Chips Posted April 7, 2013 ID:665927 Share Posted April 7, 2013 Hey guys. Hope someone can help me out, three days ago my netbook got infected with the ukash PCEU virus. I'm unable to run the computer in Safe Mode with Networking as the virus logs me off and shuts down the netbook (I don't have an external disk drive either) automatically. Safe Mode Command Prompt won't work either; little graphical blurs in the grey bar at the top of the screen make it look as if the virus is somehow disrupting that process too.I could have sworn that there was a system restore point, but apparently I don't have one, as I tried the msconfig route (I've just been trying to find different solutions with Google). I'm not very computer savvy, so I don't know if they can be deleted or not.I have a USB drive with Malwarebytes and Hitmanpro on and I'm posting from my laptop. If I can provide any more relevant information, just let me know. Any help would be massively appreciated. Link to post Share on other sites More sharing options...
Maniac Posted April 7, 2013 ID:665954 Share Posted April 7, 2013 Hello Chips and ! My name is Maniac and I will be glad to help you solve your malware problem.Please note:If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.Make sure you read all of the instructions and fixes thoroughly before continuing with them.Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.Please give me some information about what is your operating system. Link to post Share on other sites More sharing options...
Chips Posted April 8, 2013 Author ID:666371 Share Posted April 8, 2013 Hi Maniac, thanks for replying! Sorry, I forgot to mention which operating system the netbook has - it's Windows 7 Home Starter. By the way, unfortunately I don't have an external disk drive to load a recovery CD from, just a USB drive at present.Took notice of all your pointers though, no probs. Link to post Share on other sites More sharing options...
Maniac Posted April 11, 2013 ID:667424 Share Posted April 11, 2013 Please download Farbar Recovery Scan Tool and save it to a flash drive.Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.Plug the flash drive into the infected PC. enter System Recovery Options.Enter in System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand PromptSelect Command PromptOnce in the Command Prompt:In the command window type in notepad and press Enter.The notepad opens. Under File menu select Open.Select "Computer" and find your flash drive letter and close the notepad.In the command window type e:\frst (for x64 bit version type e:\frst64) and press EnterNote: Replace letter e with the drive letter of your flash drive.The tool will start to run.When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply. Link to post Share on other sites More sharing options...
Chips Posted April 12, 2013 Author ID:667953 Share Posted April 12, 2013 All steps followed, managed to start up FRST, here's the log:Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 30 days old)Ran by SYSTEM at 12-04-2013 13:11:45Running from G:\Windows 7 Starter Service Pack 1 (X86) OS Language: English(US)The current controlset is ControlSet001==================== Registry (Whitelisted) ===================HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10119784 2011-06-24] (Realtek Semiconductor)HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1770792 2010-05-20] (Synaptics Incorporated)HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)HKLM\...\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run [167936 2011-03-23] (Applian Technologies, Inc.)HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)HKLM\...\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" [24576 2013-03-01] ()HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot [295512 2013-03-23] (RealNetworks, Inc.)HKLM\...\Run: [Wondershare Helper Compact.exe] C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1691136 2012-05-31] (Wondershare)HKU\Us\...\Winlogon: [shell] explorer.exe,C:\Users\Us\AppData\Roaming\AltShell.dat [31232 2011-11-16] ()Tcpip\Parameters: [DhcpNameServer] 192.168.1.1Startup: C:\ProgramData\Start Menu\Programs\Startup\Adobe Gamma Loader.lnkShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)==================== Services (Whitelisted) ===================2 AMPPALR3; C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [923136 2011-04-21] (Intel Corporation)2 Bluetooth Device Monitor; "C:\Program Files\Intel\Bluetooth\devmonsrv.exe" [923984 2011-03-30] (Intel Corporation)3 Bluetooth Media Service; "C:\Program Files\Intel\Bluetooth\mediasrv.exe" [1321296 2011-03-30] (Intel Corporation)2 Bluetooth OBEX Service; "C:\Program Files\Intel\Bluetooth\obexsrv.exe" [1001808 2011-03-30] (Intel Corporation)2 BT Connection Manager; "C:\Program Files\BT Connection Manager\btomosrv.exe" [28747 2009-10-02] (British Telecommunications Plc.)2 BTHSSecurityMgr; "C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe" [102672 2011-04-20] (Intel® Corporation)2 N360; "C:\Program Files\Norton 360\Engine\20.3.0.36\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton 360\Engine\20.3.0.36\diMaster.dll" /prefetch:1 [551728 2013-02-06] (Symantec Corporation)2 NOBU; "C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [3235200 2013-02-08] (Symantec Corporation)2 RealNetworks Downloader Resolver Service; "C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe" [39056 2013-03-05] ()3 Samsung UPD Service; "C:\windows\System32\SUPDSvc.exe" [131888 2010-08-09] (Samsung Electronics CO., LTD.)==================== Drivers (Whitelisted) ====================3 AMPPAL; C:\Windows\System32\DRIVERS\AMPPAL.sys [240640 2011-04-21] (Windows ® Win 7 DDK provider)3 AMPPALP; C:\Windows\System32\DRIVERS\amppal.sys [240640 2011-04-21] (Windows ® Win 7 DDK provider)1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20130322.001\BHDrvx86.sys [997464 2013-03-21] (Symantec Corporation)3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [40960 2011-03-08] (Intel Corporation)3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [263680 2011-11-14] (Intel Corporation)2 BTWSp50; C:\Windows\System32\Drivers\BTWSp50.sys [24560 2007-04-20] (Printing Communications Assoc., Inc. (PCAUSA))1 ccSet_N360; C:\Windows\system32\drivers\N360\1403000.024\ccSetx86.sys [134304 2012-11-15] (Symantec Corporation)1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-09] (Symantec Corporation)3 iBtFltCoex; C:\Windows\System32\DRIVERS\iBtFltCoex.sys [47616 2011-12-09] (Intel Corporation)1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20130403.001\IDSvix86.sys [386720 2012-11-23] (Symantec Corporation)3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20130404.003\NAVENG.SYS [93296 2013-03-07] (Symantec Corporation)3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20130404.003\NAVEX15.SYS [1603824 2013-03-07] (Symantec Corporation)3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7513088 2011-04-30] (Intel Corporation)3 rtport; \??\C:\windows\system32\drivers\rtport.sys [15656 2011-11-25] (Windows ® 2003 DDK 3790 provider)3 SRTSP; C:\Windows\System32\Drivers\N360\1403000.024\SRTSP.SYS [602712 2013-01-28] (Symantec Corporation)1 SRTSPX; C:\Windows\system32\drivers\N360\1403000.024\SRTSPX.SYS [32344 2013-01-28] (Symantec Corporation)0 SymDS; C:\Windows\System32\drivers\N360\1403000.024\SYMDS.SYS [367704 2013-01-21] (Symantec Corporation)0 SymEFA; C:\Windows\System32\drivers\N360\1403000.024\SYMEFA.SYS [934488 2013-01-30] (Symantec Corporation)3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT.SYS [142496 2012-11-22] (Symantec Corporation)1 SymIRON; C:\Windows\system32\drivers\N360\1403000.024\Ironx86.SYS [175264 2012-11-15] (Symantec Corporation)1 SymNetS; C:\Windows\System32\Drivers\N360\1403000.024\SYMNETS.SYS [338592 2013-01-30] (Symantec Corporation)==================== NetSvcs (Whitelisted) ======================================= One Month Created Files and Folders ========2013-04-12 13:11 - 2013-04-12 13:11 - 00000000 ____D C:\FRST2013-04-07 06:07 - 2013-04-07 06:07 - 00003288 ____N C:\bootsqm.dat2013-04-07 06:05 - 2013-04-07 06:05 - 00000000 __SHD C:\found.0012013-04-03 23:55 - 2013-04-12 04:04 - 00000004 ____A C:\Users\Us\AppData\Roaming\AltShell.ini2013-03-31 12:16 - 2013-03-31 12:16 - 00000000 ____D C:\Users\Us\Documents\Wondershare Video Converter Ultimate2013-03-31 12:16 - 2013-03-31 12:16 - 00000000 ____D C:\Users\Us\AppData\Roaming\Wondershare Video Converter Ultimate2013-03-31 12:16 - 2013-03-31 12:16 - 00000000 ____D C:\Users\Us\AppData\Roaming\{950EB46C-6AC7-4ACC-AB36-9A6A77C08B6A}2013-03-31 12:14 - 2013-03-31 12:14 - 00001410 ____A C:\Users\Public\Desktop\Wondershare Video Converter Ultimate.lnk2013-03-31 12:14 - 2013-03-31 12:14 - 00000000 ____D C:\Users\Us\AppData\Local\Wondershare2013-03-31 12:14 - 2013-03-31 12:14 - 00000000 ____D C:\Program Files\Common Files\Wondershare2013-03-31 12:13 - 2013-03-31 12:16 - 00000000 ____D C:\ProgramData\Wondershare Video Converter Ultimate2013-03-31 12:13 - 2012-11-20 02:05 - 00727952 ____A () C:\Windows\System32\WSCM64.dll2013-03-31 12:13 - 2012-11-20 02:05 - 00153088 ____A () C:\Windows\System32\WSCM32.dll2013-03-31 12:12 - 2013-03-31 12:12 - 00000000 ____D C:\Program Files\Wondershare2013-03-31 12:09 - 2013-03-31 12:09 - 34602936 ____A (Wondershare Software ) C:\Users\Us\Downloads\video-converter-ultimate_full495.exe2013-03-28 10:01 - 2013-03-28 10:01 - 00042733 ____A C:\Users\Us\Downloads\Majisuka Gakuen Season 1 And 2 HD (Eng Subs) + PV Music Videos.torrent2013-03-23 15:49 - 2013-02-11 19:32 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys2013-03-23 00:47 - 2013-03-23 00:47 - 00001016 ____A C:\Users\Public\Desktop\RealPlayer.lnk2013-03-23 00:46 - 2013-03-23 00:46 - 00000000 ____D C:\Program Files\RealNetworks2013-03-23 00:42 - 2013-03-23 00:42 - 00000000 ____D C:\Program Files\Common Files\xing shared2013-03-13 19:09 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll2013-03-13 19:09 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll2013-03-13 19:09 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl2013-03-13 19:09 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll2013-03-13 19:09 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll2013-03-13 19:09 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll2013-03-13 19:09 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll2013-03-13 19:09 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll2013-03-13 19:09 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe2013-03-13 19:09 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll2013-03-13 19:09 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-03-13 19:09 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll2013-03-13 19:09 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll2013-03-13 19:09 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll2013-03-13 19:08 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-03-13 19:08 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll2013-03-13 18:58 - 2013-03-14 15:01 - 00000536 ____A C:\Users\Us\Documents\l.a.names.txt==================== One Month Modified Files and Folders ========2013-04-12 04:04 - 2013-04-03 23:55 - 00000004 ____A C:\Users\Us\AppData\Roaming\AltShell.ini2013-04-12 04:03 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT2013-04-12 04:03 - 2009-07-13 20:39 - 00069032 ____A C:\Windows\setupact.log2013-04-07 06:15 - 2011-07-14 09:45 - 01203452 ____A C:\Windows\WindowsUpdate.log2013-04-07 06:13 - 2012-06-15 10:17 - 00000000 ____D C:\ProgramData\boost_interprocess2013-04-07 06:07 - 2013-04-07 06:07 - 00003288 ____N C:\bootsqm.dat2013-04-07 06:05 - 2013-04-07 06:05 - 00000000 __SHD C:\found.0012013-04-06 04:37 - 2012-05-01 02:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job2013-04-04 13:14 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles2013-04-04 04:40 - 2009-07-13 20:34 - 00016160 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02013-04-04 04:40 - 2009-07-13 20:34 - 00016160 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02013-04-04 04:33 - 2012-04-21 13:48 - 00000000 ____D C:\Users\Us\AppData\Local\CrashDumps2013-04-04 04:05 - 2010-11-20 13:48 - 00714864 ____A C:\Windows\PFRO.log2013-04-04 00:02 - 2010-11-20 13:01 - 00727182 ____A C:\Windows\System32\PerfStringBackup.INI2013-04-03 23:53 - 2012-08-01 12:42 - 00000000 ____D C:\Users\Us\AppData\Local\FLVService2013-03-31 13:27 - 2012-09-12 05:18 - 00004159 ____A C:\Users\Us\Documents\posts.txt2013-03-31 12:16 - 2013-03-31 12:16 - 00000000 ____D C:\Users\Us\Documents\Wondershare Video Converter Ultimate2013-03-31 12:16 - 2013-03-31 12:16 - 00000000 ____D C:\Users\Us\AppData\Roaming\Wondershare Video Converter Ultimate2013-03-31 12:16 - 2013-03-31 12:16 - 00000000 ____D C:\Users\Us\AppData\Roaming\{950EB46C-6AC7-4ACC-AB36-9A6A77C08B6A}2013-03-31 12:16 - 2013-03-31 12:13 - 00000000 ____D C:\ProgramData\Wondershare Video Converter Ultimate2013-03-31 12:14 - 2013-03-31 12:14 - 00001410 ____A C:\Users\Public\Desktop\Wondershare Video Converter Ultimate.lnk2013-03-31 12:14 - 2013-03-31 12:14 - 00000000 ____D C:\Users\Us\AppData\Local\Wondershare2013-03-31 12:14 - 2013-03-31 12:14 - 00000000 ____D C:\Program Files\Common Files\Wondershare2013-03-31 12:12 - 2013-03-31 12:12 - 00000000 ____D C:\Program Files\Wondershare2013-03-31 12:09 - 2013-03-31 12:09 - 34602936 ____A (Wondershare Software ) C:\Users\Us\Downloads\video-converter-ultimate_full495.exe2013-03-31 12:07 - 2012-10-04 11:46 - 00000000 ____D C:\Users\Us\AppData\Roaming\Orbit2013-03-30 10:42 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore2013-03-28 10:01 - 2013-03-28 10:01 - 00042733 ____A C:\Users\Us\Downloads\Majisuka Gakuen Season 1 And 2 HD (Eng Subs) + PV Music Videos.torrent2013-03-23 00:47 - 2013-03-23 00:47 - 00001016 ____A C:\Users\Public\Desktop\RealPlayer.lnk2013-03-23 00:46 - 2013-03-23 00:46 - 00000000 ____D C:\Program Files\RealNetworks2013-03-23 00:42 - 2013-03-23 00:42 - 00000000 ____D C:\Program Files\Common Files\xing shared2013-03-23 00:42 - 2012-08-01 12:42 - 00000000 ____D C:\ProgramData\Real2013-03-23 00:40 - 2012-12-19 00:45 - 00201872 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll2013-03-23 00:38 - 2012-12-19 00:43 - 00272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll2013-03-23 00:38 - 2012-12-19 00:43 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll2013-03-23 00:38 - 2012-12-19 00:43 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll2013-03-23 00:37 - 2012-12-19 00:43 - 00499712 ____A (Microsoft Corporation) C:\Windows\System32\msvcp71.dll2013-03-23 00:37 - 2012-08-01 12:46 - 00348160 ____A (Microsoft Corporation) C:\Windows\System32\msvcr71.dll2013-03-22 06:55 - 2012-04-11 11:54 - 00000000 ____D C:\Users\Us\AppData\Local\VirtualStore2013-03-18 10:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache2013-03-16 17:57 - 2012-08-16 11:51 - 00000000 ____D C:\Users\Us\R+V2013-03-14 15:01 - 2013-03-13 18:58 - 00000536 ____A C:\Users\Us\Documents\l.a.names.txt2013-03-14 13:36 - 2011-07-13 18:44 - 00000000 ____D C:\Program Files\Microsoft Silverlight2013-03-13 19:21 - 2012-04-27 05:46 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe2013-03-13 05:19 - 2012-05-01 01:59 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe2013-03-13 05:19 - 2012-05-01 01:59 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl==================== Known DLLs (Whitelisted) ===================================== Bamital & volsnap Check =================C:\Windows\explorer.exe => MD5 is legitC:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legit==================== EXE ASSOCIATION =====================HKLM\...\.exe: exefile => OKHKLM\...\exefile\DefaultIcon: %1 => OKHKLM\...\exefile\open\command: "%1" %* => OK==================== Restore Points ============================================= Memory info ===========================Percentage of memory in use: 40%Total physical RAM: 1013.3 MBAvailable physical RAM: 598.91 MBTotal Pagefile: 1013.3 MBAvailable Pagefile: 619.21 MBTotal Virtual: 2047.88 MBAvailable Virtual: 1960.68 MB==================== Partitions =============================1 Drive c: () (Fixed) (Total:113 GB) (Free:30.26 GB) NTFS2 Drive d: (Local Disk) (Fixed) (Total:166.32 GB) (Free:10.95 GB) NTFS3 Drive f: (SAMSUNG_REC) (Fixed) (Total:18.67 GB) (Free:0.96 GB) NTFS ==>[system with boot components (obtained from reading drive)]4 Drive g: (FLASH DRIVE) (Removable) (Total:3.72 GB) (Free:3.67 GB) FAT325 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS6 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 298 GB 1024 KB Disk 1 Online 3812 MB 0 B Partitions of Disk 0:===============Disk ID: 58C6802B Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 100 MB 1024 KB Partition 2 Primary 113 GB 101 MB Partition 0 Extended 166 GB 113 GB Partition 4 Logical 166 GB 113 GB Partition 3 Recovery 18 GB 279 GB=========================================================Disk: 0Partition 1Type : 07Hidden: NoActive: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 0 Y SYSTEM NTFS Partition 100 MB Healthy =========================================================Disk: 0Partition 2Type : 07Hidden: NoActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 1 C NTFS Partition 113 GB Healthy =========================================================Disk: 0Partition 4Type : 07Hidden: NoActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 2 D Local Disk NTFS Partition 166 GB Healthy =========================================================Disk: 0Partition 3Type : 27Hidden: YesActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 3 F SAMSUNG_REC NTFS Partition 18 GB Healthy Hidden =========================================================Partitions of Disk 1:===============Disk ID: C3072E18 Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 3808 MB 4032 KB=========================================================Disk: 1Partition 1Type : 0CHidden: NoActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 4 G FLASH DRIVE FAT32 Removable 3808 MB Healthy ======================================================================================= MBR Partition Table ================================================Partitions of Disk 0:===============Disk ID: 58C6802BPartition 1:=========Hex: 8020210007DF130C0008000000200300Active: YESType: 07 (NTFS)Size: 100 MBPartition 2:=========Hex: 00DF140C07FEFFFF002803000000200EActive: NOType: 07 (NTFS)Size: 113 GBPartition 3:=========Hex: 00FEFFFF0FFEFFFF0028230E0028CA14Active: NOType: OF (Extended)Size: 166 GBPartition 4:=========Hex: 00FEFFFF27FEFFFF0050ED2200985502Active: NOType: 27Size: 19 GB==============================Partitions of Disk 1:===============Disk ID: C3072E18Partition 1:=========Hex: 000001010C10D1C7801F000080007700Active: NOType: 0CSize: 4 GBLast Boot: 2013-04-04 01:22==================== End Of Log ============================How bad's the damage? Will it need reformatting or can we get around it? Link to post Share on other sites More sharing options...
Maniac Posted April 12, 2013 ID:667961 Share Posted April 12, 2013 Give me this chance and I will tell you.Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txtHKU\Us\...\Winlogon: [shell] explorer.exe,C:\Users\Us\AppData\Roaming\AltShell.dat [31232 2011-11-16] ()2013-04-03 23:55 - 2013-04-12 04:04 - 00000004 ____A C:\Users\Us\AppData\Roaming\AltShell.ini2013-04-07 06:13 - 2012-06-15 10:17 - 00000000 ____D C:\ProgramData\boost_interprocessNOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating systemNow please enter System Recovery Options then select Command PromptRun FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.Reboot Normally. Link to post Share on other sites More sharing options...
Chips Posted April 12, 2013 Author ID:667992 Share Posted April 12, 2013 Hi, here's Fixlog.txt:Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013Ran by SYSTEM at 2013-04-12 15:41:39 Run:1Running from G:\==============================================HKEY_USERS\Us\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.C:\Users\Us\AppData\Roaming\AltShell.ini moved successfully.C:\ProgramData\boost_interprocess moved successfully.==== End of Fixlog ====Rebooted as normal, everything running normally by the looks of things. Link to post Share on other sites More sharing options...
Maniac Posted April 12, 2013 ID:668021 Share Posted April 12, 2013 This is not the end.Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look herePlease visit this webpage for download links, and instructions for running the tool:http://www.bleepingc...to-use-combofix* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Please post the C:\ComboFix.txt in your next reply for further review.Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error. Link to post Share on other sites More sharing options...
Chips Posted April 12, 2013 Author ID:668061 Share Posted April 12, 2013 Is it safe to back up all my important files to an external hard drive before I do that? Just wanted to make sure. Link to post Share on other sites More sharing options...
Maniac Posted April 13, 2013 ID:668255 Share Posted April 13, 2013 Just don't backup any executable files (like .exe and .com files). However, it is okay to do that. Link to post Share on other sites More sharing options...
Chips Posted April 13, 2013 Author ID:668315 Share Posted April 13, 2013 So, I ran ComboFix and here's the log file:ComboFix 13-04-12.02 - Us 13/04/2013 15:10:27.1.4 - x86Microsoft Windows 7 Starter 6.1.7601.1.1252.44.1033.18.1013.152 [GMT 1:00]Running from: c:\users\Us\Desktop\ComboFix.exeAV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\program files\WinPCapc:\program files\WinPCap\LICENSEc:\programdata\boost_interprocess\20130412154530.109999c:\programdata\boost_interprocess\20130412154530.109999\NobuAgentServicec:\programdata\boost_interprocess\20130412154530.109999\NobuTrayIconc:\programdata\FullRemove.exec:\users\Us\AppData\Roaming\2XLc:\users\Us\AppData\Roaming\2XL\2XL Games Launcher\config.inic:\users\Us\AppData\Roaming\2XL\Trophylite\config.inic:\users\Us\AppData\Roaming\2XL\Trophylite\gamestats.binc:\users\Us\AppData\Roaming\2XL\Trophylite\profile00.prfc:\users\Us\AppData\Roaming\2XL\Trophylite\profilenames.bin..((((((((((((((((((((((((( Files Created from 2013-03-13 to 2013-04-13 )))))))))))))))))))))))))))))))..2013-04-13 14:30 . 2013-04-13 14:30 -------- d-----w- c:\users\Default\AppData\Local\temp2013-04-12 21:11 . 2013-04-12 21:11 -------- d-----w- C:\FRST2013-04-12 14:48 . 2013-04-13 14:28 -------- d-----w- c:\programdata\boost_interprocess2013-04-07 14:05 . 2013-04-07 14:05 -------- d-----w- C:\found.0012013-03-31 20:16 . 2013-03-31 20:16 -------- d-----w- c:\users\Us\AppData\Roaming\Wondershare Video Converter Ultimate2013-03-31 20:16 . 2013-03-31 20:16 -------- d-----w- c:\users\Us\AppData\Roaming\{950EB46C-6AC7-4ACC-AB36-9A6A77C08B6A}2013-03-31 20:14 . 2013-03-31 20:14 -------- d-----w- c:\users\Us\AppData\Local\Wondershare2013-03-31 20:14 . 2013-03-31 20:14 -------- d-----w- c:\program files\Common Files\Wondershare2013-03-31 20:13 . 2012-11-20 10:05 727952 ----a-w- c:\windows\system32\WSCM64.dll2013-03-31 20:13 . 2012-11-20 10:05 153088 ----a-w- c:\windows\system32\WSCM32.dll2013-03-31 20:13 . 2013-03-31 20:16 -------- d-----w- c:\programdata\Wondershare Video Converter Ultimate2013-03-31 20:12 . 2013-03-31 20:12 -------- d-----w- c:\program files\Wondershare2013-03-23 23:49 . 2013-02-12 03:32 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys2013-03-23 08:46 . 2013-03-23 08:46 -------- d-----w- c:\program files\RealNetworks2013-03-23 08:42 . 2013-03-23 08:42 -------- d-----w- c:\program files\Common Files\xing shared...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-03-23 08:37 . 2012-12-19 08:43 499712 ----a-w- c:\windows\system32\msvcp71.dll2013-03-23 08:37 . 2012-08-01 20:46 348160 ----a-w- c:\windows\system32\msvcr71.dll2013-03-13 13:19 . 2012-05-01 09:59 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-03-13 13:19 . 2012-05-01 09:59 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-02-12 04:48 . 2013-03-13 10:02 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll2013-02-12 04:48 . 2013-03-13 10:02 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll2013-02-02 03:38 . 2013-03-14 03:09 1800704 ----a-w- c:\windows\system32\jscript9.dll2013-02-02 03:30 . 2013-03-14 03:09 1427968 ----a-w- c:\windows\system32\inetcpl.cpl2013-02-02 03:30 . 2013-03-14 03:09 1129472 ----a-w- c:\windows\system32\wininet.dll2013-02-02 03:26 . 2013-03-14 03:09 142848 ----a-w- c:\windows\system32\ieUnatt.exe2013-02-02 03:26 . 2013-03-14 03:09 420864 ----a-w- c:\windows\system32\vbscript.dll2013-02-02 03:23 . 2013-03-14 03:09 2382848 ----a-w- c:\windows\system32\mshtml.tlb2013-01-31 03:18 . 2013-02-27 01:48 338592 ----a-w- c:\windows\system32\drivers\N360\1403000.024\symnets.sys2013-01-31 03:18 . 2013-02-27 01:48 934488 ----a-w- c:\windows\system32\drivers\N360\1403000.024\symefa.sys2013-01-29 01:45 . 2013-02-27 01:48 602712 ----a-w- c:\windows\system32\drivers\N360\1403000.024\srtsp.sys2013-01-29 01:45 . 2013-02-27 01:48 32344 ----a-w- c:\windows\system32\drivers\N360\1403000.024\srtspx.sys2013-01-22 02:15 . 2013-02-27 01:48 367704 ----a-w- c:\windows\system32\drivers\N360\1403000.024\symds.sys..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-05-09 176936].[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}].[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}].[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]2011-05-09 09:49 176936 ----a-w- c:\program files\Freecorder\prxtbFree.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl2\prxtbuTor.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-05-09 176936].[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}].[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}].[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]"{687578B9-7132-4A7A-80E4-30EE31099E03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-05-09 176936].[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}].[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-06-25 10119784]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-21 1770792]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2013-03-01 24576]"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2013-03-23 295512]"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-05-31 1691136].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-9-18 113664].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]R3 AMPPALP;Intel® Centrino® Bluetooth 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403000.024\SYMDS.SYS [x]S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403000.024\SYMEFA.SYS [x]S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20130322.001\BHDrvx86.sys [x]S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403000.024\ccSetx86.sys [x]S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20130412.001\IDSvix86.sys [x]S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403000.024\Ironx86.SYS [x]S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\1403000.024\SYMNETS.SYS [x]S2 AMPPALR3;Intel® Centrino® Bluetooth 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files\Intel\Bluetooth\devmonsrv.exe [x]S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Intel\Bluetooth\obexsrv.exe [x]S2 BT Connection Manager;BT Connection Manager;c:\program files\BT Connection Manager\btomosrv.exe [x]S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]S2 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BTWSp50.sys [x]S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]S2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.0.36\ccSvcHst.exe [x]S2 NOBU;Norton Online Backup;c:\program files\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [x]S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]S3 AMPPAL;Intel® Centrino® Bluetooth 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Intel\Bluetooth\mediasrv.exe [x]S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [x]S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [x]S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [x]S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]..--- Other Services/Drivers In Memory ---.*Deregistered* - EraserUtilDrv11220.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvcGPSvcGroup REG_MULTI_SZ GPSvc.Contents of the 'Scheduled Tasks' folder.2013-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 13:19]..------- Supplementary Scan -------.uStart Page = https://www.google.co.uk/uInternet Settings,ProxyOverride = *.localIE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202TCP: DhcpNameServer = 192.168.1.1.- - - - ORPHANS REMOVED - - - -.Toolbar-Locked - (no file)...[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]"ImagePath"="\"c:\program files\Norton 360\Engine\20.3.0.36\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.0.36\diMaster.dll\" /prefetch:1".--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]@Denied: (2) (LocalSystem)"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8, 7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8, 89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39, 64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40, 69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23, 94,30,02,d1,0f,f1,da,12,24,73,56,27,d2"{AA609D72-8482-4076-8991-8CDAE5B93BCB}"=hex:51,66,7a,6c,4c,1d,38,12,1c,9e,73, ae,b0,ca,18,05,f6,87,cf,9a,e0,e7,7f,df"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd, d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b"{E99987AC-6311-4686-B095-EB30B69F9258}"=hex:51,66,7a,6c,4c,1d,38,12,c2,84,8a, ed,23,2d,e8,03,cf,83,a8,70,b3,c1,d6,4c.[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]@Denied: (2) (LocalSystem)"Timestamp"=hex:c8,97,52,da,d5,2a,cd,01.[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]@Denied: (2) (LocalSystem)"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,80,0c,42,c3,9c,f7,82,4e,a3,de,e1,\"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,80,0c,42,c3,9c,f7,82,4e,a3,de,e1,\.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2013-04-13 15:35:40ComboFix-quarantined-files.txt 2013-04-13 14:35.Pre-Run: 32,209,686,528 bytes freePost-Run: 32,127,152,128 bytes free.- - End Of File - - 305ACA378ECC809939A70F8483619715 Link to post Share on other sites More sharing options...
Maniac Posted April 13, 2013 ID:668318 Share Posted April 13, 2013 Please copy/paste here the content of C:\Qoobox\Add-Remove Programs.txt Link to post Share on other sites More sharing options...
Chips Posted April 13, 2013 Author ID:668378 Share Posted April 13, 2013 Here it is:???? ??? Windows Live???? Windows Live????? Windows Live?????? ??????? ?? Windows Live???????? ?????????? Windows Live?????????? Windows Live??????????? ?? Windows LiveAC3Filter 1.63bAdobe Flash Player 11 ActiveXAdobe Photoshop 7.0Adobe Reader X (10.1.6)Any Video Converter 3.2.0Apple Application SupportApple Mobile Device SupportApple Software UpdateAtheros Client Installation ProgramµTorrentAuction Sentry„Windows Live Essentials“„Windows Live Mail“„Windows Live Messenger“„Windows Live“ fotogalerijaBatteryLifeExtenderBonjourBroadcom 802.11 Network AdapterBT Connection ManagerChargeableUSBCyberLink YouCamD3DX10Easy Content ShareEasy Display ManagerEasy Network ManagerEasy Resolution ManagerEasy SpeedUp ManagerEasyBatteryManagerEasyFileShareFast StartFLVPlayer4Free Free FLV Player 4.0.0.0Fotogalerija Windows LiveFoxreal YouTube FLV Downloader version: 1.0.1.1Freecorder 5Freecorder ToolbarGaleria de Fotografias do Windows LiveGaleria fotografii uslugi Windows LiveGalerie de photos Windows LiveGalerie foto Windows LiveGalería fotográfica de Windows LiveGIF Construction Set Professional 4Intel PROSet WirelessIntel® Graphics Media Accelerator DriverIntel® PROSet/Wireless for Bluetooth® 3.0 + High SpeedIntel® PROSet/Wireless Software for Bluetooth® TechnologyIntel® PROSet/Wireless WiFi SoftwareIntel® Rapid Storage TechnologyiTunesJava 2 Runtime Environment, SE v1.4.1Java Auto UpdaterJava Web StartJava 7 Update 5JavaFX 2.1.1Junk Mail filter updateMesh RuntimeMicrosoft .NET Framework 4 Client ProfileMicrosoft Application Error ReportingMicrosoft GIF AnimatorMicrosoft Office 2010Microsoft Office Click-to-Run 2010Microsoft Office Starter 2010 - EnglishMicrosoft SilverlightMicrosoft SQL Server 2005 Compact Edition [ENU]Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 Redistributable - x86 9.0.30729Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161Movie Color EnhancerMSVCRTNorton 360Norton Online BackupOrbit DownloaderPaint XP version 1.1PhoneSharePoczta uslugi Windows LivePodstawowe programy Windows LivePošta Windows LiveRaccolta foto di Windows LiveRealDownloaderRealNetworks - Microsoft Visual C++ 2008 RuntimeRealNetworks - Microsoft Visual C++ 2010 RuntimeRealPlayerRealtek Ethernet Controller DriverRealtek High Definition Audio DriverRealUpgrade 1.1S?????? f?t???af??? t?? Windows LiveSamsung AnyWeb PrintSamsung Printer Live UpdateSamsung Recovery Solution 5Samsung Support Center 1.0Samsung Universal Print DriverSamsung Universal Scan DriverSamsung Update PlusSamsungMovieSecurity Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)SISShortcutSkype™ 5.10Synaptics Pointing Device DriverUpdate for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)User GuideuTorrentControl2 ToolbarVLC media player 2.0.5Winamp (Remove Only)Windows LiveWindows Live ??Windows Live ?? ???Windows Live ???Windows Live ????Windows Live Communications PlatformWindows Live EssentialsWindows Live FotótárWindows Live Foto-galerijaWindows Live fotoattelu galerijaWindows Live FotogalerieWindows Live FotogalleriWindows Live FotogalériaWindows Live Fotograf GalerisiWindows Live Galeria de FotosWindows Live Galerija fotografijaWindows Live ID Sign-in AssistantWindows Live InstallerWindows Live MailWindows Live MeshWindows Live MessengerWindows Live MIME IFilterWindows Live Movie MakerWindows Live Photo CommonWindows Live Photo GalleryWindows Live PIMT PlatformWindows Live PoštaWindows Live Remote ClientWindows Live Remote Client ResourcesWindows Live Remote ServiceWindows Live Remote Service ResourcesWindows Live SOXEWindows Live SOXE DefinitionsWindows Live Temel ParçalarWindows Live UX PlatformWindows Live UX Platform Language PackWindows Live WriterWindows Live Writer ResourcesWindows Liven asennustyökaluWindows Liven sähköpostiWindows Liven valokuvavalikoimaWondershare Video Converter Ultimate(Build 6.0.3.2)-----------By the way, I don't know if this is useful information to you, but since running ComboFix there was an attack by something called Trojan.Gen.2. Norton said it sorted it out but I thought I'd let you know in any case. Link to post Share on other sites More sharing options...
Chips Posted April 13, 2013 Author ID:668388 Share Posted April 13, 2013 What I'm also a little concerned about is that the Norton program window which I had open, suddenly closed, as did the My Computer window. That doesn't seem normal, any advice? I've shut down the computer for now. Link to post Share on other sites More sharing options...
Maniac Posted April 13, 2013 ID:668478 Share Posted April 13, 2013 Give me more specific information about Norton detections.Step 1Please uninstall the following applications:µTorrentFreecorder ToolbaruTorrentControl2 ToolbarStep 2Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message.Step 3Launch Malwarebytes' Anti-MalwareGo to Update tab and select Check for Updates. If an update is found, it will download and install the latest version. Go to Scanner tab and select Perform Quick Scan, then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.In your next reply, post the following log files:Junkware Removal Tool logMalwarebytes' Anti-Malware log Link to post Share on other sites More sharing options...
Chips Posted April 14, 2013 Author ID:668739 Share Posted April 14, 2013 Okay, so first is the information from Norton. It says:Severity: HighActivity: altshell.dat (Trojan.Gen.2) detected by Auto-ProtectStatus: QuarantinedDate & Time: 13/04/2013, 16:35:01File path: c:\users\us\appdata\roaming\altshell.datDownloaded from: UnknownIt says 'This threat has been removed. No further action is needed.'Here's JRT.txt:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Junkware Removal Tool (JRT) by ThisisuVersion: 4.8.3 (04.05.2013:1)OS: Windows 7 Starter x86Ran by Us on 14/04/2013 at 16:35:41.26~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services~~~ Registry ValuesSuccessfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{1392b8d2-5c05-419f-a8f6-b9f15a596612}Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{1392b8d2-5c05-419f-a8f6-b9f15a596612}Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{687578b9-7132-4a7a-80e4-30ee31099e03}Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{687578b9-7132-4a7a-80e4-30ee31099e03}~~~ Registry KeysSuccessfully deleted: [Registry Key] hkey_current_user\software\conduitSuccessfully deleted: [Registry Key] hkey_local_machine\software\conduitSuccessfully deleted: [Registry Key] hkey_current_user\software\softonicSuccessfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduitSuccessfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduitsearchscopesSuccessfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegongSuccessfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\smartbarSuccessfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\conduitinstaller_rasapi32Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\conduitinstaller_rasmancsSuccessfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT1060933Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT3072253Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}~~~ FilesSuccessfully deleted: [File] C:\windows\system32\sho6AEA.tmpSuccessfully deleted: [File] C:\windows\system32\sho8607.tmpSuccessfully deleted: [File] C:\windows\system32\shoC9AC.tmpSuccessfully deleted: [File] "C:\end"~~~ FoldersFailed to delete: [Folder] "C:\ProgramData\boost_interprocess"Failed to delete: [Folder] "C:\ProgramData\application data\boost_interprocess"Successfully deleted: [Folder] "C:\Users\Us\appdata\local\conduit"Successfully deleted: [Folder] "C:\Users\Us\appdata\locallow\conduit"Successfully deleted: [Folder] "C:\Users\Us\appdata\locallow\pricegong"Successfully deleted: [Folder] "C:\Program Files\conduit"~~~ Event Viewer Logs were cleared~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Scan was completed on 14/04/2013 at 17:00:22.69End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~And here's the Malwarebytes log:Malwarebytes Anti-Malware (Trial) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.04.14.03Windows 7 Service Pack 1 x86 NTFSInternet Explorer 9.0.8112.16421Us :: WORKHORSE-BETA [administrator]Protection: Enabled14/04/2013 17:06:07mbam-log-2013-04-14 (17-06-07).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 208619Time elapsed: 15 minute(s), 16 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 2C:\Users\Us\Downloads\installer_ac3_dts_codec.exe (PUP.BundleInstaller.BT) -> Quarantined and deleted successfully.C:\Users\Us\Downloads\installer_gif_construction_set_pro.exe (PUP.BundleInstaller.PHP) -> Quarantined and deleted successfully.(end)Also, this time I took the precaution of disconnecting from the internet, except when I had to check for MBAM updates. When I was shutting down though, I noticed that the program which Windows needed to close before it could shut down was called 'explorer.exe' which I've seen mentioned in different virus removal guides. Is that meant to be there? Link to post Share on other sites More sharing options...
Maniac Posted April 14, 2013 ID:668788 Share Posted April 14, 2013 It's not necessarily to be malware. This is the user shell, which we see as the familiar taskbar, desktop, and other user interface features.Please run a free online scan with the ESET Online ScannerNote: You will need to use Internet Explorer for this scanTick the box next to YES, I accept the Terms of UseClick StartWhen asked, allow the ActiveX control to installClick StartMake sure that the options Remove found threats and the option Scan unwanted applications is checkedClick Scan (This scan can take several hours, so please be patient)Once the scan is completed, you may close the windowUse Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txtCopy and paste that log as a reply to this topic Link to post Share on other sites More sharing options...
Chips Posted April 15, 2013 Author ID:669066 Share Posted April 15, 2013 It's not necessarily to be malware. This is the user shell, which we see as the familiar taskbar, desktop, and other user interface features. Please run a free online scan with the ESET Online Scanner Note: You will need to use Internet Explorer for this scanTick the box next to YES, I accept the Terms of Use Click Start When asked, allow the ActiveX control to install Click Start Make sure that the options Remove found threats and the option Scan unwanted applications is checked Click Scan (This scan can take several hours, so please be patient) Once the scan is completed, you may close the window Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt Copy and paste that log as a reply to this topic Okay, I ran the scanner. There were two logs available - here's the first, log.txt:ESETSmartInstaller@High as CAB hook log:OnlineScanner.ocx - registred OKBut since it didn't have much information, I clicked 'Export to text file...' which seems to be the one you need. I renamed it to esetlog.txt:C:\Users\Us\Downloads\OrbitDownloaderSetup.exe Win32/OpenCandy application cleaned by deleting - quarantinedC:\Users\Us\Downloads\SoftonicDownloader_for_ms-gif-animator.exe a variant of Win32/SoftonicDownloader.E application cleaned by deleting - quarantinedC:\Users\Us\USB Drive\avc-free.exe Win32/OpenCandy application cleaned by deleting - quarantinedDo I delete the quarantined files? Link to post Share on other sites More sharing options...
Maniac Posted April 15, 2013 ID:669089 Share Posted April 15, 2013 When we clean these tools, quarantined files will gone.How are things now? Link to post Share on other sites More sharing options...
Chips Posted April 15, 2013 Author ID:669099 Share Posted April 15, 2013 I haven't been using the netbook at all, but it's been left switched on, and nothing out of the ordinary has happened yet. I did decide to run the ESET scan on the laptop though - it's found 5 threats so far, and I was wondering, will no further action be needed after they're quarantined?What should I do next? Link to post Share on other sites More sharing options...
Maniac Posted April 15, 2013 ID:669182 Share Posted April 15, 2013 Download AVPTool from Here to your desktop Run the programme you have just downloaded to your desktop (it will be randomly named) Click the cog in the upper right Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan Allow AVP to delete all infections foundOnce it has finished select report tab (last tab)Select Detected threads report from the left and press Save buttonSave it to your desktop and post it in your next reply. Link to post Share on other sites More sharing options...
Chips Posted April 16, 2013 Author ID:670064 Share Posted April 16, 2013 There isn't actually anything there on the Detected Threats page, the scan was all clear. Two other things which I thought worthy of mentioning though, a tiny dialogue box for something called 'SmartRestore_SEC' appeared in the top right corner of the screen after startup with only an 'OK' and 'Cancel' button. It seems to be something to do with Samsung but that hasn't come up before.The second is that while the Kaspersky scan was running, some of the the files weren't scanned because they were password protected, locked or there were read errors and such. Is this important? Some of the password protected files had names like rar.exe and stuff. Link to post Share on other sites More sharing options...
Chips Posted April 16, 2013 Author ID:670065 Share Posted April 16, 2013 a tiny dialogue box for something called 'SmartRestore_SEC'Correction: 'SmartRestarter_SEC' Link to post Share on other sites More sharing options...
Maniac Posted April 16, 2013 ID:670072 Share Posted April 16, 2013 Some of the password protected files had names like rar.exe and stuff. That's normal, because not every file could be scanned, because of your operating system protections.Now, please monitor your system for a day or two and come back to let me know how are things. Link to post Share on other sites More sharing options...
Chips Posted April 16, 2013 Author ID:670085 Share Posted April 16, 2013 Well I tried to save the scan report from Kaspersky but the program stopped responding so I decided to shut down the computer. On restarting, a command prompot window came up with '_uninst_82750393'. I allowed the installer to launch again but then exited the application when the licence agreement window appeared. A couple of times a window saying 'Deleting files' has appeared, but I'm assuming that's to do with Kaspersky, like the uninstall command prompt window. Different things keep popping up and disappearing but again, I'm assuming they're attributed to how the computer should be running.Other than that, I'll keep an eye on how it's running and post again tomorrow evening, if that's alright. Link to post Share on other sites More sharing options...
Recommended Posts