msavyy.cmd -



Hi, What happened to my topic? Here is the 4th scan, the 2nd full scan results, before I reboot:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.20.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Carol :: BILL [administrator]

6/20/2013 10:42:59 PM
mbam-log-2013-06-20 (22-42-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206030
Time elapsed: 13 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Carol\LOCALS~1\Temp\msavyy.cmd -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\Carol\LOCALS~1\Temp\msavyy.cmd -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

************************************** End Report*****************************************************************

Am I in the wrong bulletin board?

Okay, My topic is still here. I thought it was okay to attach a jpeg. Otherwise, I'll post again, without a jpeg attached.

Root Admin

Sorry for the mixup. I replied to you last night but it seems that my post was lost in a maintenance fix.

You should be able to reboot the computer and hopefully we will have caught and stopped it from spreading.

If the system does get worse then we may have to use another tool but let me know how things go please.


Malwarebytes doesn't delete the trojan. Above is scan 3. Here are the first 2 scans:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.20.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Carol :: BILL [administrator]

6/20/2013 5:50:49 PM
mbam-log-2013-06-20 (17-50-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209274
Time elapsed: 8 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Java Auto Update (Backdoor.Bot) -> Data: C:\Users\Carol\AppData\Roaming\Java\Update\Download\Cache\jsheded.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Carol\LOCALS~1\Temp\msavyy.cmd -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\Carol\LOCALS~1\Temp\msavyy.cmd -> Delete on reboot.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Inject.RRE) -> Bad: (C:\Users\Carol\LOCALS~1\Temp\msavyy.cmd) Good: () -> Delete on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Carol\AppData\Roaming\Java\Update\Download\Cache\jsheded.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\Carol\Local Settings\temp\msavyy.cmd (Trojan.Inject.RRE) -> Delete on reboot.
C:\Users\Carol\AppData\Local\temp\msavyy.cmd (Trojan.Inject.RRE) -> Delete on reboot.

(end)

 

*********************************End of First Scan [Quick] ****************************************

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.20.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Carol :: BILL [administrator]

6/20/2013 7:04:34 PM
mbam-log-2013-06-20 (19-04-34).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 362437
Time elapsed: 3 hour(s), 20 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Carol\LOCALS~1\Temp\msavyy.cmd -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\Carol\LOCALS~1\Temp\msavyy.cmd -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Carol\AppData\LocalLow\3B5C.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.

(end)

 

****************************************End of 2nd Scan [Full] *********************************************************

 

Then I ran the full scan; results in first post. Every time I have to reboot to delete the malware, it appears again on a scan.

 

Here is the DDS and Attach I ran - sorry I noticed that last night!

 

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Carol at 5:47:12 on 2013-06-21
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3262.1825 [GMT -7:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\astsrv.exe
C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\WinTV\WinTV7\WinTVTray.exe
C:\Windows\System32\Macromed\Shockwave 10\SwHelper_1020023.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank

uWindows: Load=c:\users\carol\locals~1\temp\msavyy.cmd
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [TClockEx] c:\program files\tclockex\TCLOCKEX.EXE
uRun: [Google Update] "c:\users\carol\appdata\local\google\update\GoogleUpdate.exe" /c
uRunOnce: [shockwave Updater] "c:\windows\system32\macromed\shockwave 10\SwHelper_1020023.exe" -Update -1020023 - iexplore.exe9.0
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [synTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk"&"inst=NzctNzgyNDkzMzAzLVhPMTArMi1RSVgxKzQtRjEwTTEwRCsxLVgyMDEwKzItRkwxMCsxLUNJUCsyLUREVCs1MDYyNi1ERDEwRisxLVNUMTBGQVBQKzEtTDEwTSsxLUYxME0xMkFOKzIyLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLVNUMTJGT0krMS1GMTBNMTJBVSsxLUVVTEErMS1TVDEyRkFQUCsxLVNURjEwTTEyQVVGKzE"&"prod=90"&"ver=2012.0.1831"&"mid=2f5e155032c547d6a51ed1572eb0a5f4-67a770033ab46c38be4f16cb6e0539da3b11bf91
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autostart ir.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wintv recording status..lnk - c:\program files\wintv\wintv7\WinTVTray.exe
uPolicies-explorer: NoInstrumentation = 1
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5BDA6017-34CF-4407-A303-0315F31DBA14} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AFF8AD68-D2A5-4A7C-BBF2-ED461B9A885C} : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\carol\appdata\roaming\mozilla\firefox\profiles\6j2g9fmw.default-1357757927839\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\users\carol\appdata\local\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\users\carol\appdata\local\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\users\carol\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\carol\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\carol\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\program files\wintv\tvserver\HauppaugeTVServer.exe [2011-12-16 562176]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-15 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-19 701512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-19 22856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-7 117144]
S3 MxL111SF_AVS_USB;Hauppauge WinTV-Aero-M;c:\windows\system32\drivers\hcwC6bda.sys [2011-12-16 85248]
.
=============== Created Last 30 ================
.
2013-06-12 04:31:20 -------- d-----w- c:\users\carol\appdata\local\Citrix
2013-06-03 05:54:16 -------- d-----w- c:\users\carol\appdata\roaming\Java
2013-06-01 19:45:43 262552 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
.
==================== Find3M ====================
.
2013-04-04 21:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 5:54:45.60 ===============

 

**************************************************End DDS**************************************************************

 

Attach:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 5/4/2008 1:11:16 PM
System Uptime: 6/21/2013 5:29:42 AM (0 hours ago)
.
Motherboard: Quanta | | 30EA
Processor: AMD Athlon 64 X2 Dual-Core Processor TK-57 | Socket S1 | 1900/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 101 GiB total, 46.511 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.876 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
7-Zip 9.20
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 11 ActiveX
Adobe Photoshop 6.0
Adobe Reader X (10.1.4)
Adobe Shockwave Player
AIM 6
Atheros Driver Installation Program
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
Cisco WebEx Meetings
Citrix Online Launcher
Compatibility Pack for the 2007 Office system
Conexant HD Audio
Defraggler
DVD Suite
EPSON Scan
EPSON Stylus NX400 Series Printer Uninstall
Google Talk Plugin
GoToMeeting 5.7.0.1172
Hauppauge WinTV 7
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.6
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.40 B2
HP Smart Web Printing
HP Total Care Advisor
HP User Guides 0091
HP Wireless Assistant
HPNetworkAssistant
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabel_Tattoo
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookHolidayPack1
HPPhotoSmartPhotobookModernPack1
HPPhotoSmartPhotobookPlayfulPack1
HPPhotoSmartPhotobookScrapbookPack1
HPPhotoSmartPhotobookWebPack1
Icon Restore 1.0
Java 7 Update 7
Java Auto Updater
JetMP3
Keynote Mobile Internet Testing Environment 3
LabelPrint
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Microsoft Works
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
MSDN Library for Microsoft Visual Studio 2008 Express Editions
MSVCRT Redists
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
NVIDIA Drivers
Power2Go
PowerDirector
PSSWCORE
QuickPlay SlingPlayer 0.4.6
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Synaptics Pointing Device Driver
TClockEx
TeamViewer 7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC Runtimes MSI
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Watchtower Library 2001 - English Edition
WeatherBug Gadget
Windows 7 Upgrade Advisor
Windows Movie Maker 2.6
.
==== End Of File ===========================


Root Admin

Please uninstall ALL versions of Java then run the following for me.

Please visit this webpage for instructions on downloading and running ComboFix: How to use ComboFix

Please make sure you disable your security applications before running ComboFix.

Once Combofix has completed it will produce and open a log file. Please attach that log file to your next reply.
If needed the file can be located here: C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 

Hi, I goofed. I ran the ComboFix, before uninstalling java. I will uninstall it next, and start over.  Here is the ComboFix report, as it currently appears:

ComboFix 13-06-21.02 - Carol 06/21/2013  18:14:16.3.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3262.2051 [GMT -7:00]
Running from: c:\users\Carol\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\3B2C.tmp
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\check_update.bat
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\csrss.exe
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\diablo121016.cl
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\diakgcn121016.cl
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\libcurl-4.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\libeay32.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\libidn-11.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\libpdcurses.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\libusb-1.0.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\OpenCL.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\phatk121016.cl
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\poclbm121016.cl
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\pthreadGC2.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\ssleay32.dll
c:\users\Carol\AppData\Roaming\Java\Update\Download\Cache\zlib1.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-22 to 2013-06-22  )))))))))))))))))))))))))))))))
.
.
2013-06-22 01:35 . 2013-06-22 01:35 -------- d-----w- c:\users\Williaim\AppData\Local\temp
2013-06-22 01:35 . 2013-06-22 01:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-06-22 01:35 . 2013-06-22 01:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-12 04:31 . 2013-06-12 04:31 -------- d-----w- c:\users\Carol\AppData\Local\Citrix
2013-06-03 05:54 . 2013-06-03 05:54 -------- d-----w- c:\users\Carol\AppData\Roaming\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-04 21:50 . 2012-06-19 15:51 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-09 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-09 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-09 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzgyNDkzMzAzLVhPMTArMi1RSVgxKzQtRjEwTTEwRCsxLVgyMDEwKzItRkwxMCsxLUNJUCsyLUREVCs1MDYyNi1ERDEwRisxLVNUMTBGQVBQKzEtTDEwTSsxLUYxME0xMkFOKzIyLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLVNUMTJGT0krMS1GMTBNMTJBVSsxLUVVTEErMS1TVDEyRkFQUCsxLVNURjEwTTEyQVVGKzE&prod=90&ver=2012.0.1831&mid=2f5e155032c547d6a51ed1572eb0a5f4-67a770033ab46c38be4f16cb6e0539da3b11bf91" [?]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe /QUIET [2011-12-16 117344]
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2011-12-16 82944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000Core.job
- c:\users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-10 02:56]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000UA.job
- c:\users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-10 02:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\6j2g9fmw.default-1357757927839\
FF - ExtSQL: !HIDDEN! 2008-10-17 07:47; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-21 18:35
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-06-21  18:46:48
ComboFix-quarantined-files.txt  2013-06-22 01:46
ComboFix2.txt  2012-08-23 23:18
.
Pre-Run: 24,667,684,864 bytes free
Post-Run: 25,801,527,296 bytes free
.
- - End Of File - - 2BEA4346802E46DB12AAF8A24D317644
1A1A06F62E891045814007163C1C76C3

 


Okay, I
(1) removed java
(2) ran Combofix

Report:

ComboFix 13-06-22.01 - Carol 06/21/2013  21:06:31.4.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3262.1933 [GMT -7:00]
Running from: c:\users\Carol\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-22 to 2013-06-22  )))))))))))))))))))))))))))))))
.
.
2013-06-22 04:35 . 2013-06-22 04:35 -------- d-----w- c:\users\Williaim\AppData\Local\temp
2013-06-22 04:35 . 2013-06-22 04:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-06-22 04:35 . 2013-06-22 04:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-12 04:31 . 2013-06-12 04:31 -------- d-----w- c:\users\Carol\AppData\Local\Citrix
2013-06-03 05:54 . 2013-06-03 05:54 -------- d-----w- c:\users\Carol\AppData\Roaming\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-04 21:50 . 2012-06-19 15:51 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-09 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-09 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-09 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzgyNDkzMzAzLVhPMTArMi1RSVgxKzQtRjEwTTEwRCsxLVgyMDEwKzItRkwxMCsxLUNJUCsyLUREVCs1MDYyNi1ERDEwRisxLVNUMTBGQVBQKzEtTDEwTSsxLUYxME0xMkFOKzIyLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLVNUMTJGT0krMS1GMTBNMTJBVSsxLUVVTEErMS1TVDEyRkFQUCsxLVNURjEwTTEyQVVGKzE&prod=90&ver=2012.0.1831&mid=2f5e155032c547d6a51ed1572eb0a5f4-67a770033ab46c38be4f16cb6e0539da3b11bf91" [?]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe /QUIET [2011-12-16 117344]
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2011-12-16 82944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000Core.job
- c:\users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-10 02:56]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000UA.job
- c:\users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-10 02:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\6j2g9fmw.default-1357757927839\
FF - ExtSQL: !HIDDEN! 2008-10-17 07:47; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-21 21:35
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-06-21  22:00:42
ComboFix-quarantined-files.txt  2013-06-22 05:00
ComboFix2.txt  2013-06-22 01:46
ComboFix3.txt  2012-08-23 23:18
.
Pre-Run: 23,346,454,528 bytes free
Post-Run: 21,091,799,040 bytes free
.
- - End Of File - - 200675667DED3A929C0E5148E1DB0B48
1A1A06F62E891045814007163C1C76C3
 

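The "Reg Loading Points" section of the ComboFix log above is the part a responder reads first: every entry listed there runs without anyone asking. What follows is an added example, not part of this thread and not ComboFix or Malwarebytes code: a Python script that parses a constructed sample laid out like that section (the user name and the Temp\svchost.cmd entry are invented; the other names mirror the log) and flags entries that run from a user-writable directory, point at a script rather than a compiled binary, launch a URL, or are set through the legacy Load value under Windows NT\CurrentVersion\Windows. A flag means "look at this", not "malicious": a per-user Google Update really does live under AppData and is flagged here for exactly that reason.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of a ComboFix "Reg Loading Points" section.
# The user name and the Temp\svchost.cmd entry are invented for this example.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="c:\users\someone\AppData\Local\Temp\svchost.cmd" [2013-06-20 1024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.example.com/uninstall-feedback?lic=XXXX" [?]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe /QUIET [2011-12-16 117344]
Contents of the 'Scheduled Tasks' folder
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1000Core.job
- c:\users\someone\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-10 02:56]
"""

Entry = namedtuple("Entry", "location name target")

KEY_RE    = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE  = re.compile(r'^"([^"]+)"="(.*?)"\s+\[[^\]]*\]$')
LNK_RE    = re.compile(r'^(.+\.lnk) - (.+?)\s+\[[^\]]*\]$', re.IGNORECASE)
JOB_RE    = re.compile(r'^(\d{4}-\d{2}-\d{2} \S+\.job)$', re.IGNORECASE)
TARGET_RE = re.compile(r'^- (.+?)\s+\[[^\]]*\]$')
PATH_RE   = re.compile(r'([a-z]:\\.*?\.(?:exe|dll|cmd|bat|vbs|js|ps1|scr))(?=\s|$)')

# Places an ordinary user can write to, so a payload can be dropped there without admin rights.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\locals~1\\")
SCRIPT_EXT    = (".cmd", ".bat", ".vbs", ".js", ".ps1")
LOAD_KEY_TAIL = "windows nt\\currentversion\\windows"   # key that holds the legacy "Load" value

def parse_loading_points(text):
    """Turn the log section into Entry(location, name, target) records."""
    entries, context, pending_job = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and context:
            entries.append(Entry(context, m.group(1), m.group(2)))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append(Entry("Startup folder", m.group(1), m.group(2)))
            continue
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group(1)       # the target follows on the next "- " line
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            entries.append(Entry("Scheduled task", pending_job, m.group(1)))
            pending_job = None
    return entries

def triage(entry):
    """Reasons this autostart entry deserves a closer look; an empty list means unremarkable."""
    target = entry.target.lower()
    if target.startswith(("start http://", "start https://")):
        return ["launches a URL instead of a local program"]
    m = PATH_RE.search(target)
    if not m:
        return ["no recognisable executable path"]
    path, reasons = m.group(1), []
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if path.endswith(SCRIPT_EXT):
        reasons.append("target is a script rather than a compiled binary")
    if entry.location.lower().endswith(LOAD_KEY_TAIL):
        reasons.append("set through the legacy Windows\\Load value")
    return reasons

def suspicious_entries(text):
    """Map entry name -> reasons for every flagged entry in the section."""
    flagged = {}
    for entry in parse_loading_points(text):
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it on a real log by pasting the section between the triple quotes, or reading it from a file. The extension and location checks are deliberately crude; the point is to get a short list to look at rather than a verdict, which is why the RunOnce URL launcher and the AppData-resident updater both show up next to the Temp script.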

  • Root Admin

I'm going to be in and out most of the weekend but I'll check back with you as soon as I can. Please go ahead and run the following in the order provided.

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 03

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 04

Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.

STEP 05

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Step 1: Check!

Step 2: Said, No malware found. Here are the logs:
 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.22.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Carol :: BILL [administrator]

6/22/2013 11:08:10 AM
mbar-log-2013-06-22 (11-08-10).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 209443
Time elapsed: 28 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.900000 GHz
Memory total: 3420446720, free: 1779159040

Downloaded database version: v2013.06.22.05
Initializing...
------------ Kernel report ------------
     06/22/2013 11:07:56
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\amdk8.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\cpqbttn.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\nvsmu.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\rimmptsk.sys
\SystemRoot\system32\DRIVERS\rimsptsk.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\nvmfdx32.sys
\SystemRoot\system32\DRIVERS\athr.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\CHDRT32.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSXHWAZL.sys
\SystemRoot\system32\DRIVERS\HSX_DPV.sys
\SystemRoot\system32\DRIVERS\HSX_CNXT.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\NuidFltr.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\ssmdrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\xaudio.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\ATMFD.DLL
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8694fa20
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-4\
Lower Device Object: 0xffffffff86859b98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8694fa20, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8694f648, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8694fa20, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff85ed54d8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff86859b98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-4\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
The directory C:\Windows\system32\drivers seems inaccessible or encrypted.
Drivers scan is aborted.
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 89488948

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 211045842
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 211045905  Numsec = 23390640

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 120034123776 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-234421648-234441648)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_63_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished

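The MBR section at the end of the MBAR system log above (the 55AA signature, the disk signature, and four partition entries with type, active flag, start LBA and sector count) is the same structure a bootkit scanner parses before it decides what to look at in unpartitioned space. As an added example, not part of this thread and not Malwarebytes' own code, the Python script below builds a 512-byte MBR from the geometry in that log (the bytes are constructed for the example; only the numbers come from the log), parses it back, applies the sanity checks a scanner would (exactly one active partition, no overlapping entries, nothing extending past the end of the disk) and lists the sector ranges that no partition owns. The trailing gap it reports is the arithmetic one; it is not meant to reproduce the range the tool printed for its own unpartitioned-space scan.

```python
import struct
from collections import namedtuple

Partition = namedtuple("Partition", "index active ptype lba numsec")

# Geometry as reported in the MBAR log; the sector bytes themselves are built below.
DISK_SIZE_BYTES = 120034123776
SECTOR_SIZE = 512
DISK_SECTORS = DISK_SIZE_BYTES // SECTOR_SIZE   # 234441648

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count
TABLE_OFF = 0x1BE         # first of the four 16-byte partition entries
DISK_SIG_OFF = 0x1B8      # 32-bit NT disk signature

def build_mbr(disk_signature, partitions):
    """Assemble a 512-byte MBR from (active, type, lba, numsec) tuples (constructed test data)."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (active, ptype, lba, numsec) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, b"\xff\xff\xfe", ptype, b"\xff\xff\xfe", lba, numsec)
    sector[0x1FE:0x200] = b"\x55\xAA"   # boot signature the log prints as "MBR Signature: 55AA"
    return bytes(sector)

def parse_mbr(sector):
    """Return (disk_signature, [Partition x4]); raise ValueError if this is not an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, numsec = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFF + 16 * i)
        parts.append(Partition(i, status == 0x80, ptype, lba, numsec))
    return disk_sig, parts

def check_partition_table(parts, disk_sectors):
    """Findings an MBR scanner would raise; an empty list means the table is self-consistent."""
    used = sorted((p for p in parts if p.ptype != 0), key=lambda p: p.lba)
    findings = []
    active = [p for p in used if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in used:
        if p.lba == 0 or p.lba + p.numsec > disk_sectors:
            findings.append(f"partition {p.index} lies outside the disk")
    for a, b in zip(used, used[1:]):
        if a.lba + a.numsec > b.lba:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings

def unpartitioned_ranges(parts, disk_sectors):
    """[start, end) sector ranges no partition owns, skipping sector 0 (the MBR itself)."""
    used = sorted((p for p in parts if p.ptype != 0), key=lambda p: p.lba)
    gaps, cursor = [], 1
    for p in used:
        if p.lba > cursor:
            gaps.append((cursor, p.lba))
        cursor = max(cursor, p.lba + p.numsec)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps

# Two NTFS (0x07) primaries exactly as the log lists them; entries 2 and 3 are empty.
SAMPLE_MBR = build_mbr(0x89488948, [
    (True,  0x07, 63,        211045842),
    (False, 0x07, 211045905, 23390640),
    (False, 0x00, 0, 0),
    (False, 0x00, 0, 0),
])

if __name__ == "__main__":
    sig, parts = parse_mbr(SAMPLE_MBR)
    print(f"Disk signature: {sig:08X}")
    for p in parts:
        print(p)
    print("findings:", check_partition_table(parts, DISK_SECTORS))
    print("unpartitioned:", unpartitioned_ranges(parts, DISK_SECTORS))
```

On a live system the same parser can be pointed at the first 512 bytes read from the raw disk device (an administrator can open \\.\PhysicalDrive0 on Windows); the checks are where a tampered table shows up, for instance a second active entry or a partition whose start was moved so that the real boot sector is no longer where the table claims.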

Step 3: JRT.txt

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows Vista Home Basic x86
Ran by Carol on Sat 06/22/2013 at 12:05:40.42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\systweak
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\systweak
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{77077FEF-F2EC-462E-BA11-7E6DDEF3F2C6}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{77077FEF-F2EC-462E-BA11-7E6DDEF3F2C6}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Carol\AppData\Roaming\registry mechanic"
Successfully deleted: [Folder] "C:\Users\Carol\AppData\Roaming\systweak"
Successfully deleted: [Folder] "C:\Users\Carol\appdata\local\jetmp3"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 06/22/2013 at 12:10:41.26
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step 4: AdwCleaner:

 

# AdwCleaner v2.303 - Logfile created 06/22/2013 at 12:23:39
# Updated 08/06/2013 by Xplode
# Operating system : Windows Vista Home Basic Service Pack 2 (32 bits)
# User : Carol - BILL
# Boot Mode : Normal
# Running from : C:\Users\Carol\Desktop\AdwCleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A0E8BC7D-6959-40B6-8E05-204D9768AD6E}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\6j2g9fmw.default-1357757927839\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1241 octets] - [22/06/2013 12:22:47]
AdwCleaner[s1].txt - [1182 octets] - [22/06/2013 12:23:39]

########## EOF - C:\AdwCleaner[s1].txt - [1242 octets] ##########

 

 

 

******************************End of Report**********************************************************

 

Please view attached screenshots of popup alert on reboot from AdwCleaner

 

(BTW, I clicked, Search, first, then Delete, so added a step.)


Hi, Step 5: ESET

There was one found threat on my computer. What is happening? There is a line through my text, on my screen! The threat had to do with bitcoin something on one of the games I didn't download. But I couldn't see "list of found threats." Okay, I got the line off! I didn't see the link. Is there any way I could get the list of found threats now that the ESET scan is over? I didn't disable it from this computer.


  • Root Admin

I'm in and out running around this weekend with limited access to the site, but will check back in on you as soon as I can.

 

The issue you're having with ERUNT is that it probably starts from the startup group with limited user rights. You probably need to see if you can right click over the shortcut in the START MENU -> All Programs -> Startup

 

Inside there should be a shortcut for ERUNT AutoBackup   - Right click over it and choose Properties.  Then on the "Shortcut" tab click on the Advanced button and make sure there is a check mark on the "Run as administrator" and click OK.   That should stop that error from happening.  Restart the computer again and make sure you no longer get that error.

 

Please run the following and also let me know if there are any other issues you're having or that you're seeing on your computer as related to possible malware.

 

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

 

 

Thanks

 


 Inside there should be a shortcut for ERUNT AutoBackup - Right click over it and choose Properties. Then on the "Shortcut" tab click on the Advanced button and make sure there is a check mark on the "Run as administrator" and click OK

I did that part. Now, I will turn the computer off, and start it in the morning, and let you know!

 

Thanx so much! :D


Hi, Here is the report for the Security Check:

 

 Results of screen317's Security Check version 0.99.68 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Adobe Reader 10.1.4 Adobe Reader out of Date! 
 Mozilla Firefox 21.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 windows defender MpCmdRun.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 17 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 


  • Root Admin

Please note the items in red.  Please open Adobe Reader and on the Help menu have it check for updates and apply them after it downloads them.

Same thing for Firefox.  Do Help About and there should be an item to check for updates and go ahead and update Firefox.

 

Otherwise - How is the computer running now and are you still seeing any signs of infection?


  • Root Admin

Many things could cause slowness and being on Vista means your computer is quite old now and that was not the fastest system in the first place.

You can open a new ticket in the General PC Help forum if you like though and see if someone can assist you with generic PC maintenance issues.

http://forums.malwarebytes.org/index.php?showforum=6

I'll go ahead and close your topic now then since it appears to be clean now.

Please read the following to gain more information about your computer and how to keep it safe.

Best Practices for Safe Computing - Prevention of Malware Infection

Thank you


  • Root Admin

Please run the following and let me know what issues remain.

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt

    You can ignore the note about zipping the Attach.txt file

Thanks

  • Root Admin

I believe that is the program from ERUNT that I had you install.  c:\program files\erunt\AUTOBACK.EXE

 

Please click on START - All Programs -> STARTUP and cut/delete the Autobackup from that folder.

 

 

Next, well, Defender is not enough and is only a very limited program, especially on Vista. Please try to download and install Microsoft Security Essentials, which is a free antivirus program from Microsoft that is a lot more capable than Defender.

 

Then update it and do a Full System scan and let it quarantine anything it finds.

 

Then reboot and let me know if this error is still coming up or not.


This topic is now closed to further replies.