
Windows Command Processor


GarethO


Hello. I am having some trouble with Windows Command Processor. Whenever I am using my computer (usually a few seconds after first loading it up) I get a prompt telling me Windows Command Processor wants to make changes to the system. Unsure of what exactly it wants to change, I click No, but it just keeps popping up requesting the same thing. I ran a scan with Malwarebytes in Safe Mode (I don't get the prompt in Safe Mode) but it detected nothing.

I have attached the text files you requested and am eagerly awaiting any response. Thank you for your time.

attach.txt

dds.txt


Please download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users: accept the UAC alert. Be aware that all processes will be stopped during the run and the Desktop will disappear; it will be put back on completion.

  • Copy the text from the code box below to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "QydVvetf"=-
    :Files
    ipconfig /flushdns /c
    C:\Users\Gareth\AppData\Local\isljleno
    C:\Users\Gareth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qydvvetf.exe
    C:\Users\Gareth\14895421.exe
    C:\Users\Gareth\AppData\Local\7R488qwy71m
    C:\Users\Gareth\AppData\Roaming\Vedu
    C:\Users\Gareth\AppData\Roaming\Domydu
    C:\Users\Gareth\AppData\Roaming\Koece
    C:\Users\Gareth\AppData\Roaming\Eqipo
    C:\Users\Gareth\AppData\Roaming\Arne
    :Commands
    [EmptyTemp]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Run Malwarebytes, check for updates, then run a Full scan and post that log.

Post the logs from OTM and Malwarebytes in your reply, and give an update on any issues or concerns.

Kevin

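The OTM script above removes two user-level persistence points: a value under HKCU\...\CurrentVersion\Run and an executable dropped into the user's Startup folder. Those are the same entries a DDS log lists under uRun/mRun and StartupFolder, and the first triage question for each one is whether the file it launches lives somewhere a standard user can write to. The following Python is an added example, not part of the original thread and not code from OTM, DDS or Malwarebytes: it parses lines in the DDS "Pseudo HJT Report" format, resolves the file that actually executes (unwrapping rundll32-style loaders), and flags entries whose payload sits under the user profile, ProgramData or Windows\Temp. The sample input is constructed: four lines are copied from the DDS log posted later in this thread, and the last StartupFolder line is built from the path the OTM script removed, since the pre-cleanup DDS output was attached rather than posted. A flag is a prompt for human review, not a malware verdict.

```python
"""Triage autostart entries from a DDS-style log (uRun/mRun/StartupFolder lines).

Flags entries whose executed file sits in a user-writable location and notes when
a built-in loader such as rundll32.exe is used to run it. A flag is a prompt for
human review, not a verdict.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<target>.+)$")

# Signed Windows binaries commonly used to launch a payload stored elsewhere.
LOADERS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "powershell.exe"}

# Locations a standard (non-admin) user can write to.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+|programdata|windows\\temp)\\", re.IGNORECASE)


class Finding(NamedTuple):
    source: str            # "HKCU Run", "HKLM Run" or "Startup folder"
    name: str              # Run value name or Startup shortcut name
    payload: str           # file that actually executes
    reasons: Tuple[str, ...]


def _first_token(cmd: str) -> Tuple[str, str]:
    """Split a command line into (program, rest), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def resolve_payload(cmd: str) -> Tuple[str, Optional[str]]:
    """Return (payload_path, loader). For a loader binary the payload is its first
    non-switch argument; for rundll32 the ',EntryPoint' suffix is stripped."""
    prog, args = _first_token(cmd)
    base = prog.rsplit("\\", 1)[-1].lower()
    if base in LOADERS and args:
        payload, rest = _first_token(args)
        while payload.startswith(("/", "-")) and rest:   # skip switches such as /s
            payload, rest = _first_token(rest)
        return payload.split(",", 1)[0], base
    return prog, None


def assess(source: str, name: str, payload: str, loader: Optional[str]) -> Finding:
    reasons = []
    if USER_WRITABLE_RE.match(payload):
        reasons.append("payload in user-writable path")
        if loader:
            reasons.append(f"launched via {loader}")
    return Finding(source, name, payload, tuple(reasons))


def triage(dds_text: str) -> List[Finding]:
    """Return only the entries that earned at least one reason."""
    findings = []
    for line in dds_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            source = "HKCU Run" if m["hive"] == "u" else "HKLM Run"
            payload, loader = resolve_payload(m["cmd"])
            finding = assess(source, m["name"], payload, loader)
        else:
            m = STARTUP_RE.match(line)
            if not m:
                continue
            finding = assess("Startup folder", m["lnk"].rsplit("\\", 1)[-1],
                             m["target"], None)
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed sample. The first four lines copy entries from the DDS log posted
# later in this thread; the last is constructed from the Startup-folder path the
# OTM script removed (the pre-cleanup DDS output was not posted).
SAMPLE_DDS = r"""
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [TheCreativeAssembly] Rundll32.exe C:\Users\Gareth\AppData\Local\TheCreativeAssembly\wudctnxo.dll,CryModuleGetMemoryInfo
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Gareth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\Users\Gareth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\QYDVVE~1.EXE - C:\Users\Gareth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qydvvetf.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.source:15} {f.name:22} {f.payload}")
        print(f"{'':15} {'; '.join(f.reasons)}")
```

Entries in Program Files pass silently; the rundll32 line and the Startup-folder executable come back flagged. The loader check only adds weight when the payload is already in a user-writable path, so legitimate rundll32 entries that point into System32 are not reported.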

Hey Kevin! Thanks for the quick response. I have posted the log from OTM below and will post the log from the Malwarebytes scan when it is completed (it will take some time, however; about 8 hours last time I did a full scan).

All processes killed

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\QydVvetf deleted successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Gareth\Desktop\cmd.bat deleted successfully.

C:\Users\Gareth\Desktop\cmd.txt deleted successfully.

C:\Users\Gareth\AppData\Local\isljleno folder moved successfully.

C:\Users\Gareth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qydvvetf.exe moved successfully.

C:\Users\Gareth\14895421.exe moved successfully.

C:\Users\Gareth\AppData\Local\7R488qwy71m folder moved successfully.

C:\Users\Gareth\AppData\Roaming\Vedu folder moved successfully.

C:\Users\Gareth\AppData\Roaming\Domydu folder moved successfully.

C:\Users\Gareth\AppData\Roaming\Koece folder moved successfully.

C:\Users\Gareth\AppData\Roaming\Eqipo folder moved successfully.

C:\Users\Gareth\AppData\Roaming\Arne folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 41620 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Gareth


Sorry about the delay. Malwarebytes has finished its scan and found no malicious threats (I assume the scan was to confirm nothing remained and OTM did the threat removal itself?). Everything appears to be running fine on this end! You have my sincerest thanks for your assistance with this, Kevin! Is there anything else you would like me to run or do?

One quick question: while everything seems to be running fine now, if the problem does reoccur should I continue to reply to this topic or start a new one (effectively treating it as a new issue)?

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.22.04

Windows 7 x64 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.7600.16385

Gareth :: GARETH-PC [administrator]

22/12/2012 17:27:05

mbam-log-2012-12-22 (17-27-05).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 1496337

Time elapsed: 8 hour(s), 33 minute(s), 31 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Don't worry about reply times, just respond when you're ready. The MB full scan is more in-depth and looks at more areas, such as the system restore cache, hence the extended time taken.

If the system is responding normally now, the next step is to run DDS one more time and post a fresh set of logs. Also run the following:

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post the two logs from DDS and the log from Security Check in your next reply.

Regarding your other question: if we get to a point where the system is clean, with no malware, the thread will be closed out. If the same issue returns you can PM any of the moderators and have the thread re-opened.

Kevin


Find below the logs as requested (DDS, Attach, then Checkup):

DDS

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 1.6.0_37

Run by Gareth at 17:07:26 on 2012-12-23

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3263.2060 [GMT 0:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\SearchFilterHost.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [steam] "C:\Program Files (x86)\Steam\steam.exe" -silent

uRun: [TheCreativeAssembly] Rundll32.exe C:\Users\Gareth\AppData\Local\TheCreativeAssembly\wudctnxo.dll,CryModuleGetMemoryInfo

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

StartupFolder: C:\Users\Gareth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{7D5D1731-41C9-4A56-9CFB-7A8E84421ADE} : DHCPNameServer = 192.168.0.1

SSODL: WebCheck - <orphaned>

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Gareth\AppData\Roaming\Mozilla\Firefox\Profiles\7yum43hf.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_278.dll

FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - ExtSQL: 2012-11-06 23:27; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-11-30 382824]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-23 59392]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-23 1255736]

.

=============== Created Last 30 ================

.

2012-12-23 05:19:45 -------- d-----w- C:\Windows\SysWow64\Wat

2012-12-23 05:19:45 -------- d-----w- C:\Windows\System32\Wat

2012-12-23 05:12:29 -------- d-----w- C:\Windows\System32\SPReview

2012-12-23 05:10:45 -------- d-----w- C:\Windows\System32\EventProviders

2012-12-23 05:05:59 958464 ----a-w- C:\Windows\System32\actxprxy.dll

2012-12-23 05:04:59 957440 ----a-w- C:\Windows\System32\mblctr.exe

2012-12-23 05:03:55 606208 ----a-w- C:\Windows\SysWow64\wbem\fastprox.dll

2012-12-23 05:03:55 363008 ----a-w- C:\Windows\SysWow64\wbemcomn.dll

2012-12-23 05:03:55 189952 ----a-w- C:\Program Files (x86)\Windows Portable Devices\sqmapi.dll

2012-12-23 05:02:49 529408 ----a-w- C:\Windows\System32\wbemcomn.dll

2012-12-23 05:02:49 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll

2012-12-23 05:02:40 244736 ----a-w- C:\Windows\System32\sqmapi.dll

2012-12-23 03:47:23 294912 ----a-w- C:\Windows\System32\browserchoice.exe

2012-12-23 03:29:30 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{90DB79FF-BCE3-46DA-A9C8-5542D6944F79}\mpengine.dll

2012-12-23 03:28:42 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll

2012-12-23 03:28:42 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-23 03:28:42 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-23 03:28:41 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-23 03:28:41 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-23 03:28:41 100864 ----a-w- C:\Windows\System32\fontsub.dll

2012-12-23 03:22:48 81408 ----a-w- C:\Windows\System32\imagehlp.dll

2012-12-23 03:22:48 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2012-12-23 03:22:48 5120 ----a-w- C:\Windows\System32\wmi.dll

2012-12-23 03:22:48 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2012-12-23 03:22:48 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2012-12-23 03:13:54 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll

2012-12-23 03:12:48 1544704 ----a-w- C:\Windows\System32\DWrite.dll

2012-12-23 03:11:54 1395712 ----a-w- C:\Windows\System32\mfc42.dll

2012-12-23 03:05:03 956928 ----a-w- C:\Windows\System32\localspl.dll

2012-12-23 03:05:03 39424 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\winprint.dll

2012-12-23 03:00:57 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-12-23 03:00:57 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-12-23 03:00:57 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-12-23 03:00:55 288640 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-12-23 03:00:55 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-12-23 03:00:54 861696 ----a-w- C:\Windows\System32\oleaut32.dll

2012-12-23 03:00:53 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll

2012-12-23 03:00:53 331776 ----a-w- C:\Windows\System32\oleacc.dll

2012-12-23 03:00:53 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll

2012-12-23 02:58:29 723456 ----a-w- C:\Windows\System32\EncDec.dll

2012-12-23 02:58:29 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll

2012-12-23 02:58:23 1464320 ----a-w- C:\Windows\System32\crypt32.dll

2012-12-23 02:58:21 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-12-23 02:58:21 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-12-23 02:58:21 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-12-23 02:58:21 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-12-23 02:58:21 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2012-12-23 02:58:14 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys

2012-12-23 02:58:12 77312 ----a-w- C:\Windows\System32\packager.dll

2012-12-23 02:58:12 67072 ----a-w- C:\Windows\SysWow64\packager.dll

2012-12-23 02:47:33 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-12-23 02:47:00 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-12-23 02:46:23 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-12-23 02:46:23 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-12-22 17:06:39 -------- d-----w- C:\_OTM

2012-12-22 03:56:38 95184 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-12-05 23:36:43 96224 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe

2012-12-02 07:05:35 -------- d-sh--w- C:\$RECYCLE.BIN

2012-11-30 22:43:52 438632 ----a-w- C:\Windows\SysWow64\nvStreaming.exe

.

==================== Find3M ====================

.

2012-12-23 05:30:17 175616 ----a-w- C:\Windows\System32\msclmd.dll

2012-12-23 05:30:17 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2012-12-22 03:56:26 859072 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll

2012-12-22 03:56:26 779704 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-12-01 05:49:25 63336 ----a-w- C:\Windows\System32\nvshext.dll

2012-12-01 05:49:25 118120 ----a-w- C:\Windows\System32\nvmctray.dll

2012-12-01 05:49:24 890216 ----a-w- C:\Windows\System32\nvvsvc.exe

2012-12-01 05:48:41 6223208 ----a-w- C:\Windows\System32\nvcpl.dll

2012-12-01 05:48:37 3311464 ----a-w- C:\Windows\System32\nvsvc64.dll

2012-11-22 03:26:40 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll

2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll

2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll

2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-09-29 18:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-09-25 16:14:48 73136 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-25 16:14:48 696240 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

.

============= FINISH: 17:10:05.09 ===============

Attach

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 10/12/2009 12:44:10

System Uptime: 23/12/2012 17:01:04 (0 hours ago)

.

Motherboard: ASRock | | G31M-S.

Processor: Intel® Core2 Quad CPU Q9550 @ 2.83GHz | CPUSocket | 2825/333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 1397 GiB total, 885.788 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP335: 23/12/2012 05:12:09 - Windows 7 Service Pack 1

.

==== Installed Programs ======================

.

Acrobat.com

Adobe AIR

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Flash Player 11 ActiveX 64-bit

Adobe Flash Player 11 Plugin

Adobe Help Center 2.0

Adobe Reader 9.5.2

Adobe Stock Photos 1.0

Adventure Tools

Aliens vs Predator

Baldur's Gate & Tales of the Sword Coast

Baldur's Gate Tutu

Baldur's Gate II - Throne of Bhaal

Bastion

BioShock

BookSmart® 2.6.0 2.6.0

Breath of Death VII

Call of Cthulhu: Dark Corners of the Earth

Call of Duty® - World at War

Character Builder

Circle of Eight Modpack version 7.1.0 NC

Commandos 2: Men of Courage

Commandos 3: Destination Berlin

Commandos: Behind Enemy Lines

Commandos: Beyond the Call of Duty

Company of Heroes

Costume Quest

Cthulhu Saves the World

Dark Messiah Might and Magic Single Player

Dawn of War - Dark Crusade

Dawn of War - Soulstorm

Deus Ex: Game of the Year Edition

Deus Ex: Human Revolution

DoWpro 3.40 Full Installer

Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.11.00.812

Fallout

Fallout 2

Fallout Tactics

Fallout: New Vegas

ffdshow v1.1.3800 [2011-03-28]

FTL: Faster Than Light

Grand Theft Auto Vice City

Heroes of Might and Magic V

Heroes of Might and Magic V: Hammers of Fate

Heroes of Might and Magic V: Tribes of the East

Heroes of Might and Magic® III The Shadow of Death

Icewind Dale

Icewind Dale - Heart of Winter

Icewind Dale II

Installer

Jade Empire: Special Edition

Java 7 Update 10

Java Auto Updater

Java 6 Update 37

Java 7 Update 5 (64-bit)

King's Bounty: Armored Princess

King's Bounty: Crossworlds

King's Bounty: The Legend

King Arthur: Collection

L.A. Noire: The Complete Edition

Legend of Grimrock

Magic Online

Magic: The Gathering - Duels of the Planeswalkers 2013

Magic: The Gathering — Duels of the Planeswalkers 2012

Magicka

Malwarebytes Anti-Malware version 1.65.1.1000

Mass Effect

Mass Effect 2

Max Payne

Medal of Honor

Microsoft .NET Framework 1.1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Office Excel MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Standard 2007

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft XNA Framework Redistributable 3.1

Microsoft XNA Framework Redistributable 4.0

Might and Magic: Clash of Heroes

Morrowind

Mount & Blade: With Fire and Sword

Mount and Blade: Warband

Mozilla Firefox 17.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

Neverwinter Nights 2: Platinum

Neverwinter Nights 2: Platinum - Map Editor

NVIDIA 3D Vision Controller Driver

NVIDIA 3D Vision Controller Driver 310.70

NVIDIA 3D Vision Driver 310.70

NVIDIA Control Panel 310.70

NVIDIA Graphics Driver 310.70

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.1031

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.11.3

NVIDIA Update Components

Oblivion

Oddworld: Abe's Exoddus

Oddworld: Abe's Oddysee

Oddworld: Munch's Oddysee

Penny Arcade's On the Rain-Slick Precipice of Darkness 3

Planescape - Torment

Plants vs. Zombies: Game of the Year

Poker Night at the Inventory

Portal

Portal 2

Psychonauts

Recettear: An Item Shop's Tale

RGSS-RTP Standard

Rockstar Games Social Club

RollerCoaster Tycoon 2

RPGXP

Rusty Hearts

Sam & Max 101: Culture Shock

Sam & Max 102: Situation: Comedy

Sam & Max 103: The Mole, the Mob and the Meatball

Sam & Max 104: Abe Lincoln Must Die!

Sam & Max 105: Reality 2.0

Sam & Max 106: Bright Side of the Moon

Sam & Max 201: Ice Station Santa

Sam & Max 202: Moai Better Blues

Sam & Max 203: Night of the Raving Dead

Sam & Max 204: Chariots of the Dogs

Sam & Max 205: What's New Beelzebub?

Sam & Max 301: The Penal Zone

Sam & Max 302: The Tomb of Sammun-Mak

Sam & Max 303: They Stole Max's Brain!

Sam & Max 304: Beyond the Alley of the Dolls

Sam & Max 305: The City that Dares not Sleep

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Sonic Generations

SONIC THE HEDGEHOG 4 Episode I

SONIC THE HEDGEHOG 4 Episode II

Stacking

Star Wars: Knights of the Old Republic

Steam

SWAT 4

SWAT 4 - The Stetchkov Syndicate

Sword of the Stars Complete Collection

System Requirements Lab

System Requirements Lab CYRI

Temple of Elemental Evil

TES Construction Set

The Elder Scrolls V: Skyrim

The Lord of the Rings Online™ v03.02.04.8010

The Secret World

The Witcher: Enhanced Edition

Torchlight II

Ubisoft Game Launcher

Vampire - The Masquerade Bloodlines

Vtune 7.5

Warcraft III

Warcraft III: All Products

Warhammer 40,000 Space Marine

Warhammer 40,000: Dawn of War II

Warhammer 40,000: Dawn of War II - Chaos Rising

Warhammer® 40,000®: Dawn of War® II – Retribution™

Warhammer® 40,000®: Dawn of War® II – Retribution™ Beta

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Live Upload Tool

XCOM: Enemy Unknown

.

==== Event Viewer Messages From Past Week ========

.

23/12/2012 17:01:38, Error: Service Control Manager [7000] - The TBPanel service failed to start due to the following error: The system cannot find the file specified.

23/12/2012 17:01:14, Error: Microsoft-Windows-Kernel-Processor-Power [6] - Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.

23/12/2012 05:42:54, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63AA156-D534-4BAC-9BF1-55359CF5EC30} and APPID {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} to the user Gareth-PC\UpdatusUser SID (S-1-5-21-968410254-3297394599-293989845-1004) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

23/12/2012 05:28:41, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

23/12/2012 04:34:01, Error: Service Control Manager [7023] -

23/12/2012 04:29:57, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147023781.

23/12/2012 04:29:57, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x8007045B.

23/12/2012 04:29:54, Error: Service Control Manager [7034] - The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

23/12/2012 04:25:26, Error: Service Control Manager [7043] - The Windows Modules Installer service did not shut down properly after receiving a preshutdown control.

23/12/2012 04:24:17, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.

22/12/2012 17:02:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

22/12/2012 17:02:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

22/12/2012 17:02:33, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

22/12/2012 17:02:25, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

22/12/2012 17:02:21, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6

22/12/2012 05:30:10, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}

22/12/2012 03:44:21, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

19/12/2012 16:00:30, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

19/12/2012 16:00:29, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

19/12/2012 16:00:29, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

19/12/2012 16:00:19, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

19/12/2012 16:00:15, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

.

==== End Of File ===========================

Checkup Log

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 37

Java 7 Update 10

Java version out of Date!

Adobe Flash Player 11.4.402.278 Flash Player out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Firefox (17.0.1)

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 2%

````````````````````End of Log``````````````````````


DDS logs are clean, do the following:

Delete Java™ 6 Update 37 via Start > Control Panel > Uninstall a program. It is an outdated version of Java.

Next,

Adobe Reader is outdated. Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader.

Step 1 - Select your Operating System.

Step 2 - Select your Language.

Step 3 - Select latest version.

Untick the option for McAfee security scanner if offered.

Download and install.

Having the latest updates ensures there are no security vulnerabilities in your system.

Next,

Flash Player is outdated. Go here www.adobe.com/shockwave/welcome/ and have Adobe Flash Player checked. Accept the new version if required.

There may be an offer of Google Chrome; untick those options if offered...

Next,

One more in-depth AV scan is required; unfortunately this is also very thorough, so it will take a couple of hours:

Run ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7 users right click on the IE shortcut and run as admin.

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete:

If no threats were found

  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report here

Kevin....


Hey Kevin. I have updated Flash Player, Java and Adobe Reader as requested. Unfortunately Windows Update restarted my system to install updates some 8 hours into the scan so I will have to redo that from the start. I will post the scan log when it has completed but it will most likely be sometime in the afternoon now. Apologies for this significant delay.


ESET Scan Log found below.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.6.9.12\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.6.9.12\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\177RMVXC\i[1].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\177RMVXC\i[2].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\177RMVXC\i[3].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\99JZBGYJ\i[1].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9HGF100N\bf8c5[1].pdf JS/Exploit.Pdfka.PXS trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9HGF100N\f490e[1].pdf JS/Exploit.Pdfka.PWF trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9HGF100N\p50c13d92128721354841490[1].pdf JS/Exploit.Pdfka.OXB.Gen trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BOH4U5WT\sta1wo[1].pdf JS/Exploit.Pdfka.OXG.Gen trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C3QPI279\19[1].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C3QPI279\19[2].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C3QPI279\microkeep_com[1].htm HTML/ScrInject.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DINUEZ2T\19[1].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DINUEZ2T\19[2].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DINUEZ2T\pe3zu6tw[1].htm HTML/ScrInject.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FP3PVXXS\i[1].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FP3PVXXS\update20_voipassistant_uni_me[1].htm JS/TrojanDownloader.FraudLoad.NAQ trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JVSRD09V\19[1].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JVSRD09V\9[1].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0TRCXKC\19[1].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OMX3WSHF\19[1].htm HTML/Iframe.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PA6YHRSM\pe3zu6tw[1].htm HTML/ScrInject.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PA6YHRSM\pe3zu6tw[2].htm HTML/ScrInject.B.Gen virus

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\18140778[1].pdf JS/Exploit.Pdfka.PMN trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\43765[1].pdf JS/Exploit.Pdfka.PPO trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\64428a2b[1].pdf JS/Exploit.Pdfka.PMN trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\goldshwepes_biz[1].htm HTML/IFrame.L trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[4].pdf PDF/Exploit.CVE-2010-0188.AK trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[5].pdf JS/Exploit.Pdfka.PPC trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[6].pdf JS/Exploit.Pdfka.PPC trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[7].pdf PDF/Exploit.CVE-2010-0188.AK trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[1].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[2].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[3].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[4].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YEB16ELI\i[1].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YEB16ELI\i[2].htm JS/Kryptik.NX trojan

C:\Users\Gareth\AppData\Local\TheCreativeAssembly\wudctnxo.dll Win32/Kryptik.AQGX.Gen trojan

C:\Users\Gareth\AppData\Roaming\Mozilla\Firefox\Profiles\7yum43hf.default\user.js JS/SecurityDisabler.A.Gen application

C:\Users\Gareth\Desktop\winzip155.exe Win32/OpenCandy application

C:\_OTM\MovedFiles\12222012_170639\C_Users\Gareth\14895421.exe a variant of Win32/Kryptik.ARBF trojan

C:\_OTM\MovedFiles\12222012_170639\C_Users\Gareth\AppData\Local\isljleno\qydvvetf.exe a variant of Win32/Kryptik.ARBF trojan

C:\_OTM\MovedFiles\12222012_170639\C_Users\Gareth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qydvvetf.exe a variant of Win32/Kryptik.ARBF trojan


We need to run OTM one more time, ok do the following:

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, and the Desktop will disappear; this will be put back on completion....

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.6.9.12\BabylonToolbarApp.dll
    C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.6.9.12\BabylonToolbarsrv.exe
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\177RMVXC\i[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\177RMVXC\i[2].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\177RMVXC\i[3].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\99JZBGYJ\i[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9HGF100N\bf8c5[1].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9HGF100N\f490e[1].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9HGF100N\p50c13d92128721354841490[1].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BOH4U5WT\sta1wo[1].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C3QPI279\19[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C3QPI279\19[2].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C3QPI279\microkeep_com[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DINUEZ2T\19[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DINUEZ2T\19[2].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DINUEZ2T\pe3zu6tw[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FP3PVXXS\i[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FP3PVXXS\update20_voipassistant_uni_me[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JVSRD09V\19[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JVSRD09V\9[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0TRCXKC\19[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OMX3WSHF\19[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PA6YHRSM\pe3zu6tw[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PA6YHRSM\pe3zu6tw[2].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\18140778[1].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\43765[1].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\64428a2b[1].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\goldshwepes_biz[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[4].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[5].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[6].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\inseo[7].pdf
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[2].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[3].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RRSF6ELU\i[4].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YEB16ELI\i[1].htm
    C:\Users\Gareth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YEB16ELI\i[2].htm
    C:\Users\Gareth\AppData\Local\TheCreativeAssembly\wudctnxo.dll
    C:\Users\Gareth\AppData\Roaming\Mozilla\Firefox\Profiles\7yum43hf.default\user.js
    C:\Users\Gareth\Desktop\winzip155.exe
    :Commands
    [EmptyTemp]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red btnmoveit.png button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

When OTM has completed, run this:

Download AdwCleaner by Xplode from http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Post both of the above logs, also let me know if there are any remaining issues or concerns....

Thanks,

Kevin,,

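As an added example (not from the thread, and not part of OTM itself), the following PowerShell function checks an OTM `:Files` list against the disk after a run: for each entry it reports whether the path still exists and whether a copy now sits under OTM's MovedFiles folder, using the quarantine layout visible in the ESET log above (`C:\_OTM\MovedFiles\<run stamp>\C_Users\...`). That gives a way to confirm the move even when OTM's own log cannot be retrieved. It assumes PowerShell 3.0 or later; the function name, its parameters and the file name `otm-script.txt` are this example's own.

```powershell
# Added example (not from the thread, and not part of OTM itself): checks an OTM
# ":Files" list against the disk after a run. The quarantine layout
# (C:\_OTM\MovedFiles\<run stamp>\C_Users\...) is as shown in the ESET log in the
# thread; the function name and parameters are this example's own. Needs PS 3.0+.
function Test-OtmMoveResult {
    [CmdletBinding()]
    param(
        # The OTM script text exactly as it was pasted into the tool.
        [Parameter(Mandatory = $true)]
        [string] $Script,

        # OTM's quarantine root. Older versions of the tool used C:\_OTMoveIt\MovedFiles.
        [string] $MovedRoot = 'C:\_OTM\MovedFiles'
    )

    # Collect the entries of the :Files section only; any other ":" directive
    # (:Reg, :Commands, ...) ends it. Blank lines are ignored.
    $inFiles = $false
    $targets = @(
        foreach ($line in ($Script -split "`r?`n")) {
            $t = $line.Trim()
            if ($t -eq ':Files')   { $inFiles = $true;  continue }
            if ($t -match '^:\w+') { $inFiles = $false; continue }
            if ($inFiles -and $t)  { $t }
        }
    )

    # OTM keeps each moved item under <MovedRoot>\<run stamp>\<drive letter>_<rest of path>,
    # e.g. C:\Users\Gareth\14895421.exe -> C:\_OTM\MovedFiles\12222012_170639\C_Users\Gareth\14895421.exe
    $runs = @(Get-ChildItem -LiteralPath $MovedRoot -Directory -ErrorAction SilentlyContinue)

    foreach ($target in $targets) {
        $relative = $target -replace '^([A-Za-z]):\\', '${1}_'

        # -LiteralPath matters here: cached names such as i[1].htm contain "[" and "]",
        # which Test-Path -Path would otherwise treat as wildcard characters.
        $inRuns = @($runs | Where-Object {
            Test-Path -LiteralPath (Join-Path -Path $_.FullName -ChildPath $relative)
        })

        [pscustomobject]@{
            Path          = $target
            StillOnDisk   = (Test-Path -LiteralPath $target)
            Quarantined   = ($inRuns.Count -gt 0)
            QuarantineRun = (($inRuns | ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

# Usage: save the script text that was pasted into OTM as otm-script.txt, then run
#   Test-OtmMoveResult -Script (Get-Content -Raw .\otm-script.txt) | Format-Table -AutoSize
# A row with StillOnDisk = False and Quarantined = True means OTM moved that item.
```

A row that is still on disk and not quarantined is the case to look at: either the move is pending a reboot (OTM's log notes "scheduled to be moved on reboot") or the item was locked and the script needs to be run again.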

Okay I have run OTM and AdwCleaner (the log for which can be found below). However, after completing its service OTM became unresponsive so I was unable to get the log from it. Will this be a problem?

As for other issues or concerns nothing springs to mind. Computer seems to be running fine and I have no complaints. Thank you for your assistance in this. I greatly appreciate your help, especially at this busy time of the year.

# AdwCleaner v2.102 - Logfile created 12/25/2012 at 05:51:03

# Updated 23/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Gareth - GARETH-PC

# Boot Mode : Safe mode with networking

# Running from : C:\Users\Gareth\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml

File Deleted : C:\user.js

Folder Deleted : C:\Program Files (x86)\BabylonToolbar

Folder Deleted : C:\ProgramData\Babylon

Folder Deleted : C:\Users\Gareth\AppData\Local\Babylon

Folder Deleted : C:\Users\Gareth\AppData\Roaming\Babylon

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\Gareth\AppData\Roaming\Mozilla\Firefox\Profiles\7yum43hf.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [1093 octets] - [25/12/2012 05:51:03]

########## EOF - C:\AdwCleaner[s1].txt - [1153 octets] ##########


We really need to see a log from OTM to know if the infected files were moved. It does produce a log at the following: c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log.

If you navigate Start > Computer > C:\, open C:\ and look for the folder _OTMoveIt. If that is present, open that folder; inside will be a sub-folder MovedFiles. Open that folder and you will find log files, named date-time.log. The file you want will be the most recent date-time.log.

Is that file present? If so, open the file and copy and paste the contents into your reply. If the file is not present, re-run OTM with the same script and see if a log is produced this time...


Okay I found the log file but it is only a few lines long (see below). Is that normal? I will attempt to run OTM again and get the full log from that if I can.

Files moved on Reboot...

File move failed. C:\Users\Gareth\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


So I've tried running OTM a few more times but keep getting the same result - it completes the moves but becomes unresponsive when I click on it to try and copy the log. Turning security off doesn't seem to have had any effect one way or the other.

I'm not sure if this will help but I had a look under C:\_OTM\MovedFiles and compared the files located there to the ones in the script you wanted me to run and they are all accounted for. Like I said I'm not sure if this means they have been moved successfully but I am having real trouble acquiring the OTM log.


Run this final check to see if we need any updates:

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post that log, also let me know if there are any remaining issues or concerns...

Kevin


Log posted below. Everything is running fine and I have no other issues! Thank you for all your help Kevin!

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 7 Update 10

Java version out of Date!

Adobe Flash Player 11.5.502.135

Adobe Reader XI

Mozilla Firefox (17.0.1)

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````


Just need to clean up, run the following:

Any tools/logs remaining on the Desktop can be deleted.

Next,

Your Java may be out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them.

Next,

Create a new restore point:

1. Right-click on Computer and go to Properties.

2. Next click on the System Protection link.

3. The System Properties dialog screen opens up and you will want to click on Create.

4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.

5. You should see the message "The restore point was created successfully".

To remove all but the most recent restore point do the following:

1. Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.

2. If prompted, select the drive that you want to clean up, and then click OK.

3. In the Disk Cleanup for (usually C:\) dialog box, click Clean up system files. (Administrator permission required.) If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

4. If prompted, select the drive that you want to clean up, and then click OK.

5. Click the More Options tab, under System Restore and Shadow Copies, click Clean up.

6. In the Disk Cleanup dialog box, click Delete.

7. Click Delete Files, and then click OK. Re-Boot your PC.

That's it, if no issues we can close out....

Kevin...

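One way to do the "no old versions of Java still installed" check from PowerShell rather than by eye, as an added example (not from the thread or from Kevin): the function reads the same entries Programs and Features shows, from the standard Uninstall registry keys (64-bit, WOW6432Node and per-user), keeps the Java runtime entries, and flags every one older than the newest installed. It assumes PowerShell 3.0 or later; the function name is this example's own.

```powershell
# Added example (not from the thread): lists every Java runtime that Programs and
# Features knows about and flags the ones older than the newest installed.
# Reads the standard Uninstall registry keys; the function name is this example's own.
function Get-InstalledJava {
    [CmdletBinding()]
    param()

    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit installs
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit installs on x64
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )

    # Runtimes register as "Java(TM) 6 Update 37", "Java 7 Update 10", "Java 8 Update 291 (64-bit)".
    # The JDK ("Java SE Development Kit ...") deliberately does not match this pattern.
    $pattern = '^Java(\(TM\))?\s+(?<major>\d+)\s+Update\s+(?<update>\d+)'

    $found = @(
        Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $pattern } |
            ForEach-Object {
                $null = $_.DisplayName -match $pattern   # sets $Matches for this entry
                [pscustomobject]@{
                    DisplayName     = $_.DisplayName
                    # major.update as a comparable version, e.g. 7.10 for "Java 7 Update 10"
                    Version         = New-Object System.Version -ArgumentList @([int]$Matches['major'], [int]$Matches['update'])
                    UninstallString = $_.UninstallString
                    RegistryKey     = $_.PSPath
                }
            }
    )
    if ($found.Count -eq 0) { return }   # no Java runtime registered at all

    $newest = ($found | Sort-Object -Property Version -Descending)[0].Version

    foreach ($entry in $found) {
        $isNewest = ($entry.Version -eq $newest)
        [pscustomobject]@{
            DisplayName     = $entry.DisplayName
            Version         = $entry.Version
            IsNewest        = $isNewest
            Recommendation  = $(if ($isNewest) { 'keep; confirm it is current at java.com' }
                                else { 'old version: remove via Programs and Features' })
            UninstallString = $entry.UninstallString
        }
    }
}

# Usage:
#   Get-InstalledJava | Format-Table DisplayName, Version, IsNewest, Recommendation -AutoSize
```

The newest entry is only the newest one installed, not necessarily the current release, which is why the recommendation still points at the java.com check in the post above. The UninstallString column is the command Programs and Features itself runs, shown so the leftover entry can be identified; removal is still done through Programs and Features as the post describes.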

Okay. I have deleted the previous versions of Java and installed the new one, created a restore point and done the disk cleanup. Everything is working fine. Thank you for all your help and taking time out to help me during the holidays. If that's everything you need me to do feel free to close the thread.


It was a pleasure to work with you. Here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol from here http://www.winpatrol.com/download.html. This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained here http://www.winpatrol.com/features.html

Go here http://www.filehippo.com/updatechecker/ and run the FileHippo Update Checker; update all applications as suggested by the Update Checker. Ignore any Beta updates. (Use the stand-alone version, not a full install.)

If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed. <--- Very important

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

FireFox http://www.mozilla.com/en-US/,

Opera http://www.opera.com/, and

Chrome http://www.google.com/chrome.

All of these are excellent: faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here http://www.bleepingcomputer.com/tutorials/tutorial102.html which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Green to go,

Yellow for caution, and

Red to stop.

Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article:

http://browsers.about.com/od/addonsplugi2/tp/browser_security_privacy.htm

Here are a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally this link http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software will give a comprehensive up-to-date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Take care,

Kevin


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.