
I have several viruses, dds wouldn't launch, here's RSIT, thanks!



Hi - I have a Metropolitan Police Virus, a Security Shield virus and a very annoying audio advert virus. My Windows Defender & Firewall won't open. I have run Malwarebytes (Pro) but the viruses keep returning in the syshost.exe

I tried dds but it wouldn't run as it said my C:\windows\system32\cdm.exe wasn't there. So I have included a Check Results attachment and RSIT log and info attachment.

Many thanks in anticipation of your help... There goes that damn music again..... grrrrrrr!

CheckResults.txt

log.txt

info.txt


Hello vidiviciveni and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall the following applications:

  • BabylonObjectInstaller
  • Claro LTD toolbar
  • Dealio Toolbar v6.2
  • Yontoo 1.10.02

Step 2

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 4

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

In your next reply, post the following log files:

  • AdwCleaner
  • Malwarebytes' Anti-Malware log
  • aswMBR log


Hi - Many thanks for your help - I successfully completed steps 1, 2 & 3 but after downloading aswMBR to desktop, when I tried to run it, it wouldn't.

I double clicked it, which opened the User Account control screen asking for 'An unidentified programme wants access to your computer'.

When I clicked to Allow aswMBR.exe connection to the computer nothing happened. I also tried Run as Administrator but same result.

Below are

  • AdwCleaner
  • Malwarebytes' Anti-Malware log

Thank you again...

# AdwCleaner v2.001 - Logfile created 09/13/2012 at 16:15:26

# Updated 09/09/2012 by Xplode

# Operating system : Windows Vista Home Basic Service Pack 2 (32 bits)

# User : CAROL - CAROLS-PC

# Boot Mode : Normal

# Running from : C:\Users\CAROL\Downloads\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml

File Found : C:\user.js

Folder Found : C:\Program Files\Common Files\spigot

Folder Found : C:\ProgramData\Anti-phishing Domain Advisor

Folder Found : C:\ProgramData\Babylon

Folder Found : C:\ProgramData\boost_interprocess

Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Finder

Folder Found : C:\ProgramData\Tarma Installer

Folder Found : C:\Users\CAROL\AppData\Local\Ilivid Player

Folder Found : C:\Users\CAROL\AppData\LocalLow\boost_interprocess

Folder Found : C:\Users\CAROL\AppData\LocalLow\imeshbandmltbpi

Folder Found : C:\Users\CAROL\AppData\LocalLow\mediabarim

Folder Found : C:\Users\CAROL\AppData\Roaming\Babylon

Folder Found : C:\Users\CAROL\AppData\Roaming\Media Finder

Folder Found : C:\Users\CAROL\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com

Folder Found : C:\Users\party poker AC\AppData\LocalLow\Search Settings

***** [Registry] *****

Data Found : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

Key Found : HKCU\Software\BrowserCompanion

Key Found : HKCU\Software\ilivid

Key Found : HKCU\Software\MediaFinder

Key Found : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{83AA2913-C123-4146-85BD-AD8F93971D39}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ilivid

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\iMesh 1 MediaBar

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Found : HKCU\Software\Softonic

Key Found : HKLM\Software\Babylon

Key Found : HKLM\Software\BabylonToolbar

Key Found : HKLM\SOFTWARE\Classes\AppID\{1FC41815-FA4C-4F8B-B143-2C045C8EA2FC}

Key Found : HKLM\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}

Key Found : HKLM\SOFTWARE\Classes\AppID\{21493C1F-D071-496A-9C27-450578888291}

Key Found : HKLM\SOFTWARE\Classes\AppID\{403A885F-CB00-40C1-BDC1-EB09053194F7}

Key Found : HKLM\SOFTWARE\Classes\AppID\{55C1727F-5535-4C2A-9601-8C2458608B48}

Key Found : HKLM\SOFTWARE\Classes\AppID\{A7DDCBDE-5C86-415c-8A37-763AE183E7E4}

Key Found : HKLM\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}

Key Found : HKLM\SOFTWARE\Classes\AppID\DiscoveryHelper.DLL

Key Found : HKLM\SOFTWARE\Classes\AppID\GIFAnimator.DLL

Key Found : HKLM\SOFTWARE\Classes\AppID\IMTrProgress.DLL

Key Found : HKLM\SOFTWARE\Classes\AppID\IMWeb.DLL

Key Found : HKLM\SOFTWARE\Classes\AppID\tdataprotocol.DLL

Key Found : HKLM\SOFTWARE\Classes\AppID\wit4ie.DLL

Key Found : HKLM\SOFTWARE\Classes\AppID\WMHelper.DLL

Key Found : HKLM\SOFTWARE\Classes\CLSID\{2656B92B-0207-4afb-BEBF-F5FD231ECD39}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{27BF8F8D-58B8-D41C-F913-B7EEB57EF6F6}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{34CB0620-E343-4772-BBA8-D3074BC47516}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{412CD209-DDA4-4275-8C79-55F1C93FBD47}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{59570C1F-B692-48c9-91B4-7809E6945287}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{63A0F7FA-2C95-4d7e-AF25-EFCC303D20A1}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{6559E502-6EE1-46b8-A83C-F3A45BDA23EE}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{A2858A72-758F-4486-B6A1-7F1DCC0924FA}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{B6F8DA9F-2696-419e-A8A3-19BE41EF51BD}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{C63CA8A4-AB4E-49e5-A6C0-33FC86D80205}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{C6A7847E-8931-4a9a-B4EF-72A91E3CCF4D}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{DD0F1D24-E250-4e93-966C-65615720AEFB}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{EC1277BB-1C71-4c0d-BA6D-BFEA16E773A6}

Key Found : HKLM\SOFTWARE\Classes\DiscoveryHelper.iMesh6Discovery

Key Found : HKLM\SOFTWARE\Classes\DiscoveryHelper.iMesh6Discovery.1

Key Found : HKLM\SOFTWARE\Classes\imweb.imwebcontrol

Key Found : HKLM\SOFTWARE\Classes\Interface\{5E8CD073-21DF-4117-9BBD-D03C45D36CAE}

Key Found : HKLM\SOFTWARE\Classes\Interface\{95B92D92-8B7D-4A19-A3F1-43113B4DBCAF}

Key Found : HKLM\SOFTWARE\Classes\Interface\{B37B4BA6-334E-72C1-B57E-6AFE8F8A5AF3}

Key Found : HKLM\SOFTWARE\Classes\Interface\{B77AD4AC-C1C2-B293-7737-71E13A11FFEA}

Key Found : HKLM\SOFTWARE\Classes\Interface\{CA1CE38C-F04C-471F-B9F3-083C58165C10}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E773F2CF-5E6E-FF2B-81A1-AC581A26B2B2}

Key Found : HKLM\SOFTWARE\Classes\MF

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{252C2315-CCE0-4446-8DA7-C00292A690BA}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{403A885F-CB00-40C1-BDC1-EB09053194F7}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{55C1727F-5535-4C2A-9601-8C2458608B48}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{96F7FABC-5789-EFA4-B6ED-1272F4C1D27B}

Key Found : HKLM\SOFTWARE\Classes\wit4ie.WitBHO

Key Found : HKLM\SOFTWARE\Classes\wit4ie.WitBHO.2

Key Found : HKLM\Software\Freeze.com

Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel

Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai

Key Found : HKLM\Software\ilivid

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28387537-E3F9-4ED7-860C-11E69AF4A8A0}

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{872F3C0B-4462-424C-BB9F-74C6899B9F92}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B6F8DA9F-2696-419e-A8A3-19BE41EF51BD}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid

Key Found : HKLM\Software\Tarma Installer

Key Found : HKLM\Software\Viewpoint

Key Found : HKU\S-1-5-21-1445800729-3374758021-1386323499-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Key Found : HKU\S-1-5-21-1445800729-3374758021-1386323499-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}

Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]

Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.claro-search.com/?affID=115131&tt=3412_3&babsrc=HP_iclro&mntrId=5aac690200000000000000234daba003

*************************

AdwCleaner[R1].txt - [8667 octets] - [13/09/2012 16:15:26]

########## EOF - C:\AdwCleaner[R1].txt - [8727 octets] ##########

************************************************************************************************************************************************

Malwarebytes Anti-Malware (PRO) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.13.07

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

CAROL :: CAROLS-PC [administrator]

Protection: Disabled

13/09/2012 17:17:28

mbam-log-2012-09-13 (17-17-28).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 212062

Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.LameShield) -> Quarantined and deleted successfully.

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|6F63A5DB0043E549C158EA8C2F3B707C (Trojan.LameShield) -> Data: C:\ProgramData\6F63A5DB0043E549C158EA8C2F3B707C\6F63A5DB0043E549C158EA8C2F3B707C.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2

HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$9b82c2852086004be0b367d93f24386a\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-1445800729-3374758021-1386323499-1000\$9b82c2852086004be0b367d93f24386a\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\ProgramData\6F63A5DB0043E549C158EA8C2F3B707C\6F63A5DB0043E549C158EA8C2F3B707C.exe (Trojan.LameShield) -> Quarantined and deleted successfully.

C:\$Recycle.Bin\S-1-5-18\$9b82c2852086004be0b367d93f24386a\n (Trojan.0Access) -> Delete on reboot.

C:\$Recycle.Bin\S-1-5-21-1445800729-3374758021-1386323499-1000\$9b82c2852086004be0b367d93f24386a\n (Trojan.0Access) -> Delete on reboot.

(end)

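As an added example (not from the thread and not Malwarebytes' code), a small parser for the MBAM 1.x log format posted above: it checks that each "Detected: N" header matches the number of items actually listed (a mismatch usually means a truncated paste), and flags entries still waiting on a reboot as well as CLSID InProcServer32 entries whose "Bad" path sits under $Recycle.Bin, the pattern the Trojan.0Access lines above show. The sample lines are copied from the log above; everything else is assumed.

```python
"""Parser for Malwarebytes Anti-Malware 1.x text logs (added example, not Malwarebytes' code).

It reads the 'X Detected: N' sections, checks that N matches the number of item
lines actually listed, and flags items that still need a reboot to finish and
CLSID InProcServer32 entries whose 'Bad' path lives under $Recycle.Bin.
"""
import re
from collections import Counter

# Constructed sample: the detection sections of the MBAM 1.65 log posted above,
# in the same layout (section header, one item per line, '(end)' terminator).
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.LameShield) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|6F63A5DB0043E549C158EA8C2F3B707C (Trojan.LameShield) -> Data: C:\ProgramData\6F63A5DB0043E549C158EA8C2F3B707C\6F63A5DB0043E549C158EA8C2F3B707C.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$9b82c2852086004be0b367d93f24386a\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-1445800729-3374758021-1386323499-1000\$9b82c2852086004be0b367d93f24386a\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\ProgramData\6F63A5DB0043E549C158EA8C2F3B707C\6F63A5DB0043E549C158EA8C2F3B707C.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-18\$9b82c2852086004be0b367d93f24386a\n (Trojan.0Access) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-1445800729-3374758021-1386323499-1000\$9b82c2852086004be0b367d93f24386a\n (Trojan.0Access) -> Delete on reboot.

(end)
"""

# "Registry Data Items Detected: 2"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<target> (<detection name>) -> [<detail> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+?)\.?$")
# detail form used for repaired registry data: "Bad: (<path>) Good: (<dll>)"
HIJACK_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")


def parse_mbam_log(text):
    """Return (items, mismatches).

    items: one dict per detection line (section, target, family, action,
    detail, pending, plus bad/good for repaired registry data).
    mismatches: (section, declared, listed) where the header count and the
    number of item lines disagree, which usually means a truncated paste.
    """
    items, mismatches = [], []
    section, declared, listed = None, 0, 0

    def close_section():
        if section is not None and declared != listed:
            mismatches.append((section, declared, listed))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            close_section()
            section, declared, listed = m["section"], int(m["count"]), 0
            continue
        m = ITEM_RE.match(line)
        if m is None or section is None:
            continue  # version/database/scan-option header lines are not items
        parts = m["rest"].split(" -> ")
        action = parts[-1]
        item = {
            "section": section,
            "target": m["target"],
            "family": m["family"],
            "action": action,
            "detail": " -> ".join(parts[:-1]),
            # MBAM reports completed actions as "... successfully"; anything
            # else ("Delete on reboot", "No action taken") is still pending.
            "pending": "successfully" not in action.lower(),
        }
        h = HIJACK_RE.match(item["detail"])
        if h:
            item["bad"], item["good"] = h["bad"], h["good"]
        items.append(item)
        listed += 1
    close_section()
    return items, mismatches


def summarize(items, mismatches):
    """Condense parsed items into what a helper reading the log wants to know."""
    hijacks = [i for i in items if "bad" in i]
    return {
        "families": Counter(i["family"] for i in items),
        "pending": [i["target"] for i in items if i["pending"]],
        "hijacks": hijacks,
        # A COM server redirected into $Recycle.Bin is the pattern shown in the
        # Trojan.0Access lines above; it calls for a reboot and a rescan.
        "recycle_bin_hijacks": [i for i in hijacks if "$recycle.bin" in i["bad"].lower()],
        "count_mismatches": mismatches,
    }


if __name__ == "__main__":
    for key, value in summarize(*parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feed it a full pasted log rather than just the excerpt; the version and scan-option header lines are skipped because they never match the item pattern.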

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please perform all of these actions in Normal mode.

Step 1

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Step 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • AdwCleaner log
  • TDSSKiller log
  • Malwarebytes' Anti-Malware log


Hi Maniac -

Thank you for your last instructions and information. This is the only computer we have so I can't immediately disconnect from the internet. Also I needed it connected to download TDSSKiller etc.

I aim to get this computer running so I can retrieve the documents saved there onto USB and then I will do a reformat and reinstall of the OS.

I will try to get to a known clean computer and change all passwords where applicable very soon, and contact financial institutions to apprise them of my situation.

Last evening things worsened I'm afraid....

I got a pop-up to load an Adobe upgrade, which I tried to ignore and exit from in case it was infected. It kept popping up, I kept exiting. Then I got a message box....

System Error Hard Disc Failure Detected

Windows lost access to the system partition during I/O process. This may also lead to a potential loss of data. It is highly recommended to run complete HDD scan to prevent lost of files, applications and documents stored on your computer.

Scan & Repair (recommended)

Scan later

I decided to do neither option in case this was not a genuine message...... I exited the message

Then another message came on...

User Account Control

An unidentified programme wants to access your computer

chipset_driver_update.exe

Cancel

Allow

Again I decided to do neither option in case this was not a genuine message...... I exited the message

I am now unable to access the Carol partition side of the PC as it is corrupt.

I went into safe mode and began to run Malwarebytes; after a few seconds I got the Specialist Crime Directorate Police Central e-crime Unit screen.... Safe mode has been attacked!!

Luckily (?) I am still able to access the party poker partition, which is still working, but infected with the audio adverts, and I am emailing from there.

I ran the adwCleaner, the log is below.

I downloaded TDSSKiller but it would not launch.

I have updated Malwarebytes and run the scan, log below.

Many thanks for you patience and advice...

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 07:48:35

# Updated 09/09/2012 by Xplode

# Operating system : Windows Vista Home Basic Service Pack 2 (32 bits)

# User : party poker AC - CAROLS-PC

# Boot Mode : Normal

# Running from : C:\Users\party poker AC\Downloads\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml

File Deleted : C:\user.js

Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor

Folder Deleted : C:\ProgramData\Babylon

Folder Deleted : C:\ProgramData\boost_interprocess

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Finder

Folder Deleted : C:\ProgramData\Tarma Installer

Folder Deleted : C:\Users\CAROL\AppData\Local\Ilivid Player

Folder Deleted : C:\Users\CAROL\AppData\LocalLow\boost_interprocess

Folder Deleted : C:\Users\CAROL\AppData\LocalLow\imeshbandmltbpi

Folder Deleted : C:\Users\CAROL\AppData\LocalLow\mediabarim

Folder Deleted : C:\Users\CAROL\AppData\Roaming\Babylon

Folder Deleted : C:\Users\CAROL\AppData\Roaming\Media Finder

Folder Deleted : C:\Users\CAROL\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com

Folder Deleted : C:\Users\party poker AC\AppData\LocalLow\Search Settings

***** [Registry] *****

Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{83AA2913-C123-4146-85BD-AD8F93971D39}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ilivid

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}

Key Deleted : HKLM\Software\Babylon

Key Deleted : HKLM\Software\BabylonToolbar

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FC41815-FA4C-4F8B-B143-2C045C8EA2FC}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{21493C1F-D071-496A-9C27-450578888291}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{403A885F-CB00-40C1-BDC1-EB09053194F7}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{55C1727F-5535-4C2A-9601-8C2458608B48}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A7DDCBDE-5C86-415c-8A37-763AE183E7E4}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\DiscoveryHelper.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GIFAnimator.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\IMTrProgress.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\IMWeb.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\tdataprotocol.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\wit4ie.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WMHelper.DLL

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2656B92B-0207-4afb-BEBF-F5FD231ECD39}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{27BF8F8D-58B8-D41C-F913-B7EEB57EF6F6}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{34CB0620-E343-4772-BBA8-D3074BC47516}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{412CD209-DDA4-4275-8C79-55F1C93FBD47}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{59570C1F-B692-48c9-91B4-7809E6945287}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{63A0F7FA-2C95-4d7e-AF25-EFCC303D20A1}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6559E502-6EE1-46b8-A83C-F3A45BDA23EE}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A2858A72-758F-4486-B6A1-7F1DCC0924FA}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B6F8DA9F-2696-419e-A8A3-19BE41EF51BD}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C63CA8A4-AB4E-49e5-A6C0-33FC86D80205}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C6A7847E-8931-4a9a-B4EF-72A91E3CCF4D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DD0F1D24-E250-4e93-966C-65615720AEFB}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EC1277BB-1C71-4c0d-BA6D-BFEA16E773A6}

Key Deleted : HKLM\SOFTWARE\Classes\DiscoveryHelper.iMesh6Discovery

Key Deleted : HKLM\SOFTWARE\Classes\DiscoveryHelper.iMesh6Discovery.1

Key Deleted : HKLM\SOFTWARE\Classes\imweb.imwebcontrol

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5E8CD073-21DF-4117-9BBD-D03C45D36CAE}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{95B92D92-8B7D-4A19-A3F1-43113B4DBCAF}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B37B4BA6-334E-72C1-B57E-6AFE8F8A5AF3}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B77AD4AC-C1C2-B293-7737-71E13A11FFEA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CA1CE38C-F04C-471F-B9F3-083C58165C10}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E773F2CF-5E6E-FF2B-81A1-AC581A26B2B2}

Key Deleted : HKLM\SOFTWARE\Classes\MF

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{252C2315-CCE0-4446-8DA7-C00292A690BA}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{403A885F-CB00-40C1-BDC1-EB09053194F7}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{55C1727F-5535-4C2A-9601-8C2458608B48}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{96F7FABC-5789-EFA4-B6ED-1272F4C1D27B}

Key Deleted : HKLM\SOFTWARE\Classes\wit4ie.WitBHO

Key Deleted : HKLM\SOFTWARE\Classes\wit4ie.WitBHO.2

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai

Key Deleted : HKLM\Software\ilivid

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28387537-E3F9-4ED7-860C-11E69AF4A8A0}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{872F3C0B-4462-424C-BB9F-74C6899B9F92}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B6F8DA9F-2696-419e-A8A3-19BE41EF51BD}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid

Key Deleted : HKLM\Software\Tarma Installer

Key Deleted : HKLM\Software\Viewpoint

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

*************************

AdwCleaner[R1].txt - [8796 octets] - [13/09/2012 16:15:26]

AdwCleaner[s1].txt - [7761 octets] - [14/09/2012 07:48:35]

########## EOF - C:\AdwCleaner[s1].txt - [7821 octets] ##########

Malwarebytes Anti-Malware (PRO) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.14.01

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

party poker AC :: CAROLS-PC [administrator]

Protection: Disabled

14/09/2012 08:12:52

mbam-log-2012-09-14 (08-12-52).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 213459

Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 1

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-1445800729-3374758021-1386323499-1004\$9b82c2852086004be0b367d93f24386a\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 6

C:\ProgramData\uQPiuYoYUryntvk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\$Recycle.Bin\S-1-5-18\$9b82c2852086004be0b367d93f24386a\n (Trojan.0Access) -> Quarantined and deleted successfully.

C:\$Recycle.Bin\S-1-5-21-1445800729-3374758021-1386323499-1000\$9b82c2852086004be0b367d93f24386a\n (Trojan.0Access) -> Quarantined and deleted successfully.

C:\Users\CAROL\AppData\Local\Temp\5c5afa54.tmp (Trojan.Phex.THAGen9) -> Quarantined and deleted successfully.

C:\Users\CAROL\AppData\Local\Temp\Y4LlezGNWxPBSm.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\CAROL\kumopytjfhd.exe (Trojan.Phex.THAGen9) -> Quarantined and deleted successfully.

(end)


For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Hi Maniac

- I downloaded Farbar onto my 'good' computer & put Farbar on a flashdrive.

- Plugged the flashdrive into the infected PC

- Restarted the computer

- As soon as the BIOS loaded I began tapping the F8 key until Advanced Boot Options appeared.

- Used the arrow keys to select the Repair your computer menu item, I hit ENTER.

The screen cleared and I get a green/black striped bar going across the screen (about 6 cm long) above the words Microsoft Corporation

This stayed 'loading' for 20 minutes. I shut down and repeated the process 3-4 times but the same happened each time.

I was not taken to the steps you mentioned, shown below.

  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

I do not have an installation disk, sorry. Can you suggest a work around?

Many thanks again.


Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


This topic is now closed to further replies.