
Is this computer now safe [Trojan.0access & rootkit.0access]


gtfgf


McAfee reported an attack on one of our laptops. I ran the McAfee virus scanner and it removed 2 trojans, but even after I closed it down I kept getting warning messages from McAfee saying that there were viruses detected in the c:/$recyclebin folder, but that nothing was required to be done, even though the warning messages kept coming. Firefox (the default browser) seems to be running fine however (i.e. no redirects/shutdowns etc).

I downloaded MB_AM and ran a quick scan. It also said there were trojans, and said it had removed them. However on restarting the laptop the McAffee warnings were still coming up, and additionally MB_AM was reporting blocking 'outgoing' messages to a variety of IP addresses.

I updated MB_AM (for some reason the version I downloaded was a week out of date) and re-ran it a few times. Initially I was having the same problem as with McAfee (it appeared to remove the Trojans but the warning messages kept appearing after restart). However it does now appear to have sorted the problem (warning messages have stopped), but I'm still a bit worried: as it is a problem that keeps recurring, I still think that there might be something lurking on the hard drive. Can someone confirm whether I might still have an issue with this laptop? The details of the MB_AM logs and the output from the DDS program are shown below.

Thanks in advance..

<-------FIRST RUN OF MALWARE_AM-------->

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.07.13

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

Syrus :: SYRUS-MSI [administrator]

Protection: Enabled

23/09/2012 11:54:12

mbam-log-2012-09-23 (11-54-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 189116

Time elapsed: 14 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 1

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\$Recycle.Bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\n (Trojan.0Access) -> Delete on reboot.

(end)

<-----------------SECOND RUN------------------------>

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.02

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

Syrus :: SYRUS-MSI [administrator]

Protection: Enabled

23/09/2012 12:51:15

mbam-log-2012-09-23 (12-51-15).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 341197

Time elapsed: 2 hour(s), 29 minute(s), 26 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

c:\$recycle.bin\s-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\u\80000032.@ (Trojan.0Access) -> Quarantined and deleted successfully.

C:\Users\Syrus\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

<---------------------THIRD RUN---------------------------->

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.02

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

Syrus :: SYRUS-MSI [administrator]

Protection: Enabled

23/09/2012 12:51:15

mbam-log-2012-09-23 (15-23-42).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 341197

Time elapsed: 2 hour(s), 29 minute(s), 26 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

c:\$recycle.bin\s-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\u\80000032.@ (Trojan.0Access) -> No action taken.

C:\Users\Syrus\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> No action taken.

(end)

<------------------FOURTH RUN------------------------->

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.02

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

Syrus :: SYRUS-MSI [administrator]

Protection: Enabled

23/09/2012 15:45:59

mbam-log-2012-09-23 (15-45-59).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 190751

Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

<----------------DDS File----------------->

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Syrus at 17:03:27 on 2012-09-23

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3327.2374 [GMT 1:00]

.

AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\system32\atiesrxx.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\atieclxx.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\windows\system32\mfevtps.exe

C:\Program Files\System Control Manager\MSIService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

C:\windows\system32\conhost.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\windows\system32\svchost.exe -k bthsvcs

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\System32\svchost.exe -k secsvcs

C:\windows\system32\SearchIndexer.exe

C:\windows\system32\svchost.exe -k defragsvc

C:\windows\system32\taskhost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\System Control Manager\MGSysCtrl.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\windows\system32\wbem\unsecapp.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\windows\system32\wuauclt.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uDefault_Page_URL = hxxp://www.msi.com

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ArcSoft] rundll32.exe c:\users\syrus\appdata\local\arcsoft\idjbgmfy.dll,DllGetClassObject

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A6F539D9-1C12-4D93-8E59-8CA02D96789B} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A6F539D9-1C12-4D93-8E59-8CA02D96789B}\2313D284F4C4C495D234F4552545 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A6F539D9-1C12-4D93-8E59-8CA02D96789B}\24554545542535D20534130313F5E4564777F627B6 : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{A6F539D9-1C12-4D93-8E59-8CA02D96789B}\74F62746F6E664275656D616E6 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A6F539D9-1C12-4D93-8E59-8CA02D96789B}\E4544574541425 : DhcpNameServer = 192.168.0.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\syrus\appdata\roaming\mozilla\firefox\profiles\4kz1t41i.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-10 343664]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-9-29 176128]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-23 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-23 676936]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-10-22 21256]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-10-22 146448]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-10-22 66896]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-10 70728]

R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2009-10-30 160768]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-9-29 6472192]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-9-29 228352]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-23 22856]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-10 91672]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-10 43288]

R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2009-8-20 604672]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-8-24 167936]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-7 250288]

S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2009-10-30 17920]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-10 55264]

S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2008-12-8 533344]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-10 65448]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 114144]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-10-30 166912]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-12 1343400]

.

=============== Created Last 30 ================

.

2012-09-23 15:35:21 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b43d0455-ed89-464b-a6f2-b8e380d9d8b4}\offreg.dll

2012-09-23 10:52:34 -------- d-----w- c:\users\syrus\appdata\roaming\Malwarebytes

2012-09-23 10:52:06 -------- d-----w- c:\programdata\Malwarebytes

2012-09-23 10:51:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-23 10:51:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-22 23:59:10 -------- d-----w- C:\ArcSoft

2012-09-22 09:47:47 6980552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b43d0455-ed89-464b-a6f2-b8e380d9d8b4}\mpengine.dll

2012-09-09 15:11:51 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll

.

==================== Find3M ====================

.

2012-09-20 18:27:34 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-20 18:27:34 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-07-18 17:10:29 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-04 21:23:55 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23:55 102912 ----a-w- c:\windows\system32\browser.dll

.

============= FINISH: 17:04:51.73 ===============

<--------------------ATTACH------------------------->

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 10/10/2010 16:47:32

System Uptime: 23/09/2012 16:30:55 (1 hours ago)

.

Motherboard: MSI | | MS-1684

Processor: AMD Athlon II Dual-Core M300 | CPU 1 | 2000/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 173 GiB total, 100.487 GiB free.

D: is FIXED (NTFS) - 115 GiB total, 109.503 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP266: 14/08/2012 21:53:01 - Windows Update

RP267: 15/08/2012 18:46:33 - Windows Update

RP268: 21/08/2012 20:57:22 - Windows Update

RP269: 28/08/2012 08:58:06 - Windows Update

RP270: 31/08/2012 19:01:30 - Windows Update

RP271: 04/09/2012 19:22:25 - Windows Update

RP272: 11/09/2012 23:49:03 - Windows Update

RP273: 11/09/2012 23:54:17 - Windows Update

RP274: 19/09/2012 00:21:08 - Windows Update

RP275: 22/09/2012 10:42:10 - Windows Update

RP276: 22/09/2012 14:22:07 - Windows Update

RP277: 23/09/2012 16:14:35 - Removed Football Manager 2006

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.1

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Application Profiles

ArcSoft Magic-i Visual Effects 2

ArcSoft Print Creations

ArcSoft Print Creations - Album Page

ArcSoft Print Creations - Brochures & Flyers

ArcSoft Print Creations - Funhouse

ArcSoft Print Creations - Funhouse II

ArcSoft Print Creations - Greeting Card

ArcSoft Print Creations - Photo Book

ArcSoft Print Creations - Photo Calendar

ArcSoft Print Creations - Photo Prints

ArcSoft Print Creations - Poster Creator

ArcSoft Print Creations - Scrapbook

ArcSoft Print Creations - Slimline Card

ArcSoft WebCam Companion 3

ATI Catalyst Install Manager

Audacity 1.3.13 (Unicode)

Bonjour

BurnRecovery

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

ccc-utility

CCC Help English

Choice Guard

Civilization III Complete Edition

Compatibility Pack for the 2007 Office system

Grand Theft Auto

iTunes

Junk Mail filter update

K-Lite Codec Pack 6.5.0 (Full)

Malwarebytes Anti-Malware version 1.65.0.1400

McAfee Agent

McAfee AntiSpyware Enterprise Module

McAfee Security Scan Plus

McAfee VirusScan Enterprise

Micro Machines 2 - Turbo Tournament

Microsoft Application Error Reporting

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Excel MUI (Dutch) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Excel MUI (French) 2007

Microsoft Office Excel MUI (German) 2007

Microsoft Office Excel MUI (Greek) 2007

Microsoft Office Home and Student 2007

Microsoft Office Live Add-in 1.3

Microsoft Office OneNote MUI (Dutch) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office OneNote MUI (French) 2007

Microsoft Office OneNote MUI (German) 2007

Microsoft Office OneNote MUI (Greek) 2007

Microsoft Office PowerPoint MUI (Dutch) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint MUI (French) 2007

Microsoft Office PowerPoint MUI (German) 2007

Microsoft Office PowerPoint MUI (Greek) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (Arabic) 2007

Microsoft Office Proof (Dutch) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (German) 2007

Microsoft Office Proof (Greek) 2007

Microsoft Office Proof (Italian) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (Dutch) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing (French) 2007

Microsoft Office Proofing (German) 2007

Microsoft Office Proofing (Greek) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (Dutch) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared MUI (French) 2007

Microsoft Office Shared MUI (German) 2007

Microsoft Office Shared MUI (Greek) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (Dutch) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Office Word MUI (French) 2007

Microsoft Office Word MUI (German) 2007

Microsoft Office Word MUI (Greek) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

Mozilla Firefox 15.0.1 (x86 en-US)

Mozilla Maintenance Service

MSI Software Install

MSVCRT

QuickTime

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Shockwave

System Control Manager

Update for 2007 Microsoft Office System (KB967642)

WCS2003

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

WinRAR archiver

WMV9/VC-1 Video Playback

.

==== End Of File ===========================


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Hi

Thanks for your reply. A warning message about an outgoing threat has occurred again, so it looks like it's not all gone. I've run RogueKiller. Log posted below. RogueKiller also auto-started a webpage about Rootkit ZeroAccess, but it was mainly in French.

RogueKiller V8.0.5 [09/23/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : Syrus [Admin rights]

Mode : Scan -- Date : 09/23/2012 18:22:30

¤¤¤ Bad processes : 2 ¤¤¤

[sUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\Syrus\AppData\Local\ArcSoft\idjbgmfy.dll -> UNLOADED

[sUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Registry Entries : 11 ¤¤¤

[RUN][bLACKLIST DLL] HKCU\[...]\Run : ArcSoft (rundll32.exe C:\Users\Syrus\AppData\Local\ArcSoft\idjbgmfy.dll,DllGetClassObject) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-21-533349786-3935795275-1856981824-1000[...]\Run : ArcSoft (rundll32.exe C:\Users\Syrus\AppData\Local\ArcSoft\idjbgmfy.dll,DllGetClassObject) -> FOUND

[TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD32 00BEVT-22A23T0 SATA Disk Device +++++

--- User ---

[MBR] 209bf910a3cd5c79c93d0a1c4ff4e57e

[bSP] d714743cc3d334d49a82605572cac33c : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo

1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 20973568 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21178368 | Size: 176942 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 383555584 | Size: 117961 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

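The logs in this thread (the MBAM runs and DDS output in the first post, and the RogueKiller report just above) all point at the same handful of artefacts: a hidden folder under `$Recycle.Bin\<SID>\$<32 hex chars>\` with `U` and `L` sub-folders, a COM CLSID whose `InProcServer32` was redirected from `shell32.dll` into that folder, `rundll32.exe` loading a DLL from under the user's `AppData\Local`, and a file named like a Windows system library (`msimg32.dll`) sitting in the user's Temp folder. As an added illustration, and not code from this thread or from Malwarebytes, DDS or RogueKiller, the Python below is a small triage helper that reads log lines of those shapes and groups such indicators so that a second scan can be compared against the first. The regular expressions and the sample lines are taken from the logs posted here; the function names (`triage_line`, `triage`) and the `SYSTEM_DLL_NAMES` allow-list are my own and are assumptions, not anything the tools expose.

```python
import re

# Added triage helper; the patterns encode what MBAM, DDS and RogueKiller
# reported for this laptop, not a tool's own signatures.

SID_RE = r"S-1-5-21-\d+-\d+-\d+-\d+"

# \$Recycle.Bin\<SID>\$<32 hex>\ optionally followed by the U or L sub-folder
# (RogueKiller's "[ZeroAccess][FOLDER]" lines, MBAM's file detections).
RECYCLE_HIDEOUT_RE = re.compile(
    r"\$recycle\.bin\\" + SID_RE + r"\\\$[0-9a-f]{32}(\\[ul]\b)?",
    re.IGNORECASE,
)
# A CLSID whose in-process server was changed away from a system DLL
# (MBAM "Registry Data Items": Bad: (...) Good: (shell32.dll)).
CLSID_REDIRECT_RE = re.compile(
    r"HKCR\\CLSID\\\{[0-9A-F-]{36}\}\\InProcServer32.*?Bad: \((?P<bad>[^)]*)\)",
    re.IGNORECASE,
)
# rundll32.exe invoked on a DLL that lives under the user's AppData\Local
# (DDS "uRun:" line and RogueKiller "[RUN][BLACKLIST DLL]" lines).
RUNDLL_USER_DLL_RE = re.compile(
    r"rundll32\.exe\s+(?P<dll>c:\\users\\[^,\s]+\\appdata\\local\\[^,\s]+\.dll)",
    re.IGNORECASE,
)
# Any DLL path under a user profile; the basename is checked against the
# allow-list below.
USER_PROFILE_DLL_RE = re.compile(
    r"c:\\users\\\S+\\(?P<name>[^\\\s]+\.dll)", re.IGNORECASE
)
# Names of Windows system libraries that belong in System32 (constructed list;
# only the one this thread shows, msimg32.dll, is included).
SYSTEM_DLL_NAMES = {"msimg32.dll"}


def triage_line(line):
    """Return [(indicator, detail), ...] for one log line; [] if nothing matched."""
    hits = []
    m = RECYCLE_HIDEOUT_RE.search(line)
    if m:
        hits.append(("recycle_bin_hideout", m.group(0)))
    m = CLSID_REDIRECT_RE.search(line)
    if m:
        hits.append(("clsid_inprocserver_redirect", m.group("bad")))
    m = RUNDLL_USER_DLL_RE.search(line)
    if m:
        hits.append(("rundll32_user_profile_dll", m.group("dll")))
    m = USER_PROFILE_DLL_RE.search(line)
    if m and m.group("name").lower() in SYSTEM_DLL_NAMES:
        hits.append(("system_dll_name_in_user_profile", m.group(0)))
    return hits


def triage(lines):
    """Group indicator hits across all lines: {indicator: [detail, ...]}."""
    report = {}
    for line in lines:
        for name, detail in triage_line(line):
            report.setdefault(name, []).append(detail)
    return report


# Lines copied from the logs posted in this thread (MBAM runs, DDS, RogueKiller),
# plus one benign DDS "mRun:" line so the clean case is exercised too.
SAMPLE_LINES = [
    r"HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.",
    r"C:\$Recycle.Bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\n (Trojan.0Access) -> Delete on reboot.",
    r"c:\$recycle.bin\s-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\u\80000032.@ (Trojan.0Access) -> Quarantined and deleted successfully.",
    r"C:\Users\Syrus\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> Quarantined and deleted successfully.",
    r"uRun: [ArcSoft] rundll32.exe c:\users\syrus\appdata\local\arcsoft\idjbgmfy.dll,DllGetClassObject",
    r"mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe",
    r"[RUN][bLACKLIST DLL] HKCU\[...]\Run : ArcSoft (rundll32.exe C:\Users\Syrus\AppData\Local\ArcSoft\idjbgmfy.dll,DllGetClassObject) -> FOUND",
    r"[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\U --> FOUND",
    r"[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\L --> FOUND",
]

if __name__ == "__main__":
    for indicator, details in sorted(triage(SAMPLE_LINES).items()):
        print(f"{indicator}: {len(details)} hit(s)")
        for detail in details:
            print("   ", detail)
```

Run it on the lines you paste from a fresh log: an empty dictionary from `triage()` is what a clean follow-up scan should look like, while any `recycle_bin_hideout` or `rundll32_user_profile_dll` entry that survives a reboot is the same "keeps coming back" signal the original poster noticed.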

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][bLACKLIST DLL] HKCU\[...]\Run : ArcSoft (rundll32.exe C:\Users\Syrus\AppData\Local\ArcSoft\idjbgmfy.dll,DllGetClassObject) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-21-533349786-3935795275-1856981824-1000[...]\Run : ArcSoft (rundll32.exe C:\Users\Syrus\AppData\Local\ArcSoft\idjbgmfy.dll,DllGetClassObject) -> FOUND

[TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> FOUND

[TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-533349786-3935795275-1856981824-1000\$09e7d81ee082c3ccf1679bba57bd5a4e\L --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~

Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)

[sUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\Syrus\AppData\Local\ArcSoft\idjbgmfy.dll -> UNLOADED

[sUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~

Reboot and run another scan with RogueKiller and post the new log, MrC


I've done as requested, new RK log posted. Thanks.

RogueKiller V8.0.5 [09/23/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : Syrus [Admin rights]

Mode : Scan -- Date : 09/23/2012 18:50:58

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD32 00BEVT-22A23T0 SATA Disk Device +++++

--- User ---

[MBR] 209bf910a3cd5c79c93d0a1c4ff4e57e

[bSP] d714743cc3d334d49a82605572cac33c : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo

1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 20973568 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21178368 | Size: 176942 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 383555584 | Size: 117961 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Looks Good..........

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Hi. It found one 'medium' threat which I skipped (cure wasn't available) = Micro Star SCM ( UnsignedFile.Multi.Generic ). Two logs, first posted, second attached.

First log:

18:59:41.0614 3672 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24

18:59:41.0813 3672 ============================================================

18:59:41.0813 3672 Current date / time: 2012/09/23 18:59:41.0813

18:59:41.0813 3672 SystemInfo:

18:59:41.0813 3672

18:59:41.0813 3672 OS Version: 6.1.7600 ServicePack: 0.0

18:59:41.0813 3672 Product type: Workstation

18:59:41.0813 3672 ComputerName: SYRUS-MSI

18:59:41.0814 3672 UserName: Syrus

18:59:41.0814 3672 Windows directory: C:\windows

18:59:41.0814 3672 System windows directory: C:\windows

18:59:41.0814 3672 Processor architecture: Intel x86

18:59:41.0814 3672 Number of processors: 2

18:59:41.0814 3672 Page size: 0x1000

18:59:41.0814 3672 Boot type: Normal boot

18:59:41.0814 3672 ============================================================

18:59:43.0975 3672 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

18:59:43.0978 3672 ============================================================

18:59:43.0978 3672 \Device\Harddisk0\DR0:

18:59:43.0978 3672 MBR partitions:

18:59:43.0978 3672 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1432800, BlocksNum 0x15997000

18:59:43.0978 3672 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x16DC9800, BlocksNum 0xE664800

18:59:43.0978 3672 ============================================================

18:59:44.0032 3672 C: <-> \Device\Harddisk0\DR0\Partition1

18:59:44.0073 3672 D: <-> \Device\Harddisk0\DR0\Partition2

18:59:44.0073 3672 ============================================================

18:59:44.0073 3672 Initialize success

18:59:44.0073 3672 ============================================================

19:02:08.0083 0636 Deinitialize success

TDSSKiller.2.8.10.0_23.09.2012_19.04.19_log.txt

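The RogueKiller partition table posted earlier and the TDSSKiller partition lines just above describe the same disk in two notations (decimal sector offsets with sizes in "Mo", versus hex StartLBA/BlocksNum). When hunting for a bootkit it is worth checking that the two tools agree and that no sectors are unaccounted for between or outside the partitions. The Python below is an added example written for this thread, not code from RogueKiller, TDSSKiller or Malwarebytes; it parses both formats from the lines quoted in the thread, cross-checks them, and reports gaps, overlaps and unallocated head/tail space. The 512-byte sector size is taken from the TDSSKiller line (SectorSize: 0x200), and the 1 MiB tolerance is an assumption to absorb RogueKiller's rounding of sizes to whole MiB.

```python
import re

SECTOR = 512                                 # bytes per sector on this disk
SECTORS_PER_MIB = 1024 * 1024 // SECTOR      # RogueKiller's "Mo" column is MiB

# One RogueKiller partition-table row, e.g.
# "2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21178368 | Size: 176942 Mo"
RK_ROW = re.compile(
    r"^(?P<idx>\d+) - \[(?P<flag>[A-Z]+)\] (?P<label>.+?) \((?P<type>0x[0-9A-Fa-f]+)\) "
    r"\[(?P<vis>[A-Z]+)\] Offset \(sectors\): (?P<offset>\d+) \| Size: (?P<size>\d+) Mo$"
)
# One TDSSKiller partition line (hex StartLBA / BlocksNum) and its drive-size line.
TK_ROW = re.compile(
    r"\\Device\\Harddisk\d+\\DR\d+\\Partition(?P<n>\d+): MBR, Type (?P<type>0x[0-9A-Fa-f]+), "
    r"StartLBA (?P<start>0x[0-9A-Fa-f]+), BlocksNum (?P<blocks>0x[0-9A-Fa-f]+)"
)
TK_DISK = re.compile(r"Drive \\Device\\Harddisk\d+\\DR\d+ - Size: (?P<size>0x[0-9A-Fa-f]+)")

def parse_roguekiller(text):
    """Partition rows from a RogueKiller report, sizes converted to sectors."""
    rows = []
    for line in text.splitlines():
        m = RK_ROW.match(line.strip())
        if m:
            rows.append({"idx": int(m["idx"]), "active": m["flag"] == "ACTIVE",
                         "type": int(m["type"], 16), "offset": int(m["offset"]),
                         "sectors": int(m["size"]) * SECTORS_PER_MIB})
    return rows

def parse_tdsskiller(text):
    """Partition entries and total disk size (in sectors) from a TDSSKiller log."""
    parts, disk_sectors = [], None
    for line in text.splitlines():
        d = TK_DISK.search(line)
        if d:
            disk_sectors = int(d["size"], 16) // SECTOR
        m = TK_ROW.search(line)
        if m:
            parts.append({"n": int(m["n"]), "type": int(m["type"], 16),
                          "start": int(m["start"], 16), "sectors": int(m["blocks"], 16)})
    return parts, disk_sectors

def check_layout(rk, disk_sectors):
    """Gaps and overlaps between partitions, plus unallocated sectors before the
    first and after the last one. Space outside the table is where a bootkit's
    private file system (the "TDSS File System" TDSSKiller can flag) lives; a
    small tail is ordinary alignment slack, a large one deserves a look."""
    rk = sorted(rk, key=lambda p: p["offset"])
    out = {"gaps": [], "overlaps": [], "head_sectors": None, "tail_sectors": None}
    if not rk:
        return out
    out["head_sectors"] = rk[0]["offset"]
    for a, b in zip(rk, rk[1:]):
        end = a["offset"] + a["sectors"]
        if b["offset"] > end:
            out["gaps"].append((end, b["offset"] - end))   # (start, length) in sectors
        elif b["offset"] < end:
            out["overlaps"].append((a["idx"], b["idx"]))
    if disk_sectors is not None:
        last = rk[-1]
        out["tail_sectors"] = disk_sectors - (last["offset"] + last["sectors"])
    return out

def cross_check(rk, tk, tolerance=SECTORS_PER_MIB):
    """Match TDSSKiller partitions to RogueKiller rows by start sector and
    compare type and size; rows only one tool lists are reported separately."""
    by_offset = {p["offset"]: p for p in rk}
    res = {"matched": [], "mismatched": [], "tk_only": [], "rk_only": []}
    seen = set()
    for t in tk:
        r = by_offset.get(t["start"])
        if r is None:
            res["tk_only"].append(t["n"])
            continue
        seen.add(r["idx"])
        same = r["type"] == t["type"] and abs(r["sectors"] - t["sectors"]) <= tolerance
        res["matched" if same else "mismatched"].append((r["idx"], t["n"]))
    res["rk_only"] = [p["idx"] for p in rk if p["idx"] not in seen]
    return res

# Lines copied from the two logs posted in this thread.
RK_LOG = """\
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 20973568 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21178368 | Size: 176942 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 383555584 | Size: 117961 Mo
"""
TK_LOG = r"""18:59:43.0975 3672 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:59:43.0978 3672 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1432800, BlocksNum 0x15997000
18:59:43.0978 3672 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x16DC9800, BlocksNum 0xE664800
"""

if __name__ == "__main__":
    rk = parse_roguekiller(RK_LOG)
    tk, disk = parse_tdsskiller(TK_LOG)
    print(cross_check(rk, tk))
    print(check_layout(rk, disk))
```

On the logs in this thread the two NTFS partitions line up exactly between the tools (0x1432800 is 21178368 and 0x16DC9800 is 383555584), the four partitions are contiguous with the usual 2048-sector alignment gap at the front, and only a few thousand sectors of slack remain at the end of the disk. The two type 0x27 recovery partitions appear in RogueKiller only because TDSSKiller lists just the partitions it mapped to drive letters, so "rk_only" is expected there rather than a finding.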

Hi-

Thanks for your help. Interestingly I'm still getting the 'outgoing' error messages, but they only seem to occur when I am browsing on one particular site (MB_AM log grab attached) and for one particular IP. Could it be a problem with the particular site rather than the laptop?

2012/09/23 18:14:34 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50491, Process: firefox.exe)

2012/09/23 18:14:34 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50492, Process: firefox.exe)

2012/09/23 18:47:43 +0100 SYRUS-MSI Syrus MESSAGE Starting protection

2012/09/23 18:47:43 +0100 SYRUS-MSI Syrus MESSAGE Protection started successfully

2012/09/23 18:47:43 +0100 SYRUS-MSI Syrus MESSAGE Starting IP protection

2012/09/23 18:47:54 +0100 SYRUS-MSI Syrus MESSAGE IP Protection started successfully

2012/09/23 19:03:49 +0100 SYRUS-MSI Syrus MESSAGE Starting protection

2012/09/23 19:03:49 +0100 SYRUS-MSI Syrus MESSAGE Protection started successfully

2012/09/23 19:03:49 +0100 SYRUS-MSI Syrus MESSAGE Starting IP protection

2012/09/23 19:03:54 +0100 SYRUS-MSI Syrus MESSAGE IP Protection started successfully

2012/09/23 19:23:32 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 49579, Process: firefox.exe)

2012/09/23 19:23:32 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 49580, Process: firefox.exe)

2012/09/23 19:25:01 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50172, Process: firefox.exe)

2012/09/23 19:25:01 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50173, Process: firefox.exe)

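The question raised above, whether blocks attributed to firefox.exe while browsing one site point at the site or at the laptop, can be answered mechanically from the protection log. The Python below is an added example written for this thread, not code from Malwarebytes; it parses lines in the format quoted above, groups IP-BLOCK events by process and destination, counts same-second bursts (a page opening several sockets to one host at once), and lists any non-browser processes that had outgoing connections blocked, which are the entries that would warrant a closer look. The first fourteen sample lines are copied from the log above; the final svchost.exe line with a TEST-NET address is constructed to exercise that second case.

```python
import re
from collections import Counter
from datetime import datetime

# Protection-log line format as quoted in the thread:
# "<date> <time> <tz> <host> <user> <EVENT> <details>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<event>IP-BLOCK|MESSAGE) (?P<rest>.*)$"
)
# Details of an IP-BLOCK event: "<ip> (Type: <dir>, Port: <port>, Process: <exe>)"
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)
# Processes whose blocked connections are usually explained by page content
# (an ad or tracker host on the block list) rather than by an implant.
BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe"}

def parse_line(line):
    """Return a dict for one log line, or None if it is not a protection-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "time": datetime.strptime(m["date"], "%Y/%m/%d %H:%M:%S"),
        "host": m["host"], "user": m["user"], "event": m["event"],
    }
    if rec["event"] == "IP-BLOCK":
        b = BLOCK_RE.match(m["rest"])
        if not b:
            return None
        rec.update(ip=b["ip"], direction=b["direction"],
                   port=int(b["port"]), process=b["process"])
    else:
        rec["message"] = m["rest"]
    return rec

def summarize_blocks(lines):
    """Group IP-BLOCK events by (process, direction, ip); keep ports and times."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "IP-BLOCK":
            continue
        key = (rec["process"], rec["direction"], rec["ip"])
        entry = summary.setdefault(key, {"count": 0, "ports": [], "times": []})
        entry["count"] += 1
        entry["ports"].append(rec["port"])
        entry["times"].append(rec["time"])
    return summary

def bursts(entry):
    """Number of distinct seconds in which this (process, ip) pair was blocked
    more than once; a page loading resources from one host looks like this."""
    return sum(1 for c in Counter(entry["times"]).values() if c > 1)

def non_browser_processes(summary):
    """Processes other than known browsers with blocked outgoing connections."""
    return sorted({proc for (proc, direction, _ip) in summary
                   if direction == "outgoing" and proc not in BROWSERS})

# Sample input: lines 1-14 copied from the thread, the last line constructed.
SAMPLE_LOG = """\
2012/09/23 18:14:34 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50491, Process: firefox.exe)
2012/09/23 18:14:34 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50492, Process: firefox.exe)
2012/09/23 18:47:43 +0100 SYRUS-MSI Syrus MESSAGE Starting protection
2012/09/23 18:47:43 +0100 SYRUS-MSI Syrus MESSAGE Protection started successfully
2012/09/23 18:47:43 +0100 SYRUS-MSI Syrus MESSAGE Starting IP protection
2012/09/23 18:47:54 +0100 SYRUS-MSI Syrus MESSAGE IP Protection started successfully
2012/09/23 19:03:49 +0100 SYRUS-MSI Syrus MESSAGE Starting protection
2012/09/23 19:03:49 +0100 SYRUS-MSI Syrus MESSAGE Protection started successfully
2012/09/23 19:03:49 +0100 SYRUS-MSI Syrus MESSAGE Starting IP protection
2012/09/23 19:03:54 +0100 SYRUS-MSI Syrus MESSAGE IP Protection started successfully
2012/09/23 19:23:32 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 49579, Process: firefox.exe)
2012/09/23 19:23:32 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 49580, Process: firefox.exe)
2012/09/23 19:25:01 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50172, Process: firefox.exe)
2012/09/23 19:25:01 +0100 SYRUS-MSI Syrus IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 50173, Process: firefox.exe)
2012/09/23 19:30:00 +0100 SYRUS-MSI Syrus IP-BLOCK 203.0.113.5 (Type: outgoing, Port: 49600, Process: svchost.exe)
""".splitlines()

if __name__ == "__main__":
    summary = summarize_blocks(SAMPLE_LOG)
    for (proc, direction, ip), entry in summary.items():
        print(f"{proc:12} {direction:8} {ip:16} blocks={entry['count']} bursts={bursts(entry)}")
    print("non-browser processes:", non_browser_processes(summary))
```

For the thread's own lines the only blocked pair is firefox.exe to one address, in three bursts of two sockets on consecutive ephemeral ports, each at the moment a page was loaded; that pattern matches page content being blocked, which is consistent with the blocks stopping once the browser cache is cleared, as reported later in the thread. A non-browser process appearing in the last list, especially on a regular schedule with no user activity, is what would argue for a closer look at the machine itself.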

Seems like MB is doing its job.

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


Here's the log

# AdwCleaner v2.002 - Logfile created 09/23/2012 at 19:38:40

# Updated 16/09/2012 by Xplode

# Operating system : Windows 7 Home Premium (32 bits)

# User : Syrus - SYRUS-MSI

# Boot Mode : Normal

# Running from : D:\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default

File : C:\Users\Syrus\AppData\Roaming\Mozilla\Firefox\Profiles\4kz1t41i.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [661 octets] - [23/09/2012 19:38:40]

########## EOF - C:\AdwCleaner[R1].txt - [720 octets] ##########


Hi

I ran MB_AM again today and it again reports no malicious files.

The website that seems to generate the 'outgoing' errors is www.hattrick.org if that is of interest. The messages persist even after I have moved from the site, but stop the minute I 'clear recent history' on firefox, so presumably it's got something to do with something in the temp internet files or cache.

Should I run combofix? Or is the laptop OK as it is?

Thanks for your help.


Should I run combofix? Or is the laptop OK as it is?

No, there's a problem with CF: after running it some people lose their connection, so I don't recommend it.

Your computer is OK.

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


Hi, log posted.

Results of screen317's Security Check version 0.99.51

Windows 7 Service Pack 1 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

McAfee VirusScan Enterprise

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

McAfee AntiSpyware Enterprise Module

Malwarebytes Anti-Malware version 1.65.0.1400

Adobe Flash Player 11.4.402.278

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Firefox (15.0.1)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

McAfee VirusScan Enterprise engineserver.exe

McAfee VirusScan Enterprise vstskmgr.exe

McAfee VirusScan Enterprise mcshield.exe

McAfee VirusScan Enterprise mfeann.exe

McAfee VirusScan Enterprise shstat.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 52% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````


Adobe Reader 9 Adobe Reader out of Date! <---please update

You have out dated programs on the system which are vulnerable to malware.

Please update or delete them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
