOSHIBA Hardware Setup

TOSHIBA Recovery Disc Creator

Toshiba Registration

TOSHIBA Service Station

TOSHIBA Software Modem

TOSHIBA Speech System Applications

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

TOSHIBA Supervisor Password

TrayApp

TurboTax 2009

TurboTax 2009 wiaiper

TurboTax 2009 wiliper

TurboTax 2009 WinPerFedFormset

TurboTax 2009 WinPerReleaseEngine

TurboTax 2009 WinPerTaxSupport

TurboTax 2009 wrapper

TurboTax 2010

TurboTax 2010 wiaiper

TurboTax 2010 WinPerFedFormset

TurboTax 2010 WinPerReleaseEngine

TurboTax 2010 WinPerTaxSupport

TurboTax 2010 wrapper

TurboTax ItsDeductible 2006

UnloadSupport

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition

VideoToolkit01

WebReg

WexTech AnswerWorks

Windows Live ID Sign-in Assistant

Windows Media Encoder 9 Series

.

==== Event Viewer Messages From Past Week ========

.

8/12/2012 8:01:46 AM, Error: Microsoft-Windows-WMPNSS-Service [14325] - Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80070424'. In Windows Media Player, turn off media sharing, and then turn it back on.

8/12/2012 7:59:41 AM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.

8/12/2012 7:59:40 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

8/12/2012 7:59:40 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

8/12/2012 7:59:40 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC jswpslwf MpFilter NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr tdx Wanarpv6

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

8/12/2012 6:59:07 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter SASDIFSV SASKUTIL spldr Wanarpv6

8/12/2012 6:58:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

8/12/2012 6:58:18 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

8/12/2012 6:58:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

8/12/2012 6:58:03 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21

8/12/2012 6:55:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1115" attempting to start the service hpqcxs08 with arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

8/12/2012 6:55:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service HPSLPSVC with arguments "" in order to run the server: {10DA4F3C-CC99-4190-BE4D-58330754E882}

8/12/2012 6:54:37 AM, Error: EventLog [6008] - The previous system shutdown at 6:52:47 AM on 8/12/2012 was unexpected.

8/12/2012 6:48:23 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

8/12/2012 6:48:23 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

8/12/2012 6:42:20 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10003] - WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\system32\athihvs.dll

8/12/2012 6:41:11 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

8/12/2012 6:41:11 AM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/12/2012 6:41:01 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.

8/12/2012 6:41:01 AM, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Volume Shadow Copy service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The TOSHIBA Optical Disc Drive Service service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The TOSHIBA Navi Support Service service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The TMachInfo service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The LicCtrl Service service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The ConfigFree Service service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 6:41:00 AM, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

8/12/2012 6:41:00 AM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

8/12/2012 6:38:24 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume SQ004890V03.

8/12/2012 6:11:54 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

8/12/2012 5:54:54 AM, Error: EventLog [6008] - The previous system shutdown at 5:53:21 AM on 8/12/2012 was unexpected.

8/12/2012 5:49:34 AM, Error: EventLog [6008] - The previous system shutdown at 5:47:38 AM on 8/12/2012 was unexpected.

8/12/2012 4:54:17 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.

8/12/2012 4:54:17 AM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/12/2012 4:54:16 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intuit Update Service service to connect.

8/12/2012 4:54:16 AM, Error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/12/2012 4:54:15 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.

8/12/2012 4:52:25 AM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

8/12/2012 3:07:29 AM, Error: EventLog [6008] - The previous system shutdown at 2:58:34 AM on 8/12/2012 was unexpected.

8/12/2012 1:55:09 AM, Error: Service Control Manager [7034] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 3 time(s).

8/12/2012 1:54:49 AM, Error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).

8/11/2012 9:33:05 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

8/11/2012 9:29:19 PM, Error: EventLog [6008] - The previous system shutdown at 9:27:28 PM on 8/11/2012 was unexpected.

8/11/2012 9:23:51 PM, Error: EventLog [6008] - The previous system shutdown at 9:21:51 PM on 8/11/2012 was unexpected.

8/11/2012 9:13:14 PM, Error: EventLog [6008] - The previous system shutdown at 9:10:57 PM on 8/11/2012 was unexpected.

8/11/2012 9:08:05 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: A required privilege is not held by the client.

8/11/2012 9:07:35 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

8/11/2012 9:04:34 PM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

8/11/2012 11:03:28 PM, Error: EventLog [6008] - The previous system shutdown at 9:40:33 PM on 8/11/2012 was unexpected.

.

==== End Of File ===========================

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.12.03

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

johnheiderscheit :: JOHNHEIDERSC-PC [administrator]

8/12/2012 7:38:09 AM

mbam-log-2012-08-12 (07-38-09).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 226043

Time elapsed: 9 minute(s), 6 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 2

C:\Windows\System32\getmxext.dll (Trojan.Steppa) -> Delete on reboot.

C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll (Trojan.Midhos) -> Delete on reboot.

Registry Keys Detected: 2

HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Registry Values Detected: 2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nhuti (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll",BindContext -> Quarantined and deleted successfully.

HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\johnheiderscheit\AppData\Local\{26b48154-0abb-b0d4-76a8-de7301767732}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 1

C:\Users\johnheiderscheit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Files Detected: 6

C:\Windows\System32\getmxext.dll (Trojan.Steppa) -> Delete on reboot.

C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll (Trojan.Midhos) -> Delete on reboot.

C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\n (RootKit.0Access) -> Quarantined and deleted successfully.

C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Users\johnheiderscheit\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

C:\Users\johnheiderscheit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

(end)
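As an added example (not part of this thread and not Malwarebytes' own tooling), a small Python parser that reads an MBAM 1.x text log like the one above and pulls out what the helper looks for: deletions still pending a reboot, tampered Security Center values, a header/entry count check for truncated logs, and rootkit/backdoor families that tip the decision toward a rebuild. The line format and the family list are assumptions inferred from the posted log; the sample input is an abridged copy of that log.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log (added example; the line
format and family list are assumptions inferred from the log posted above)."""
import re
from collections import defaultdict

# "Registry Keys Detected: 2" style section headers.
_SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<object> (<ThreatName>) -> [Data: ... ->] <action>." detection lines.
_ENTRY = re.compile(r"^(?P<object>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Families the helper treats as a backdoor/rootkit compromise (illustrative).
BACKDOOR_FAMILIES = ("zaccess", "0access")


def parse_mbam_log(text):
    """Return (detections, declared_counts): per-section entry dicts with keys
    object/threat/action/pending_reboot, and the counts MBAM printed."""
    detections, declared, current = defaultdict(list), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group("section")
            declared[current] = int(m.group("count"))
            detections[current]  # create the section even if it stays empty
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            # The action is always the last "->"-separated field.
            action = m.group("rest").rsplit("-> ", 1)[-1].rstrip(".")
            detections[current].append({
                "object": m.group("object"),
                "threat": m.group("threat"),
                "action": action,
                "pending_reboot": "reboot" in action.lower(),
            })
    return dict(detections), declared


def triage(detections, declared):
    """Summarise the log for the clean-vs-rebuild decision."""
    items = [d for entries in detections.values() for d in entries]
    families = {d["threat"] for d in items}
    backdoor = sorted(f for f in families
                      if any(k in f.lower() for k in BACKDOOR_FAMILIES))
    # PUM.Disabled.* hits name the Security Center value after the '|'.
    tampered = sorted(d["object"].rsplit("|", 1)[-1] for d in items
                      if d["threat"].startswith("PUM.Disabled"))
    # A header count that disagrees with the entries means a truncated log.
    mismatch = sorted(s for s, n in declared.items() if n != len(detections[s]))
    return {
        "total": len(items),
        "families": families,
        "backdoor_families": backdoor,
        "pending_reboot": [d["object"] for d in items if d["pending_reboot"]],
        "security_center_tampered": tampered,
        "count_mismatch": mismatch,
        "recommend_rebuild": bool(backdoor),
    }


# Constructed input: an abridged copy of the MBAM log posted above.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
Scan type: Quick scan
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 2
C:\Windows\System32\getmxext.dll (Trojan.Steppa) -> Delete on reboot.
C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll (Trojan.Midhos) -> Delete on reboot.
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nhuti (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll",BindContext -> Quarantined and deleted successfully.
Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Files Detected: 2
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\n (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
"""

if __name__ == "__main__":
    for key, value in triage(*parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A non-empty `count_mismatch` is the signal that a pasted log was cut off or edited, which is worth checking before drawing conclusions from it.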


Your system is infected with ZeroAccess, a backdoor Trojan.

Your best and safest option is to wipe/reformat and install Windows & your applications from scratch.

If you have a full backup (mirror-image backup) on offline media (CD/DVD/external drive) from before the infection, you can use that to restore the system.

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com/article2/0,1895,1945808,00.asp

Let me know of your decision.


Okay, thanks for the info. I guess I will use this computer for offline stuff going forward. (As you probably can tell from the fact that I am running Vista, it's pretty old.) I have changed all my passwords using a "clean" computer.

If you would help me making sure the previously infected computer is "clean" that would be great. Right now it seems to be running okay.


You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Johnheiders only. If you are a casual viewer, do NOT try this on your system!

If you are not, and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Administrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power) or a UPS system.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer; this should resolve the problem. You may have to reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh!

Reply & attach the C:\Combofix.txt log and tell me, how is the system now?

Re-enable your antivirus program.


Okay ran combofix, which seemed to do fine. I got the "illegal operation attempted . . ." message and rebooted per your instructions.

Prior to rebooting, combofix created a text file of the results.

Now that I have rebooted, the computer is running normally, but I have searched high and low and I cannot find the combofix.txt file. Any suggestions on where it could be? I looked at c:\combofix.txt and also used the file search feature of Vista with no luck.

Thanks for your help.


I attached the text files.

ComboFix 12-08-10.02 - johnheiderscheit 08/12/2012 11:09:12.2.1 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1165 [GMT -5:00]

Running from: c:\users\johnheiderscheit\Downloads\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\34594552

c:\users\johnheiderscheit\AppData\Roaming\csrfui.dll

c:\users\johnheiderscheit\Documents\~WRL0003.tmp

c:\users\johnheiderscheit\g2mdlhlpx.exe

c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\@

c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\00000001.@

c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\80000000.@

c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\800000cb.@

c:\windows\system32\pt

c:\windows\system32\pt\toscdspd.cpl.mui

.

Infected copy of c:\windows\system32\services.exe was found and disinfected

Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy1_!Windows!System32!services.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))))))))))))))))))))))

.

.

2012-08-12 16:26 . 2012-08-12 16:31 -------- d-----w- c:\users\johnheiderscheit\AppData\Local\temp

2012-08-12 16:26 . 2012-08-12 16:26 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-08-12 16:26 . 2012-08-12 16:26 -------- d-----w- c:\users\Guest\AppData\Local\temp

2012-08-12 16:26 . 2012-08-12 16:26 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-12 15:52 . 2012-08-12 15:53 -------- d-----w- c:\program files\ERUNT

2012-08-12 10:58 . 2012-08-12 10:58 26224 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-08-12 02:08 . 2012-08-12 02:08 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-08-12 02:05 . 2012-08-12 12:21 -------- d-----w- c:\programdata\6F638C2DEC3A3F601032747E2F3B707C

2012-08-11 13:13 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D969F66-9F68-48BE-AC45-7EACD5839BCB}\mpengine.dll

2012-08-10 13:12 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-03 18:46 . 2011-06-13 21:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-19 21:19 . 2012-05-15 01:21 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-19 21:19 . 2011-06-02 13:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-13 13:40 . 2012-07-13 10:52 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-06-05 16:47 . 2012-07-13 00:02 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 16:47 . 2012-07-13 00:02 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 15:26 . 2012-07-13 00:02 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 22:19 . 2012-06-22 13:27 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-22 13:27 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-22 13:27 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-22 13:27 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-22 13:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-22 13:27 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-22 13:27 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 20:19 . 2012-06-22 13:26 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 20:12 . 2012-06-22 13:26 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33 . 2012-07-13 10:39 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25 . 2012-07-13 10:39 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25 . 2012-07-13 10:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20 . 2012-07-13 10:39 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16 . 2012-07-13 10:40 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 00:04 . 2012-07-13 00:02 278528 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 00:03 . 2012-07-13 00:02 204288 ----a-w- c:\windows\system32\ncrypt.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]

"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]

"NDSTray.exe"="NDSTray.exe" [bU]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]

.

c:\users\johnheiderscheit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]

2010-01-19 17:48 323280 ----a-w- c:\program files\Napster\napster.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2010-07-19 17:50 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

Trusted Zone: loweslink.com\enroll

Trusted Zone: loweslink.com\secure

Trusted Zone: loweslink.com\secure2

Trusted Zone: loweslink.com\tplogin

Trusted Zone: rhapsody.com\rhap-app-4-0

Trusted Zone: rhapsody.com\rhapreg

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 97.64.183.164 97.64.209.37

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-hpqSRMon - (no file)

HKLM-Run-csrfui - c:\users\johnheiderscheit\AppData\Roaming\csrfui.dll

SafeBoot-MsMpSvc

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-12 11:32

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1517136145-1328366619-2469452859-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:f7,71,1a,f6,20,73,ea,a5,37,c3,46,fc,85,ad,ce,15,24,ad,8d,15,a3,07,8b,

d5,39,d3,5f,cf,f4,0c,33,b6,6d,e7,4d,86,cd,1c,95,fd,7d,e0,99,64,31,20,14,45,\

"??"=hex:b2,f5,80,ec,4b,7b,dc,0a,6d,4b,4f,90,bd,8e,3f,45

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLANExt.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\runservice.exe

c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\RtHDVCpl.exe

c:\program files\Toshiba\ConfigFree\NDSTray.exe

c:\windows\System32\rundll32.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

.

**************************************************************************

.

Completion time: 2012-08-12 11:37:55 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-12 16:37

.

Pre-Run: 89,452,507,136 bytes free

Post-Run: 89,793,986,560 bytes free

.

- - End Of File - - C79804F91FC93150DB78537082FF2EC1

2012-08-12 16:36:36 . 2012-08-12 16:36:36 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-MsMpSvc.reg.dat

2012-08-12 16:36:21 . 2012-08-12 16:36:21 207 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-csrfui.reg.dat

2012-08-12 16:36:21 . 2012-08-12 16:36:21 95 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-hpqSRMon.reg.dat

2012-08-12 16:20:58 . 2012-08-12 16:20:58 4,707 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2012-08-12 16:04:29 . 2012-08-12 16:09:12 62 ----a-w- C:\Qoobox\Quarantine\catchme.log

2012-08-12 15:52:27 . 2012-08-12 15:52:27 20,480 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\800000cb.@.vir

2012-08-12 02:05:02 . 2012-08-12 02:05:02 13,312 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\80000000.@.vir

2012-08-12 02:05:01 . 2012-08-12 02:05:02 473,600 ----a-w- C:\Qoobox\Quarantine\C\Users\johnheiderscheit\AppData\Roaming\csrfui.dll.vir

2012-08-12 02:04:47 . 2012-08-12 02:04:47 1,712 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\00000001.@.vir

2012-06-21 19:58:14 . 2012-06-21 19:58:16 60,304 ----a-w- C:\Qoobox\Quarantine\C\Users\johnheiderscheit\g2mdlhlpx.exe.vir

2012-01-11 13:50:20 . 2011-11-18 20:23:34 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\@.vir

2011-05-19 16:17:31 . 2011-05-19 16:17:31 336 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\34594552.vir

2010-04-29 14:20:48 . 2010-05-20 17:54:34 14,611 ----a-w- C:\Qoobox\Quarantine\C\Users\johnheiderscheit\Documents\~WRL0003.tmp.vir

2009-09-17 13:36:57 . 2009-04-11 06:27:59 279,552 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir

2008-09-30 19:01:47 . 2008-04-02 19:59:52 3,584 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pt\toscdspd.cpl.mui.vir


If you did not purchase S*perantispyware, then Uninstall it.

Next, Turn off (disable) your antivirus program so that it does not interfere.

MBAM update & new Full scan

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When done, Copy and Paste the MBAM scan log into a reply.

Stinger

Download and Save McAfee Stinger to your Desktop

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Close all browsers before starting. Disable your antivirus program and anti-malware, if any.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

On Windows 7 & Vista systems, Right Click stinger-icon.gif and select Run as Administrator.

On XP, double-click to start it.

The GUI interface will look like this

stinger2.png

The C drive is the default for scanning.

Press the Preferences button. In the top right-block "On virus detection", click Rename

In the bottom block "Heuristic network check for suspicious files" select High

Click the Scan Now button.

When done, use the File menu and select Save report to file

Stinger.txt is the log report and will be saved to your Desktop. I will need a copy of that log.

Re-enable your anti-virus program.

Stinger is a standalone utility used to detect and remove specific malware. It is not a full scan for all types of malware or viruses.

It is not intended as virus protection.

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Results of screen317's Security Check version 0.99.43

Windows Vista Service Pack 2 x86 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

(On Access scanning disabled!)

Error obtaining update status for antivirus!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.62.0.1300

Java 6 Update 31

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Adobe Reader X (10.1.3)

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials msseces.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1 %

````````````````````End of Log``````````````````````

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.12.05

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

johnheiderscheit :: JOHNHEIDERSC-PC [administrator]

8/12/2012 4:05:25 PM

mbam-log-2012-08-12 (16-05-25).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 477132

Time elapsed: 2 hour(s), 28 minute(s), 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

McAfee® Labs Stinger Version 10.2.0.735 built on Aug 10 2012

Copyright © 2012 McAfee, Inc. All Rights Reserved.

Virus data file v1000.0000 created on Aug 10 2012.

Ready to scan for 4827 viruses, trojans and variants.

Scan initiated on Sun Aug 12 19:13:31 2012

Rootkit scan result : Clean

No files scanned

Scan initiated on Sun Aug 12 19:15:48 2012

Rootkit scan result : Clean

Master Boot Record(s):....1

Possibly Infected:.............0

Boot Sector(s):.................1

Possibly Infected: ............0

Number of clean files: 19583


The MBAM & Stinger results are good. But we are not at all done. There's a bunch more to do.

You forgot to do SecurityCheck tool & report.

Step 1

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2

Download Dr.Web CureIt to the desktop.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.

Step 3

Using IE (only!), go to http://support.microsoft.com/kb/923737

[ignore any DOES NOT APPLY warning as well as the APPLIES TO section],

run the Fix It and then reboot.

Tip: For optimal results, enable the Delete personal settings option.

Step 4

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.

If using XP, double-click to start.

Answer Yes or OK when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.

Post those logs for review. And do not go away. There is yet more to follow.

Edited by Maurice Naggar
added IE reset and FSS report
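Added example, not part of the thread and not Farbar's own code: a PowerShell script that performs the same kind of check FSS reports on for the six categories listed in Step 4. For each service it confirms the registry key under HKLM\SYSTEM\CurrentControlSet\Services still exists (ZeroAccess-class infections delete service keys outright, which is what stops Windows Firewall, Security Center and Defender from starting), reads the state and start type from WMI, and resolves ImagePath to check that the binary is still on disk. Which service names belong to each FSS category is an assumption made here; the cmdlets used are all present in PowerShell 2.0, the optional install available on Vista.

```powershell
# Added example for this thread; not Farbar's Service Scanner and not code posted by
# anyone in the topic. Run it from an elevated PowerShell, as the FSS instructions say.
# ASSUMPTION: which services belong to each FSS category is the editor's guess.

$groups = @{
    'Internet Services' = @('Dhcp', 'Dnscache', 'nsi', 'afd', 'tdx')
    'Windows Firewall'  = @('MpsSvc', 'BFE')
    'System Restore'    = @('VSS', 'swprv')
    'Security Center'   = @('wscsvc')
    'Windows Update'    = @('wuauserv', 'BITS', 'EventSystem')
    'Windows Defender'  = @('WinDefend')
}

# Turn a raw ImagePath value into an absolute file path. Values come in several shapes:
# quoted or unquoted, with arguments (svchost.exe -k netsvcs), with %SystemRoot%,
# with the NT "\??\C:\..." prefix, as "\SystemRoot\..." or relative to %SystemRoot%.
function Resolve-ImagePath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = $Raw.Trim()
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1).Split('"')[0]            # quoted path: keep text inside the quotes
    } elseif ($p -match '^(.*?\.(exe|sys))(\s|$)') {
        $p = $matches[1]                              # unquoted: cut at the first .exe/.sys
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''                  # strip the NT object-manager prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Inspect one service: registry key present, SCM state and start type, binary on disk.
function Test-ServiceHealth {
    param([string]$Name, [string]$Group)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r = New-Object PSObject -Property @{
        Group = $Group; Service = $Name; State = ''; StartMode = ''; Binary = ''; Problem = ''
    }
    $problems = @()
    if (-not (Test-Path $key)) {
        # Missing key is the FSS "service is not present" finding.
        $r.Problem = 'registry key missing'
        return $r
    }
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"            # user-mode services
    if (-not $svc) {
        $svc = Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'"   # kernel drivers (afd, tdx)
    }
    if ($svc) {
        $r.State = $svc.State
        $r.StartMode = $svc.StartMode
        if ($svc.StartMode -eq 'Disabled') { $problems += 'start type is Disabled' }
    } else {
        $problems += 'not registered with the service control manager'
    }
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    $r.Binary = Resolve-ImagePath $raw
    if ($r.Binary -and -not (Test-Path $r.Binary)) { $problems += "binary missing: $($r.Binary)" }
    $r.Problem = $problems -join '; '
    return $r
}

$report = foreach ($g in $groups.Keys) {
    foreach ($s in $groups[$g]) { Test-ServiceHealth -Name $s -Group $g }
}
$report | Sort-Object Group, Service | Format-Table Group, Service, State, StartMode, Problem -AutoSize
$report | Where-Object { $_.Problem } | ForEach-Object {
    Write-Warning ("{0}: {1} - {2}" -f $_.Group, $_.Service, $_.Problem)
}
```

A clean machine prints no warnings; a service whose key was deleted, whose start type was flipped to Disabled, or whose binary was removed shows up as a warning line, which is the same information an FSS.txt log would lead the helper to. Checking the binary path matters because a key that still exists can point at a file the infection replaced or deleted.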

thanks so much for your help!

I am in hour five of a "quick scan" on cureit. Looks like it could be 15-20 hrs to complete. Based on that I doubt it is worth doing a full scan in the sense that this computer is old and the HD isn't the greatest. I also worry about the fun if I run the computer for days on end without shutting down.

I will check back in tomorrow and see if the so-called "quick scan" completed.


Let the scan finish. I would find it hard to believe it would be anywhere near 15 hours. No, do not do a full scan.

Post the log result when it finishes.

As to shutting down, you should logoff when the pc is all done for the day.

Edited by Maurice Naggar
