
Anything malicious lurking on this computer?



Hello. I'm helping a relative with their computer and their concerns about security after first noting the computer seemed to be running slower than expected (especially the browser) and after then having visited PC Health Boost via a random click (banner, I'm guessing) to try and tune up the computer. I became concerned when they related that the Health Boost person examined the PC remotely and said there was evidence of people trying to remote access the computer.

I first had them check the "Action Center" to make sure all was enabled correctly, and then clear the checkbox "Allow remote assistance connections to this computer" and also select "Don't allow connections to this computer". After that, all I could think of was to try a scan with MBAM to see if anything insidious was lurking around.

I've attached the last MBAM log that was run *after* I had instructed them to uninstall a number of (PUP.MyWebSearch) apps like "Search Assistant - My Way" and other "MyWebSearch" apps (using Programs and Features / uninstall; they were not removed using MBAM). I see there's one more in there, VideoDownloadConverter, but I wanted to solicit some professional opinions before going on.

I had also instructed them to remove the two items marked as Vundo (as shown in the log); I had told them it looked like Vundo didn't completely infect the computer, given there were only two registry key entries tagged by MBAM; was this correct, or is two registry keys enough to provide a breach of security?

I've hit the limit of my security expertise and hope to get some advice from the resident experts here as to what should be done next to ensure this computer was not compromised in any way. There may be a time lag between responses as I do not have physical access to the computer.

Last MBAM log and DDS text files attached.

Thanks very much.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457

Run by V at 19:51:57 on 2013-02-07

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.3966.2644 [GMT -7:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\LSI SoftModem\agr64svc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft LifeCam\MSCamS64.exe

C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.11.20\ccSvcHst.exe

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\PROGRA~2\VIDEOD~2\bar\1.bin\4zbarsvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

C:\Windows\vVX3000.exe

C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe

C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.EXE

C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe

C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.11.20\ccSvcHst.exe

C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe

C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe

C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\Ask.com\Updater\Updater.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbrmon.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe

C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Windows Live\Mail\wlmail.exe

C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

C:\Windows\splwow64.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Windows\SysWOW64\FlashPlayerInstaller.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.shawconnect.ca/

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cndt

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cndt

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cndt

uURLSearchHooks: {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - <orphaned>

uURLSearchHooks: <No Name>: {93a3111f-4f74-4ed8-895e-d9708497629e} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zSrcAs.dll

uURLSearchHooks: {3bbd3c14-4c16-4989-8366-95bc9179779d} - <orphaned>

uURLSearchHooks: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - <orphaned>

mURLSearchHooks: {3bbd3c14-4c16-4989-8366-95bc9179779d} - <orphaned>

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Toolbar BHO: {312f84fb-8970-4fd3-bddb-7012eac4afc9} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbar.dll

BHO: {3bbd3c14-4c16-4989-8366-95bc9179779d} - <orphaned>

BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll

BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\IPSBHO.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Search Assistant BHO: {c547c6c2-561b-4169-a2a5-20ba771ca93b} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zSrcAs.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll

BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

TB: VideoDownloadConverter: {48586425-6BB7-4F51-8DC6-38C88E3EBB58} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbar.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll

TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -

TB: VideoDownloadConverter: {48586425-6bb7-4f51-8dc6-38c88e3ebb58} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbar.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe

mRun: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe

mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED

mRun: [updatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"

mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [WsdtReplacer] C:\Users\V\AppData\Local\Temp\WebshotSupplantLauncher.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [VideoDownloadConverter Search Scope Monitor] "C:\PROGRA~2\VIDEOD~2\bar\1.bin\4zsrchmn.exe" /m=2 /w /h

mRun: [VideoDownloadConverter_4z Browser Plugin Loader] C:\PROGRA~2\VIDEOD~2\bar\1.bin\4zbrmon.exe

StartupFolder: C:\Users\V\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 64.59.135.133 64.59.128.120

TCP: Interfaces\{9A8D6AFF-E8E4-4400-9067-65B34A89C787} : DHCPNameServer = 64.59.135.133 64.59.128.120

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cndt

x64-mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cndt

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup

x64-Run: [smartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background

x64-Run: [VX3000] C:\Windows\vVX3000.exe

x64-Run: [WrtMon.exe] C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe

x64-Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon

x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\607\G2AWinLogon_x64.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1008030.006\SymEFA64.sys [2011-10-10 402992]

R1 BHDrvx64;Symantec Heuristics Driver;C:\Windows\System32\drivers\NISx64\1008030.006\BHDrvx64.sys [2011-10-10 334384]

R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\NISx64\1008030.006\cchpx64.sys [2011-10-10 561800]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20130207.002\IDSviA64.sys [2013-2-7 513184]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-1-24 398184]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-1-24 682344]

R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-10-10 117648]

R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [2012-9-22 132056]

R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.11.20\ccSvcHst.exe [2011-5-8 126392]

R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-12-13 3290896]

R2 VideoDownloadConverter_4zService;VideoDownloadConverterService;C:\PROGRA~2\VIDEOD~2\bar\1.bin\4zbarsvc.exe [2013-1-4 42504]

R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-12 138912]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-1-24 24176]

R3 SYMNDISV;Symantec Network Filter Driver;C:\Windows\System32\drivers\NISx64\1008030.006\symndisv.sys [2011-10-10 56952]

S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate1ca811ad701c270;Google Update Service (gupdate1ca811ad701c270);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-12-19 133104]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-6-19 48488]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-30 59392]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-16 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2013-02-08 02:52:05 15739760 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe

2013-02-07 16:55:14 -------- d-----w- C:\Users\V\AppData\Local\{94220681-D393-4D2F-A39A-9BCE3BF5A046}

2013-02-06 21:33:24 -------- d-----w- C:\Users\V\AppData\Local\{02F15337-F91E-422C-BE16-776FDFE1A3BE}

2013-02-05 20:51:31 -------- d-----w- C:\Users\V\AppData\Local\{6BCED327-0011-4815-895B-E575CC6582A6}

2013-02-04 21:48:20 -------- d-----w- C:\Users\V\AppData\Local\{47DE5ED8-0EA1-4504-B0D0-DDE8719C4224}

2013-02-04 05:15:16 -------- d-----w- C:\Users\V\AppData\Local\{48D31454-6EA1-4FD0-B5CF-2E3A076D764A}

2013-02-02 18:37:25 -------- d-----w- C:\Users\V\AppData\Local\{5AF89179-B3DC-4382-A6BC-B38294C250E5}

2013-02-01 21:21:33 -------- d-----w- C:\Users\V\AppData\Local\{B075A960-2F55-436F-AC97-CCCDAEA5D79F}

2013-01-31 21:31:00 -------- d-----w- C:\Users\V\AppData\Local\{0925C28D-34DC-4183-8684-C164DC9DE3D1}

2013-01-30 22:45:54 -------- d-----w- C:\Users\V\AppData\Local\{D7CA963D-4362-4E69-B9CA-46E6241715A3}

2013-01-29 18:47:21 -------- d-----w- C:\Users\V\AppData\Local\{28D716D8-E220-4E66-96DE-C45DB446AA1F}

2013-01-29 03:12:50 -------- d-----w- C:\Users\V\AppData\Local\{8A763B6C-6592-40B3-AA0F-FDA88F55EF62}

2013-01-28 23:31:05 -------- d-----w- C:\Users\V\AppData\Local\{817E9667-8D1E-48C2-9B5D-0440FDED6F16}

2013-01-27 16:40:41 -------- d-----w- C:\Users\V\AppData\Local\{F6B8B403-FBEF-46C7-9E1B-941A1C4ACE04}

2013-01-26 19:40:49 -------- d-----w- C:\Users\V\AppData\Local\{072EBEFA-EA83-4CBB-A5CF-47C6E11BB65E}

2013-01-25 13:46:16 -------- d-----w- C:\Users\V\AppData\Local\{002FF17B-F363-4CC4-ADF0-F816EA002124}

2013-01-24 23:05:57 -------- d-----w- C:\Users\V\AppData\Roaming\Malwarebytes

2013-01-24 23:05:31 -------- d-----w- C:\ProgramData\Malwarebytes

2013-01-24 23:05:29 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-01-24 23:05:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-01-24 23:01:54 -------- d-----w- C:\Users\V\AppData\Local\Programs

2013-01-24 22:00:51 -------- d-----w- C:\Users\V\AppData\Local\{9100E3F4-9DBF-46D6-83C6-E127D382F2E5}

2013-01-24 02:00:08 -------- d-----w- C:\Users\V\AppData\Local\{32B10E89-D8C0-4BC6-A1CA-4AAA34900F75}

2013-01-23 21:36:37 -------- d-----w- C:\Users\V\AppData\Local\{78750642-EA51-406F-A591-D836487048F6}

2013-01-22 18:36:51 -------- d-----w- C:\Users\V\AppData\Local\{43E3E793-6E6C-4D20-9146-039F58D38539}

2013-01-21 22:36:48 -------- d-----w- C:\Users\V\AppData\Local\LogMeIn Rescue Applet

2013-01-21 22:30:43 -------- d-----w- C:\Users\V\AppData\Local\{29F17FF1-6500-4DE8-BC3D-10FE3C88A54C}

2013-01-21 21:59:39 -------- d-----w- C:\temp

2013-01-21 00:26:21 -------- d-----w- C:\Users\V\AppData\Local\{7DCCBE98-EB06-4A52-81ED-47F2BBBA5E1F}

2013-01-19 19:55:25 -------- d-----w- C:\Users\V\AppData\Local\{19C328F1-3AAC-433E-8D16-685A5584D814}

2013-01-19 03:16:35 -------- d-----w- C:\Users\V\AppData\Local\{7F1F43C7-F076-4761-ACC4-0628175B3B44}

2013-01-18 03:58:27 -------- d-----w- C:\Users\V\AppData\Local\{135B15A3-FE9A-4A43-A5D2-F80AF6575AAD}

2013-01-17 01:54:26 -------- d-----w- C:\Users\V\AppData\Local\{3D228B40-4BB6-4D17-AA3C-D52A6BEC140B}

2013-01-15 23:57:24 -------- d-----w- C:\Users\V\AppData\Local\{3BC36A4B-13A9-42F6-940E-133B4F0ECC84}

2013-01-14 21:04:39 -------- d-----w- C:\Users\V\AppData\Local\{3DE2847A-7129-4466-979E-197BA9A738B9}

2013-01-14 06:30:19 -------- d-----w- C:\Users\V\AppData\Local\{CCBB6EC3-5E9F-4AE2-941D-051F9F84FFB2}

2013-01-13 17:00:51 -------- d-----w- C:\Users\V\AppData\Local\{8AB5E3D6-97B7-4938-AFE4-775024D546E6}

2013-01-12 22:48:28 -------- d-----w- C:\Users\V\AppData\Local\{D7899CAA-3FE4-46E4-8970-476149482834}

2013-01-12 02:03:10 -------- d-----w- C:\Users\V\AppData\Local\{E905B7D7-FDCF-4C3C-9DC3-155533BBA6B8}

2013-01-12 01:50:55 -------- d-----w- C:\Program Files (x86)\Kobo

2013-01-12 00:25:27 -------- d-----w- C:\Users\V\AppData\Local\{A3C7FA90-1F84-4740-A8FB-658D7903E4CD}

2013-01-10 15:55:42 -------- d-----w- C:\Users\V\AppData\Local\{5839E0BF-2F0E-4F1F-922C-15716716E423}

2013-01-09 21:14:28 750592 ----a-w- C:\Windows\System32\win32spl.dll

2013-01-09 21:14:28 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2013-01-09 21:14:08 2002432 ----a-w- C:\Windows\System32\msxml6.dll

2013-01-09 21:14:07 1882624 ----a-w- C:\Windows\System32\msxml3.dll

2013-01-09 21:14:07 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll

2013-01-09 21:14:07 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2013-01-09 21:14:05 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2013-01-09 21:14:05 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2013-01-09 21:14:04 800768 ----a-w- C:\Windows\System32\usp10.dll

2013-01-09 21:14:04 626688 ----a-w- C:\Windows\SysWow64\usp10.dll

2013-01-09 21:12:33 424448 ----a-w- C:\Windows\System32\KernelBase.dll

2013-01-09 21:11:42 68608 ----a-w- C:\Windows\System32\taskhost.exe

2013-01-09 21:11:40 3149824 ----a-w- C:\Windows\System32\win32k.sys

2013-01-09 21:06:52 -------- d-----w- C:\Users\V\AppData\Local\{D5075137-D620-4290-95F5-CAA72707321B}

.

==================== Find3M ====================

.

2013-01-15 23:56:10 477616 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll

2013-01-15 23:56:07 473520 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-01-09 02:03:30 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-09 02:03:30 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-01-04 04:10:06 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2013-01-04 04:10:05 175616 ----a-w- C:\Windows\System32\msclmd.dll

2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll

2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll

2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll

2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll

2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs

2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs

2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs

2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs

2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs

2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs

2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs

2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs

2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs

2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs

2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs

2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs

2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs

2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs

2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

.

============= FINISH: 19:52:37.18 ===============

attach.txt

mbam-log-2013-01-26 (15-13-14).txt


Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Hey, Maurice, thanks for responding.

Here is the ESET log:

---

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

---

And here is the checkup log:

---

Results of screen317's Security Check version 0.99.59

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Java™ 6 Update 39

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Google Chrome 24.0.1312.56

Google Chrome 24.0.1312.57

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 3%

````````````````````End of Log``````````````````````

---

As for how it's running, the user said this: "The computer is running fine - just slow opening during high usage hours - so no real obvious issues at the moment."

Thanks again,

Trevor


You did not get me all of the ESET log nor did you say what that result showed.

Older versions of Java pose a security risk. Uninstall Java 6 Update 39.

And if you do not need Java for the programs that you use, keep Java off your system.

How to disable Java in various browsers: http://blog.eset.com/2012/08/29/disabling-java-a-safer-way-to-browse

Also see No, Seriously, Just Disable Java in Your Browser Right Now

Step 2

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply. And tell me, How is the system now?
  • Re-enable your security software.

Step 3

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller

There is a whole lot to do after this. Consider & treat this system like it is in quarantine / isolation.

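The "out of Date!" lines in the Security Check output come from the installed-program entries Windows keeps under its Uninstall registry keys. The following is an added example (it is not code from the thread or from the Security Check tool) that lists the installed Java and Adobe Reader entries with their versions so the owner can confirm what is still present after uninstalling; it assumes PowerShell on Windows 7 or later, and the product-name pattern is my own choice:

```powershell
# Added example, not from the thread or from the Security Check tool. Lists the
# installed Java and Adobe Reader entries with their versions from the Uninstall
# keys (native, Wow6432Node and per-user). Read-only: it changes nothing.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Product names to report; this pattern is an assumption, widen it for other software.
$productPattern = '^(Java|J2SE|Adobe Reader)'

function Get-InstalledProducts {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -and $p.DisplayName -match $productPattern) {
                [pscustomobject]@{
                    DisplayName    = $p.DisplayName
                    DisplayVersion = $p.DisplayVersion
                    Publisher      = $p.Publisher
                    Hive           = $key
                }
            }
        }
    }
}

# One row per matching entry; an empty result after the uninstall is what you want to see.
Get-InstalledProducts | Sort-Object -Property DisplayName | Format-Table -AutoSize
```

A Java entry that still shows up here after "Programs and Features" reports it gone usually means a second copy (32-bit beside 64-bit) is installed and needs its own uninstall.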

Hi Maurice. I'm working on getting the next results for you. ESET online scan was run again with the proper options checked (they were missed last time).

-----

C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zdatact.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zhtmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zieovr.dll probably a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting (after the next restart) - quarantined
C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zPlugin.dll probably a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zskin.dll a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\T8HTML.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined

-----

What is the best way to turn off Norton Internet Security for "close your security software"? Set it to silent mode? Turn it off? Or is there a way to exit it completely?

Thanks again.


Sorry, I didn't know about Norton. I don't use it and am guiding someone else through this process (I don't have access to the computer, which is why there's a delay between responses). I figured you might have a preferred way but thanks for the link.

Making progress. Here's the JRT log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.5 (02.18.2013:1)
OS: Windows 7 Home Premium x64
Ran by V on 24/02/2013 at 11:18:56.19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

Successfully stopped: [service] videodownloadconverter_4zservice
Successfully deleted: [service] videodownloadconverter_4zservice

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\apnupdater
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\videodownloadconverter search scope monitor
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\videodownloadconverter_4z browser plugin loader
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{48586425-6bb7-4f51-8dc6-38c88e3ebb58}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{48586425-6bb7-4f51-8dc6-38c88e3ebb58}
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-3779351107-2320797998-501854850-1001\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduit
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduitsearchscopes
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\smartbar
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\toolbar
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT3201318
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{48586425-6bb7-4f51-8dc6-38c88e3ebb58}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd"
Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd.1"
Successfully deleted: [Registry Key] "hkey_current_user\software\apn"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"
Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\apn"
Successfully deleted: [Registry Key] "hkey_local_machine\software\asktoolbar"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"

~~~ Files

Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\agi"
Successfully deleted: [Folder] "C:\Users\V\AppData\Roaming\pccustubinstaller"
Successfully deleted: [Folder] "C:\Users\V\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\V\appdata\local\videodownloadconverter_4z"
Successfully deleted: [Folder] "C:\Users\V\appdata\locallow\agi"
Successfully deleted: [Folder] "C:\Users\V\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\V\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\V\appdata\locallow\videodownloadconverter_4z"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\video download converter"
Failed to delete: [Folder] "C:\Program Files (x86)\videodownloadconverter_4z"
Successfully deleted: [Folder] "C:\ProgramData\ask"
Successfully deleted: [Folder] "C:\Users\V\appdata\locallow\asktoolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"
Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 24/02/2013 at 11:26:49.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Will post back with the RogueKiller log when I have it.


[double post] And here is RogueKiller.

-----

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : V [Admin rights]
Mode : Scan -- Date : 02/25/2013 15:19:43
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0
¤
¤¤¤ Registry Entries : 5
¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : WsdtReplacer (C:\Users\V\AppData\Local\Temp\WebshotSupplantLauncher.exe) [-] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders:
¤
¤¤¤ Driver : [NOT LOADED]
¤
¤¤¤ HOSTS File:
¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check:
¤
+++++ PhysicalDrive0: WDC WD32 00AAJS-65M0A SCSI Disk Device +++++
--- User ---
[MBR] c32773d4e4cefed7696a326eb3cd12d5
[BSP] e98a7323bc9147f2534e7498294a7a41 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292071 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 598368256 | Size: 13072 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_02252013_02d1519.txt >>
RKreport[1]_S_02252013_02d1519.txt

-----

Thanks again. tr

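The RogueKiller report above flags three kinds of registry locations: an autorun value under the Wow6432Node Run key whose command points into the user's Temp folder (the [SUSP PATH] tag), the DisableTaskMgr and DisableRegistryTools policy values (the [HJPOL] tags, here both 0), and the hosts file. The following is an added example, not code from the thread, from RogueKiller or from JRT, that re-reads those same locations read-only so the owner can see what is still there after the cleanup steps without pressing any Fix button. It assumes PowerShell on Windows 7 or later and the standard registry paths for those keys; the Temp-folder pattern used to mark an entry as suspect is my own choice.

```powershell
# Added example, not code from the thread, RogueKiller or JRT. Read-only audit of the
# spots RogueKiller flagged: autorun values in the native and Wow6432Node Run keys plus
# HKCU, the DisableTaskMgr/DisableRegistryTools policy values, and active hosts entries.
# It changes nothing; cleanup decisions stay with the helper guiding the thread.

# Autorun locations to list. Wow6432Node\...\Run is where the Temp-folder launcher
# in the report was registered on this 64-bit system.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# An autorun whose command lives in a Temp folder is the pattern RogueKiller tagged
# [SUSP PATH]; properly installed software rarely starts from there. Pattern is an assumption.
$suspectPathPattern = '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\'

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Suspect = [bool]($command -match $suspectPathPattern)
            }
        }
    }
}

function Get-RestrictionPolicies {
    # The HKCU\[...]\System entries in the report live under this key.
    $policyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($valueName in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = $null
        if (Test-Path -Path $policyKey) {
            $props = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
            if ($props) { $value = $props.$valueName }
        }
        $shown = if ($null -eq $value) { 'not set' } else { $value }
        [pscustomobject]@{
            Policy = $valueName
            Value  = $shown
            # 1 blocks the tool for this user; 0 (as in the report) or absent leaves it usable.
            Blocks = ($value -eq 1)
        }
    }
}

function Get-HostsEntries {
    # Active (non-comment, non-blank) lines of the hosts file RogueKiller listed.
    $hostsPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }
}

# Suspect autoruns sort to the top so they are the first thing read.
Get-AutorunEntries | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize -Wrap
Get-RestrictionPolicies | Format-Table -AutoSize
Write-Host 'Active hosts entries:'
Get-HostsEntries
```

Run it from a normal PowerShell window; reading these keys does not need administrator rights. A Run entry that survives after JRT and a reboot, or a hosts line that maps a well-known site to an unexpected address, is the kind of thing to paste into the next reply rather than remove by hand.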

Download Dr.Web CureIt to the desktop.

The download is nearly 104.6 MB in size

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Turn off any other add-on security app {if you have them} like MBAM File System Protection.
  • If this system is Windows 8/7 or VISTA, then Right-click on drweb-cureit.exe and select Run as Administrator.
  • Otherwise, on Windows XP, double-click on drweb-cureit.exe file to start the tool.
  • You will see a screen similar to this:
    [screenshot]
    Click the checkbox to participate, and then click on Continue button.
  • Next
    [screenshot]
    Click on Select objects for scanning
  • Next
    [screenshot]
    Put a checkmark by clicking on the boxes as shown.
    Do not select Temporary files or System Restore points.
    Then click on Start scanning button
  • The scan in progress will be shown like this
    [screenshot]
  • IF something is detected, you will see a screen similar to this
    [screenshot]
    For each item "detected", click on the Action column down arrow, like this
    [screenshot]
    Your options will be Cure or Ignore
    IF you see an item that you are very sure is ok, then un-check the checkbox for that item.
    Typically, you will keep the Cure default.
    Then click on the Neutralize button.
  • When the actions are completed, you will see this
    [screenshot]
  • Click on the green Open Report line. It will pop-up the report in NOTEPAD.
    Save the report to your desktop. The report will be called Cureit.log
  • While in NOTEPAD, do a CTRL+A to Copy all to clipboard.
  • You should be able to get back to your forum topic, start a new reply, click 1 time in the box and do a CTRL+V (Paste) into reply.
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Cureit.log you saved previously in your next reply.
    ONLY if the log is too large, then you may "attach" it.

Re-Enable your antivirus program when all done.


One has to click at the prompt (as I noted in my directions) in order to see & then save the log.

I hope you are giving the computer owner the link to this topic to follow directions.

Which reminds me, this middle-man arrangement is not the best way to deal with possible malware issues.

I would request (again) you have the pc-owner join this forum and get in touch directly.


Yes, they've been following the thread here directly, I've just been guiding them through some of the steps where they have questions. I first encouraged them to join the forum themselves, but not all users feel savvy enough to join and follow support forums (we forget that it can be pretty overwhelming) and so I volunteered to help (like you have) instead of leaving their system questionable.

In the circumstances, I'm doing my best and they're doing their best, and though they were much embarrassed about having missed the log I think they're doing a tremendous job. I appreciate your time and expertise here, but unfortunately things don't always go as planned. I will talk to them (again) about joining in (by the way, you didn't make the request previously, but I know you have a lot of threads to follow). Until then, do you have a next step?


Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
