
Help removing FBI MoneyPak virus



The administrator account (my account) on my PC is infected with the FBI MoneyPak virus. It will not let me in safe mode. I am currently logged on another account but it does not have administrative rights. I have tried accessing files on my admin account so I can delete the infected files but it won't let me access them. I was running AVG when I was infected and still got the virus. I have run Malwarebytes from this standard account but it does not find anything.

Any help would be greatly appreciated!

Thanks,

Andy


Hi,

my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • I am currently attending an evening school and working night shift only, which might be evening for you. In this time I am mostly online with my mobile devices and won't be able to reply.

Download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log ( FRST.txt ) on the flash drive. Please copy and paste it into your reply.


Thank you so much for your help! Here is the log from FRST.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 14 days old)

Ran by Andy at 27-03-2013 15:51:01

Running from D:\

Service Pack 2 (X86) OS Language: English(US)

Attention: Could not load system hive.

ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ========

2013-03-27 15:39 - 2013-03-27 15:51 - 00000000 ____D C:\FRST

2013-03-27 15:39 - 2013-03-27 15:39 - 00911462 ____A (Farbar) C:\Users\Ali\Downloads\FRST.exe

2013-03-27 15:38 - 2013-03-27 15:38 - 00000000 ____D C:\Users\Ali\Desktop\usb card drive

2013-03-27 10:42 - 2013-03-27 10:42 - 00000066 ____A C:\Users\Ali\Desktop\New Text Document.txt

2013-03-26 22:01 - 2013-03-26 22:01 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Malwarebytes

2013-03-26 20:54 - 2013-03-26 20:54 - 00000000 ____D C:\Users\Ali\AppData\Local\Macromedia

2013-03-26 20:53 - 2013-03-26 20:53 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Mozilla

2013-03-26 20:53 - 2013-03-26 20:53 - 00000000 ____D C:\Users\Ali\AppData\Local\Mozilla

2013-03-26 20:41 - 2013-03-27 10:39 - 00000004 ____A C:\Users\Andy\AppData\Roaming\skype.ini

2013-03-25 19:17 - 2013-03-25 19:17 - 00000000 ____D C:\Users\Andy\Desktop\stand pics

2013-03-25 16:39 - 2013-03-25 16:39 - 04546560 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr

2013-03-25 12:49 - 2013-03-25 12:49 - 00001902 ____A C:\Users\Public\Desktop\SketchUp 8.lnk

2013-03-21 14:21 - 2013-02-11 21:57 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys

2013-03-14 03:02 - 2013-02-02 00:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-03-14 03:02 - 2013-02-01 23:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-03-14 03:02 - 2013-02-01 23:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-03-14 03:02 - 2013-02-01 23:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-03-14 03:02 - 2013-02-01 23:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-03-14 03:02 - 2013-02-01 23:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-03-14 03:02 - 2013-02-01 23:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-03-14 03:02 - 2013-02-01 23:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-03-14 03:02 - 2013-02-01 23:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-03-14 03:02 - 2013-02-01 23:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-03-14 03:02 - 2013-02-01 23:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-03-14 03:02 - 2013-02-01 23:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-03-14 03:02 - 2013-02-01 23:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-03-14 03:02 - 2013-02-01 23:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-03-14 03:02 - 2013-02-01 23:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-03-14 03:02 - 2013-02-01 23:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-03-01 10:32 - 2013-03-01 10:32 - 00022328 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsshimx.sys

2013-02-26 23:40 - 2013-02-26 23:40 - 00208184 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsdriverx.sys

2013-02-26 11:10 - 2013-02-26 11:18 - 00000000 ____D C:\Users\Andy\Desktop\tank2

==================== One Month Modified Files and Folders ========

2013-03-27 15:44 - 2006-11-02 08:46 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-03-27 15:44 - 2006-11-02 08:46 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-03-27 15:43 - 2006-11-02 09:00 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-03-27 15:43 - 2006-11-02 09:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-03-27 15:43 - 2006-11-02 08:51 - 01367204 ____A C:\Windows\WindowsUpdate.log

2013-03-27 15:39 - 2013-03-27 15:39 - 00911462 ____A (Farbar) C:\Users\Ali\Downloads\FRST.exe

2013-03-27 15:39 - 2006-11-02 06:33 - 00707520 ____A C:\Windows\System32\PerfStringBackup.INI

2013-03-27 15:38 - 2013-03-27 15:38 - 00000000 ____D C:\Users\Ali\Desktop\usb card drive

2013-03-27 15:35 - 2012-03-29 15:27 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-03-27 10:42 - 2013-03-27 10:42 - 00000066 ____A C:\Users\Ali\Desktop\New Text Document.txt

2013-03-27 10:39 - 2013-03-26 20:41 - 00000004 ____A C:\Users\Andy\AppData\Roaming\skype.ini

2013-03-27 10:33 - 2010-12-13 03:03 - 00000000 ____D C:\users\Andy

2013-03-27 09:47 - 2010-12-13 19:58 - 00000000 ____D C:\ProgramData\MFAData

2013-03-26 22:01 - 2013-03-26 22:01 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Malwarebytes

2013-03-26 21:08 - 2012-12-31 15:15 - 00000000 ____D C:\Users\Ali\AppData\Local\Avg2013

2013-03-26 20:54 - 2013-03-26 20:54 - 00000000 ____D C:\Users\Ali\AppData\Local\Macromedia

2013-03-26 20:53 - 2013-03-26 20:53 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Mozilla

2013-03-26 20:53 - 2013-03-26 20:53 - 00000000 ____D C:\Users\Ali\AppData\Local\Mozilla

2013-03-26 20:43 - 2006-11-02 08:59 - 00066570 ____A C:\Windows\PFRO.log

2013-03-25 19:17 - 2013-03-25 19:17 - 00000000 ____D C:\Users\Andy\Desktop\stand pics

2013-03-25 19:17 - 2012-12-11 22:15 - 00000842 ____A C:\Users\Public\Desktop\AVG 2013.lnk

2013-03-25 16:39 - 2013-03-25 16:39 - 04546560 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr

2013-03-25 12:49 - 2013-03-25 12:49 - 00001902 ____A C:\Users\Public\Desktop\SketchUp 8.lnk

2013-03-25 09:14 - 2011-04-24 21:05 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-03-14 03:28 - 2011-04-12 14:35 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2013-03-14 03:11 - 2010-12-14 22:54 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-03-14 03:07 - 2006-11-02 06:24 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2013-03-12 21:35 - 2012-03-29 15:27 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-03-12 21:35 - 2011-06-19 14:19 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-03-12 14:17 - 2012-01-24 20:17 - 00002619 ____A C:\Users\Andy\Desktop\Microsoft Outlook 2010.lnk

2013-03-04 19:02 - 2010-12-13 03:20 - 00000000 ____D C:\Users\Andy\AppData\Local\Apple Computer

2013-03-01 10:32 - 2013-03-01 10:32 - 00022328 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsshimx.sys

2013-02-26 23:40 - 2013-02-26 23:40 - 00208184 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsdriverx.sys

2013-02-26 11:18 - 2013-02-26 11:10 - 00000000 ____D C:\Users\Andy\Desktop\tank2

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-11 18:31] - [2012-08-21 07:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A

==================== Memory info ===========================

Percentage of memory in use: 17%

Total physical RAM: 2046.58 MB

Available physical RAM: 1681.34 MB

Total Pagefile: 4330.42 MB

Available Pagefile: 4124.72 MB

Total Virtual: 2047.88 MB

Available Virtual: 1969.39 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:149.05 GB) (Free:67.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: () (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT32

3 Drive e: () (Fixed) (Total:316.71 GB) (Free:109.74 GB) NTFS

5 Drive g: () (Fixed) (Total:74.52 GB) (Free:23.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 75 GB 8 MB

Disk 1 Online 466 GB 0 B

Disk 2 Online 63 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 75 GB 32 KB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 G NTFS Partition 75 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 149 GB 1024 KB

Partition 2 Primary 317 GB 149 GB

=========================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 149 GB Healthy System (partition with boot components)

=========================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E NTFS Partition 317 GB Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 62 MB 16 KB

=========================================================

Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 D FAT32 Removable 62 MB Healthy

=========================================================

============================== MBR Partition Table ==================

==============================

Partitions of Disk 0:

===============

Disk ID: 1CE11CE0

Partition 1:

=========

Hex: 8001010007FEFFFF3F000000C1A55009

Active: YES

Type: 07 (NTFS)

Size: 75 GB

==============================

Partitions of Disk 1:

===============

Disk ID: 12A812A7

Partition 1:

=========

Hex: 8020210007FEFFFF000800000088A112

Active: YES

Type: 07 (NTFS)

Size: 149 GB

Partition 2:

=========

Hex: 00FEFFFF07FEFFFF0090A112F8C79627

Active: NO

Type: 07 (NTFS)

Size: 317 GB

==============================

Partitions of Disk 2:

===============

Disk ID: 09D5E9CB

Partition 1:

=========

Hex: 800101000B0F20F820000000E0F10100

Active: YES

Type: 0B

Size: 62 MB

Last Boot: 2013-03-27 11:06

==================== End Of Log ============================


Sorry, I think I got it this time.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 14 days old)

Ran by SYSTEM at 27-03-2013 16:55:32

Running from G:\

Windows Vista Ultimate (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)

HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [1778064 2010-07-21] (Microsoft Corporation)

HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM\...\Run: [Wondershare Helper Compact.exe] C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1686528 2012-03-27] (Wondershare)

HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [4394032 2013-03-13] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)

HKU\Ali\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKU\Ali\...\Policies\system: [LogonHoursAction] 2

HKU\Ali\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

HKU\Andy\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)

HKU\Andy\...\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" [247728 2012-01-22] (TomTom)

HKU\Andy\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]

HKU\Andy\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)

HKU\Andy\...\Policies\system: [LogonHoursAction] 2

HKU\Andy\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

HKU\Andy\...\Winlogon: [shell] explorer.exe,C:\Users\Andy\AppData\Roaming\skype.dat [94208 2011-11-18] ()

HKU\Mcx1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)

HKU\Mcx1\...\Winlogon: [shell] C:\Windows\eHome\McrMgr.exe [173056 2009-04-10] (Microsoft Corporation)

HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]

Tcpip\Parameters: [DhcpNameServer] 24.159.64.23 24.217.201.67 24.177.176.38

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files\AVG\AVG2013\avgidsagent.exe" [4937264 2013-02-27] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files\AVG\AVG2013\avgwdsvc.exe" [282624 2013-02-19] (AVG Technologies CZ, s.r.o.)

3 DMService; C:\Windows\DOWNLO~1\DMService.exe [468368 2011-01-01] (Microsoft ® Corporation)

2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2011-09-12] ()

2 uagqecsvc; C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [149904 2009-12-14] (Microsoft ® Corporation)

3 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) ====================

3 A3AB; C:\Windows\System32\DRIVERS\A3ABv.sys [738304 2007-06-30] (D-Link Corporation)

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-02-26] (AVG Technologies CZ, s.r.o.)

0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-02-08] (AVG Technologies CZ, s.r.o.)

1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)

1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [170808 2013-02-08] (AVG Technologies CZ, s.r.o.)

0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [245048 2013-02-08] (AVG Technologies CZ, s.r.o.)

0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-02-08] (AVG Technologies CZ, s.r.o.)

0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-02-08] (AVG Technologies CZ, s.r.o.)

1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-02-13] (AVG Technologies CZ, s.r.o.)

3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [62216 2012-04-13] (FTDI Ltd.)

2 NPF; C:\Windows\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)

3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21520 2010-07-21] (Microsoft Corporation)

4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

3 RimUsb; C:\Windows\System32\Drivers\RimUsb.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-03-27 11:39 - 2013-03-27 11:51 - 00000000 ____D C:\FRST

2013-03-27 11:39 - 2013-03-27 11:39 - 00911462 ____A (Farbar) C:\Users\Ali\Downloads\FRST.exe

2013-03-27 11:38 - 2013-03-27 11:38 - 00000000 ____D C:\Users\Ali\Desktop\usb card drive

2013-03-27 06:42 - 2013-03-27 06:42 - 00000066 ____A C:\Users\Ali\Desktop\New Text Document.txt

2013-03-26 18:01 - 2013-03-26 18:01 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Malwarebytes

2013-03-26 16:54 - 2013-03-26 16:54 - 00000000 ____D C:\Users\Ali\AppData\Local\Macromedia

2013-03-26 16:53 - 2013-03-26 16:53 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Mozilla

2013-03-26 16:53 - 2013-03-26 16:53 - 00000000 ____D C:\Users\Ali\AppData\Local\Mozilla

2013-03-26 16:41 - 2013-03-27 06:39 - 00000004 ____A C:\Users\Andy\AppData\Roaming\skype.ini

2013-03-25 15:17 - 2013-03-25 15:17 - 00000000 ____D C:\Users\Andy\Desktop\stand pics

2013-03-25 12:39 - 2013-03-25 12:39 - 04546560 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr

2013-03-25 08:49 - 2013-03-25 08:49 - 00001902 ____A C:\Users\Public\Desktop\SketchUp 8.lnk

2013-03-21 10:21 - 2013-02-11 17:57 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys

2013-03-13 23:02 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-03-13 23:02 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-03-13 23:02 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-03-13 23:02 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-03-13 23:02 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-03-13 23:02 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-03-13 23:02 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-03-13 23:02 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-03-13 23:02 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-03-13 23:02 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-03-13 23:02 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-03-13 23:02 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-03-13 23:02 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-03-13 23:02 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-03-13 23:02 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-03-13 23:02 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-03-01 06:32 - 2013-03-01 06:32 - 00022328 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsshimx.sys

2013-02-26 19:40 - 2013-02-26 19:40 - 00208184 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsdriverx.sys

2013-02-26 07:10 - 2013-02-26 07:18 - 00000000 ____D C:\Users\Andy\Desktop\tank2

==================== One Month Modified Files and Folders ========

2013-03-27 12:45 - 2006-11-02 05:00 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-03-27 12:45 - 2006-11-02 05:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-03-27 12:45 - 2006-11-02 04:46 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-03-27 12:45 - 2006-11-02 04:46 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-03-27 12:30 - 2006-11-02 04:51 - 01371753 ____A C:\Windows\WindowsUpdate.log

2013-03-27 12:00 - 2006-11-02 02:33 - 00707520 ____A C:\Windows\System32\PerfStringBackup.INI

2013-03-27 11:51 - 2013-03-27 11:39 - 00000000 ____D C:\FRST

2013-03-27 11:39 - 2013-03-27 11:39 - 00911462 ____A (Farbar) C:\Users\Ali\Downloads\FRST.exe

2013-03-27 11:38 - 2013-03-27 11:38 - 00000000 ____D C:\Users\Ali\Desktop\usb card drive

2013-03-27 11:35 - 2012-03-29 11:27 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-03-27 06:42 - 2013-03-27 06:42 - 00000066 ____A C:\Users\Ali\Desktop\New Text Document.txt

2013-03-27 06:39 - 2013-03-26 16:41 - 00000004 ____A C:\Users\Andy\AppData\Roaming\skype.ini

2013-03-27 06:33 - 2010-12-12 23:03 - 00000000 ____D C:\users\Andy

2013-03-27 05:47 - 2010-12-13 15:58 - 00000000 ____D C:\ProgramData\MFAData

2013-03-26 18:01 - 2013-03-26 18:01 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Malwarebytes

2013-03-26 17:08 - 2012-12-31 11:15 - 00000000 ____D C:\Users\Ali\AppData\Local\Avg2013

2013-03-26 16:54 - 2013-03-26 16:54 - 00000000 ____D C:\Users\Ali\AppData\Local\Macromedia

2013-03-26 16:53 - 2013-03-26 16:53 - 00000000 ____D C:\Users\Ali\AppData\Roaming\Mozilla

2013-03-26 16:53 - 2013-03-26 16:53 - 00000000 ____D C:\Users\Ali\AppData\Local\Mozilla

2013-03-26 16:43 - 2006-11-02 04:59 - 00066570 ____A C:\Windows\PFRO.log

2013-03-25 15:17 - 2013-03-25 15:17 - 00000000 ____D C:\Users\Andy\Desktop\stand pics

2013-03-25 15:17 - 2012-12-11 18:15 - 00000842 ____A C:\Users\Public\Desktop\AVG 2013.lnk

2013-03-25 12:39 - 2013-03-25 12:39 - 04546560 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr

2013-03-25 08:49 - 2013-03-25 08:49 - 00001902 ____A C:\Users\Public\Desktop\SketchUp 8.lnk

2013-03-25 05:14 - 2011-04-24 17:05 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-03-13 23:28 - 2011-04-12 10:35 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2013-03-13 23:11 - 2010-12-14 18:54 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-03-13 23:07 - 2006-11-02 02:24 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2013-03-12 17:35 - 2012-03-29 11:27 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-03-12 17:35 - 2011-06-19 10:19 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-03-12 10:17 - 2012-01-24 16:17 - 00002619 ____A C:\Users\Andy\Desktop\Microsoft Outlook 2010.lnk

2013-03-04 15:02 - 2010-12-12 23:20 - 00000000 ____D C:\Users\Andy\AppData\Local\Apple Computer

2013-03-01 06:32 - 2013-03-01 06:32 - 00022328 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsshimx.sys

2013-02-26 19:40 - 2013-02-26 19:40 - 00208184 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsdriverx.sys

2013-02-26 07:18 - 2013-02-26 07:10 - 00000000 ____D C:\Users\Andy\Desktop\tank2

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-11 14:31] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-14 20:00:18

Restore point made on: 2013-03-15 20:00:20

Restore point made on: 2013-03-16 20:18:39

Restore point made on: 2013-03-17 15:00:22

Restore point made on: 2013-03-21 23:00:26

Restore point made on: 2013-03-22 18:43:39

Restore point made on: 2013-03-23 20:00:23

Restore point made on: 2013-03-24 15:00:39

Restore point made on: 2013-03-25 08:47:36

Restore point made on: 2013-03-25 15:11:10

Restore point made on: 2013-03-25 15:13:31

Restore point made on: 2013-03-26 08:34:36

Restore point made on: 2013-03-27 08:26:45

==================== Memory info ===========================

Percentage of memory in use: 20%

Total physical RAM: 2046.69 MB

Available physical RAM: 1627.75 MB

Total Pagefile: 1865.01 MB

Available Pagefile: 1694.81 MB

Total Virtual: 2047.88 MB

Available Virtual: 1982.35 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:149.05 GB) (Free:65.89 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: () (Fixed) (Total:74.52 GB) (Free:23.03 GB) NTFS

3 Drive e: () (Fixed) (Total:316.71 GB) (Free:110.13 GB) NTFS

4 Drive f: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF

5 Drive g: () (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 75 GB 9 MB

Disk 1 Online 466 GB 1021 KB

Disk 2 Online 63 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 75 GB 32 KB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D NTFS Partition 75 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 149 GB 1024 KB

Partition 2 Primary 317 GB 149 GB

=========================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 C NTFS Partition 149 GB Healthy

=========================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 E NTFS Partition 317 GB Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 62 MB 16 KB

=========================================================

Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G FAT32 Removable 62 MB Healthy

=========================================================

============================== MBR Partition Table ==================

==============================

Partitions of Disk 0:

===============

Disk ID: 1CE11CE0

Partition 1:

=========

Hex: 8001010007FEFFFF3F000000C1A55009

Active: YES

Type: 07 (NTFS)

Size: 75 GB

==============================

Partitions of Disk 1:

===============

Disk ID: 12A812A7

Partition 1:

=========

Hex: 8020210007FEFFFF000800000088A112

Active: YES

Type: 07 (NTFS)

Size: 149 GB

Partition 2:

=========

Hex: 00FEFFFF07FEFFFF0090A112F8C79627

Active: NO

Type: 07 (NTFS)

Size: 317 GB

==============================

Partitions of Disk 2:

===============

Disk ID: 09D5E9CB

Partition 1:

=========

Hex: 800101000B0F20F820000000E0F10100

Active: YES

Type: 0B

Size: 62 MB

Last Boot: 2013-03-27 12:01

==================== End Of Log ============================

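The MBR Partition Table section of the FRST log above prints each partition's raw 16-byte table entry as a Hex: line next to FRST's own Active:/Type:/Size: summary. Those summary lines can be checked independently by decoding the entry itself, which is also the place to notice a table that does not look right (a boot flag outside the two values the format defines, two active partitions, or overlapping extents) before going on to repair a machine that would not boot normally. The following is an added example and is not FRST's code or part of the original thread; the four entries in FRST_ENTRIES are copied from the log, and every function and name here is this example's own.

```python
import struct

SECTOR_BYTES = 512

# Partition type bytes seen in the log, plus a few common ones.
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x17: "hidden NTFS",
    0x27: "Windows recovery",
}

# The four "Hex:" lines from the FRST log in this thread, keyed by the
# disk and partition FRST printed them under.
FRST_ENTRIES = {
    "disk0_part1": "8001010007FEFFFF3F000000C1A55009",
    "disk1_part1": "8020210007FEFFFF000800000088A112",
    "disk1_part2": "00FEFFFF07FEFFFF0090A112F8C79627",
    "disk2_part1": "800101000B0F20F820000000E0F10100",
}


def _chs(head, sector_byte, cyl_low):
    """Decode a packed CHS triple: the top two bits of the sector byte are
    the high bits of the cylinder number."""
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return cylinder, head, sector_byte & 0x3F


def parse_mbr_entry(hex_entry):
    """Parse one 16-byte MBR partition table entry given as a hex string."""
    raw = bytes.fromhex(hex_entry)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    # Layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count.
    (boot, h0, s0, c0, ptype, h1, s1, c1,
     lba_start, sector_count) = struct.unpack("<8B2I", raw)
    return {
        "boot_flag": boot,
        "active": boot == 0x80,
        "boot_flag_valid": boot in (0x00, 0x80),
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "chs_start": _chs(h0, s0, c0),
        "chs_end": _chs(h1, s1, c1),
        "lba_start": lba_start,
        "sector_count": sector_count,
        "size_bytes": sector_count * SECTOR_BYTES,
    }


def human_size(nbytes):
    """Round to whole binary units, which is how the log's Size: lines read."""
    if nbytes >= 2 ** 30:
        return f"{round(nbytes / 2 ** 30)} GB"
    return f"{round(nbytes / 2 ** 20)} MB"


def summarize(hex_entry):
    """Rebuild FRST's three summary lines from the raw entry so they can be diffed."""
    e = parse_mbr_entry(hex_entry)
    return (f"Active: {'YES' if e['active'] else 'NO'}\n"
            f"Type: {e['type']:02X} ({e['type_name']})\n"
            f"Size: {human_size(e['size_bytes'])}")


def check_disk(hex_entries):
    """Sanity-check the entries of one disk's table; returns a list of findings
    (an empty list means nothing looked odd)."""
    entries = [parse_mbr_entry(h) for h in hex_entries]
    findings = []
    for i, e in enumerate(entries, 1):
        if not e["boot_flag_valid"]:
            findings.append(f"partition {i}: boot flag {e['boot_flag']:#04x} is neither 0x00 nor 0x80")
    used = [e for e in entries if e["type"] != 0]
    if sum(e["active"] for e in used) > 1:
        findings.append("more than one partition is marked active")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sector_count"]) for e in used)
    for (a_start, a_end), (b_start, b_end) in zip(spans, spans[1:]):
        if b_start < a_end:
            findings.append(f"partitions overlap: [{a_start}, {a_end}) and [{b_start}, {b_end})")
    return findings


if __name__ == "__main__":
    for name, entry in FRST_ENTRIES.items():
        print(name, summarize(entry).replace("\n", " | "))
    print("disk 1 findings:", check_disk([FRST_ENTRIES["disk1_part1"], FRST_ENTRIES["disk1_part2"]]))
```

Decoding the four entries reproduces FRST's lines (75 GB, 149 GB, 317 GB and 62 MB after rounding to whole GiB/MiB), and Disk 1's two NTFS partitions turn out to be exactly adjacent: the first runs from LBA 2048 for 312576000 sectors and the second starts at LBA 312578048, with one active partition and no overlap, which is what an untouched table looks like.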

Thanks :)

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flash drive as fixlist.txt

HKU\Andy\...\Winlogon: [Shell] explorer.exe,C:\Users\Andy\AppData\Roaming\skype.dat [94208 2011-11-18] ()
C:\Users\Andy\AppData\Roaming\skype.dat
2013-03-26 16:41 - 2013-03-27 06:39 - 00000004 ____A C:\Users\Andy\AppData\Roaming\skype.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST by typing F:\frst and press the Fix button just once and wait.

Note: You might need to choose a different drive letter.

The tool will make a log on the flash drive ( Fixlog.txt ) please post it to your reply.

You should now be able to boot in your infected account. If not, stop here and let me know.

Download ComboFix from this location:

Link 1

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.

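The fixlist above works because the lock screen was started through the Shell value of the user's own Winlogon key: Winlogon runs whatever that value lists at every logon, Safe Mode included, and because the value sits under HKU\Andy rather than HKLM only that account was affected, which matches the symptoms in the first post. The script below is an added example, not FRST's code or the helper's: it parses Winlogon lines in the format FRST printed, flags any command beyond the Windows default, and emits the same registry-line-plus-file-path fixlist shape. The first sample line is the one from the log; the other three are constructed for the clean case and for a second hijack, and the lock.exe path in the last one is hypothetical.

```python
import re

# FRST "Registry" lines in the shape seen in this thread. Line 1 is from the
# log above; lines 2 to 4 are constructed (the lock.exe path is hypothetical).
SAMPLE_LINES = [
    r"HKU\Andy\...\Winlogon: [Shell] explorer.exe,C:\Users\Andy\AppData\Roaming\skype.dat [94208 2011-11-18] ()",
    r"HKLM\...\Winlogon: [Shell] explorer.exe [2926592 2009-04-11] (Microsoft Corporation)",
    r"HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe, [26624 2009-04-11] (Microsoft Corporation)",
    r"HKU\Ali\...\Winlogon: [Shell] C:\ProgramData\Locker\lock.exe [51200 2013-03-26] ()",
]

# hive\...\Winlogon: [Name] value [size date] (signer)   -- size/date are optional
WINLOGON_RE = re.compile(
    r"^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\Winlogon: \[(?P<name>Shell|Userinit)\] "
    r"(?P<value>.*?)(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])? \((?P<signer>[^)]*)\)$"
)

# Directories a standard user can write to; a shell loaded from here is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\")

# The only commands Windows itself puts in these values (compared case-insensitively).
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def parse_winlogon_line(line):
    """Return the fields of one FRST Winlogon line, or None if it is not one."""
    m = WINLOGON_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # The value is a comma-separated command list; Userinit has a trailing comma.
    d["entries"] = [p.strip() for p in d["value"].split(",") if p.strip()]
    return d


def rogue_entries(parsed):
    """Commands in the value that are not the Windows default for that value."""
    expected = EXPECTED[parsed["name"]]
    return [e for e in parsed["entries"] if e.lower() not in expected]


def analyze(lines):
    """Flag Shell/Userinit values that load anything beyond the default."""
    findings = []
    for line in lines:
        p = parse_winlogon_line(line)
        if p is None:
            continue
        rogue = rogue_entries(p)
        if not rogue:
            continue
        findings.append({
            "hive": p["hive"],
            "name": p["name"],
            "line": line.strip(),
            "rogue": rogue,
            "user_writable": any(t in r.lower() for r in rogue for t in USER_WRITABLE),
            "unsigned": p["signer"] == "",   # FRST prints () when there is no publisher
        })
    return findings


def build_fixlist(findings):
    """Emit fixlist lines in the shape used in this thread: the registry line
    (which makes FRST delete the value) followed by each rogue file path."""
    out = []
    for f in findings:
        out.append(f["line"])
        out.extend(r for r in f["rogue"] if re.match(r"^[A-Za-z]:\\", r))
    return "\n".join(out)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LINES)
    for h in hits:
        print(h["hive"], h["name"], h["rogue"], "user-writable" if h["user_writable"] else "")
    print(build_fixlist(hits))
```

On the log line from this thread the output is the first two lines of the helper's fixlist. The third line, skype.ini, was added by hand from the file listing; a script keyed on the Winlogon value cannot know about such sidecar files, so the log still needs a person reading it.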

Thank you so much! I am now logged into the previously infected account! Here is the fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013

Ran by SYSTEM at 2013-03-28 08:03:49 Run:1

Running from G:\

==============================================

HKEY_USERS\Andy\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.

==== End of Fixlog ====

Ok, I ran combofix from the desktop after disabling antivirus and security software. Here is the log.

ComboFix 13-03-27.01 - Andy 03/28/2013 8:14.1.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2047.1163 [GMT -4:00]

Running from: c:\users\Andy\Desktop\ComboFix.exe

AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Andy\AppData\Roaming\Fuobu

c:\users\Andy\AppData\Roaming\Fuobu\efxui.faz

c:\users\Andy\AppData\Roaming\Naumty

c:\users\Andy\AppData\Roaming\Naumty\qooci.sem

c:\users\Andy\AppData\Roaming\skype.dat

c:\users\Andy\AppData\Roaming\Ubka

c:\users\Andy\AppData\Roaming\Ubka\veos.exe

E:\install.exe

.

.

((((((((((((((((((((((((( Files Created from 2013-02-28 to 2013-03-28 )))))))))))))))))))))))))))))))

.

.

2013-03-28 12:25 . 2013-03-28 12:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-03-28 12:25 . 2013-03-28 12:27 -------- d-----w- c:\users\Andy\AppData\Local\temp

2013-03-28 12:25 . 2013-03-28 12:25 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2013-03-28 12:25 . 2013-03-28 12:25 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-03-28 12:25 . 2013-03-28 12:25 -------- d-----w- c:\users\Ali\AppData\Local\temp

2013-03-27 19:39 . 2013-03-27 19:51 -------- d-----w- C:\FRST

2013-03-27 02:01 . 2013-03-27 02:01 -------- d-----w- c:\users\Ali\AppData\Roaming\Malwarebytes

2013-03-27 00:54 . 2013-03-27 00:54 -------- d-----w- c:\users\Ali\AppData\Local\Macromedia

2013-03-27 00:53 . 2013-03-27 00:53 -------- d-----w- c:\users\Ali\AppData\Local\Mozilla

2013-03-25 20:39 . 2013-03-25 20:39 4546560 ----a-w- c:\windows\system32\GPhotos.scr

2013-03-21 18:21 . 2013-02-12 01:57 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-03-01 14:32 . 2013-03-01 14:32 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys

2013-02-27 03:40 . 2013-02-27 03:40 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-13 01:35 . 2012-03-29 19:27 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-13 01:35 . 2011-06-19 18:19 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-14 07:52 . 2013-02-14 07:52 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2013-02-08 08:37 . 2013-02-08 08:37 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2013-02-08 08:37 . 2013-02-08 08:37 245048 ----a-w- c:\windows\system32\drivers\avglogx.sys

2013-02-08 08:37 . 2013-02-08 08:37 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys

2013-02-08 08:37 . 2013-02-08 08:37 170808 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2013-02-08 08:37 . 2013-02-08 08:37 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2013-01-05 05:26 . 2013-02-12 21:46 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-05 05:26 . 2013-02-12 21:46 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-04 11:28 . 2013-02-12 21:46 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-01-04 01:38 . 2013-02-12 21:46 2048512 ----a-w- c:\windows\system32\win32k.sys

2012-10-09 03:32 . 2011-04-25 01:05 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-03-27 1686528]

"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-13 4394032]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3916923604-2398097945-3001843192-1002]

"EnableNotificationsRef"=dword:00000002

.

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3ABv.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]

2008-04-11 22:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]

2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-03-28 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 01:35]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 24.177.176.38

DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab

DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab

FF - ProfilePath - c:\users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\3ucdh5rj.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=994519&p=

FF - prefs.js: network.proxy.type - 0

FF - ExtSQL: !HIDDEN! 2010-12-15 21:28; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

user_pref('extensions.dealply.partner', 'dpknlg');

user_pref('extensions.dealply.channel', 'dpknlgadk');

user_pref('extensions.dealply.installId', 'v24300219291542231288232012092918291920');

user_pref('extensions.dealply.installIdSource', 'inst');

user_pref('extensions.dealply.sampleGroup', '0');

FF - user.js: extensions.autoDisableScopes - 14//iBryte

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe

SafeBoot-WudfPf

SafeBoot-WudfRd

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-03-28 08:27

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0]

"0"=hex:64,00,31,00,00,00,00,00,04,41,65,b8,10,00,44,49,41,4e,41,27,7e,31,00,

00,4c,00,07,00,04,00,ef,be,04,41,fd,b3,04,41,65,b8,26,00,00,00,8c,cc,00,00,\

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0]

@Class="Shell"

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0\OpenWithList]

@Class="Shell"

"a"="Corel PaintShop Pro.exe"

"MRUList"="a"

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0]

"0"=hex:45,00,34,00,30,00,20,00,34,00,78,00,31,00,30,00,2e,00,6a,70,67,00,fe,

ff,ff,ff,8a,9c,4c,75,8a,9c,4c,75,60,5e,74,5d,a4,7f,be,30,10,01,00,00,a2,00,\

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2013-03-28 08:31:08

ComboFix-quarantined-files.txt 2013-03-28 12:31

.

Pre-Run: 70,978,289,664 bytes free

Post-Run: 72,547,049,472 bytes free

.

- - End Of File - - 105E53BF998A4D00524301362D7CE732


Good work :)

I notice you have Malwarebytes' Anti-Malware installed on your machine. Please launch the program and select the update tab, then click on the check for updates button.

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.

Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

Please post the following logfile as well.

C:\Qoobox\Add-Remove Programs.txt


I'm back. Sorry it took so long. Eset took 3 hours to scan. Here are my logs.

1. Malwarebytes log

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.28.10

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Andy :: MAIN-PC [administrator]

3/28/2013 12:54:04 PM

mbam-log-2013-03-28 (12-54-04).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 278217

Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

2. Eset log

C:\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.9.1.0.exe a variant of Win32/Bundled.Toolbar.Ask application

C:\Qoobox\Quarantine\C\Users\Andy\AppData\Roaming\skype.dat.vir a variant of Win32/Kryptik.AXPR trojan

C:\Users\Ali\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx JS/Redirector.NCG trojan

C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-1b586c4f multiple threats

C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-31326f70 multiple threats

C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-6982c5c5 multiple threats

C:\Users\Andy\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx JS/Redirector.NCG trojan

C:\Users\Andy\AppData\Local\{54464204-0291-11E2-8271-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan

C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\36e023ca-321cc33f probably a variant of Java/Exploit.CVE-2012-1723.EB trojan

C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\3ucdh5rj.default\extensions\{32f8aa03-247c-4192-b075-ee9eef1e23e0}.xpi JS/Redirector.NCL trojan

E:\Downloads\gimp_31.exe probably a variant of Win32/InstallIQ application

E:\Downloads\GraboidVideoSetup-1.73m-complete.exe Win32/Graboid application

E:\Downloads\serial_key_of_card_recovery_v6.10_build_1210_evaluation_version.rar_downloader_224.exe a variant of Win32/YourFileDownloader.A application

E:\Downloads\SetupImgBurn_2.5.6.0.exe a variant of Win32/Bundled.Toolbar.Ask application

E:\Downloads\The_Dark_Knight_Rises_2012_DVDRip_XviD-NeDiVx.exe Win32/Adware.1ClickDownload.J application

E:\Downloads\WeatherBugSetup.msi a variant of Win32/Bundled.Toolbar.Ask.A application

3. Qoobox log

32 Bit HP CIO Components Installer

3DVIA player 5.0

AC3Filter 1.63b

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.3

Adobe Shockwave Player 11.6

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AVG 2013

Avi2Dvd 0.6.4

AviSynth 2.5

Battlefield 2

BitLord 2.2

Bonjour

BufferChm

C309g-m

CDBurnerXP

CoreAAC Audio Decoder (remove only)

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Delta Force - Black Hawk Down

Delta Force Task Force Dagger

Destinations

DeviceDiscovery

DVD Photo Slideshow Professional 8.05

ffdshow [rev 3299] [2010-03-03]

FileZilla Client 3.5.1

Finding Nemo: Nemo's Underwater World of Fun Special Edition

Flickr Uploadr 3.2.1

GIMP 2.6.11

GPBaseService2

Haali Media Splitter

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Customer Participation Program 14.0

HP Imaging Device Functions 14.0

HP Photo Creations

HP Photosmart Premium C309g-m All-in-One Driver Software 14.0 Rel. 6

HP Product Detection

HP Smart Web Printing 4.60

HP Solution Center 14.0

HP Update

HPDiagnosticAlert

HPPhotoGadget

HPProductAssistant

iCloud

ImgBurn

IrfanView (remove only)

iTunes

Java Auto Updater

Java 6 Update 26

Joint Operations: Typhoon Rising

Junk Mail filter update

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Forefront UAG endpoint components v4.0.0

Microsoft IntelliType Pro 8.0

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office File Validation Add-In

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook Connector

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Windows SDK for Windows 7 (7.1)

Microsoft Windows SDK for Windows 7 Common Utilities (30514)

Microsoft Windows SDK for Windows 7 Headers and Libraries (30514)

Microsoft Windows SDK for Windows 7 Utilities for Win32 Development (30514)

Mozilla Firefox 12.0 (x86 en-US)

Mozilla Maintenance Service

Mozilla Thunderbird (3.1.7)

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Network

Network Stumbler 0.4.0 (remove only)

NVIDIA 3D Vision Controller Driver

NVIDIA 3D Vision Controller Driver 301.42

NVIDIA Control Panel 306.97

NVIDIA Graphics Driver 306.97

NVIDIA Install Application

NVIDIA Update 1.10.8

NVIDIA Update Components

Picasa 3

PS_AIO_06_C309g-m_SW_Min

PunkBuster for Joint Operations: Typhoon Rising

PVSonyDll

QuickTime

QuickTransfer

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition

Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition

Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition

Security Update for Microsoft Visio 2010 (KB2760762) 32-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition

Segoe UI

SketchUp 8

SmartWebPrinting

SolutionCenter

Status

swMSM

TomTom HOME 2.8.3.2499

TomTom HOME Visual Studio Merge Modules

Toolbox

TrayApp

Ultimate Extras sounds from Microsoft® Tinker™

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition

Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition

Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition

WeatherBug

WebReg

Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00)

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Sound Schemes

WinPcap 4.1.2

Wireshark 1.8.2 (32-bit)

Wondershare DVD Creator(Build 2.6.5)

Xvid 1.2.2 final uninstall


I see you have P2P (peer to peer) software installed on your machine (in your case test). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 7 and Save it to your Desktop.
  • Scroll down to where it says Java SE 7u17
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u17-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are three options in the window to clear the cache; leave these two checked:
      • Trace and Log Files
      • Cached Applications and Applets

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Untick Free McAfee® Security Scan Plus if you do not wish to include this in the installation.
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Open notepad and copy/paste the text in the Code-box below into it:


File::
C:\Users\Andy\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx
C:\Users\Andy\AppData\Local\{54464204-0291-11E2-8271-B8AC6F996F26}\chrome\content\browser.xul
C:\Users\Ali\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx
C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\3ucdh5rj.default\extensions\{32f8aa03-247c-4192-b075-ee9eef1e23e0}.xpi
ClearJavaCache::

  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

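The CFScript above is a selection from the ESET list the user posted, not a copy of it: the skype.dat.vir hit is already in ComboFix's quarantine and needs no action, the Java deployment cache hits are covered by the ClearJavaCache:: directive, the detections ESET labels "application" are bundled installers and toolbars in the Downloads folder rather than running malware, and only the remaining trojan detections (the .crx, .xpi and browser.xul files) went into File::. The script below is an added example, not ComboFix's or the forum's code: it parses lines in the format ESET's export produced, sorts them by those rules, and writes the File:: and ClearJavaCache:: block. The sixteen log lines are copied from the post above; the sorting rules and all names are this example's own, and the only directives it emits are the two that appear in the thread.

```python
import re

# The sixteen result lines from the ESET scan posted above, copied verbatim
# and embedded here so the example runs offline.
ESET_LOG = r"""
C:\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.9.1.0.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Qoobox\Quarantine\C\Users\Andy\AppData\Roaming\skype.dat.vir a variant of Win32/Kryptik.AXPR trojan
C:\Users\Ali\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx JS/Redirector.NCG trojan
C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-1b586c4f multiple threats
C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-31326f70 multiple threats
C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-6982c5c5 multiple threats
C:\Users\Andy\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx JS/Redirector.NCG trojan
C:\Users\Andy\AppData\Local\{54464204-0291-11E2-8271-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\36e023ca-321cc33f probably a variant of Java/Exploit.CVE-2012-1723.EB trojan
C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\3ucdh5rj.default\extensions\{32f8aa03-247c-4192-b075-ee9eef1e23e0}.xpi JS/Redirector.NCL trojan
E:\Downloads\gimp_31.exe probably a variant of Win32/InstallIQ application
E:\Downloads\GraboidVideoSetup-1.73m-complete.exe Win32/Graboid application
E:\Downloads\serial_key_of_card_recovery_v6.10_build_1210_evaluation_version.rar_downloader_224.exe a variant of Win32/YourFileDownloader.A application
E:\Downloads\SetupImgBurn_2.5.6.0.exe a variant of Win32/Bundled.Toolbar.Ask application
E:\Downloads\The_Dark_Knight_Rises_2012_DVDRip_XviD-NeDiVx.exe Win32/Adware.1ClickDownload.J application
E:\Downloads\WeatherBugSetup.msi a variant of Win32/Bundled.Toolbar.Ask.A application
""".strip().splitlines()

# "<path> [probably] [a variant of] <Family/Name> <category>" or "<path> multiple threats".
# The path is matched lazily and the line is anchored at the end, so paths
# containing spaces (C:\Program Files\...) still parse.
ESET_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>"
    r"(?:probably )?(?:a variant of )?(?P<signature>[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>trojan|application|adware|worm|virus|backdoor)"
    r"|multiple threats)$"
)

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"          # already handled by ComboFix
JAVA_CACHE_MARK = "\\sun\\java\\deployment\\cache\\"     # handled by ClearJavaCache::


def triage(lines):
    """Sort ESET result lines into what the CFScript should and should not touch."""
    buckets = {"quarantined": [], "java_cache": [], "file": [], "pua": [], "unparsed": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ESET_LINE_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)
            continue
        path = m.group("path")
        low = path.lower()
        if low.startswith(QUARANTINE_PREFIX):
            buckets["quarantined"].append(path)
        elif JAVA_CACHE_MARK in low:
            buckets["java_cache"].append(path)
        elif m.group("category") == "application":
            buckets["pua"].append(path)      # bundled installers: delete by hand, not by script
        else:
            buckets["file"].append(path)     # trojan / multiple threats outside the cache
    return buckets


def build_cfscript(lines):
    """Write the File:: block and, if any Java cache hits exist, ClearJavaCache::."""
    b = triage(lines)
    out = []
    if b["file"]:
        out.append("File::")
        out.extend(b["file"])
    if b["java_cache"]:
        out.append("ClearJavaCache::")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_cfscript(ESET_LOG))
    print("\nleft for manual removal:", *triage(ESET_LOG)["pua"], sep="\n  ")
```

Run on the posted log this yields exactly the four File:: paths and the ClearJavaCache:: line of the helper's script, and separately lists the seven installers in E:\Downloads and the WeatherBug folder that were left for the user to remove by hand.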

Hi, I uninstalled BitLord and updated java and adobe acrobat reader. Here is the log from combofix.

ComboFix 13-03-30.01 - Andy 03/30/2013 7:07.2.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2047.1088 [GMT -4:00]

Running from: c:\users\Andy\Desktop\ComboFix.exe

Command switches used :: c:\users\Andy\Desktop\CFScript.txt

AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

.

.

((((((((((((((((((((((((( Files Created from 2013-02-28 to 2013-03-30 )))))))))))))))))))))))))))))))

.

.

2013-03-30 11:17 . 2013-03-30 11:17 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-03-30 11:17 . 2013-03-30 11:17 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2013-03-30 11:17 . 2013-03-30 11:17 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-03-30 11:17 . 2013-03-30 11:17 -------- d-----w- c:\users\Ali\AppData\Local\temp

2013-03-30 10:59 . 2013-03-30 10:59 -------- d-----w- c:\program files\Common Files\Adobe

2013-03-30 10:51 . 2013-03-30 10:51 -------- d-----w- c:\program files\Common Files\Java

2013-03-30 10:50 . 2013-03-30 10:49 861088 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-03-30 10:50 . 2013-03-30 10:49 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-03-28 17:03 . 2013-03-28 17:03 -------- d-----w- c:\program files\ESET

2013-03-28 12:31 . 2013-03-30 11:18 -------- d-----w- c:\users\Andy\AppData\Local\temp

2013-03-27 19:39 . 2013-03-27 19:51 -------- d-----w- C:\FRST

2013-03-27 02:01 . 2013-03-27 02:01 -------- d-----w- c:\users\Ali\AppData\Roaming\Malwarebytes

2013-03-27 00:54 . 2013-03-27 00:54 -------- d-----w- c:\users\Ali\AppData\Local\Macromedia

2013-03-27 00:53 . 2013-03-27 00:53 -------- d-----w- c:\users\Ali\AppData\Local\Mozilla

2013-03-25 20:39 . 2013-03-25 20:39 4546560 ----a-w- c:\windows\system32\GPhotos.scr

2013-03-21 18:21 . 2013-02-12 01:57 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-03-01 14:32 . 2013-03-01 14:32 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-30 10:49 . 2011-05-23 17:57 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-13 01:35 . 2012-03-29 19:27 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-13 01:35 . 2011-06-19 18:19 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-27 03:40 . 2013-02-27 03:40 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys

2013-02-14 07:52 . 2013-02-14 07:52 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2013-02-08 08:37 . 2013-02-08 08:37 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2013-02-08 08:37 . 2013-02-08 08:37 245048 ----a-w- c:\windows\system32\drivers\avglogx.sys

2013-02-08 08:37 . 2013-02-08 08:37 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys

2013-02-08 08:37 . 2013-02-08 08:37 170808 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2013-02-08 08:37 . 2013-02-08 08:37 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2013-01-05 05:26 . 2013-02-12 21:46 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-05 05:26 . 2013-02-12 21:46 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-04 11:28 . 2013-02-12 21:46 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-01-04 01:38 . 2013-02-12 21:46 2048512 ----a-w- c:\windows\system32\win32k.sys

2012-10-09 03:32 . 2011-04-25 01:05 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-03-27 1686528]

"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-13 4394032]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3916923604-2398097945-3001843192-1002]

"EnableNotificationsRef"=dword:00000002

.

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3ABv.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]

2008-04-11 22:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]

2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-03-30 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 01:35]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 24.177.176.38

DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab

DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab

FF - ProfilePath - c:\users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\3ucdh5rj.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=994519&p=

FF - prefs.js: network.proxy.type - 0

FF - ExtSQL: !HIDDEN! 2010-12-15 21:28; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

user_pref('extensions.dealply.partner', 'dpknlg');

user_pref('extensions.dealply.channel', 'dpknlgadk');

user_pref('extensions.dealply.installId', 'v24300219291542231288232012092918291920');

user_pref('extensions.dealply.installIdSource', 'inst');

user_pref('extensions.dealply.sampleGroup', '0');

FF - user.js: extensions.autoDisableScopes - 14//iBryte

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-03-30 07:18

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0]

"0"=hex:64,00,31,00,00,00,00,00,04,41,65,b8,10,00,44,49,41,4e,41,27,7e,31,00,

00,4c,00,07,00,04,00,ef,be,04,41,fd,b3,04,41,65,b8,26,00,00,00,8c,cc,00,00,\

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0]

@Class="Shell"

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0\OpenWithList]

@Class="Shell"

"a"="Corel PaintShop Pro.exe"

"MRUList"="a"

.

[HKEY_USERS\S-1-5-21-3916923604-2398097945-3001843192-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*jpg*þÿÿÿŠœLuŠœLu`^t]¤¾0]

"0"=hex:45,00,34,00,30,00,20,00,34,00,78,00,31,00,30,00,2e,00,6a,70,67,00,fe,

ff,ff,ff,8a,9c,4c,75,8a,9c,4c,75,60,5e,74,5d,a4,7f,be,30,10,01,00,00,a2,00,\

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2013-03-30 07:21:40

ComboFix-quarantined-files.txt 2013-03-30 11:21

ComboFix2.txt 2013-03-28 12:31

.

Pre-Run: 73,257,160,704 bytes free

Post-Run: 72,640,905,216 bytes free

.

- - End Of File - - 69FD9D553D7B23F35AB199D7B00C8539

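As an added example (not from this thread, and not part of ComboFix), the following Python script reads the "Reg Loading Points" and Firefox pref lines of a ComboFix log like the one posted above and lists what a defender would follow up after cleanup: User Account Control switched off (the log above shows EnableLUA=0), every autorun entry under the Run keys, and any DealPly adware prefs left in the Firefox profile. The excerpt embedded in the script is constructed from lines of the posted log.

```python
"""Added example (not from this thread or ComboFix): scan a ComboFix log
excerpt for findings worth following up after cleanup."""
import re

# Constructed excerpt, modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-13 4394032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
user_pref('extensions.dealply.partner', 'dpknlg');
user_pref('extensions.dealply.channel', 'dpknlgadk');
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
PREF_RE = re.compile(r"^user_pref\('(?P<name>[^']+)',\s*'(?P<value>[^']*)'\);$")


def parse_log(text):
    """Return ({key path: {value name: raw value}}, [(pref name, pref value)])."""
    reg, prefs, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group("key")          # start of a new registry key section
            reg.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current:
            reg[current][m.group("name")] = m.group("value").strip()
        elif (m := PREF_RE.match(line)):
            prefs.append((m.group("name"), m.group("value")))
    return reg, prefs


def find_issues(text):
    """List the things a defender should check: UAC off, autoruns, adware prefs."""
    reg, prefs = parse_log(text)
    issues = []
    for key, values in reg.items():
        low = key.lower()
        # EnableLUA=0 means User Account Control is switched off entirely.
        if low.endswith(r"\policies\system") and values.get("EnableLUA", "").startswith("0"):
            issues.append(f"UAC disabled: EnableLUA=0 under {key}")
        # Every Run entry is a program started at logon; review each one.
        if low.endswith(r"\currentversion\run"):
            for name, value in values.items():
                path = value.split(" [")[0].strip('"')
                issues.append(f"autorun: {name} -> {path}")
    # DealPly prefs surviving the cleanup mean the adware profile was not fully removed.
    for name, value in prefs:
        if name.startswith("extensions.dealply."):
            issues.append(f"adware pref left behind: {name}={value}")
    return issues
```

Run it against a full ComboFix.txt by passing the file contents to find_issues(); the parser ignores lines it does not recognise, such as the "." separators and the Find3M file listing.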

Great :)

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Untick Free McAfee® Security Scan Plus if you do not wish to include this in the installation.
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 7 and Save it to your Desktop.
  • Scroll down to where it says Java SE 7u17
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u17-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are three options in the window to clear the cache - Leave these two Checked

      • Trace and Log Files
      • Cached Applications and Applets

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

Unless you have any open issues, you are good to go. Please follow these last few steps.

Please press the Windows key + R, Copy/Paste the following single-line command into the Run box and click OK

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

Please download delfix to your Desktop.

  • Close all running programs.
  • Double-click on delfix.exe
  • Make sure that all options are checked.
  • Click Start.

This tool will delete most of the tools we have used for the cleanup procedure. If something remains, simply delete it.

Now that you appear to be free from malware, let's help you stay that way!

It is vital that you keep your system up to date.

  • Please enable Automatic Updates to keep your system up to date.
  • Windows Updates
    • Win XP: Start --> Control Panel and double-click on Automatic Updates.
    • Vista / 7: Start --> Control Panel --> System and Security --> Windows Updates
  • Software Updates
    Your installed Software also can have vulnerabilities that malware can use to infect your system.
    To keep your installed Software up to date I recommend File Hippo.

Anti Virus Software

  • Make sure to have one Anti Virus programme installed and update it on a regular basis. It is useless with out-of-date definitions.

Additional Protection
  • Malwarebytes Anti Malware
    The freeware Version is an on demand scanner which will check your system for malware. Update it once a week and run a Quick Scan. You can also buy a licence which offers more features.
  • WinPatrol
    WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Safer Browsing

Use an alternate browser

Other browsers tend to be more secure than IE as they do not make use of ActiveX objects. ActiveX objects can be used by spyware as an infection point on your computer.

Note: If you use Firefox you may want to have a look at these Add Ons.

Computer Maintenance

Clean out your temp files on a regular basis - I recommend TFC (Temp File Cleaner).

Thinking while surfing

There is no software which will protect your system from yourself.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing infection, and how to stay safe whilst browsing the internet.

If you have any questions kindly ask.

Please respond to this thread one more time so we can mark this thread as resolved.


Thank You very much for all of your help! I followed your instructions in the last post. I am going to read through the links you provided. Also, I am going to start using Firefox and I downloaded the add ons you suggested. I truly appreciate all the help you gave me, thanks again!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.