help with infection


Hello gerridawn and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

If you don't have an active internet connection on the infected PC, we need a USB flash drive. Then you should immunize it to prevent the spread of any infection to your clean computer.

http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

When you are ready, download these tools on the clean computer and run them on the infected one:

Step 1

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 2

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

In your next reply, post the following log files:

  • Junkware Removal Tool log
  • Farbar Service Scanner log


Once again, please don't attach your log files.

Note: Please do not run this tool without the supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Combo fix log

Tried to repair the network connection; still unable to connect.

Also IE not responding after restart.

.

ComboFix 12-12-04.01 - Jim 12/06/2012 12:02:18.1.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.5370 [GMT -6:00]

Running from: c:\users\Jim\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\DFRFF10.tmp

c:\windows\SysWow64\jucheck.exe

c:\windows\SysWow64\jusched.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-11-06 to 2012-12-06 )))))))))))))))))))))))))))))))

.

.

2012-12-06 18:35 . 2012-12-06 18:35 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-06 18:35 . 2012-12-06 18:35 -------- d-----w- c:\users\Alex\AppData\Local\temp

2012-12-06 18:35 . 2012-12-06 18:35 -------- d-----w- c:\users\Leann\AppData\Local\temp

2012-12-06 18:35 . 2012-12-06 18:35 -------- d-----w- c:\users\Craig\AppData\Local\temp

2012-12-05 16:52 . 2012-12-05 16:52 -------- d-----w- c:\windows\ERUNT

2012-12-05 16:52 . 2012-12-05 16:52 -------- d-----w- C:\JRT

2012-11-28 23:01 . 2012-11-28 23:01 -------- d-----w- c:\users\Jim\AppData\Roaming\SUPERAntiSpyware.com

2012-11-28 23:00 . 2012-11-28 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-11-28 23:00 . 2012-11-28 23:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-11-24 04:00 . 2012-11-24 04:00 -------- d-----w- c:\users\Jim\AppData\Roaming\Malwarebytes

2012-11-24 04:00 . 2012-11-24 04:00 -------- d-----w- c:\programdata\Malwarebytes

2012-11-24 04:00 . 2012-11-24 04:00 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-11-24 04:00 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-24 00:19 . 2012-11-24 00:20 -------- d-----w- c:\users\Jim\AppData\Roaming\Expert PDF 7

2012-11-23 23:04 . 2012-11-23 23:04 -------- d-----w- c:\users\Jim\AppData\Roaming\Tific

2012-11-23 15:15 . 2012-11-23 15:17 -------- d-----w- c:\program files\Symantec

2012-11-23 15:15 . 2012-12-01 06:59 -------- d-----w- c:\windows\system32\drivers\NSMx64

2012-11-23 15:15 . 2012-11-23 15:15 -------- d-----w- c:\program files (x86)\Norton Family

2012-11-18 01:52 . 2012-11-18 01:52 -------- d-----w- c:\users\Jim\AppData\Roaming\.minecraft

2012-11-18 01:47 . 2012-11-18 01:47 -------- d-----w- c:\users\Craig\AppData\Roaming\Expert PDF 7

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\program files (x86)\Avanquest

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\programdata\Expert PDF Jobs

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\programdata\Expert PDF 7

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\programdata\Avanquest

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\users\Craig\AppData\Local\Playtopus

2012-11-18 01:45 . 2012-11-18 01:45 -------- d-----w- c:\program files (x86)\SaveValet

2012-11-18 01:45 . 2012-11-28 22:37 -------- d-----w- c:\program files (x86)\Surf Canyon

2012-11-18 01:45 . 2012-11-23 15:31 -------- d-----w- c:\users\Jim\AppData\Roaming\Genieo

2012-11-15 23:54 . 2012-09-25 16:31 91648 ----a-w- c:\windows\system32\synceng.dll

2012-11-15 23:54 . 2012-09-25 16:19 75776 ----a-w- c:\windows\SysWow64\synceng.dll

2012-11-15 23:53 . 2012-10-12 14:53 2769920 ----a-w- c:\windows\system32\win32k.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-23 15:15 . 2009-11-17 03:52 177312 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS

2012-11-16 09:01 . 2006-11-02 12:35 66395536 ----a-w- c:\windows\system32\mrt.exe

2012-09-13 13:45 . 2012-10-10 04:06 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-13 13:28 . 2012-10-10 04:06 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8EBA1B69-99D8-4135-BD43-729BA79D5CC4}]

2012-11-18 01:46 111104 ----a-w- c:\users\Craig\AppData\Local\Playtopus\Playtopus.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]

"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-01-12 972344]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-18 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-16 5628800]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]

"SunJavaUpdateSched"="c:\program files (x86)\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2010-2-10 237568]

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

Photo Card Event Planner Reminder.lnk - c:\windows\Installer\{C885990F-A824-41A1-82FB-61E3859B4CE2}\Shortcut_Event_Pla_C885990FA82441A182FB61E3859B4CE2.exe [2010-2-10 1718]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-01 23:43]

.

2012-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-01 23:43]

.

2012-11-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Jim.job

- c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\navw32.exe [2011-10-12 22:03]

.

2012-12-06 c:\windows\Tasks\Playtopus Updater.job

- c:\users\Craig\AppData\Local\PLAYTO~1\Updater.dll [2012-11-18 01:46]

.

2012-12-06 c:\windows\Tasks\User_Feed_Synchronization-{A529B67C-1C15-4566-86BE-354EDFB718BE}.job

- c:\windows\system32\msfeedssync.exe [2012-09-22 08:30]

.

2012-12-06 c:\windows\Tasks\User_Feed_Synchronization-{A6F90E51-164F-46B8-B442-ACFDA631E81A}.job

- c:\windows\system32\msfeedssync.exe [2012-09-22 08:30]

.

.

--------- X64 Entries -----------

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.rr.com/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://www.google.com

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\wpclsp.dll

TCP: DhcpNameServer = 192.168.17.1

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe

AddRemove-DefaultTab - c:\users\Jim\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe

AddRemove-DefaultTab Chrome - c:\program files (x86)\DefaultTab\uninstaller.exe

AddRemove-sp41119 - c:\hp\Softpaq\sp41119\sp41119.exe

AddRemove-sp41121 - c:\hp\Softpaq\sp41121\sp41121.exe

AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\diMaster.dll\" /prefetch:1"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NSM]

"ImagePath"="\"c:\program files (x86)\Norton Family\Engine\2.6.0.51\ccSvcHst.exe\" /s \"NSM\" /m \"c:\program files (x86)\Norton Family\Engine\2.6.0.51\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{E2AF211B-86DA020A-05040000}]

"ImagePath"="\??\c:\progra~2\PC-DOC~1\PCD5SRVC_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

Completion time: 2012-12-06 12:40:11

ComboFix-quarantined-files.txt 2012-12-06 18:40

.

Pre-Run: 405,608,382,464 bytes free

Post-Run: 409,570,279,424 bytes free

.

- - End Of File - - DE362E99A795803C7976A97A65C935B6


Step 1

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 2

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

c:\windows\Tasks\Playtopus Updater.job

Folder::

c:\users\Craig\AppData\Local\Playtopus

Registry::

[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8EBA1B69-99D8-4135-BD43-729BA79D5CC4}]

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3

  1. Download Complete Internet Repair and run it.
  2. Extract it on your desktop.
  3. Double click on CIntRep.exe
  4. Click on OK button for any security responses.
  5. Put a checkmark on all boxes.
  6. Click on the GO button
  7. Restart the computer

In your next reply, post the following log files:

  • Junkware Removal Tool log
  • ComboFix log


I am having a bit of an issue.

For some reason I cannot get the monitor to come up; I keep getting "input signal out of range". I assume because I have moved it from the home monitor to my monitor at work. So I have to put it in safe mode in order to see. (If I change the resolution settings they don't hold.) Anyway, I have uninstalled Norton but am still getting the error that Norton Internet Security is running.

I ran the scans anyway and here are the results.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 3.8.0 (12.04.2012:1)

OS: Windows Vista Home Premium x64

Ran by Jim on Tue 12/11/2012 at 10:21:42.90

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Tue 12/11/2012 at 10:23:51.79

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 12-12-04.01 - Jim 12/11/2012 12:46:03.3.4 - x64 MINIMAL

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.7179 [GMT -6:00]

Running from: c:\users\Jim\Desktop\ComboFix.exe

Command switches used :: c:\users\Jim\Desktop\CFscript.txt

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

- REDUCED FUNCTIONALITY MODE -

.

FILE ::

"c:\windows\Tasks\Playtopus Updater.job"

.

.

((((((((((((((((((((((((( Files Created from 2012-11-11 to 2012-12-11 )))))))))))))))))))))))))))))))

.

.

2012-12-05 16:52 . 2012-12-05 16:52 -------- d-----w- c:\windows\ERUNT

2012-12-05 16:52 . 2012-12-05 16:52 -------- d-----w- C:\JRT

2012-11-28 23:01 . 2012-11-28 23:01 -------- d-----w- c:\users\Jim\AppData\Roaming\SUPERAntiSpyware.com

2012-11-28 23:00 . 2012-11-28 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-11-28 23:00 . 2012-11-28 23:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-11-24 04:00 . 2012-11-24 04:00 -------- d-----w- c:\users\Jim\AppData\Roaming\Malwarebytes

2012-11-24 04:00 . 2012-11-24 04:00 -------- d-----w- c:\programdata\Malwarebytes

2012-11-24 04:00 . 2012-11-24 04:00 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-11-24 04:00 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-24 00:19 . 2012-11-24 00:20 -------- d-----w- c:\users\Jim\AppData\Roaming\Expert PDF 7

2012-11-23 23:04 . 2012-11-23 23:04 -------- d-----w- c:\users\Jim\AppData\Roaming\Tific

2012-11-18 01:52 . 2012-11-18 01:52 -------- d-----w- c:\users\Jim\AppData\Roaming\.minecraft

2012-11-18 01:47 . 2012-11-18 01:47 -------- d-----w- c:\users\Craig\AppData\Roaming\Expert PDF 7

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\program files (x86)\Avanquest

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\programdata\Expert PDF Jobs

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\programdata\Expert PDF 7

2012-11-18 01:46 . 2012-11-18 01:46 -------- d-----w- c:\programdata\Avanquest

2012-11-18 01:45 . 2012-11-18 01:45 -------- d-----w- c:\program files (x86)\SaveValet

2012-11-18 01:45 . 2012-11-28 22:37 -------- d-----w- c:\program files (x86)\Surf Canyon

2012-11-18 01:45 . 2012-11-23 15:31 -------- d-----w- c:\users\Jim\AppData\Roaming\Genieo

2012-11-15 23:54 . 2012-09-25 16:31 91648 ----a-w- c:\windows\system32\synceng.dll

2012-11-15 23:54 . 2012-09-25 16:19 75776 ----a-w- c:\windows\SysWow64\synceng.dll

2012-11-15 23:53 . 2012-10-12 14:53 2769920 ----a-w- c:\windows\system32\win32k.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-16 09:01 . 2006-11-02 12:35 66395536 ----a-w- c:\windows\system32\mrt.exe

2012-09-13 13:45 . 2012-10-10 04:06 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-13 13:28 . 2012-10-10 04:06 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8EBA1B69-99D8-4135-BD43-729BA79D5CC4}]

c:\users\Craig\AppData\Local\Playtopus\Playtopus.dll [bU]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]

"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-01-12 972344]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-18 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-16 5628800]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]

"SunJavaUpdateSched"="c:\program files (x86)\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2010-2-10 237568]

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

Photo Card Event Planner Reminder.lnk - c:\windows\Installer\{C885990F-A824-41A1-82FB-61E3859B4CE2}\Shortcut_Event_Pla_C885990FA82441A182FB61E3859B4CE2.exe [2010-2-10 1718]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ECACHE

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-01 23:43]

.

2012-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-01 23:43]

.

2012-12-11 c:\windows\Tasks\User_Feed_Synchronization-{A529B67C-1C15-4566-86BE-354EDFB718BE}.job

- c:\windows\system32\msfeedssync.exe [2012-09-22 08:30]

.

2012-12-11 c:\windows\Tasks\User_Feed_Synchronization-{A6F90E51-164F-46B8-B442-ACFDA631E81A}.job

- c:\windows\system32\msfeedssync.exe [2012-09-22 08:30]

.

.

--------- X64 Entries -----------

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.rr.com/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://www.google.com

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.202.1.30 10.203.1.30 10.201.1.30

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-DefaultTab - c:\users\Jim\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe

AddRemove-DefaultTab Chrome - c:\program files (x86)\DefaultTab\uninstaller.exe

AddRemove-sp41119 - c:\hp\Softpaq\sp41119\sp41119.exe

AddRemove-sp41121 - c:\hp\Softpaq\sp41121\sp41121.exe

AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{E2AF211B-86DA020A-05040000}]

"ImagePath"="\??\c:\progra~2\PC-DOC~1\PCD5SRVC_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

Completion time: 2012-12-11 12:50:04

ComboFix-quarantined-files.txt 2012-12-11 18:50

ComboFix2.txt 2012-12-11 17:12

.

Pre-Run: 413,273,247,744 bytes free

Post-Run: 413,224,312,832 bytes free

.

- - End Of File - - 85D62AAB28D1A5F6F3E737E448026510
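As an added example (not code from this thread, from ComboFix or from its author), the following Python script does mechanically what the helper did by eye across the two ComboFix logs above: it parses the Run keys, the Browser Helper Object key and the 'Scheduled Tasks' listing from the "Reg Loading Points" area, flags any autorun whose binary sits under a user-writable path such as AppData (here the Playtopus BHO and the Playtopus Updater task), and compares a before/after pair of logs to report what disappeared after the CFScript run and what is still listed. The two log excerpts embedded in it are constructed, modelled on the logs posted in this thread; the regular expressions, section names and the user-writable heuristic are this example's own assumptions about the log layout, not a ComboFix API.

```python
"""Triage autorun entries in ComboFix-style logs and compare a before/after pair.
Added example, not ComboFix code; the log excerpts below are constructed,
modelled on the first and second ComboFix logs posted in this thread."""
import re

# Constructed excerpt modelled on the first log (before the CFScript run).
LOG_BEFORE = r"""
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8EBA1B69-99D8-4135-BD43-729BA79D5CC4}]
2012-11-18 01:46 111104 ----a-w- c:\users\Craig\AppData\Local\Playtopus\Playtopus.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe\" /prefetch:1"
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-01 23:43]
.
2012-12-06 c:\windows\Tasks\Playtopus Updater.job
- c:\users\Craig\AppData\Local\PLAYTO~1\Updater.dll [2012-11-18 01:46]
"""

# Constructed excerpt modelled on the second log (after the CFScript run):
# the Playtopus task is gone, the BHO key is still listed.
LOG_AFTER = r"""
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8EBA1B69-99D8-4135-BD43-729BA79D5CC4}]
c:\users\Craig\AppData\Local\Playtopus\Playtopus.dll [bU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-01 23:43]
"""

KEY_LINE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# Only Run keys and Browser Helper Object keys are treated as autorun points here.
AUTORUN_KEY = re.compile(r'CurrentVersion\\Run$|Browser Helper Objects', re.I)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# BHO target: optional "date time size attrs" prefix, a path, optional trailing [tag].
BHO_TARGET = re.compile(r'^(?:\S+ \S+ \d+ \S+ )?(?P<path>[a-z]:\\.+?)(?: \[[^\]]*\])?$', re.I)
TASK_LINE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>[a-z]:\\.+\.job)$', re.I)
TASK_TARGET = re.compile(r'^- (?P<path>[a-z]:\\.+?)(?: \[[^\]]*\])?$', re.I)
# Locations a standard user can write to without elevation (heuristic, assumed).
USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\appdata\\|\\temp\\|\\users\\public\\', re.I)


def parse_autoruns(log_text):
    """Return (section, name, path) tuples for Run values, BHOs and scheduled tasks."""
    entries, section, job = [], None, None
    for line in (l.strip() for l in log_text.splitlines()):
        if "'Scheduled Tasks'" in line:
            section, job = 'Scheduled Tasks', None
        elif m := KEY_LINE.match(line):  # a key header selects a section, or none
            section = m.group('key') if AUTORUN_KEY.search(m.group('key')) else None
        elif section == 'Scheduled Tasks':
            if m := TASK_LINE.match(line):
                job = m.group('job')          # the .job name; its target follows
            elif job and (m := TASK_TARGET.match(line)):
                entries.append((section, job, m.group('path')))
                job = None
        elif section and 'Browser Helper Objects' in section:
            if m := BHO_TARGET.match(line):
                entries.append((section, 'BHO', m.group('path')))
        elif section and (m := RUN_VALUE.match(line)):
            entries.append((section, m.group('name'), m.group('path')))
    return entries


def flag_user_writable(entries):
    """Autorun entries whose binary lives in a user-writable location: triage these first."""
    return [e for e in entries if USER_WRITABLE.search(e[2])]


def remediation_diff(before_text, after_text):
    """(removed, added) autorun entries between two logs of the same machine."""
    before, after = set(parse_autoruns(before_text)), set(parse_autoruns(after_text))
    return sorted(before - after), sorted(after - before)


def report(before_text, after_text):
    """One line per finding: FLAG (suspicious before), GONE (removed), STILL (remains)."""
    lines = [f'FLAG  {n} -> {p}' for _, n, p in flag_user_writable(parse_autoruns(before_text))]
    removed, _ = remediation_diff(before_text, after_text)
    lines += [f'GONE  {n} -> {p}' for _, n, p in removed]
    lines += [f'STILL {n} -> {p}' for _, n, p in flag_user_writable(parse_autoruns(after_text))]
    return lines


if __name__ == '__main__':
    print('\n'.join(report(LOG_BEFORE, LOG_AFTER)))
```

Run on the constructed pair, the report flags both Playtopus entries in the first log, shows the scheduled task as gone after the CFScript run, and shows the BHO key as still listed, which is the same thing a reader sees by comparing the two posted logs by hand; the same parser accepts a full ComboFix log because keys that are not autorun points (such as the Services\NIS ImagePath) are skipped.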


Good! :)

Step 1

Follow the instructions here to clean the remnants from Norton:

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&entsrc=redirect_pubweb&lg=en&product=home&pvid=f-home&version=1&docid=kb20080828154508EN_EndUserProfile_en_us

Step 2

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
