
HELP! PUM.UserWLoad and Trojan.Ransom



I need some help. I have done a quick scan and malwarebytes detects 2 infected files: PUM.UserWLoad and Trojan.Ransom
 
 
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Joseph\LOCALS~1\Temp\mshxufb.bat -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\Joseph\LOCALS~1\Temp\mshxufb.bat -> Delete on reboot.


I removed these infected files, and Malwarebytes told me that an urgent restart of my system should be done to remove all active threats properly, but after doing this the said infected files still appear when I do another quick scan; it seems that they were not deleted.
 
 
What should I do about this?

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs.

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


DDS

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.21.2
Run by Joseph at 23:34:05 on 2013-08-25
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2931.1672 [GMT 8:00]
.
AV: Bitdefender Antivirus *Enabled/Updated* {9B5F5313-CAF9-DD97-C460-E778420237B4}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Bitdefender Antispyware *Enabled/Updated* {203EB2F7-ECC3-D219-FED0-DC0A39857D09}
FW: Bitdefender Firewall *Enabled* {A364D236-8096-DCCF-EF3F-4E4DBCD170CF}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Bitdefender\Bitdefender 2013\vsserv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Smart Bro\AssistantServices.exe
C:\Program Files\Bitdefender\Bitdefender 2013\updatesrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Smart Bro\UIExec.exe
C:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Smart Bro\UIMain.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Smart Bro\CMUpdater.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Joseph\Downloads\RogueKiller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uWindows: Load = c:\users\joseph\locals~1\temp\mshxufb.bat
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /FORPCEE3 
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [smoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [uSB Security] c:\program files\usb disk security\USBGuard.exe
mRun: [KeNotify] "c:\program files\toshiba\utilities\KeNotify.exe" LPCM
mRun: [uIExec] "c:\program files\smart bro\UIExec.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [bdagent] "c:\program files\bitdefender\bitdefender 2013\bdagent.exe"
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
TCP: Interfaces\{634C63AC-BA84-411B-93D0-18F121CCE4EC}\0525F4C494E4B4F58453030313E4F58363033444 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{634C63AC-BA84-411B-93D0-18F121CCE4EC}\0525F4C496E4B4F58453030313E4F52326034356 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{634C63AC-BA84-411B-93D0-18F121CCE4EC}\452716D62637970275946494 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{634C63AC-BA84-411B-93D0-18F121CCE4EC}\7456470297F6572702F677E6027594649402E49676761612 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{EE84FFE4-DF5E-4727-83AD-BF511BCE03F3} : NameServer = 121.1.3.172 121.1.3.89
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2013-8-24 640560]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-7-26 13560]
R0 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [2013-8-24 162976]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-2-7 37664]
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2013-8-24 78144]
R1 bdfwfpf;bdfwfpf;c:\program files\common files\bitdefender\bitdefender firewall\bdfwfpf.sys [2013-8-24 90704]
R1 BDVEDISK;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [2013-8-24 72704]
R2 IconMan_R;IconMan_R;c:\program files\realtek\realtek usb 2.0 card reader\RIconMan.exe [2012-7-12 1811456]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2013-2-21 100216]
R2 SafeBox;SafeBox;c:\program files\bitdefender\bitdefender safebox\safeboxservice.exe [2013-8-24 82824]
R2 UI Assistant Service;UI Assistant Service;c:\program files\smart bro\AssistantServices.exe [2013-2-23 274760]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2012-7-12 2320920]
R2 UPDATESRV;Bitdefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2013\updatesrv.exe [2013-8-24 54960]
R3 avchv;avchv Function Driver;c:\windows\system32\drivers\avchv.sys [2013-8-24 242504]
R3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2013-8-24 490144]
R3 CeKbFilter;CeKbFilter;c:\windows\system32\drivers\CeKbFilter.sys [2012-7-12 17520]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-2-27 132480]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-8-25 40776]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2012-7-12 33616]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\ZTEusbvoice.sys [2013-2-23 107520]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-8-24 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-8-24 701512]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.2.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\15.2.0\ToolbarUpdater.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BDSandBox;BDSandBox;c:\windows\system32\drivers\bdsandbox.sys [2013-8-24 66832]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2013-2-7 49664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-9-12 1512448]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2013-2-23 9216]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-8-24 22856]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2012-7-12 182304]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-10-15 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-7-12 1343400]
S4 BdDesktopParental;Bitdefender Desktop Parental Control;c:\program files\bitdefender\bitdefender 2013\bdparentalservice.exe [2013-8-24 62688]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2013-08-25 15:17:03 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-08-24 14:42:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-08-24 09:56:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-24 09:56:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-08-24 09:21:21 -------- d-----w- c:\users\joseph\appdata\local\Programs
2013-08-24 07:03:58 -------- d-----w- c:\users\joseph\appdata\roaming\liQeNSoft
2013-08-24 07:01:17 -------- d-----w- c:\users\joseph\appdata\local\ElevatedDiagnostics
2013-08-24 05:53:09 452820 ----a-w- c:\programdata\1377323115.bdinstall.bin
2013-08-24 05:51:44 -------- d-----w- c:\programdata\BDLogging
2013-08-24 05:51:37 72704 ----a-w- c:\windows\system32\drivers\bdvedisk.sys
2013-08-24 05:51:35 78144 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2013-08-24 05:51:35 66832 ----a-w- c:\windows\system32\drivers\bdsandbox.sys
2013-08-24 05:51:35 511328 ----a-w- c:\windows\capicom.dll
2013-08-24 05:51:29 640560 ----a-w- c:\windows\system32\drivers\avc3.sys
2013-08-24 05:51:29 490144 ----a-w- c:\windows\system32\drivers\avckf.sys
2013-08-24 05:51:29 242504 ----a-w- c:\windows\system32\drivers\avchv.sys
2013-08-24 05:49:25 -------- d-----w- c:\users\joseph\appdata\roaming\Bitdefender
2013-08-24 05:49:21 -------- d-----w- c:\programdata\Bitdefender
2013-08-24 05:45:27 162976 ----a-w- c:\windows\system32\drivers\gzflt.sys
2013-08-24 05:45:25 355744 ----a-w- c:\windows\system32\drivers\trufos.sys
2013-08-24 05:41:34 57674 ----a-w- c:\programdata\1377322884.bdinstall.bin
2013-08-24 05:39:03 57674 ----a-w- c:\programdata\1377322730.bdinstall.bin
2013-08-24 05:37:57 -------- d-----w- c:\users\joseph\appdata\local\liQeNSoft
2013-08-24 05:37:33 247936 ----a-w- c:\programdata\1377322628.bdinstall.bin
2013-08-24 05:37:33 -------- d-----w- c:\program files\Bitdefender
2013-08-24 05:36:52 -------- d-----w- c:\program files\common files\Bitdefender
2013-08-24 04:58:23 28889 ----a-w- c:\programdata\1377320286.bdinstall.bin
2013-08-24 04:55:47 -------- d-----w- c:\users\joseph\appdata\roaming\TuneUp Software
2013-08-24 04:54:26 29462 ----a-w- c:\programdata\1377320026.bdinstall.bin
2013-08-24 04:54:17 18649 ----a-w- c:\programdata\1377320051.bdinstall.bin
2013-08-23 11:59:32 -------- d-----w- c:\windows\system32\wbem\Logs
2013-08-23 11:55:10 -------- d-----w- c:\windows\system32\wbem\mof\good
2013-08-23 11:55:10 -------- d-----w- c:\windows\system32\wbem\mof\bad
2013-08-23 11:55:10 -------- d-----w- c:\windows\system32\wbem\MOF
2013-08-18 07:16:10 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-08-13 03:23:32 -------- d-----w- c:\users\joseph\appdata\roaming\QuickScan
2013-08-12 01:58:52 -------- d-----w- c:\users\joseph\appdata\local\mHotspot_Inc
2013-08-12 01:58:37 -------- d-----w- c:\program files\mHotspot
2013-08-11 10:40:21 29160 ----a-w- c:\windows\system32\drivers\cnnctfy3.sys
.
==================== Find3M  ====================
.
2013-08-24 14:33:41 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-08-24 14:33:41 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-08-17 11:27:28 345 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-23 23:31:23 773712 ----a-w- c:\windows\system32\msvcr100.dll
2013-06-23 23:31:23 420944 ----a-w- c:\windows\system32\msvcp100.dll
.
============= FINISH: 23:34:50.79 ===============
 
 
Attach:
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional 
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2012 6:24:31 PM
System Uptime: 8/25/2013 11:24:02 PM (0 hours ago)
.
Motherboard: TOSHIBA |  | PWWAA
Processor: Intel® Core i3 CPU       M 380  @ 2.53GHz | CPU | 2533/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 100 GiB total, 63.807 GiB free.
D: is FIXED (NTFS) - 365 GiB total, 328.84 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP157: 8/24/2013 12:54:56 PM - Removed AVG 2012
RP158: 8/24/2013 12:56:53 PM - Removed AVG 2012
RP160: 8/25/2013 9:36:46 PM - Uniblue SpeedUpMyPC installation
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bitdefender Total Security 2013
Bluetooth Monitor 4
Bonjour
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Composite 2012
D3DX10
DvDrum 2
Facebook Video Calling 1.2.0.287
Google Chrome
Google Update Helper
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Components
Intel® Rapid Storage Technology
Internet Download Manager
iTunes
Java 7 Update 21
Java Auto Updater
JavaFX 2.1.1
Junk Mail filter update
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Malwarebytes Anti-Malware version 1.75.0.1300
mHotspot version 6.4.0.0
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Help Viewer 1.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server System CLR Types
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft VM for Java
Microsoft Web Publishing Wizard 1.53
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Movie Maker
MSVCRT
MSVCRT110
MySQL Connector/ODBC 3.51
MySQL Server 5.0
MySQL Server 5.1
PDF Settings CS5
Photo Common
Photo Gallery
QuickTime
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Skype™ 6.1
SMART BRO
swMSM
Synaptics Pointing Device Driver
TOSHIBA Flash Cards Support Utility
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TOSHIBA Wireless LAN Indicator
USB Disk Security
Utility Common Driver
VLC media player 2.0.2
WampServer 2.1
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
8/25/2013 9:57:28 PM, Error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/25/2013 11:31:12 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C0130100003B0000C00A000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 11:31:12 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C0110100003B0000C00B000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 11:25:28 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C0130100003B0000C008000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 11:25:28 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C0110100003B0000C009000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 11:25:20 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C0130100003B0000C006000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 11:25:20 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C0110100003B0000C007000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 11:24:48 PM, Error: Service Control Manager [7000]  - The vToolbarUpdater15.2.0 service failed to start due to the following error:  The system cannot find the file specified.
8/25/2013 11:24:44 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "B4749F9CD3B5" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 11:24:09 PM, Error: NetBT [4311]  - Initialization failed because the driver device could not be created. Use the string "B870F45513C4" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the  Globally Unique Interface Identifier (GUID) if NetBT was unable to  map from GUID to MAC address. If neither the MAC address nor the GUID were  available, the string represents a cluster device name. 
8/25/2013 10:54:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
8/25/2013 10:54:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
8/25/2013 10:54:36 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
8/25/2013 10:54:34 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/25/2013 10:54:34 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/25/2013 10:54:32 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
8/25/2013 10:54:32 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
8/25/2013 10:54:31 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/25/2013 10:54:25 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/25/2013 10:54:17 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD avc3 BdfNdisf bdfwfpf bdselfpr BDVEDISK CSC DfsC discache gzflt NetBIOS NetBT nsiproxy Psched rdbss spldr tdx trufos vwififlt Wanarpv6 WfpLwf
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/25/2013 10:54:13 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
8/25/2013 10:43:45 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013]  - The DHCP allocator has disabled itself on IP address 169.254.94.59, since the IP address is outside the 192.168.173.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.
8/25/2013 10:01:31 PM, Error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
.
==== End Of File ===========================
 
 

RogueKiller

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Joseph [Admin rights]
Mode : Scan -- Date : 08/26/2013 09:41:30
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 9 ¤¤¤
[sHELL][Rans.Gendarm] HKCU\[...]\Windows : load (C:\Users\Joseph\LOCALS~1\Temp\mshxufb.bat [x]) -> FOUND
[sHELL][Rans.Gendarm] HKUS\[...]\Windows : load (C:\Users\Joseph\LOCALS~1\Temp\mshxufb.bat [x]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : Rans.Gendarm ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: TOSHIBA MK5065GSXN +++++
--- User ---
[MBR] 323a0225a06d0e1629d21d7c4a42b264
[bSP] d12ec462d0b44d5c4e3b55bda4d3f2e5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 102900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 210946048 | Size: 373938 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_08262013_094130.txt >>

AV: Bitdefender Antivirus *Enabled/Updated* {9B5F5313-CAF9-DD97-C460-E778420237B4}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Bitdefender Antispyware *Enabled/Updated* {203EB2F7-ECC3-D219-FED0-DC0A39857D09}
FW: Bitdefender Firewall *Enabled* {A364D236-8096-DCCF-EF3F-4E4DBCD170CF}

Please disable Defender; you have Bitdefender running and there's no need for Defender to be running:

http://www.howtogeek.com/howto/15788/how-to-uninstall-disable-and-remove-windows-defender.-also-how-turn-it-off/

-------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

 

[sHELL][Rans.Gendarm] HKCU\[...]\Windows : load (C:\Users\Joseph\LOCALS~1\Temp\mshxufb.bat [x]) -> FOUND

[sHELL][Rans.Gendarm] HKUS\[...]\Windows : load (C:\Users\Joseph\LOCALS~1\Temp\mshxufb.bat [x]) -> FOUND

Now click Delete on the right hand column under Options

-------------

Then.......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

[screenshot: more-reply-options.jpg]

New window that comes up.

[screenshot: choose-files1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC
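As an added example (not code from this thread, and not from RogueKiller or Malwarebytes), here is a PowerShell audit of the three things the post above deals with: the Winlogon Load value that RogueKiller flagged, the HKCU policy values that lock out Task Manager and regedit, and whether Defender is really off once Bitdefender is the active AV. It assumes Windows PowerShell 3.0 or later and that it is run as the affected user, because the Load and policy values live in HKCU; the function names are my own. It only reports; the one remediation command is printed as a suggestion to run after review, which is what RogueKiller's Delete does for the Load entry.

```powershell
# Added example: audit the persistence and lockdown settings flagged in the thread.
# Assumes Windows PowerShell 3.0+ and that it runs as the affected user (HKCU values).

function Get-WinlogonLoadEntry {
    # The "Load" value under this key is an old Winlogon autostart. On a clean
    # profile it is normally absent; anything pointing into a Temp folder is suspect.
    $key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = (Get-ItemProperty -Path $key -Name Load -ErrorAction SilentlyContinue).Load
    if (-not $load) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($load)
    [pscustomobject]@{
        Value     = $load
        Expanded  = $expanded
        Exists    = Test-Path -LiteralPath $expanded
        InTempDir = $expanded -match '\\Temp\\'               # also matches LOCALS~1\Temp\
        IsScript  = $expanded -match '\.(bat|cmd|vbs|js|ps1)$'
    }
}

function Get-PolicyLockdown {
    # DisableTaskMgr / DisableRegistryTools = 1 block Task Manager and regedit;
    # lock-screen ransomware commonly sets them. RogueKiller reported both as 0 here.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableTaskMgr       = [int]($p.DisableTaskMgr -as [int])
        DisableRegistryTools = [int]($p.DisableRegistryTools -as [int])
    }
}

function Get-DefenderState {
    # DisableAntiSpyware = 1 plus a Demand/Manual start type means Defender is off,
    # which is the intended state on this machine because Bitdefender is the AV.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableAntiSpyware = [int]($pol.DisableAntiSpyware -as [int])
        ServiceState       = $svc.State
        StartMode          = $svc.StartMode
    }
}

# --- report ---
$load = Get-WinlogonLoadEntry
if ($null -eq $load) {
    'Winlogon Load value: not set (expected on a clean profile)'
} else {
    "Winlogon Load value: $($load.Value)  (exists on disk: $($load.Exists))"
    if ($load.InTempDir -or $load.IsScript) {
        'SUSPECT: Load points at a script in a Temp folder. After reviewing the file, clear it with:'
        "  Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -Name Load"
    }
}
'--- HKCU policy lockdown (1 = restricted) ---'
Get-PolicyLockdown | Format-List
'--- Windows Defender ---'
Get-DefenderState | Format-List
```

A value of 1 for either policy entry after cleanup means something is still restricting the user; the Defender block should show DisableAntiSpyware=1 and a Manual start type once it has been disabled as advised above.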


It seems that the threats are removed. The first scan detected the said threats, but after doing the clean-up in Malwarebytes Anti-Rootkit, a reboot and another scan, Malwarebytes Anti-Rootkit says "No malicious items were detected". I have attached the mbar-log.txt and system-log.txt.

About my system:

I have internet access and it's running normally.
My Windows Firewall can be turned on and off and seems to be functional.
My Windows Update is working.

Can I be sure now that the threats are 100% removed from my laptop? Thank you for your help.

mbar-log-2013-08-26 (11-37-56).txt

system-log.txt


Oh, by the way, I've started installing updates and encountered errors on installing other updates.

Here are the errors that I've encountered:

Code 8020002E

Code 80070003

I just wanted to know if these errors have something to do with the functionality of Windows Update or the system. I really appreciate your help and I want to thank you for your support. Sorry that I could not give you any donation...


Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    Internet Services
    Windows Firewall
    System Restore
    Security Center
    Windows Update
    Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

MrC

Farbar Service Scanner Version: 18-08-2013
Ran by Joseph (administrator) on 28-08-2013 at 14:25:43
Running from "E:\"
Microsoft Windows 7 Professional  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Destination is offline
LAN connected.
WAN connected
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Disabled Policy: 
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-08-26 14:01] - [2013-05-10 12:49] - 0140288 ____A (Microsoft Corporation) 33ADF6E0853AB39EA1723BE82842C1D3

C:\Program Files\Windows Defender\MpSvc.dll
[2013-08-26 21:24] - [2013-05-27 12:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


I searched for the updates that I needed but I can't find any of them in the results... I've also tried searching on Microsoft's website to see if there are other people experiencing the same problem as mine, and I found out that they have also tried the same advice you have given (which was given to them by Microsoft) but it didn't solve the problem. Does it mean that the problem is on Microsoft's side?
