
Trojan vundo + windows update fails



Hi Maurice

I have the same problem as alazuria. I have run the Farbar service scanner and I have pasted my results below. Could you assist me please?

Thanks in advance

Chris

Farbar Service Scanner Version: 06-08-2012

Ran by Chris (administrator) on 17-08-2012 at 18:58:38

Running from "C:\Users\Chris\Downloads"

Microsoft® Windows Vista™ Business Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

mpsdrv Service is not running. Checking service configuration:

The start type of mpsdrv service is OK.

The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:

============

BITS Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.

Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.

Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

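The FSS report above is worth reading as data rather than by eye: every "ATTENTION!" line names a security service (MpsSvc, wscsvc, BITS, WinDefend, SharedAccess) whose registry key or values are gone, and the policy section shows Defender switched off by DisableAntiSpyware=1. The following Python parser, an added example that is not part of the thread or of the Farbar tool, pulls those findings out of an FSS log so they can be triaged or compared across machines; the embedded sample is a constructed excerpt reproducing lines from the post, plus one made-up File Check line.

```python
"""Triage a Farbar Service Scanner (FSS) log: missing service keys,
disabling policies and file-check verdicts other than "MD5 is legit"."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of an FSS log. The service and policy lines reproduce
# the post above; the last File Check line is made up, because the post shows
# no failing hash line and the exact FSS wording for a mismatch is unknown here.
SAMPLE_LOG = r"""Farbar Service Scanner Version: 06-08-2012
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
File Check:
========
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\constructed.dll => constructed placeholder: MD5 mismatch
**** End of log ****
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):$")                 # "Windows Firewall:"
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
ATTENTION_RE = re.compile(
    r"^Checking (Start type|ImagePath|ServiceDll)(?: of (\S+))?: ATTENTION!=+> (.*)$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
FILE_CHECK_RE = re.compile(r"^(.+?) => (.+)$")


@dataclass
class FssFindings:
    not_running: list = field(default_factory=list)    # services FSS found stopped
    problems: dict = field(default_factory=dict)       # service -> {check: message}
    policies: list = field(default_factory=list)       # (registry key, value name, data)
    suspect_files: list = field(default_factory=list)  # (path, verdict) not "MD5 is legit"


def parse_fss_log(text):
    """Walk the log line by line, tracking the current section and service."""
    f = FssFindings()
    section = service = reg_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="} or line.startswith("****"):
            continue                                   # blank, underline or trailer
        m = SECTION_RE.match(line)
        if m:
            section, service, reg_key = m.group(1), None, None
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:                                          # "Checking ..." lines follow
            service = m.group(1)
            f.not_running.append(service)
            continue
        m = ATTENTION_RE.match(line)
        if m:                                          # "Other Services" names the service inline
            check, named, msg = m.groups()
            f.problems.setdefault(named or service or "?", {})[check] = msg
            continue
        m = REG_KEY_RE.match(line)
        if m:
            reg_key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and reg_key:                              # policy value under the key above
            f.policies.append((reg_key, m.group(1), int(m.group(2))))
            continue
        if section == "File Check":
            m = FILE_CHECK_RE.match(line)
            if m and m.group(2) != "MD5 is legit":
                f.suspect_files.append((m.group(1), m.group(2)))
    return f


def summarize(f):
    """One human-readable line per finding, in the order a responder reads them."""
    out = []
    for svc, checks in f.problems.items():
        out.append("%s: %s" % (svc, "; ".join("%s -> %s" % kv for kv in checks.items())))
    for key, name, data in f.policies:
        out.append("policy %s\\%s = %d" % (key, name, data))
    for path, verdict in f.suspect_files:
        out.append("file %s: %s" % (path, verdict))
    return out


if __name__ == "__main__":
    for entry in summarize(parse_fss_log(SAMPLE_LOG)):
        print(entry)
```

A service that is merely stopped (mpsdrv here) ends up only in `not_running`; a service whose key is gone appears in `problems`, which is the distinction that separates "turned off" from "tampered with" in this log.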

Hello Chris.

Have you done a Quick scan with MBAM? If not, do so, and copy/paste the scan log.

Have you done a scan with your antivirus? If not, do so.

Also, download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds

or http://download.bleepingcomputer.com/sUBs/dds.scr

or http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

When done, DDS will open two (2) logs:

  • DDS.txt
  • Attach.txt

Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt


Hi Maurice

I have done several scans recently with anti-virus including a boot scan. I also downloaded MBAM last night and completed the first scan, log pasted below:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.17.07

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Chris :: CHRIS-PC [administrator]

17/08/2012 19:40:25

mbam-log-2012-08-17 (19-40-25).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 447797

Time elapsed: 1 hour(s), 21 minute(s), 45 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 14

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4D1EC4CA-4B92-4324-B8F8-C9A6ED06A8AE} (Adware.Hotbar) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4E674574-3F0B-491d-8AE3-F90B43A34FD6} (Adware.Hotbar) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 2

HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Chris\AppData\Local\{7e3f675c-ac3e-3854-93e0-1e1c76a89cf2}\n. -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Mozilla\Firefox\extensions|HBLite@HBLite.com (Adware.HotBar) -> Data: C:\Program Files\HBLite\bin\11.0.181.0\firefox\extensions -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 3

C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.

C:\Users\Sarah\AppData\Roaming\HBLite (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\ProgramData\HBLiteSA (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Detected: 5

C:\ProgramData\HBLiteSA\HBLiteSA.dat (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\ProgramData\HBLiteSA\HBLiteSAAbout.mht (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\ProgramData\HBLiteSA\HBLiteSAau.dat (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\ProgramData\HBLiteSA\HBLiteSAEULA.mht (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\ProgramData\HBLiteSA\HBLiteSA_kyf.dat (Adware.Hotbar) -> Quarantined and deleted successfully.

(end)

Here is the DDS.txt entry

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29

Run by Chris at 7:35:38 on 2012-08-18

Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.1263 [GMT 1:00]

.

AV: Lavasoft Ad-Aware *Enabled/Outdated* {445B48C3-0FA4-6B16-8F07-6506F305D800}

SP: Lavasoft Ad-Aware *Enabled/Outdated* {FF3AA927-299E-6498-B5B7-5E74888292BD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\System32\ico.exe

C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Windows\System32\Pmxmiced.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\System32\mobsync.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [PopUpStopperFreeEdition] "c:\program files\panicware\pop-up stopper free edition\PSFree.exe"

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [PMX Daemon] ICO.EXE

mRun: [<NO NAME>]

mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"

mRun: [sBRegRebootCleaner] "c:\program files\ad-aware antivirus\SBRC.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\camera~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{4DEAB261-BD51-4106-9AE0-7BBF20F090AA} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{FFC5CEE9-AF1C-4A49-90A8-3AD1CC9937D8} : DhcpNameServer = 192.168.0.1

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\hzrtk7gr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.quidco.com/

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HBLiteSA.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll

.

============= SERVICES / DRIVERS ===============

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-8-15 721000]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-8-15 353688]

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-4 390528]

R1 RapportCerberus_42020;RapportCerberus_42020;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-10 228376]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-8-15 21256]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-8-15 57656]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-8-15 44808]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]

R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2008-9-4 27648]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-18 40776]

R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-9-4 18432]

R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-9-4 19008]

R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-6-5 21520]

RUnknown SbFw;SbFw; [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 250056]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-2-16 80824]

S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

SUnknown SBFWIMCLMP;SBFWIMCLMP; [x]

SUnknown sbhips;sbhips; [x]

.

=============== Created Last 30 ================

.

2012-08-18 06:34:07 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-08-17 18:38:44 -------- d-----w- c:\users\chris\appdata\roaming\Malwarebytes

2012-08-17 18:38:30 -------- d-----w- c:\programdata\Malwarebytes

2012-08-17 18:38:29 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-17 18:38:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-17 18:37:03 -------- d-----w- c:\programdata\GFI Software

2012-08-17 18:37:01 0 ----a-w- c:\users\chris\appdata\roaming\adaware-installer-reboot-required.tmp

2012-08-17 18:03:33 -------- d-----w- c:\users\chris\appdata\local\{BFA6B914-8A10-44AB-95A0-E00182D7CEFA}

2012-08-17 18:03:12 -------- d-----w- c:\users\chris\appdata\local\{7B0AC7FB-3037-4741-9B7D-882A0AF6C5FF}

2012-08-17 17:04:40 -------- d-----w- c:\users\chris\appdata\local\{64DEB3FD-B4E1-4AF9-B8E6-F305B56C0EFC}

2012-08-16 19:49:11 -------- d-----w- c:\users\chris\appdata\local\{B80D618D-CB42-4E9C-BC75-6446CDC49C86}

2012-08-16 19:48:40 -------- d-----w- c:\users\chris\appdata\local\{C8774CA7-17D9-4FB3-8171-16C362A9AF17}

2012-08-15 20:02:57 -------- d-----w- c:\users\chris\appdata\local\ElevatedDiagnostics

2012-08-15 18:16:37 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-08-15 18:16:36 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-08-15 18:16:04 41224 ----a-w- c:\windows\avastSS.scr

2012-08-15 18:15:13 -------- d-----w- c:\programdata\AVAST Software

2012-08-15 18:15:13 -------- d-----w- c:\program files\AVAST Software

2012-08-15 18:04:39 -------- d-----w- c:\users\chris\appdata\local\{4CDAB404-4576-48B5-B763-B69E239882A8}

2012-08-15 18:04:08 -------- d-----w- c:\users\chris\appdata\local\{A094F955-4D0F-41A1-907B-B0B542F4EA8F}

2012-08-14 16:41:01 -------- d-----w- c:\users\chris\appdata\local\{A578FDCF-573A-41A8-9458-C376369FBC08}

2012-08-14 16:40:40 -------- d-----w- c:\users\chris\appdata\local\{790EB9FB-2A5B-41E3-9501-F1D50A687F5A}

2012-08-14 14:07:37 -------- d-----w- c:\programdata\wuesqqetieloigk

2012-08-08 16:05:27 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-08-08 15:26:26 -------- d-----w- c:\users\chris\appdata\local\{7CEF977A-2263-488E-AB18-8314EDAED664}

2012-08-04 19:35:41 -------- d-----w- c:\users\chris\appdata\local\{295FE528-3EC1-4068-92B8-7351A52798D7}

2012-08-04 19:35:30 -------- d-----w- c:\users\chris\appdata\local\{2E34AFD2-F920-4549-A22F-CD344B67C684}

2012-08-04 19:35:15 -------- d-----w- c:\users\chris\appdata\local\{4B3A1173-A7AD-4E94-BB75-9A982B9F76FD}

2012-08-04 19:34:59 -------- d-----w- c:\users\chris\appdata\local\{F3B53CBF-DFA5-460A-A43D-A28A8CBF4479}

2012-08-01 13:14:18 -------- d-----w- c:\users\chris\appdata\local\{34F997CF-0B16-450F-BA21-2E08DEC0586F}

2012-08-01 13:14:01 -------- d-----w- c:\users\chris\appdata\local\{A77C9176-DF88-4DFB-825B-D163E8D839B4}

2012-07-31 12:22:47 -------- d-----w- c:\users\chris\appdata\local\{64173501-2943-43D6-9B08-5EAD3FB6FC89}

2012-07-31 12:22:34 -------- d-----w- c:\users\chris\appdata\local\{D421B6EA-5AD6-40B0-A32B-1E964C5533B3}

2012-07-29 19:52:38 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2012-07-29 14:07:33 -------- d-----w- c:\users\chris\appdata\local\{0469512F-3505-4D52-AC7E-B6CE0418CAA4}

2012-07-29 14:07:20 -------- d-----w- c:\users\chris\appdata\local\{38411B84-08DB-4227-852A-28094C0B3AB6}

2012-07-29 13:57:05 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f278138b-34a5-434f-a22b-412bbe032b20}\mpengine.dll

2012-07-29 13:36:12 -------- d-----w- c:\users\chris\appdata\local\adaware

2012-07-29 13:34:43 -------- d-----w- c:\users\chris\appdata\local\{7D90ADCD-3A51-4940-9DA8-0E84700787C7}

2012-07-29 13:34:31 -------- d-----w- c:\users\chris\appdata\local\{E4F200BE-F64A-4084-9243-4F3ABBA682C6}

2012-07-29 10:54:35 -------- d-----w- c:\users\chris\appdata\local\{5662E123-DDF2-4320-BA66-7DEBCE66F236}

2012-07-28 10:15:47 -------- d-----w- c:\users\chris\appdata\local\{68489B4A-7F66-4765-967F-6087CCF7683A}

2012-07-28 10:15:32 -------- d-----w- c:\users\chris\appdata\local\{448B5667-92FA-4B2F-80B7-49719A92C083}

2012-07-28 10:11:40 -------- d-----w- c:\users\chris\appdata\local\{EEAF33B6-4F77-4581-9A46-85EF6213EF0F}

2012-07-28 10:03:47 -------- d-----w- c:\users\chris\appdata\local\{5A337DAC-DE78-4C46-AC18-AEB3032FD006}

2012-07-28 10:03:10 -------- d-----w- c:\users\chris\appdata\local\{A4AF4E09-DF11-48FC-8BA0-42FC49921F00}

2012-07-26 18:42:03 -------- d-----w- c:\users\chris\appdata\local\{EC05E461-797D-482F-95FE-530ECFAA9137}

2012-07-26 18:41:42 -------- d-----w- c:\users\chris\appdata\local\{1B61EF18-02DE-47DE-A414-9B9D4B071F9A}

2012-07-19 17:08:40 -------- d-----w- c:\users\chris\appdata\local\{F9E25D80-2294-4537-8D3A-B763BD3A4E3F}

2012-07-19 17:08:29 -------- d-----w- c:\users\chris\appdata\local\{9B038002-ED21-484A-9DF9-C99F4377A308}

.

==================== Find3M ====================

.

2012-08-15 19:10:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-15 19:10:11 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-25 15:04:24 1394248 ----a-w- c:\windows\system32\msxml4.dll

2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 14:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 14:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll

2012-05-31 11:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe

2009-03-28 12:44:38 200846 ----a-w- c:\program files\RuntimeSetup.exe

.

============= FINISH: 7:36:42.26 ===============

And here is the Attach.txt entry

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Business

Boot Device: \Device\HarddiskVolume3

Install Date: 04/09/2008 21:24:55

System Uptime: 17/08/2012 18:00:00 (13 hours ago)

.

Motherboard: Dell Inc. | | 0J584C

Processor: Intel® Core2 Quad CPU Q9450 @ 2.66GHz | Socket 775 | 2664/333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 288 GiB total, 180.113 GiB free.

D: is FIXED (NTFS) - 298 GiB total, 297.618 GiB free.

E: is FIXED (NTFS) - 10 GiB total, 6.223 GiB free.

F: is CDROM ()

H: is Removable

I: is Removable

J: is Removable

K: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1177: 15/07/2012 17:38:25 - Scheduled Checkpoint

RP1179: 16/07/2012 19:54:19 - Installed Rapport

RP1180: 18/07/2012 - Scheduled Checkpoint

RP1181: 19/07/2012 19:44:10 - Scheduled Checkpoint

RP1182: 21/07/2012 - Scheduled Checkpoint

RP1183: 22/07/2012 - Scheduled Checkpoint

RP1184: 27/07/2012 04:28:19 - Scheduled Checkpoint

RP1185: 28/07/2012 - Scheduled Checkpoint

RP1186: 28/07/2012 21:45:41 - Scheduled Checkpoint

RP1187: 29/07/2012 14:55:55 - Windows Update

RP1188: 31/07/2012 14:40:15 - Scheduled Checkpoint

RP1189: 04/08/2012 17:39:24 - Scheduled Checkpoint

RP1191: 10/08/2012 08:50:06 - Installed Rapport

RP1192: 11/08/2012 - Scheduled Checkpoint

RP1193: 12/08/2012 - Scheduled Checkpoint

RP1194: 15/08/2012 19:14:47 - avast! Free Antivirus Setup

RP1195: 16/08/2012 20:27:23 - Scheduled Checkpoint

RP1196: 17/08/2012 19:35:28 - Removed Ad-Aware Antivirus.

.

==== Installed Programs ======================

.

Ad-Aware Browsing Protection

Ad-Aware Security Toolbar

Adobe AIR

Adobe Digital Editions

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8.3.1

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AutoUpdate

avast! Free Antivirus

Bonjour

Browser Address Error Redirector

calibre

Canon iP1600

Compatibility Pack for the 2007 Office system

D3DX10

Dell Getting Started Guide

Dell Support Center (Support Software)

Digital Photo Navigator 1.5

DivX Codec

DivX Converter

DivX Player

DivX Web Player

EDocs

Everio MediaBrowser

Football Manager 2011

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Deskjet 1050 J410 series Basic Device Software

HP Deskjet 1050 J410 series Help

HP Deskjet 1050 J410 series Product Improvement Study

HP Update

HTC BMP USB Driver

HTC Driver Installer

HTC Sync

iTunes

Java Auto Updater

Java 6 Update 29

Java 6 Update 5

Java 6 Update 7

Junk Mail filter update

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Office Word Viewer 2003

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Mouse Suite for Desktop Computers

Mozilla Firefox 8.0.1 (x86 en-GB)

MSVCRT

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB2721691)

MSXML 4.0 SP3 Parser (KB973685)

NEF Codec

Nikon Message Center 2

Nikon Movie Editor

NVIDIA Display Control Panel

NVIDIA Drivers

OGA Notifier 2.0.0048.0

OpenOffice.org 3.2

Picture Control Utility

Pop-Up Stopper Free Edition

PowerDVD

PRS-500 USB driver

PVSonyDll

QuickTime

Rapport

Reader Library by Sony

RealPlayer

Realtek Ethernet Network Card Diagnostic tool for Windows Vista

Realtek High Definition Audio Driver

Roxio Activation Module

Roxio Creator Audio

Roxio Creator BDAV Plugin

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Express Labeler 3

Roxio Update Manager

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Segoe UI

Sonic CinePlayer Decoder Pack

Steam

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

ViewNX 2

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Photo Common

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

WinRAR archiver

.

==== Event Viewer Messages From Past Week ========

.

17/08/2012 18:49:22, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user Chris-PC\Chris SID (S-1-5-21-2280280257-780584134-1401825308-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

17/08/2012 18:02:02, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd

17/08/2012 18:02:02, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

17/08/2012 18:01:14, Error: EventLog [6008] - The previous system shutdown at 20:56:35 on 16/08/2012 was unexpected.

16/08/2012 20:04:50, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0022151C2BEC. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

14/08/2012 18:38:51, Error: EventLog [6008] - The previous system shutdown at 17:49:19 on 14/08/2012 was unexpected.

14/08/2012 17:35:31, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

14/08/2012 17:35:30, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

14/08/2012 17:35:30, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

14/08/2012 17:35:20, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC Lbd NetBIOS netbt nsiproxy PSched RapportKELL RasAcd rdbss SbFw Smb spldr tdx Wanarpv6

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

14/08/2012 17:35:20, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

14/08/2012 17:34:53, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

14/08/2012 17:34:53, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

14/08/2012 17:34:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

14/08/2012 17:34:42, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

14/08/2012 15:06:42, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

14/08/2012 15:06:41, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.

.

==== End Of File ===========================

Thanks again for your help

Chris


Chris,

I have moved your posts to the malware-removal forum. Your system has had a trojan infection.

Your system was not able to do Windows Updates because of the effects of the malware. Often, malware, as part of its devious damage, will disable Windows Update services to prevent possible detection.

Backdoor trojan warning: ZeroAccess / Sirefef

This system had some serious backdoor trojans: ZeroAccess / Sirefef & Vundo.

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Let me know what you decide.

If you do wish to proceed with removal, then do the following.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Administrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

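A scripted version of the service check that Farbar Service Scanner performed at the top of this thread, added here as an example; it is not part of Maurice's or Chris's posts and not one of the tools they mention. It reads the same registry keys the scanner reports on and flags keys that are missing (the scanner's "The service key does not exist" lines), services forced to Disabled, and service binaries that do not live under the Windows directory. The list of services (wuauserv, BITS, MpsSvc, mpsdrv, wscsvc, EventSystem, WinDefend), the start-type table and the path heuristic are my own assumptions; it is written for PowerShell 2.0 and later and must be run from an elevated prompt on the affected machine.

```powershell
# Added example, not from the original thread: audit the service registry keys
# that Farbar Service Scanner reports on. The service list and the path
# heuristic are my own assumptions. Run from an elevated PowerShell prompt.

$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Services behind Windows Update, Windows Firewall and Security Center. Malware
# that deletes or disables these keys breaks updates and silences the security UI.
$Services = 'wuauserv', 'BITS', 'MpsSvc', 'mpsdrv', 'wscsvc', 'EventSystem', 'WinDefend'

function Test-ServiceKey {
    param([Parameter(Mandatory=$true)][string]$Name)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    # Select-Object on an empty object creates the properties in this order (works on PS 2.0).
    $result  = New-Object PSObject | Select-Object Service, KeyExists, Start, ImagePath, ServiceDll, Status
    $result.Service   = $Name
    $result.KeyExists = $false
    $result.Status    = 'MISSING KEY'   # what FSS prints as "The service key does not exist"

    if (-not (Test-Path -LiteralPath $keyPath)) { return $result }

    $key = Get-ItemProperty -LiteralPath $keyPath
    $result.KeyExists = $true
    $result.Start     = if ($null -ne $key.Start) { $StartTypes[[int]$key.Start] } else { 'n/a' }
    $result.ImagePath = $key.ImagePath

    # svchost-hosted services keep their real code in Parameters\ServiceDll.
    $paramsPath = Join-Path $keyPath 'Parameters'
    if (Test-Path -LiteralPath $paramsPath) {
        $result.ServiceDll = (Get-ItemProperty -LiteralPath $paramsPath).ServiceDll
    }

    # Common tampering: start type forced to Disabled, or the binary pointed
    # outside the Windows directory. Drivers use relative "system32\..." or
    # "\SystemRoot\..." paths, so both forms count as in place. This heuristic
    # only makes sense for Windows' own services, which is all this list holds.
    $binary   = if ($result.ServiceDll) { $result.ServiceDll } else { $result.ImagePath }
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$binary)
    if ($result.Start -eq 'Disabled') {
        $result.Status = 'DISABLED'
    } elseif (-not $expanded) {
        $result.Status = 'NO IMAGEPATH'
    } elseif ($expanded -notmatch '(?i)(^"?|\\)system32\\|\\SystemRoot\\') {
        $result.Status = 'SUSPICIOUS PATH'
    } else {
        $result.Status = 'OK'
    }
    return $result
}

$report = $Services | ForEach-Object { Test-ServiceKey -Name $_ }
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning ("{0}: {1}" -f $_.Service, $_.Status)
}
```

A MISSING KEY result is the condition the scanner output above shows for MpsSvc, wscsvc and BITS. Note that a scan which removes the infection does not recreate a deleted service key, so any key reported missing has to be restored separately (from a registry backup such as the ERUNT one taken in Step 1, or from a known-good copy of the same Windows version) before Windows Update, the firewall or Security Center will start again.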

Maurice

Apologies, I meant to respond on Sunday. I decided to reformat the computer and finally caught up with all of the Windows Updates last night. I take it the reformat should have removed the Trojan, but should I run any of the scans again? I have downloaded Avast antivirus and I'm about to download Malwarebytes again.

Thanks

Chris
