Jump to content

Virus infected and keeps coming back?


Recommended Posts

Hi all,

New to this virus killing so please go gentle on me!

The second PC I'm using keeps getting virus' where it redirects the IE to porn sites, etc. when searching for basics like BBC. It also pops up various sites and put odd forign sounds through the speakers!

I've followed your instructions have have the below 3 logs.

mbam-log-2012-12-06 (23-18-18)

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.06.12

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Powell :: POWELL_PC [administrator]

06/12/2012 23:18:18

mbam-log-2012-12-06 (23-18-18).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 207336

Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK

Internet Explorer: 9.0.8112.16448

Run by Powell at 23:30:00 on 2012-12-06

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2036.1177 [GMT 0:00]

.

AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\Explorer.EXE

C:\Program Files\test\SASCORE.EXE

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uWindow Title = Internet Explorer provided by Dell

uSearch Bar = hxxp://www.btopenworld.com/searchpane

uDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=4080105

mDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=4080105

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} -

BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} -

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [sUPERAntiSpyware] c:\program files\test\SUPERAntiSpyware.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [ROC_ROC_JULY_P1] "c:\program files\avg secure search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRunOnce: [GrpConv] grpconv -o

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: NameServer = 194.168.4.100 194.168.8.100

TCP: Interfaces\{E0E19315-2928-478F-AA59-5A4739D96A59} : DHCPNameServer = 194.168.4.100 194.168.8.100

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\test\SASSEH.DLL

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

.

============= SERVICES / DRIVERS ===============

.

R2 !SASCORE;SAS Core Service;c:\program files\test\SASCore.exe [2012-7-11 116608]

S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 27496]

S1 SASDIFSV;SASDIFSV;c:\program files\test\sasdifsv.sys [2011-7-22 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\test\SASKUTIL.SYS [2011-7-12 67664]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-8-16 21504]

S2 W32Sch;Windows Scheduler;c:\windows\msiserv.exe [2012-9-10 254888]

S3 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-12-06 22:45:16 -------- d-sh--w- C:\$RECYCLE.BIN

2012-12-06 22:43:05 -------- d-s---w- C:\ComboFix

2012-12-06 22:29:59 -------- d-----w- c:\users\powell\appdata\local\Google

2012-12-04 00:14:56 -------- d-----w- c:\users\powell\appdata\local\Adobe

2012-12-03 23:33:01 -------- d-----w- c:\users\powell\appdata\roaming\SUPERAntiSpyware.com

2012-12-03 23:32:37 -------- d-----w- c:\program files\test

2012-12-03 22:25:43 -------- d-----w- c:\program files\PC Tools

2012-12-03 22:24:03 202280 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2012-12-03 22:24:03 -------- d-----w- c:\program files\common files\PC Tools

2012-12-03 22:23:12 -------- d-----w- c:\users\powell\appdata\roaming\TestApp

2012-12-03 22:23:12 -------- d-----w- c:\programdata\PC Tools

2012-12-02 14:09:23 477168 ----a-w- c:\windows\system32\npdeployJava1.dll

.

==================== Find3M ====================

.

2012-12-02 14:08:59 473072 ----a-w- c:\windows\system32\deployJava1.dll

2012-12-02 14:04:21 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-02 14:04:21 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-29 19:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-10 11:23:59 254888 ----a-w- c:\windows\msiserv.exe

.

============= FINISH: 23:32:43.06 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume3

Install Date: 05/01/2008 14:55:20

System Uptime: 06/12/2012 22:53:11 (1 hours ago)

.

Motherboard: Dell Inc. | | 0RY007

Processor: Intel® Core2 Duo CPU E4500 @ 2.20GHz | Socket 775 | 2194/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 139 GiB total, 60.287 GiB free.

D: is FIXED (NTFS) - 10 GiB total, 4.253 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

ABBYY FineReader 6.0 Sprint

Adobe Flash Player 11 ActiveX

Adobe Reader 8.1.3

Boots F2CD Picture Suite

Camera RAW Plug-In for EPSON Creativity Suite

Compatibility Pack for the 2007 Office system

Conexant D850 PCI V.92 Modem

Digital Line Detect

EPSON Attach To Email

EPSON Easy Photo Print

EPSON File Manager

EPSON Scan

EPSON Scan Assistant

EPSON Stylus SX200_SX400_TX200_TX400 Manual

EPSON Stylus SX400 Series Printer Uninstall

Google Chrome

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Intel® PRO Network Connections 12.1.11.0

Java Auto Updater

Java 6 Update 37

Java SE Runtime Environment 6

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Modem Diagnostic Tool

MSVCRT

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NetWaiting

OGA Notifier 2.0.0048.0

PowerDVD

Realtek High Definition Audio Driver

Roxio Creator Audio

Roxio Creator BDAV Plugin

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Express Labeler

Roxio MyDVD DE

Roxio Update Manager

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Skype Toolbars

Skype™ 5.2

Sonic Activation Module

SUPERAntiSpyware

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

User's Guides

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Live Upload Tool

Windows Live Writer

Windows Mobile Device Center

Windows Mobile Device Center Driver Update

.

==== End Of File ===========================

Please help as it's driving me mad!

Link to post
Share on other sites

  • Staff

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

Link to post
Share on other sites

Completed the above and all seems to be working great now thanks.

Below are the 2 logs as requested....

System Log was so big i have to attached it.

MBAR log after 1st scan....

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.12.06.13

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Powell :: POWELL_PC [administrator]

07/12/2012 01:01:19

mbar-log-2012-12-07 (01-01-19).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 25849

Time elapsed: 14 minute(s), 23 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 11

C:\Windows\system32\drivers\ab8ab7175eb8cab.sys (Rootkit.Necurs) -> Delete on reboot. [d3e15255e29cd10993c399aea29f7d53]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_3_312496128_infected.mbam (Rootkit.Alureon.E.VBR) -> Delete on reboot. [31ba07904227693b2884b069e702d5d2]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Alureon.E.VBR) -> Delete on reboot. [dc25ad1ba05c99b57384557812ee9d21]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_312480000_user.mbam (Forged physical sector) -> Delete on reboot. [52f75630ce5c4a808d16e59bcde58c7e]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_312497113_user.mbam (Forged physical sector) -> Delete on reboot. [c47c94f4418255cc89d93b07aa7a82da]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_312499983_user.mbam (Forged physical sector) -> Delete on reboot. [711f33ebad49260aefcfc22b92fab5a9]

c:\windows\syshost.exe (Trojan.Downloader) -> Delete on reboot. [aa511abf035af93df01a40a2b949f907]

c:\users\powell\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [33c823b6b5a8dd59e3210b3e996a2ad6]

c:\windows\serviceprofiles\localservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [ba41a831d885c17574900a3f4fb4de22]

c:\windows\serviceprofiles\networkservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [6e8d5e7b86d7c175d133aa9f57ac6e92]

c:\windows\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [f90219c095c871c560a42c1d44bf35cb]

(end)

MBAR log after 2nd scan....

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.12.07.04

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Powell :: POWELL_PC [administrator]

07/12/2012 11:47:45

mbar-log-2012-12-07 (11-47-45).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 25876

Time elapsed: 29 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

This there anythnig else I need to do now?

What software would you recommend running on a PC full time to prevent re-infection?

system-log.txt

Link to post
Share on other sites

  • Staff

we have a little more work to do to make certain there are no leftovers and I will make some recommendations at the end, so stick with me. please run the following:

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Link to post
Share on other sites

Here you go.....

ComboFix 12-12-04.01 - Powell 07/12/2012 18:09:34.1.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2036.884 [GMT 0:00]

Running from: c:\users\Powell\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Powell\AppData\Local\Temp\12071249-00000110-bhxooivlce\tmp84F8.tmp

c:\users\Powell\AppData\Roaming\Efzy

c:\users\Powell\AppData\Roaming\Efzy\uhuqo.ruy

c:\users\Powell\AppData\Roaming\Microsoft\Windows\.data

c:\users\Powell\AppData\Roaming\Obifem

c:\users\Powell\AppData\Roaming\Obifem\yppum.cao

c:\windows\Installer\{ff89b466-57b4-627d-bc2f-2671b90096a1}\@

c:\windows\Installer\{ff89b466-57b4-627d-bc2f-2671b90096a1}\L\00000004.@

c:\windows\Installer\{ff89b466-57b4-627d-bc2f-2671b90096a1}\L\1afb2d56

c:\windows\Installer\{ff89b466-57b4-627d-bc2f-2671b90096a1}\L\201d3dde

c:\windows\Installer\{ff89b466-57b4-627d-bc2f-2671b90096a1}\U\00000004.@

c:\windows\Installer\{ff89b466-57b4-627d-bc2f-2671b90096a1}\U\000000cb.@

c:\windows\wininit.ini

.

.

((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))

.

.

2012-12-07 18:16 . 2012-12-07 18:16 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-07 13:05 . 2012-12-07 13:05 -------- d-----w- c:\windows\en

2012-12-07 13:04 . 2010-09-23 00:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2012-12-07 13:04 . 2012-12-07 13:04 -------- dc----w- c:\windows\system32\DRVSTORE

2012-12-07 13:04 . 2012-12-07 13:04 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2012-12-07 13:02 . 2012-12-07 13:02 -------- d-----w- c:\program files\MSN Toolbar

2012-12-07 13:01 . 2012-12-07 13:02 -------- d-----w- c:\program files\Bing Bar Installer

2012-12-07 13:01 . 2009-09-04 17:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2012-12-07 13:01 . 2009-09-04 17:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2012-12-07 13:01 . 2009-09-04 17:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2012-12-07 13:01 . 2006-11-29 13:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2012-12-07 13:00 . 2012-12-07 13:01 -------- d-----w- c:\program files\Microsoft Silverlight

2012-12-07 12:52 . 2012-12-07 12:52 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\c74478321cdd47925\InstallManager_WLE_WLE.exe

2012-12-07 12:52 . 2012-12-07 12:52 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\ac8da9d21cdd4791a\MeshBetaRemover.exe

2012-12-07 12:51 . 2012-12-07 12:51 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\913c22121cdd47912\DSETUP.dll

2012-12-07 12:51 . 2012-12-07 12:51 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\913c22121cdd47912\DXSETUP.exe

2012-12-07 12:51 . 2012-12-07 12:51 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\913c22121cdd47912\dsetup32.dll

2012-12-07 12:51 . 2012-12-07 12:51 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\8ffac8721cdd47911\DSETUP.dll

2012-12-07 12:51 . 2012-12-07 12:51 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\8ffac8721cdd47911\DXSETUP.exe

2012-12-07 12:51 . 2012-12-07 12:51 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\8ffac8721cdd47911\dsetup32.dll

2012-12-07 12:50 . 2012-12-07 12:50 6260088 ----a-w- c:\program files\Common Files\Windows Live\.cache\679412121cdd47905\Silverlight.4.0.exe

2012-12-07 12:00 . 2012-11-19 01:04 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F8A52066-080A-4FB5-B98A-BAFFF1F9019E}\mpengine.dll

2012-12-07 11:55 . 2012-12-07 11:55 -------- d-----w- c:\program files\Common Files\Skype

2012-12-07 11:41 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll

2012-12-07 11:41 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-07 11:41 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll

2012-12-07 11:41 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-12-07 11:41 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-12-07 11:40 . 2012-10-12 14:29 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-12-07 11:34 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-12-07 11:34 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-12-07 11:11 . 2012-12-07 11:11 -------- d-----w- c:\users\Powell\AppData\Local\PowerDVD DX

2012-12-06 22:29 . 2012-12-06 22:29 -------- d-----w- c:\users\Powell\AppData\Local\Google

2012-12-04 00:14 . 2012-12-04 00:15 -------- d-----w- c:\users\Powell\AppData\Local\Adobe

2012-12-03 23:32 . 2012-12-07 11:13 -------- d-----w- c:\program files\test

2012-12-03 22:25 . 2012-12-03 22:25 -------- d-----w- c:\program files\PC Tools

2012-12-03 22:24 . 2012-12-03 23:04 -------- d-----w- c:\program files\Common Files\PC Tools

2012-12-03 22:24 . 2012-11-01 15:35 202280 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2012-12-03 22:23 . 2012-12-03 23:03 -------- d-----w- c:\programdata\PC Tools

2012-12-03 22:23 . 2012-12-03 22:23 -------- d-----w- c:\users\Powell\AppData\Roaming\TestApp

2012-12-02 14:09 . 2012-12-02 14:08 477168 ----a-w- c:\windows\system32\npdeployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-07 13:02 . 2010-06-24 11:33 19696 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-12-02 14:08 . 2011-03-04 16:59 473072 ----a-w- c:\windows\system32\deployJava1.dll

2012-12-02 14:04 . 2012-06-11 23:13 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-02 14:04 . 2012-06-11 23:13 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-29 19:54 . 2011-03-04 11:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-10 11:23 . 2012-09-10 11:23 254888 ----a-w- c:\windows\msiserv.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-25 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-25 154136]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-25 129560]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2006-11-05 11:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2012-07-13 13:33 17419952 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2502074296-1060862760-2130226744-1000]

"EnableNotifications"=dword:00000001

"EnableNotificationsRef"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

bthsvcs REG_MULTI_SZ BthServ

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-11 14:04]

.

2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-11 11:32]

.

2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-11 11:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll

Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll

HKLM-Run-ROC_ROC_JULY_P1 - c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\test\SASSEH.DLL

MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe

MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

MSConfigStartUp-tgwuc - c:\users\Powell\tgwuc.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-07 18:21

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\servicing\TrustedInstaller.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\msiserv.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\windows\RtHDVCpl.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2012-12-07 18:24:44 - machine was rebooted

ComboFix-quarantined-files.txt 2012-12-07 18:24

.

Pre-Run: 74,774,810,624 bytes free

Post-Run: 75,650,760,704 bytes free

.

- - End Of File - - F0729F5880430FD296928ECE8DFD490C

Link to post
Share on other sites

  • Staff

Please run the following:

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

NEXT

Please advise if there are any outstanding issues

Link to post
Share on other sites

First log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 3.9.9 (12.08.2012:3)

OS: Windows Vista Home Basic x86

Ran by Powell on 08/12/2012 at 17:35:53.69

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\S-1-5-21-2502074296-1060862760-2130226744-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{95b7759c-8c7f-4bf1-b163-73684a933233}

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 08/12/2012 at 17:37:52.35

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Link to post
Share on other sites

ESET...

C:\Qoobox\Quarantine\C\Windows\Installer\{ff89b466-57b4-627d-bc2f-2671b90096a1}\U\000000cb.@.vir Win32/Conedex.O trojan

C:\Users\Powell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3e5a138c-6b0ec259 multiple threats

C:\Users\Powell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\7502b54c-2dc93ce3 Java/Exploit.CVE-2012-0507.BR trojan

C:\Users\Powell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\23dea351-263c965d Java/Exploit.CVE-2012-0507.BS trojan

C:\Users\Powell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\55aa8f03-4205d649 Java/Exploit.CVE-2012-0507.BZ trojan

C:\Users\Powell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\59516da1-45d16f38 Java/Exploit.CVE-2012-0507.BR trojan

C:\Users\Powell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\877c433-657faa19 Java/Exploit.CVE-2012-0507.BR trojan

C:\Users\Powell\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120612015248717.rsc multiple threats

Link to post
Share on other sites

  • Staff

The items found are either in quarantine, not a concern or in Java cache, so we need to update Java and empty the Java cache

Please run the following:

Visit ADOBE and download the latest version of Acrobat Reader (version XI)

Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

javaicon.jpg

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 7 and Save it to your Desktop.
  • Scroll down to where it says Java SE 7u9
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u9-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are three options in the window to clear the cache - Leave these two Checked

      • Trace and Log Files
        Cached Applications and Applets

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

NEXT

Please advise how the computer is running now and if there are any outstanding issues

Link to post
Share on other sites

  • Staff

not certain about the .pst as nothing we have used has deleted it and we can see what is going on with the Firewall and Defender

please run the following:

Please download Farbar Service Scanner and run it

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

    [*]Press "Scan".

    [*]It will create a log (FSS.txt) in the same directory the tool is run.

    [*]Please copy and paste the log to your reply.

NEXT

http://ask-leo.com/how_do_i_repair_a_corrupt_pst_file.html

have a look there for instructions on how to repair a corrupt .pst file, let me know if that helps

Link to post
Share on other sites

FSS

Farbar Service Scanner Version: 10-12-2012

Ran by Powell (administrator) on 10-12-2012 at 21:08:46

Running from "C:\Users\Powell\Desktop"

Windows Vista Home Basic Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll

[2012-12-07 11:41] - [2012-06-02 00:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites

  • Staff

you may need to reinstall Outlook

please run the following:

  1. Please download ServicesRepair and save it to your desktop.
    • Double-click ServicesRepair.exe.
    • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
    • A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.

[*]After restart wait for a couple of minutes till the system has settled down. Then run Farbar Service scanner once more with all the options checked and post the log.

Link to post
Share on other sites

CC Support.....

Log Opened: 2012-12-11 @ 18:05:38

18:05:38 - -----------------

18:05:38 - | Begin Logging |

18:05:38 - -----------------

18:05:38 - Fix started on a WIN_VISTA X86 computer

18:05:38 - Prep in progress. Please Wait.

18:05:39 - Prep complete

18:05:39 - Repairing Services Now. Please wait...

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\BFE.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\SubLayer>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Provider>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Filter>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime\Filter>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE>

SetACL finished successfully.

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\BITS.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Performance>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\iphlpsvc.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Teredo>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Interfaces>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\config>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc>

SetACL finished successfully.

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\MpsSvc.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Security>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc>

SetACL finished successfully.

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\SharedAccess.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile\Logging>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile\Logging>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile\Logging>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\WinDefend.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Security>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend>

SetACL finished successfully.

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\wscsvc.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.

INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.

INFORMATION: Input file for restore operation opened: '.\Vista\wuauserv.sddl'

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>

INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.

18:05:40 - Services Repair Complete.

18:06:08 - Reboot Initiated

Link to post
Share on other sites

Farbar Service Scanner Version: 10-12-2012

Ran by Powell (administrator) on 11-12-2012 at 18:11:46

Running from "C:\Users\Powell\Desktop"

Windows Vista Home Basic Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll

[2012-12-07 11:41] - [2012-06-02 00:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites

  • Staff

I believe AVG is controlling that.

Are you now able to turn on Windows Firewall?

If you are not, try uninstalling AVG completely, use the removal tool to remove all traces of it, then see if the Firewall functions as it should. (It may have been corrupted by the infection)

http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

If you want to try a different AV, give Microsoft Security Essentials a try.

http://www.microsoft.com/security_essentials/

let me know if there are any outstanding issues

Link to post
Share on other sites

  • Staff

yes, MSE disables Defender as it contains the same componants within it.

Is the firewall working properly now?

let's see if that .pst file pops up anywhere

please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *.pst


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.